Editor's note: This post is an excerpt from our new free guide, The Amazing Security Awareness Playbook
Okay, IT admin, you just caught wind of a ransomware campaign making the rounds. Attackers are sending out waves of phishing emails with infected Word doc attachments disguised as legitimate invoices. Once opened, victims are getting all of their files encrypted.
You think about what might happen if an employee at your company gets one of those phishing emails. Truth be told, you're less than confident.
For one thing, you've heard the vast majority of ransomware victims were running antivirus when they got hit, so you're not crazy about relying on your AV to stop an attack if one does get triggered.
For another thing, you do have backups you can hopefully use to recover encrypted files, but it's been a while since you tested them, and you really don't want to put all your eggs in that basket, either.
You'd obviously love to avoid dealing with an attack altogether, so as an extra measure of prevention you decide to draft up an email to warn your users:
Subject: New Security Alert — Be on lookout for ransomware-infected Microsoft Office docs
A new malicious email campaign is infecting victims with ransomware, a dangerous type of virus designed to encrypt your files and hold them for ransom. Criminals are hiding the virus in attached Microsoft Office documents disguised as invoices. When you try to open the attachments they encourage you to “enable macros,” which will actually allow the virus to infect your machine.
Once the infection starts it only takes minutes or even seconds for your files to be encrypted, at which point a ransom screen will appear with instructions for supplying payment in exchange for the decryption key. What makes this latest virus especially dangerous is that it also encrypts shadow copies of your files, which makes recovering them even more difficult.
To avoid losing access to your files and putting you and your colleagues at risk of downtime, do not open any invoice attachments from senders you don’t know.
If you open any Microsoft Office documents that ask you to enable macros, close them and contact me immediately.
Your friendly, tireless, vigilant IT person
Direct, informative, and to the point, right? It may not be the same as putting everyone at your company in a ransomware-proof bubble, but at least you did something.
Then you wait. Sure enough, three days later, one of your users lets you know their computer is acting funny and they can't access their files. And how did the infection start? You guessed it — by opening a fake invoice doc.
Really? How did they fall for this? Didn't they read your email?
The answer is no. Or not really. If anything, maybe they skimmed it. To them, it probably looked something like this:
Subject: Another non-urgent, overreactive email from IT
Guess what? Something that doesn’t really impact you. Blah, blah, blah. Jargon, jargon, jargon. Something about “shadow” something-or-other (Game of Thrones reference?).
In short: Don’t be dumb.
Wrapping up, here’s something I’m going to stress that you do, but, really, just get around to it when you have time. Maybe later, after you finish the hundred other things you have to do today...
In an ideal world, email alerts are easy and effective ways to notify your users about new security threats, updates, and other relevant news. In the real world, well, we have to be realistic.
You may see your emails one way. Users may interpret them differently. You have to keep in mind they're also reading them (or not reading them) in the context of all the other messages filling up their inboxes.
The good news is by stepping back to see your emails from a user's perspective, you can change the way you write them to make them more relevant and effective. Here are five tips to get you going on the right track:
Before you hit send, ask yourself three questions:
Remember, your users’ inboxes are just as full as yours. Before you add to the pile of unread messages, make sure any emails you send are truly necessary and valuable. Otherwise, users are going to quickly learn to pass over them for the emails that are. And once that pattern develops it’s an increasingly difficult one to break.
Your emails need to be clear, relevant, and actionable. It all starts with your subject line, which should strike the right balance of urgency and let users know exactly what to expect.
When users open your emails, they should be able to immediately understand three things:
Tip: Show your users you value their time by leading off emails with a short list of key takeaways or a “1-minute version” with the most important information listed at the top.
Your users may be more or less tech savvy depending on your organization. In general, though, it’s a good idea to keep it simple and skip the jargon. When it comes to security emails, covering technical details should often take a back seat to clarifying what the direct impact is for users and what they should do next.
Think about who you’re writing for. What’s important to them personally and in their day-to-day jobs? You'll find a worksheet to help you surface those things included in the Playbook download.
Sending an email without a good call to action is like choosing to stand instead of walk on a moving sidewalk. You’ll get to where you’re going eventually, but you’re kind of missing the point.
Calls to action don’t have to be (and in many cases shouldn’t be) a big ask. But by asking your users to do something — even if it’s as simple as replying back with a quick thumbs up/down — you’re making them active participants rather than passive recipients.
Not only will that increase the chances of your information actually sticking with them, it will also get you in the right mindset of focusing on what you actually want to achieve with your emails.
The fact is we’re visual creatures — images grab and hold our attention much better than blocks of text. They’re also much more efficient at walking people through steps and processes that would otherwise take multiple paragraphs to explain.
With those tips in mind, let's go back to our ransomware alert example and see what a more user-friendly version might look like:
Subject: ACTION REQUIRED: 1min change to avoid dangerous virus infection
Note: This email skips the blah and cuts right to the chase, so please read carefully.
What to do:
Step 1: Take 1 minute to confirm Microsoft Office macros are disabled
Step 2: Reply back to this email with “Done”
Do not open invoices or Word attachments from senders you don’t know. Can you imagine losing access to all your files? Take 2 seconds to notify me, instead.
Need your help:
If you open any Word doc and it asks you to “enable macros” or “enable content” (see example below) close the document and notify me immediately.
If a Word doc looks like this, close it and notify me.
Thanks very much for your help!
PS: Don’t forget to reply back with “Done” once you’ve confirmed macros are disabled.
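Step 1 of the alert asks each user to confirm that Office macros are disabled. An IT admin can verify the same thing from the console instead of trusting a "Done" reply. The script below is an added example, not code from the original post or the Playbook; it reads the standard Office Trust Center setting that Word, Excel and PowerPoint store as the DWORD `VBAWarnings` under each app's `Security` registry key (the Group Policy copy under `HKCU:\Software\Policies\...` overrides the user copy), and it also reports the `BlockContentExecutionFromInternet` policy that blocks macros in files downloaded from the Internet. It must be run in the context of the user profile being checked, because both keys live under HKCU.

```powershell
# Added example: report the macro security setting the alert asks users to confirm.
# Known VBAWarnings values:
#   1 = enable all macros (unsafe)        2 = disable with notification (Office default)
#   3 = disable except digitally signed   4 = disable all without notification
# Runs against the current user's profile (HKCU), so run it as that user.

$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '16.0', '15.0', '14.0'        # Office 2016/365, 2013, 2010

$meaning = @{
    1 = 'Enable all macros (UNSAFE)'
    2 = 'Disable with notification (default; user can still click Enable Content)'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App, [string]$Version)

    $base      = "HKCU:\Software\Microsoft\Office\$Version\$App"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $userKey   = "$base\Security"

    # Skip app/version combinations that have never been run under this profile.
    if (-not (Test-Path $base)) { return $null }

    # Policy value wins over the user's own Trust Center choice.
    $source = 'Default'
    $value  = 2
    foreach ($key in $policyKey, $userKey) {
        $item = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($item) {
            $source = if ($key -eq $policyKey) { 'Policy' } else { 'User' }
            $value  = [int]$item.VBAWarnings
            break
        }
    }

    # "Block macros from running in Office files from the Internet" (policy only).
    $motw = Get-ItemProperty -Path $policyKey -Name BlockContentExecutionFromInternet `
                             -ErrorAction SilentlyContinue
    $blocksInternet = ($motw -and [int]$motw.BlockContentExecutionFromInternet -eq 1)

    [pscustomobject]@{
        App                 = $App
        Version             = $Version
        Source              = $source
        VBAWarnings         = $value
        Meaning             = $meaning[$value]
        BlocksInternetFiles = $blocksInternet
        # 1 is the only setting that runs unsigned macros with no prompt at all;
        # 2 (the default) is what the "enable macros" lure in the alert relies on.
        NeedsAttention      = ($value -le 2)
    }
}

$report = foreach ($ver in $versions) {
    foreach ($app in $apps) {
        Get-MacroSetting -App $app -Version $ver
    }
}

$report | Format-Table App, Version, Source, VBAWarnings, Meaning, BlocksInternetFiles, NeedsAttention -AutoSize

if ($report | Where-Object NeedsAttention) {
    Write-Warning 'At least one Office app still allows macros to run (setting 1 or 2).'
}
```

Any row flagged `NeedsAttention` is a machine where the lure in the alert ("enable macros" / "enable content") would still work; a value of 3 or 4, or the Internet block policy set to 1, is what you want to see before counting that user's "Done" reply as confirmed.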
Using these tips will help make your emails more scannable and actionable, but you shouldn't stop there. The majority of today's cyber attacks target users and their endpoints. That makes training them to recognize potential threats and report incidents quickly more important than ever.
The truth is you don't need to hire a team of consultants or experts to train your users to be more security conscious. There are plenty of effective programs and initiatives you can develop to raise security awareness, yourself.
If you're looking for tips on how to get started, check out our new Security Awareness Playbook. It's full of advice on handling the most common problem areas (using and re-using bad passwords, falling for phishing emails, etc.), and it includes worksheets and checklists to help you figure out what your top user awareness priorities are and how to start tackling them.
As long as you're working with users, there's always going to be the risk of one of them making a mistake, right? Security awareness training is one lever you can pull to reduce that risk, but there are others that are equally important and that center around things you can actually control. Find out what they are in our blog post "4 Ways to Prepare for User Mistakes".