Organisations and businesses are concerned about security. What keeps that concern alive is the understanding that a cybercrime attack on a business can cause more than a few problems.
Monetary investment in front-facing systems such as firewalls, VPNs, wireless and intrusion detection is constantly competing with resilience and compliance components, making it difficult to invest the time and money in other areas of your cybercrime protection framework.
One of the least thought-through protections is training: training your staff to understand what is needed and what they have to do to protect the business as well as themselves. Social media has complicated this immensely.
Before the introduction of Facebook, Twitter and LinkedIn, a social engineering attack was carried out mainly over the phone, face to face, or maybe a little by email. The social networks have given a cyber-criminal, or anyone else, the opportunity to discover everything about you. This includes your likes and dislikes, where you work, what your position is, who you work with and, in some cases, where you live.
This gives the social engineering criminal a rich area to work in. It also allows a criminal to create an attack that is specifically focused on YOU. They know that you are a DBA, they know you work in a bank, they know you are a member of the DBA fraternity at XXX university.
So when you receive an email that looks legitimate, seems to come from the DBA fraternity and talks about increasing your knowledge and your education, you are more than happy to click on any link that may appear in the email.
Protection and education are critical in this process. If your users are aware of the problem, they will be more careful. If you have a security education program or process that gets your people to think past the first impulse, your business will be a little more secure.
Training and education are important components of your security framework.