Linda Musthaler | May 11, 2012

Training Workers to be Cyber Safe

An article posted to the Barracuda Labs Internet Security Blog warns that scammers are now tailoring their phishing messages to prey on people who commonly use their Facebook, Google or Yahoo accounts to log in to other websites via OpenID. People who fall for the scam unwittingly give up their login credentials to a thief, and these credentials can then be used for all sorts of nefarious deeds.

Unfortunately, this scenario is becoming all too common, and the scammers’ attempts at garnering login credentials and other important information are getting better every day. I nearly fell for one the other day when I had a message that appeared to come from LinkedIn, a social network I use. The message directed me to confirm my email address so that my LinkedIn invitations could be sent out.

When I hovered over the hyperlink in the message, I noticed the underlying URL looked a little weird—like it would direct me to a website in Russia. A warning bell went off in my head and I deleted the entire message. Since then, I’ve had the same message sent to me at least a dozen times, and each time the hyperlink showed a weird address that is definitely not for LinkedIn.

It shows that people have to be more vigilant than ever when opening or reading email messages or conducting activities on the Web. It’s very easy for busy people to simply click on a link that appears to come from a trusted source, only to become a scammer’s latest victim. The cyber thief could use the opening to plant malware on the user’s device or to steal personal or corporate credentials or other valuable information.

Such actions can have a big impact on companies as well as on the individuals who are scammed. This points to a need for companies to teach their workers how to be cyber safe. “In 2012 we’re already seeing a sharp increase in data breaches caused by employees who lost or leaked confidential company data,” according to Perry Carpenter, research director at Gartner. “Gartner considers a behavior-change oriented information security awareness and training program to be an essential tool for all companies, regardless of size. Without one, serious IT risks may be overlooked.”

In part, I owe my cyber savvy nature to Wombat Security Technologies, whose training programs taught me to hover over a hyperlink for a moment to reveal the URL before clicking on it.

Wombat provides highly effective training programs that teach workers how to maintain a safe posture when reading email or working on the Internet.

The company’s training modules include topics on how to:

  • Use social networks safely
  • Create and remember strong passwords
  • Avoid common email traps used in phishing
  • Identify fraudulent or malicious URLs
  • Use public Wi-Fi networks safely
  • Keep smartphone conversations and information safe

Wombat’s latest training module, just released in early May, is on “Security Beyond the Office.” When employees work outside the office, they often choose convenience over safety, which can compromise company assets. For example, workers may send confidential company information via email over an unsecured public Wi-Fi network without thinking about how easy it is for a thief to grab those bytes out of thin air. The Security Beyond the Office training module explains the risks of working remotely and then teaches employees how to work safely outside of their office.

Wombat has a unique offering that works to change employees’ behavior. All of Wombat’s training materials are based on learning science. That is, they incorporate scientific principles to ensure that people learn and retain the important lessons.

Wombat’s training is engaging and effective because it:

  • Presents concepts and procedures together
  • Uses a story-based environment
  • Helps people to learn by doing
  • Creates teachable moments
  • Provides immediate feedback to the student
  • Uses conversational content and not technical jargon
  • Collects valuable data that helps a training administrator refine or reinforce the lessons

The lessons are short – often 10 minutes or less – and can be targeted to specific groups or people within an organization. Many of the lessons are interactive, asking students to respond to questions or take some action, such as choosing to open or delete a suspect email message (in a simulated environment, of course). Based on the action the student takes, the training module provides feedback to reinforce the lesson and guide future behavior.

Wombat has some free training demos on its website. Check them out to see the easy but very practical lessons they teach in order to get people to think about what they are doing both in and outside the office.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation.

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Read the article at Network World.