May’s awareness topic is email and messaging security
Introduction and scope
For May, we are focused primarily on email security, with some coverage of the information risk and security aspects of other forms of technology-enabled person-to-person (inter-personal) messaging and communications, such as the phone and SMS/TXT.
We’re talking about the central orange area of the scope diagram where networking and messaging technologies intersect with the people communicating:
Other aspects of networking and systems security, and other forms of communications (such as intra-application or system-to-system messaging, face-to-face conversations and in-person meetings) are out of scope: it’s not that they aren’t important – far from it – just that other awareness modules go into more depth in those areas.
There’s plenty to cover anyway, with significant security issues such as phishing (especially spear-phishing and whaling), ransomware (such as WannaCry), spam, fraud, mistakes with email addresses, accidental and deliberate disclosures and more.
This is an extremely important and valuable topic for all security awareness programs.
The latest NoticeBored module is intended to:
Introduce email and messaging security, providing general context and background information to set the scene for this topic;
Identify, characterize and assess email and messaging-related information risks to the organization (touching on those that affect people personally as individuals) – phishing, spam, email-borne malware and privacy breaches being just four of many concerns in this area;
Expand on the associated information security controls (such as email encryption) and other forms of risk treatment (such as not putting in writing, and sending, things that you might later regret, i.e. risk avoidance);
Stimulate everyone to think - and most of all act - more securely while using, managing and administering email and messaging.
Consider your learning objectives on this topic, perhaps including other business issues
relating to email and messaging besides the most obvious information risk and security ones, such as:
Corporate branding e.g. logos and signature blocks;
Using professional/formal business language or casual/informal language as appropriate;
Disclaimers etc. designed to remind users about security and limit liabilities;
Network and system security, including availability (e.g. pre-arranging emergency communication mechanisms in case the normal systems fail for some reason);
Filing, backing up, archiving and retrieving important messages (including the potential ‘discovery’ or search and seizure of pertinent evidence for court cases);
Distraction and overload caused by some users’ obsessive need to read and respond rapidly to electronic messages;
Reporting and responding to security incidents in this area.
Three streams of awareness content all relate to the same topic but emphasize different aspects, reflecting the differing perspectives of three audiences:
IT and other professionals have an obvious interest in the technology enabling, supporting and securing email and other electronic messaging;
Workers in general (comprising all employees, including the other two audiences) are busy using email and messaging, although not necessarily securely! They welcome practical guidance on how to spot and react to nasty emails, for instance, as well as tips on how to avoid accidentally sending out confidential personal or corporate information;
Managers need to manage email and messaging security sensibly in relation to other business activities and risks, through sound governance, strategies, policies, metrics etc. Managers have a particular interest in compliance and phishing, not least because they are prime targets.
Inside the NoticeBored module
The May module is a 50 Mb ZIP file containing the following awareness materials:
The table only briefly describes the content. Discover the thought that went into creating the individual items, and how the whole module evolved as it was developed during April, through the NoticeBored blog.
Building a security culture through awareness
A security culture involves everyone in the organization, top to bottom, collectively valuing, protecting and (where appropriate!) exploiting information.
Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context. NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course, but the principles underpin the general staff and professional streams too.
Information is a valuable and yet vulnerable asset that needs to be protected for sound business reasons.