It's not often you get to hear about how a successful awareness program thwarted an attack.
Computerworld magazine recently published an article about some recent attacks that were alleged to be retaliation for a writer's negative presentation at the RSA conference.
Computerworld's parent company, IDG Enterprises, was supposedly worried about becoming a target of retaliation itself for reporting further on the topic. So it stepped up its security awareness efforts to get ready for what it expected, as described in the article here from Computerworld's sister publication, CSO magazine.
They then posted lessons learned for all of us in a follow-up article here.
As those of us who preach about awareness programs would expect, the successful awareness efforts were:
- Specific. Exactly how to report an incident.
- Relevant. Employees were informed exactly what typical attacks would look like, including the spearphishing emails they ended up receiving.
- Well timed. It's unlikely most of us will have to deal with this precise sort of event, but what sorts of events might trigger attacks on our organizations that we should remind employees about? Events in communities where we do business? Upcoming holidays? News about our organization?
PCI DSS requirement 12.6 and its sub-requirements are the ones that cover security awareness programs, in case you were wondering.