As we prepare to move into the end of the year holiday season, organizations tend to enter into one of two modes: they are either winding down end of the year activities in preparation to close their books, or they are sprinting to get things done before the end of the year. Sometimes it's a mixture of both these things. One common theme no matter what mode you are in, is your users will be distracted by the holidays. And if they are distracted, they are more prone to error, which means more vulnerable to attack and fraud.
But you can use this to your advantage! One of the best tools in your awareness toolbox is communication. Your users will listen to you especially if you communicate messages they are open to hearing. Online fraud spikes during the next couple of months, so helping your users with their holiday shopping is an excellent way to get your message heard.
Remember, imparting awareness is about changing behaviors, so giving your users tools to be aware of their online behaviors in their personal lives can naturally spill over into their corporate lives. It's a win-win!
The best thing about this technique is that it's free. There are many resources available from many outlets that you can use to send your message. Or you can create your own, tailored to your users and their needs. I prefer a mix of both of these, as you can tailor your message and also get some support from some significant resources.
Here are a couple of articles that popped up recently in my Flipboard feed that have good content:
- Don't Get Grinched By Cybercrime During The Holiday Season (AP Newswire)
- The biggest security mistakes people make when buying things online (Business Insider)
If you are not aware (ha!) SANS publishes the free OUCH! Newsletter on security awareness, and the November 2015 issue contains online shopping tips. The nice thing about OUCH! Is you can just redistribute it.
Again my preference is a combination of all these things. Planning your message to hit the hot topics in your organization will have the best effect for you. For example, during a security awareness roadshow, I got asked the same question by a lot of people that I had not even thought would be an issue today.
“Is it safe to use my credit card online?”
Of course this depends on your interpretation of safe. However it occurred to me that my users very likely did not understand what the fraud rules were around using credit/debit. So a quick search revealed the FTC rules around the The Fair Credit Billing Act (FCBA) and the Electronic Fund Transfer Act (EFTA). Here's the resource page that explains the liability:
The biggest takeaway is the difference between ATM/Debit and credit cards. While the liabilities are limited similarly, the ATM/Debit is higher risk because it directly accesses funds which are then unavailable until the dispute is resolved. This may not be news to you, but you would be surprised at the number of your users who don't understand this. Having you state it and then backing it up with FTC rules makes a very powerful message. Obviously this applies to USA, so for your country the rules may be different.
Another strong message is showing how to avoid clickfraud by not clicking on tracking numbers in UPS or FedEx or USPS fake shipping emails. It's natural that people will have ordered something, or maybe a lot of things online, and maybe they've ordered so much they might be wondering what package is arriving. All these outlets have web pages devoted to exposing the fraud.
The tip here is to not click the link, but go to the shipper's website and enter the tracking number manually. Again, this may seem obvious to you, but to those who are not aware, it can be an epiphany.
Another thing I like to do is give users tools to make smart shopping choices. Very often non-technical people are buying computers for themselves or their kids who are in school. Creating a simple matrix on buying a PC (what to look for, what terms mean, etc) and passing it out can be a huge help.
And since this is the season of giving, I'm giving this to you! Attached to this post is a Powerpoint my take on a typical outreach document than you can re-brand and distribute, tear apart, or whatever you like. I prefer to use the more visual elements, infographics and a newsletter style, but I included some word summaries that you can take from. Now you can help your users be safe when they want to buy that Sarlaac Toilet or Bacon Bandages! I also included the “How To Buy A Computer Guide” that you can use, modify or whatever.
The best gift you can give yourself is to build on this idea. Use this holiday season to start your outreach and then keep it going as often as you can; weekly, monthly, quarterly, or whatever period you can manage. The trick is to keep those lines of communication open, and your users will be more open and willing to accept your messages over time.