There are so many types of social engineering attacks – how should we determine which ones to focus on for employee security awareness training?

4.6k views, 3 Comments
Chief Supply Chain Officer in Government, a year ago

Based on what we've seen for statistics around ransomware events, over 90% of all ransomware attacks start with a phishing event.
I would focus my primary training on how to recognize and not fall victim to social engineering events from phishing.
Beyond that we also provide training on other categories.
The training platform we use is KnowBe4. It works great for overall cybersecurity awareness training and phishing exercises.

Head of Information Security in Services (non-Government), 2 years ago

You need to tell people what to expect and what not to expect from IT. We’ve tried to train people to expect that IT will do certain things or make requests which are okay to comply with, but IT will never call you out of the blue and ask you for your password, for example. We're never going to call and say, “Go ahead and enter the two-digit MFA code.” You have to help people understand what is expected behavior and what they should be suspicious of.

1 Reply

Reply (no title), 2 years ago

Great suggestion as long as you have tied it into training IT not to ask for those things.
