According to a recent survey released by the Messaging Anti-Abuse Working Group (MAAWG), about 1 in 6 consumers have at some point acted on a spam message. Those who admitted to opening a spam message said they “were interested in a product or service” or “wanted to see what would happen if they opened it.”
Wanted to see what would happen if they opened it!? These people are not 6-year-olds wanting to see what would happen if they touched the hot stove or stuck their tongue to a flagpole during an ice storm!
Nearly 2/3 of the people surveyed felt they were very or somewhat knowledgeable in information security; however, 80% felt their machines would never be infected with a bot or malicious software. This lack of awareness can only lead to one thing… expensive consequences!
Organizations need to ensure that lessons learned like this are implemented down to the individual level. Without ongoing education and awareness, many employees, customers, third parties, etc. will not understand risks, threats, best practices, etc. When you implement an organization-wide awareness program with accountability and communicate organization-specific policies for passwords, anti-virus software, online safety, etc., your users will understand how to safely and securely navigate the online world.
I also recommend sharing internal lessons learned with your employees, such as a recent data breach or social engineering incident, so all appropriate personnel understand why they are being required to participate in an ongoing security awareness program. If employees understand that they are responsible for their actions, and that opening a spam e-mail may potentially cost your organization millions of dollars and loss of reputation because of a data breach, they may be more likely to actually read your acceptable usage policies regarding strong passwords, e-mail safety and social networking best practices.
How are you implementing your security program and ensuring your employees understand the risks of spam and other online threats?