Developing an Effective Security Awareness Program: Physical Security, Password Security, and Phishing

01/17/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services



It is a well-known fact that one of the greatest threats in information security comes from within one’s own company.  Cybercriminals have become increasingly advanced in their never-ending attempts to manipulate users into compromising systems and exposing valuable information.

Security awareness programs have been implemented on a growing scale due to necessity and compliance requirements imposed by standards such as PCI, FISMA, and HIPAA, to name a few.  However, the purpose of implementing a strong, thorough security awareness program is not to simply satisfy compliance needs.  The true purpose of a solid security awareness program is to prevent sensitive data loss and the pain and anguish that accompany a breach.

All too often, companies and organizations develop security awareness programs to meet the bare minimum of requirements, but just because compliance with a regulatory standard is achieved does not mean the company is secure.  To gauge the effectiveness of a security awareness program, data tracking security incidents and employee involvement must be charted from one year to the next as the program is updated and evolved to meet the growing needs of the business.

An effective and thorough security awareness program must have a variety of communication methods and include a range of topics educating the user about the array of tactics utilized by cybercriminals in today’s world.  Three of these highly important topics which will be covered in this article are: physical security, password security, and phishing.

Physical Security

One very important topic warranting a comprehensive lesson is physical security.  The SANS Institute explains, “When addressing physical security, locking your doors and desk/file cabinet drawers should be the main focus.” 

Securing the building’s perimeters and internal areas containing sensitive information is an important first step towards security, and employees must be aware of this importance.  However, in my social engineering experience, locked doors have never prevented me from gaining entry into a building.  This is because a company employee has always allowed me access whenever a locked door stood in my way. 

My reasoning for needing access to a building has ranged from, “It’s my first day, and apparently they didn’t set my badge up right,” to “I accidentally left my badge in the meeting room.  I usually work in the building next door.”  Oftentimes, merely tailgating employees as they badged into a restricted area, pretending to badge in behind them, has proven to be highly successful.  (One vulnerability of most badge readers is the fact that they produce the exact same sound for a failed badge as they would for an accepted badge.  Therefore, the tailgated victim hears the badge reader’s all too familiar ding and assumes the stranger behind him must have a viable badge.)

This is where locking desks and filing cabinets comes into play.  In my experience, many times filing cabinets which should be locked will have the keys in the actual locks!  If the key is turned to the locked position but is left in the locking mechanism, the filing cabinet is not actually locked, and this concept seems to be overlooked by many employees.  Additionally, having roamed the buildings of many companies, I have noticed that unattended desktops are often left unlocked.  A malicious individual needs only a couple of minutes of access to a logged-in workstation to compromise the computer and its data. 

Employees assume because their computers are behind locked doors, they are safe and fail to log out when they walk away.  Clearly, this is not the case. Therefore, all employees need to be made aware of the seriousness of physical security when protecting sensitive data and working in restricted environments, and they must feel empowered to question a stranger’s presence in these areas.

Password Security

Companies more often than not require employees to adhere to best practice standards when creating and replacing passwords.  Employees need to have an understanding of why the enforced password requirements are important for protecting themselves, as the user, and the company. 

It is no secret that simple passwords, such as “Password1”, are incredibly common and predictable.  A basic Internet search of the most common passwords generates article upon article of lists of common passwords.  Many articles report the most common email password is “123456,” while other common passwords are “abc123,” “monkey,” and “iloveyou.”  Clearly, the necessity of complex passwords is lost on the common user.

The commonality of user passwords is not lost on cybercriminals, and although complex passwords may be enforced through group policies, there is always the occasional account with a weak, predictable password.  Ultimately, users should be encouraged during awareness training to create complex passphrases containing special characters and numbers.  Statistically, passphrases are easier to remember but far more difficult to crack.
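The gap described above, where a predictable password still satisfies an enforced complexity rule, can be closed by screening candidates against a list of common passwords when they are set. This is an added example, not part of the original article; the complexity rule, the function names, and the tiny deny-list (built from the passwords named in this article) are assumptions for illustration.

```python
import re

# Constructed deny-list: the common passwords named in the article.
# Assumption: a real deployment loads a far larger list.
COMMON = {"password1", "123456", "abc123", "monkey", "iloveyou"}

def base_word(password):
    """Lower-case the password and strip trailing digits and symbols."""
    return re.sub(r"[^a-z]+$", "", password.lower())

# Base words of the deny-list entries; very short bases are skipped
# so that unrelated passwords are not rejected by accident.
COMMON_BASES = {b for b in map(base_word, COMMON) if len(b) >= 5}

# Hypothetical complexity rule: 8+ characters, 3 of 4 character classes.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

def meets_complexity(password, min_length=8):
    classes = sum(1 for pattern in CLASSES if re.search(pattern, password))
    return len(password) >= min_length and classes >= 3

def is_common(password):
    return password.lower() in COMMON or base_word(password) in COMMON_BASES

def screen_password(password):
    """Return (accepted, reason) for a candidate at password-change time."""
    if not meets_complexity(password):
        return False, "fails complexity rule"
    if is_common(password):
        return False, "common password"
    return True, "ok"

def complexity_gap(candidates):
    """Candidates the complexity rule accepts but the deny-list rejects."""
    return [p for p in candidates if meets_complexity(p) and is_common(p)]

# Constructed sample input.
SAMPLES = ["Password1", "123456", "Monkey2017!", "Seven-purple-kayaks-42", "iloveyou"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(candidate, screen_password(candidate))
    print("complexity gap:", complexity_gap(SAMPLES))
```

“Password1” and “Monkey2017!” both satisfy the complexity rule yet are rejected as common, while the passphrase is accepted.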

Users should also be made aware of the potential consequences associated with sharing passwords with others.  Sharing passwords leaves the user and company vulnerable in a number of ways.  Whether the employee entrusted with the shared password misuses the trusting employee’s access or insecurely manages the password, the trusting employee could become a victim and be held accountable for the breach.

Lastly, in regard to password protection, employees must be made aware of the importance of never leaving passwords written anywhere anyone other than the user can view them.  Viewable passwords can be utilized for malicious purposes by both those with legitimate building access and those who happen to social engineer their way into the restricted area.


Phishing

Phishing campaigns targeting companies and sensitive data are increasingly complex and sophisticated.  Employees must be aware of phishing and the consequences associated with this attack. 

Though the concept is not foreign, sometimes the term “phishing” is, and it is important to clearly define this term for users.  The SANS Institute explains, “Examples are key to this portion of security awareness training. Things to avoid (e.g. clicking on links provided in e-mail, submitting banking and password information via email, etc.) should be highly emphasized so people know what to look for.”

Many users are suspicious of emails with poor grammar and typos which directly ask for user credentials or request the recipient click a link.  Though these phishing emails still circulate in the wild, cybercriminals have become far more devious in their phishing campaigns.  Having developed successful phishing campaigns for security assessments, it has become clear there are some tactics to which users remain highly vulnerable. 

Well written, articulate emails targeting employees requesting a link be followed for important surveys, the new and improved company newsletter, or policy revisions are only a few examples of phishing campaigns that have proven to be successful in the past. 

Going one step further and creating and linking in the email a bogus website displaying the company’s name and logos along with username and password entry fields which capture user credentials has proven to be far more successful than not. Furthermore, the tried and true approach of attaching a document posing as a resume or valuable company statistics with an embedded exploit continues to be successful in the phishing world.

Therefore, users must be made aware of the value of suspicion when receiving unexpected emails requesting any information, that a link be followed, or that an attached document be opened, no matter how legitimate they may appear.


Physical security, password security, and phishing are three of the many important topics which must be covered in-depth in an effective security awareness program.  Employees must be made aware of secure behavior and practices and the consequences of insecure behavior.  They must feel empowered to stand up for the security of the company and know that they are expected to question suspicious behavior and emails.

To be effective, a security awareness program must include a variety of communication methods which can include routine educational emails, newsletters, training videos, and quizzes.  Regularly reminding users throughout the year of the importance of security and the latest news in information security is far more effective than requiring training only once a year.

Physical security, password security, and phishing are only three of the most vital topics to cover in security awareness training.  Check back for the follow-up article, Developing an Effective Security Awareness Program: Malware, Wireless Security, and Safe Internet Browsing, which will cover three more highly important topics in security awareness.

The LBMC Information Security team can help you assess your risks and ensure that your security efforts produce the greatest benefit and have the most effective impact.