The reason this worked is that a "good" awareness program was implemented. It was not a generic video with no reinforcement. The information provided all of the critical elements of good awareness materials: 1) Awareness of what the issue is, 2) Definitive and relevant actions to take in response to the issue, and 3) Motivation to take the proper action.
Admittedly, the IDG team already had a general awareness to be on the lookout for spearphishing messages. That itself is a Security Awareness success. However, it only becomes obvious when you are under attack.
The reality is that there are Security Awareness success stories every second of the day. They just do not get noted. Every time a person does not click on a phishing message, every time they avoid a malicious website, every time they lock their door or computer screen, every time they refuse to enter private information for questionable purposes, it is a Security Awareness success story. It is, however, much more notable when you realize that you are under attack from a determined adversary.
The fact that we were able to predict exactly how and when the SEA would attack was a clear benefit. However, I was still pleasantly surprised to learn that nobody fell victim to the attacks. As previously implied, all security countermeasures will fail at some point in time, and it is impossible to create perfect security. This is why everyone should practice defense in depth.
While there are many characteristics of a successful awareness campaign, what made the IDG's awareness program effective in this case was:
- The guidance was clear as to what people should watch out for.
- The guidance was relevant to current and future circumstances, and stated why it was relevant.
- There was clear motivation as it was obvious what a failure would mean to the individual and the organization.
- People were informed exactly how to report attacks.
- Once an attack was detected, the organization was informed about the attacks.
- The organization helped people by taking the appropriate actions: blocking access to the dangerous websites, deleting unopened messages, and informing people about the details of the ongoing attacks. The latter provided additional motivation for people to behave more securely in general, which led to the reporting of the social engineering attacks.
I assume that prior to the publication of this article, IDG would have sent out reminder messages about the past guidance, telling people to be on the lookout for other attacks that use similar strategies. This should produce similar results, i.e., repelling all attacks, but even if it doesn't, any damage should be proactively mitigated with defense in depth.
When you have a good Security Awareness program, you will have a lot of success stories, as not only will many incidents be prevented, but you will know about them. It is frankly refreshing to be able to highlight a success story that we were involved in. However, make sure that you don't forget to acknowledge and highlight the small success stories that help you prevent the proverbial death by 1,000 cuts.