We just had all of our staff take the 2016 Kevin Mitnick Security Awareness Training - 45 minute program as our annual security awareness training.
One of the questions in the training was something like "At work, you receive an email that contains an Excel document that you are not expecting. What do you do?" (I may have the wording slightly off), but the answer in the program is "That's right! Contact the sender to confirm that it's safe."
That seems like the absolutely wrong answer. If you contact the person who just sent you a phishing email, of course they are going to say it's safe! Shouldn't it be something more like "Contact your IT or information security department for help verifying the safety of the attachment" or maybe "Contact the sender using their publicly available contact information and NOT by replying to the possibly malicious email"?
Maybe others will have a different opinion on this though. Thanks!