There are so many types of social engineering attacks – how should we determine which ones to focus on for employee security awareness training?

Chief Supply Chain Officer in Government, a year ago

Based on what we've seen for statistics around ransomware events, over 90% of all ransomware attacks start with a phishing event.
I would focus my primary training on how to recognize and not fall victim to social engineering events from phishing.
Beyond that we also provide training on other categories.
The training platform we use is KnowBe4. It works great for overall cybersecurity awareness training and phishing exercises.

Head of Information Security in Services (non-Government), 2 years ago

You need to tell people what to expect and what not to expect from IT. We’ve tried to train people to expect that IT will do certain things or make requests which are okay to comply with, but IT will never call you out of the blue and ask you for your password, for example. We're never going to call and say, “Go ahead and enter the two-digit MFA code.” You have to help people understand what is expected behavior and what they should be suspicious of.

No title, 2 years ago

Great suggestion as long as you have tied it into training IT not to ask for those things.
