Did you know?

Hello All,

Starting in the beginning of the year I will be sending out a weekly Email to all the End Users here at work, dealing with basic security and general tips.

If you could write one of these Emails (keeping it as basic as possible), what would you say in them?

To give an idea -- yesterday one of the salespersons here got a zipped E-Card from someone they do not know and the salesperson tried to open it; the "card" did not work. As you guessed it, it was one of those annoying "Personal Anti-Virus" viruses, quickly caught by me by sheer luck.

So today I had to write an Email about what is a good Email and what is bad Email and send it out company wide; the name of my Email is "Did You Know?"

So, what would you like to say (being politically correct) to the average end users in an average company, in an average section of NY?

~Obdurate~

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

veritas_libertas

My only concern would be that it is weekly. I know that I ignore the weekly company info e-mails because they come in way to often. The community college that I attended sent out e-mails so often that I treated them like spam.

One thing to be sure of is that it isn't boring. I would put a screen-shot of things that they should be suspicious of. Pictures are much less boring than dull paragraphs of boring security that most end users think will never happen to them.

networker050184

veritas_libertas wrote: »

My only concern would be that it is weekly. I know that I ignore the weekly company info e-mails because they come in way to often. The community college that I attended sent out e-mails so often that I treated them like spam.

One thing to be sure of is that it isn't boring. I would put a screen-shot of things that they should be suspicious of. Pictures are much less boring than dull paragraphs of boring security that most end users think will never happen to them.

My thoughts exactly. Something that gets sent out often tends to be discarded easily. I also agree that pictures and other things would be more likely to be read than a text paragraph.

As far as content, I'd send reminders about email attachments and installing programs if they have that access.

Plantwiz

Good luck with that, but I'm going to bet most will simply delete it. And I probably would too.

How did you conclude an e-mail would be the best way to communicate this material?
Do you not have meetings at work whereby your department (or you) could discuss this in a two-five minute blurb a week (or meeting whichever you may hold)?

veritas_libertas

Plantwiz wrote: »

Good luck with that, but I'm going to bet most will simply delete it. And I probably would too.

How did you conclude an e-mail would be the best way to communicate this material?
Do you not have meetings at work whereby your department (or you) could discuss this in a two-five minute blurb a week (or meeting whichever you may hold)?

If I remember correctly the Security+ certification goes over the best way to remind users about security. I think it said a yearly, and monthly reminder? Darril would know the answer to my question...

apena7

Keep it short, but memorable.

By the way, it would probably be more effective if you post this info by the water cooler or microwave instead of sending it via email. A person waiting for their meal to cook is probably more likely to read a poster on the wall as opposed to reading the email at their desk. You'll also be able to keep the poster up as long as you want instead of crossing your fingers and hoping people read your security emails.

kriscamaro68

I would take it a step further and post at the piss pots. That's where I read things that my company posted and it actually worked. Also you start attaching photos to e-mails then people will then think that all jpg's, or bmp's are safe to open and will catch it that way. If I worked somewhere and wanted to cause problems I could create a fake security e-mail with infected jpg's and have a heyday with your network/computers just a thought.

blargoe

Make the subject lines enticing, like

"Free Beer"
"Increase the size of your @$!@ by 5 inches!"
"FW: FW: Fwd: FW: Funny Joke!"
"Pr0n"
"100% REAL Exam Questions and Answers..."

Also, you could spoof some emails from an obvious fake email address and add suspicious looking links and imbed a bunch of flashing "Click HERE!!!" banners, or questionable attachments.

I guaran-damn-tee you these will be opened more than regularly scheduled tip of the week emails.

msteinhilber

I've found in our environment the best approach is face to face, everything else simply gets ignored. An example is when we had made changes to our mail server configuration that required all users whom do not use the web client to make the changes on their PC's. We have a lot of real estate agents whom use their own computers and for some reason our environment doesn't utilize a domain so management is a royal pain. As it were, it was up to the end users to make the changes or to contact the helpdesk so they could login remotely to make the change for them. We blasted a weekly e-mail and blasted it out to all staff voicemail once a week as well, for 3 weeks leading to the change. Most people ignored it completely and we had a huge amount of users contacting the helpdesk after the switch asking why they weren't able to send or receive e-mail.

veritas_libertas

msteinhilber wrote: »

I've found in our environment the best approach is face to face, everything else simply gets ignored. An example is when we had made changes to our mail server configuration that required all users whom do not use the web client to make the changes on their PC's. We have a lot of real estate agents whom use their own computers and for some reason our environment doesn't utilize a domain so management is a royal pain. As it were, it was up to the end users to make the changes or to contact the helpdesk so they could login remotely to make the change for them. We blasted a weekly e-mail and blasted it out to all staff voicemail once a week as well, for 3 weeks leading to the change. Most people ignored it completely and we had a huge amount of users contacting the helpdesk after the switch asking why they weren't able to send or receive e-mail.

I am waiting for the swamp of help desk tickets from users about losing a bunch of important e-mails. We have informed our users that after the beginning of the year, any e-mails older than '09 will be removed from the Domino servers. I expect see a lot of very angry users that claim they never saw the notices on the doors or regular e-mail reminders.

skrpune

Plantwiz wrote: »

Good luck with that, but I'm going to bet most will simply delete it. And I probably would too.

Unfortunately I have to agree. Whenever our end users see an email from the techy group, it's usually an automatic DELETE. Kinda sad, because they've missed out on some very important information, like security vulnerabilities and changes to user management, etc.

I say reduce the frequency and keep it light and friendly. Have someone proof it to be sure it's not too techy (otherwise you'll lose people off the bat), and keep the subject matter to things that are either directly applicable to the users or things that are just "cool" and make people go "wow, neat!"

Hyper-Me

Its unfortunate that more employees dont care a little more about doing what they are supposed to be doing and NOT damaging company owned equipment. The sad truth is that they dont care. They only thing they DO care about is not getting blamed/fired for it.

If you work where I work, its near impossible to get fired so users basically do whatever they want. My place of work is the ONLY place ive ever seen where the end users cuss out IT staff to their face and suffer no recoil from doing so.

Plantwiz

Hyper-Me wrote: »

Its unfortunate that more employees dont care a little more about doing what they are supposed to be doing and NOT damaging company owned equipment. The sad truth is that they dont care. They only thing they DO care about is not getting blamed/fired for it.

....

I don't think it is so much that they don't 'care' but they don't feel like it is their job. It's our JOB in IT to keep them safe. AND while we may be trying to help teach them ways to keep them safe for the times when all the safety nets we set up may fail...sales folks, don't really concern themselves with IT work. We're just the people who need to keep it running.

But office mail, it's usually just nonsense, so if the OP is going to do this, it needs to be simple, and I'd still recommend as a follow-up to a small 2-5 minute blurb at the company meeting.

I like the toliet martketing approach...it's a captive audience

veritas_libertas

I would suggest reading Kevin Mitnick's book, "The Art of Deception." The last chapter goes over how to educate users on security.

Also, I think you might want to rename this thread so that other TE members will be able to benefit from the advice given.

Pash

skrpune wrote: »

Unfortunately I have to agree. Whenever our end users see an email from the techy group, it's usually an automatic DELETE. Kinda sad, because they've missed out on some very important information, like security vulnerabilities and changes to user management, etc.

I say reduce the frequency and keep it light and friendly. Have someone proof it to be sure it's not too techy (otherwise you'll lose people off the bat), and keep the subject matter to things that are either directly applicable to the users or things that are just "cool" and make people go "wow, neat!"

Im with the two lasses. The amount of emails deleted by the users I was supporting last year that were sent by the IT manager himself was just comical. They never knew what was going on because they would never read his epic emails.

Users are only interested in things that will help with their productivity/save them time at work.

Id personally invest in resources to better prevent these security incidents and work on limiting the impact of these cases where the users are caught out. Aslong as they have a station to work on and the files are always readily available from backup, they will just leave you be.

carboncopy

I would create a rule and send it straight to the trash... or at least I think that is what most users will do.