Security and Privacy in a Networked World/Training: Herding cats

Intro

Awareness training - some possible topics

Generic

• We are targets
• Social Engineering

Main technologies

• Web
• E-mail
• Instant messaging
• Social networks
• Wi-Fi
• Mobile devices
• Cloud services

• Access control - passwords and other measures
• Data security - creation, maintenance and safe destruction
• Threats from inside
• Children online
• Damage control

Special groups to train

• IT staff - those actually in charge, including administrators, developers, support/helpdesk
• Higher management - can be especially difficult to train due to limited time resources and sometimes also mixed attitudes (reluctant to learn, feeling being 'above the law' etc). Should especially focus on social engineering, mobile/travel/cloud and data security, but also reach adequate knowledge of common applications usage (e.g. e-mail).
• Service staff (janitors, drivers, couriers etc) - a major target for social engineers, therefore the training must focus on recognizing and neutralizing SE-based attacks. However, with training these people can be valuable in countering threats due to their mobility and "low profile" image ("just a janitor - he is supposed to be there").

Environment

• Physical security - doors and locks
• Protecting home
• Travelling abroad
• BYOD and teleworking

Study and Blog

• Pick a topic above (e.g. passwords or social networks) and write a short awareness training programme for your colleagues (those who do not work may use a fictional company).