SEPTEMBER 10, 2015
My last blog described the need to assess and improve the cybersecurity awareness of employees. Of course, that raises the question of how to do so. In general terms, it makes the most sense to test awareness, reveal the results, train to correct the deficiencies the test exposed and conduct periodic re-assessments. Security is a continuing requirement; there is no day off from an adequate security posture. Effective security awareness is likewise a recurring endeavor, not a one-time event.
Testing Awareness: There are many ways to test your staff's cybersecurity awareness, and the following suggestions are not exhaustive. You can certainly deploy a questionnaire or survey to ask the usual cybersecurity questions concerning topics like spam and malware. But the assessment also has to have some covert components that test actual behavior within the workplace, because what people say they would do and what they do on a busy afternoon are two different things. For example, design a phishing email that looks like one a real malefactor might send. If a recipient clicks the link or opens the attachment, however, instead of launching an attack the message should lead to a warning on the user's screen and send notice to the security assessor. The lure must be genuinely harmless, not a real payload with the sting removed. Similarly, USB drives can be abandoned in reception areas, parking lots, office kitchens or any other place an employee might realistically misplace a device. The test is whether the finder will report the drive to the IT department or insert it into a workstation. Obviously, only the first option is acceptable, and the drives themselves should carry nothing beyond a benign marker file that lets the assessor tell which drives were opened. Mock social engineering calls can also be quite useful. Brief a caller with the information a good researcher could gather from public sources, and have the caller try to convince an employee to part with additional information that should not be revealed and which could compromise security. Whatever the mix, clear the exercise in advance with legal, HR and senior management, and keep the list of who is being tested within the assessment team so the results reflect real behavior.
Such tests should be widespread enough to disclose your organization's actual cybersecurity-related behavior, not just that of one department or one lucky sample. Prepare a report and publish the results throughout the enterprise, presenting them by unit rather than by name; the point is to show the organization where it stands, not to embarrass the individuals who were caught.
Train: Now comes the training, after the staff has been sensitized to the issue and has probably had a good laugh at itself. The training should take multiple forms: online modules, live presentations and published materials. It should be delivered in several reasonably brief but lively sessions, so no one gets bored with the topic, and each session should tie back to the specific behaviors the assessment caught.
Retest: Retest your staff periodically and on a continuing basis with randomly selected employees. Whether you truly select employees at random or target them because of their position or past performance is up to you, but make sure to retest, and vary the lures so people are not simply learning to recognize last quarter's test. Send congratulatory emails to those who pass and publish the good reports in your employee newsletter. Recognize groups of co-workers who do well as a way to build morale and a sense of team participation in security awareness. Reward units that have outstanding cybersecurity awareness profiles. Individuals and groups who fail should receive computer-based warnings, and repeated errors should result in mandatory retraining.
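To make the mechanics of the phishing test, the published tally and the retest sample concrete, here is an added example in Python. It is illustrative code written for this page, not the author's or Guidepost's tooling. The staff list, department names, landing-page hostname, campaign key and lure text are all constructed placeholders, and a real deployment would send the lure through your mail system and deliver the assessor's notice by email or to a ticketing system rather than returning it as a string.

```python
"""Added example: a small phishing-simulation harness (illustrative, not the author's code).
Per-recipient tracking tokens, a landing-page handler that shows a warning and notifies the
assessor instead of attacking, a per-department tally for the report, and a retest sample."""
import hashlib
import hmac
import random
from collections import Counter
from urllib.parse import urlencode

# Constructed staff directory (hypothetical people and departments).
STAFF = [
    {"id": "e001", "email": "ana@example.com", "dept": "Finance"},
    {"id": "e002", "email": "ben@example.com", "dept": "Finance"},
    {"id": "e003", "email": "cai@example.com", "dept": "Legal"},
    {"id": "e004", "email": "dee@example.com", "dept": "Legal"},
    {"id": "e005", "email": "eli@example.com", "dept": "Operations"},
]

# Hypothetical landing page run by the assessor, and a per-campaign secret.
# In a real run generate the key with secrets.token_bytes(32) and keep it off the mail server.
LANDING_URL = "https://awareness.example.com/t"
CAMPAIGN_KEY = b"constructed-demo-key-do-not-reuse"


def make_token(key: bytes, campaign_id: str, employee_id: str) -> str:
    """Per-recipient token: HMAC-SHA256 over campaign and employee id, truncated to 32 hex chars.
    Deterministic, so the assessor can regenerate the token-to-person mapping from the key,
    and unguessable without the key, so one recipient cannot fake another's click."""
    msg = f"{campaign_id}:{employee_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(key: bytes, campaign_id: str, staff: list) -> tuple:
    """Return (directory, lures): token -> employee, and one lure message per recipient."""
    directory, lures = {}, []
    for emp in staff:
        token = make_token(key, campaign_id, emp["id"])
        directory[token] = emp
        url = f"{LANDING_URL}?{urlencode({'c': campaign_id, 't': token})}"
        lures.append({
            "to": emp["email"],
            "subject": "Action required: payroll verification",  # constructed lure text
            "body": f"Please confirm your details before Friday: {url}",
        })
    return directory, lures


def handle_click(token: str, directory: dict, events: list) -> tuple:
    """What the landing page does when a lure link is followed: record the event,
    return (warning_for_user, notice_for_assessor). Unknown tokens get (None, None)."""
    emp = directory.get(token)
    if emp is None:
        return None, None  # garbled or forged token: record nothing, reveal nothing
    events.append({"employee": emp["id"], "dept": emp["dept"]})
    warning = ("This was a simulated phishing message sent by the security team. "
               "No harm was done. Report suspicious mail to IT instead of clicking.")
    notice = f"[assessor] {emp['id']} ({emp['dept']}) followed the lure"
    return warning, notice


def summarize(staff: list, events: list) -> dict:
    """Per-department (clicked, sent) counts for the published report. A person who
    clicks twice is counted once, and no names leave this function."""
    sent = Counter(e["dept"] for e in staff)
    clicked, seen = Counter(), set()
    for ev in events:
        if ev["employee"] not in seen:
            seen.add(ev["employee"])
            clicked[ev["dept"]] += 1
    return {d: (clicked[d], sent[d]) for d in sent}


def retest_sample(staff: list, events: list, k: int, seed=None) -> list:
    """Who to retest: everyone who clicked last time, topped up with a random draw of
    the others until k people are selected (more than k if more than k clicked)."""
    clickers = {ev["employee"] for ev in events}
    must = [e for e in staff if e["id"] in clickers]
    rest = [e for e in staff if e["id"] not in clickers]
    rng = random.Random(seed)
    return must + rng.sample(rest, max(0, min(k - len(must), len(rest))))


if __name__ == "__main__":
    directory, lures = build_campaign(CAMPAIGN_KEY, "2015-09-demo", STAFF)
    events = []
    tokens = list(directory)
    # Simulate two recipients clicking (the first one twice) plus one forged token.
    for tok in [tokens[0], tokens[1], tokens[0], "deadbeef"]:
        _warning, notice = handle_click(tok, directory, events)
        if notice:
            print(notice)
    for dept, (c, n) in summarize(STAFF, events).items():
        print(f"{dept}: {c}/{n} clicked")
    print("retest:", [e["id"] for e in retest_sample(STAFF, events, k=3, seed=1)])
```

The tokens are keyed to a campaign as well as a person, so a link from last quarter's test does nothing this quarter, and an unknown token is silently ignored rather than logged, which keeps curious employees from probing the landing page into producing false positives. The tally is computed by unit and deduplicated per person, matching the way the results should be published.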
An experienced cybersecurity team must be part of your training program, working in cooperation with your own IT department. An effective cybersecurity-awareness program rests on a thorough understanding of both your systems and the risks confronting them.
Kenneth C. Citarella
is senior managing director for the Investigations and Cyber Forensics practice at Guidepost Solutions LLC. He has more than 30 years of experience investigating and prosecuting white collar crime and computer crime.