Home page logo

dataloss logo Data Loss mailing list archives

How to Test the Security Savvy of Your Staff
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 27 Feb 2014 18:23:18 -0700


Security can be an acute pain point for CIOs. There might be nothing that
causes more sleepless nights than ensuring the security of an
organization's data and systems. Specialists fortify the network perimeter
with firewalls and IDPSs, segment the network and perform regular audits
and rigorous assessments. They also classify data and isolate critical
files, and follow best practices regarding least privilege and security

Unfortunately, these efforts are vulnerable to the actions of undereducated
or malicious users. In its 2013 global, the Ponemon Institute estimates
that the average total cost of a data breach in the United States is just
over $5.4 million. Roughly 67 percent of the incidents resulted from a
malicious or criminal attack or a system glitch, but 33 percent are
attributed to the human factor, such as a negligent employee or contractor.
It can all start with a single click on the wrong link in an email or
trusting an imposter.

User training is an essential part of any security program. Most employees
aren't IT or security experts. Nor should you expect them to be. The
purpose of security training and awareness is to provide all employees with
basic security knowledge, as well as appropriate actions to take when
presented with a possible security situation.

Technology must be accompanied by awareness training to protect against
social engineering and phishing, two common causes of data leakage and
breaches. However, once you've spent time and budget delivering a terrific
training program, how do you know your employees have retained the
information they learned and are putting it to good use?

4 Security Testing Approaches That Surprise Employees

Testing your employee's security savviness helps you detect who is or might
be prone to giving away sensitive organization or customer information.
Approaches to testing include the following:

Administer quizzes. The folks who host security awareness training should
administer multiple-choice quizzes during training and a few times each
year at random. Post a Web-based quiz and vary the questions so employees
don't get used to a pattern or share answers in order to get it over with
as quickly as possible.

Perform random work area checks. Employees can become desensitized or
complacent to the information around them. Check employee desk security for
documents and sticky notes that contain confidential information. Are they
out in the open so anyone walking by can view or take them? See if filing
cabinets are locked and if document storage boxes are left in unlocked work
areas. Also check whether employees' computers are still logged on, without
password protection, when they're away from their desk.

Become a white hat social engineer. Appoint a staff member who isn't well
known in the organization (or hire a consultant) to call employees or stop
by their desks, requesting confidential information such as logon
credentials or information in a non-public document. The social engineer
should have a "pertinent" story ready as to why he or she needs the

Simulate phishing email attacks. A phishing email contains links to
malicious websites or payload-filled attachments. The email is designed to
look legitimate, which throws off the typical user. One of the best ways to
find out if employees are mindful of phishing emails is to send some to
their inboxes. Your test emails should contain some clues that they are not
from the purported sender (for post-testing educational purposes) and
contain links that go to a safe website. The site could simply be a page
that says, "Security awareness training - phishing test in progress."
Security technicians can gather IP addresses of visitors to the page to
monitor which employees visited the site and therefore clicked the link.

If your staff is short on time, consider hiring a third party to help you
perform simulated phishing attacks. Companies such as KnowBe4 and OneLogin
either perform the tests on your employees or provide you with a portal
that requires you to enter employee email addresses. You'll get reports
detailing the results of the tests to use for additional training.

Follow Up on Security Tests

Talk to employees who click on a phishing link or fall for social
engineering tricks as soon as possible. Explain that, although this was
only a test, the next incident could be real and result in the theft of
important organization or customer data. Your goal isn't to embarrass or
belittle your staff but, rather, to further educate them and deepen your
organization's security posture.

Organizations that must adhere to government regulations should stress the
consequences of a security breach on their compliance status. Failing to
maintain effective security, even as a result of user error, can result in
an organization being out of compliance and might lead to criminal, legal
or financial penalties.

IT should consider performing a second test on this subset of employees
within a few weeks to gauge workers progress. Some employees might need
additional tests and reminders before they internalize the gravity of
potential security breaches.

In discussions with employees after phishing tests, point out elements of
the phishing email that should raise red flags. For example, an email that
contains spelling and grammatical errors, or threatening language, is most
likely bogus. The sender's URL can offer clues as well, especially if it
contains an IP address or originates from a domain other than the alleged
company's domain.

When it comes to social engineering, many employees feel that security is
someone else's problem, from security guards to management; others are
simply reluctant to get involved. Make them feel empowered to stop and ask
an unknown person why they're in the building and coach them on how to ask
for credentials in a professional manner. Regardless of the type of test,
emphasize the appropriate steps the employees should have taken, such as
contacting a supervisor or the security department immediately.

It's not just general employees who are prone to security gaffes - senior
managers struggle with security policies and guidelines, too.

After a round of testing and follow-ups, create a list of lessons learned
to improve your program. Remember: A good security awareness program should
be ongoing, interactive, include different learning formats and have
repetition built in. Post security awareness signs around the workplace,
schedule short workshops and seminars and be sure to recognize employees
who have demonstrated that they take security as seriously as you do.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • How to Test the Security Savvy of Your Staff Audrey McNeil (Mar 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]