Malawareness module for February
Background and scope
We have covered this topic annually since 2003, usually emphasizing novel forms of malware that were emerging issues at the time – multifunctional malware, Advanced Persistent Threats, bank Trojans, ransomware and cryptocurrency miners being fairly recent examples.
As with almost all of the security awareness topics, and the information security field in general, our primary concern to date has been to help organizations avoid and prevent incidents, reducing the probability of occurrence. This year, however, we’re taking a different tack with malawareness, exploring what happens after malware incidents occur - what can/should be done to reduce the business impacts of those incidents and, ideally, to reduce the possibility of future incidents by learning the hard lessons.
The nice thing about security awareness is that we also get to learn the soft lessons, benefiting from others’ misfortune. Specifically, we have used the Travelex ransomware incident as a case study illustrating the awareness materials this month, plus those experienced previously by Norsk Hydro, Sony and many others. We have consciously avoided blaming them for failing to avoid or prevent the incidents: they are, after all, the victims of these attacks, not the perpetrators. As far as we know, their information security arrangements were in line with current practice, not exceptionally insecure, lax or incompetent … but that’s the crux of it: current practice is inadequate. We can, or rather must, do better! Since we can't totally block malware infections, we must be ready to handle incidents efficiently and effectively. Awareness is a critical part of the control.
February’s awareness module:
Introduces the malware risks in the corporate context, outlining the information security controls typically used in this area – including their
Outlines the Travelex ransomware infection as an ongoing malware incident causing material harm to the business;
For the general audience, discusses the practical limitations of antivirus software, and the need for compensating security controls such as patching, network/system security monitoring and backups, plus of course risk avoidance through awareness, vigilance and caution;
For the management audience, highlights aspects of the Travelex and other cases that are pertinent e.g. governance, compliance, risk and security management, crisis and incident management, business continuity management, and the linkages between business/commercial, risk, information security and other strategies. Specifically, we were asked to cover the disclosure aspects e.g. how should management prepare for and control the release of information about malware, ransomware or other information security incidents?
For professionals and specialists, emphasizes the more technical aspects of malware incident responses and business continuity.
Don’t forget that security awareness, alone, achieves nothing. It is straightforward to provide information such as what we know of the Travelex case but the real benefits come from motivating the organization to improve its information security. The relatively simple, sequential scenarios commonly used in naïve incident management and business continuity exercises may not adequately reflect the ‘mess and stress’ that characterizes the real thing … so “Persuading management to use more realistic, complex and dynamic scenarios for business continuity purposes” is just one example of a possible behavioural change objective for this month’s security awareness module.
As well as customizing the NoticeBored materials to suit your awareness program’s branding and objectives, feel free to blend in additional content from other sources, including your own policies and procedures. Use the materials in the company newsletters and magazines, publish them on your intranet Security Zone, and use them in awareness events. The train-the-trainer guide in the module offers tips on making the most of the materials.
Buy and download the new module today through our eShop www.SecAware.com