Security Awareness Month Tips: Make employees feel they’re on the team

Cyber security awareness month is almost over, but before it ends we’ve got some advice from infosec pros to pass on that hopefully will be useful in your work.

First, from Tim Helming, director of product management at DomainTools, a service for searching behind domain names and IP addresses, comes a suggestion on getting help for the security team: Use employees.

“My philosophy is security and secure practices need to be absolutely baked into the culture of an organization and everything they do,” he said in an interview. There are two really big ways employees can be an incredible asset. One way is by them practicing good security so they don’t click on stuff they shouldn’t. The other big way is by being your sensors on the network to tell you about things that are going on.”

For example, not only spotting spear phishing but also bring it to the attention or or sending to the security team. “A phishing email can be a tremendously valuable forensic artifact,” says Helming, because security might not have seen it, it might not have triggered an alert.”

So when an employee is onboarded it should be emphasized they are part of the security team. It doesn’t mean they have to be a security expert, among the regular security training they should be told to but here are some things to pass on to staff and security when they discover suspicious messages, or if someone tries to give them a USB drive.

Helming also a big supporter of gamification as part of awareness training – for example, as part of a phishing test giving coffee shop coupons for those who alert the security team. As the tests get harder, up the value of the coupon.

As for infosec pros, Helming urges them to build a library of online resources they can turn to  and build their  security knowledge or use in an emergency Among those he likes:

Cisco Systems’ Talos threat research blog, which he says is usually free of vendor puffery and has information on new vulnerabilities and how to break them down;

The OWASP Top Ten Project, a regularly updated list of the top cyber threats and guidance on how to avoid them;

The SANS Institute resource page, a huge source of information on a wide number of topics on security, awareness training and leadership;

SANS has information on industrial controllers, but there’s also the American-based ICS-CERT, which issues alerts and has this recommended practices page;


For those who want to dig into the technical aspects of malware, he favours Malware Must Die and Kahu Security.

Finally, if you’re bored and want a dancing graphical representation of what malware is doing around the globe, see Kaskpersky’s cybermap.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.