March’s security awareness and training topic is “Malware”
Outline and scope
Malware has been a concern for nearly 5 – yes five – decades. It’s an awareness
topic worth updating annually for three key reasons:
Malware is ubiquitous – it’s a threat we all face to some extent (even those of us who don’t own or use IT equipment rely on organizations that depend on it);
Malware-related risks are changing – new malware is being actively developed and exploited all the time, while technical security controls inevitably lag behind;
Security awareness is vital to prevent or avoid malware infections, and to recognize and respond promptly and effectively to those that almost inevitably occur.
Last year, we focused on cryptocurrency-mining Trojans, and it was ransomware the year before that. Both remain of concern today. That’s the thing with malware:
new forms expand the threat horizon. It never seems to shrink.
So long as malware risks remain significant, we can’t afford to ignore them. Luckily,
generic control measures such as workers’ vigilance, patching, backups, incident management and business continuity management are appropriate regardless of
the particular incident scenarios that may unfold. Antivirus software is part of the
solution – a major part, admittedly. It’s necessary but not sufficient. That’s one of the awareness messages this year.
Another important message this year concerns an emerging malware threat, a new class of malware that seems likely to cause massive disruption at some point. Your
organization can simply wait and see what happens, hoping for the best, or you can evaluate and treat the risk now, while you still can. Get ahead of the game with the 2019 malware-update awareness module, which:
Introduces and explains malware in plain English, providing general context and background information, emphasizing what’s new in this area;
Expands on the associated information risks and security controls, emphasizing the need for a framework or structure of complementary controls (more than just antivirus!);
Emphasizes the practical things workers can and should be doing to mitigate or, better still, avoid malware risks (e.g. not opening dubious attachments, jailbreaking or disabling security on their devices, or installing dubious apps; keeping up with antivirus updates, patching and backups; reporting suspicions or incidents promptly to the Help Desk);
Motivates people to think - and most of all act - more securely.
Think about your learning objectives in relation to malware. In your situation, what has changed since your awareness program last covered this topic?
Are there particular facets or issues you would like to bring up this time, perhaps specific malware incidents that you or your neighbors, competitors and others have suffered?
We recommend customizing the content supplied, adapting both the look-and-feel (the logo, style, formatting etc.) to suit your awareness program’s branding, and the content to fit your information risk, security and business situation. Incorporate additional content from other sources, or cut-and-paste selections from the NoticeBored materials into your staff newsletters, internal company magazines, management reports etc.
We suggest you organize security awareness seminars, preferably live in person with a suitable seminar leader or online through a Learning Management System or intranet (perhaps both!). The awareness briefing papers expand on the topic for those who prefer to read at their own pace, and the malware encyclopedia takes a tongue-in-cheek look at the terms of art. The FAQ and executive-level materials are aimed at those too busy or disinclined to read much.
Run the awareness challenge in a relaxed social setting, and work through the case study in small groups, perhaps as part of a seminar or workshop.
Decide on the prize/s, then circulate the wordsearch puzzle and security test to workers. Reward previous high-scorers, publishing their details plus the winning solutions from last month’s challenges. Remember the prize menu in the Information Security 101 module.
Use the awareness survey to gather metrics plus feedback comments and improvement suggestions for your security awareness program.
Discuss the generic model/template malware policy with management, comparing and contrasting it against any policies you already have in this
There’s a huge choice of malware-related metrics: what are you using? What metrics would management value? Which aspects are most important to your organization?
Various specialists have a professional interest in this area, particularly those in IT. The newsletter, pro seminar, pro briefing and Internal Controls Questionnaire are all designed to pique their interest or grab their attention.
In conjunction with HR/Training, you might like to update your new employee induction/orientation pack on this topic, and perhaps other relevant training courses etc.
Get this module
Subscribe to the NoticeBored service to receive this module, plus similar batches of security awareness and training materials delivered fresh to your
organization every month. We offer a wealth of top-quality creative content on a market-leading range of information risk and security topics making it
easy and economic for you to run a world-class security awareness and training program.
Email us to set the ball rolling. Find out what it takes to get your security awareness and training program quickly up to speed, for a lot less than you
might think. We’re a small company with a big reputation for quality and innovation.
If you only want this module, then yes we can do that too.
Tag along with us on NBlog as we work on the next awareness topic. In addition to clues about what’s coming up, we share hints and tips on making
security awareness more effective.