End User Security Awareness Campaign
Why this is important to you and your company.
We all move data around on networks: email, text messages, Word files, and so on. The encryption of this data is usually complex enough to deter all but the most determined, skilled, and persistent attackers.
A much easier way for your information to leak is at the point where a person reads the email: after all, they have to read it in plain text (unless they are especially geeky). Attackers know that people are a much simpler target than the cryptography and exploit this to gather your information; this is known as social engineering.
One of the ways many sophisticated organisations are compromised is by getting the target (the user) to unwittingly run a piece of software that captures and exports snapshots of the screen while emails are being read. This effectively gives the attackers a copy of your email to read at leisure.
Employees would not willingly send out your emails, but they can easily fall into this trap simply by not being aware of the possibilities, and of the steps to take to avoid giving away your company's secrets.
The above is just an example of what happens every day, and why increasing security awareness amongst your staff can help reduce the damage to your organisation from fairly simple exploits.
The modules cover such diverse topics as Phishing email formats, Voice phishing (vishing), piggy-backing, social media exploits, web site pharming, amongst others.
Each module in our security awareness campaign is designed to measurably improve security awareness among employees and management alike. The aim is to cultivate a security culture in which all staff are engaged, aware, and safe. The campaign is delivered in as seamless and non-disruptive a way as possible.
EXECUTIVE WORKSHOP (Assessment phase)
This stage is to show the measurable benefits of security awareness to top level management. We discuss how much they want their businesses to gain from the awareness training and create a plan based on their requirements.
Areas of assessment include:
- Client requirements: understanding the business, its security, and the interfaces between them
- Legislation and regulation: governance; who do you answer to?
- People, process and technology; asset and information inventory: what do you need to protect?
- Risk: assessment, mitigation, threat profiles, vulnerability analysis and impact
ONLINE AWARENESS VIDEOS
Videos are tailored to suit the needs of the client, where possible using your own systems and information as examples, and can cover anything from identifying phishing emails or social engineering to the information security policies and procedures of the organisation.
Modules can be mapped to the employee's role and to the information assets they use, to ensure that what the employee is learning is relevant to them.
Topics are tailored for emphasis and include:
- Physical security of assets
- Social engineering
- Computer & Network Security
- Mobile, wireless and Apps Security
- Email and SMS Security
- Security risk management (SRM)
- Incident response
- Secure browsing practices
TECHNICAL INFORMATION SECURITY TRAINING AND ACCREDITATION FOR THE IT TEAM
This gives the IT team the knowledge and tools to maintain the state of their organisation's information security.
Courses can include:
- CompTIA Advanced Security Practitioner (GCHQ accredited)
- CompTIA Security+ (GCHQ accredited)
- Certified Information Systems Security Professional
- Certified Information Security Manager
- Cisco CCNA Security
- Check Point, Juniper and other vendors
- Bespoke security training
Visual displays showing current threats and reminders of good security practices can help keep information security at the forefront of employees' minds. Messages could be projected on the walls in reception, or information could be displayed on rolling banners in the office.
EMAIL SECURITY UPDATES
IT teams are emailed weekly security reports and immediate zero-day attack reports. The IT department can then take this information and disseminate it to staff through different methods.
LOGIN POP-UP CHALLENGES
It is difficult to get staff to pay attention to the latest security updates. This is why the security pop-up challenge is a great way to educate staff about the latest threats: it makes the learning interactive. Once a new security threat has been identified, the IT team creates a scenario based on that threat and on the best methods to reduce its impact.
INFORMATION SECURITY GAMES
This is a light-hearted but effective way of cultivating good information security practices among employees. If a member of staff catches a co-worker leaving their computer logged in while away from their workstation, or finds a password on a sticky note at their desk, the employee who was caught out must complete a forfeit. The forfeits could be whatever the employees want, for example making a round of teas and coffees. There could be six forfeits, with the employee rolling a die to decide which one they complete.
Alternatively, a ticket-based system could be used, in which the IT team is charged with random patrols to find unsecured IT assets, passwords on sticky notes and generally poor information security practices. A three-strike rule could apply: a warning on the first strike, more training on the second and disciplinary action on the third.
PHISHING, SPEAR PHISHING AND SOCIAL ENGINEERING TESTING
This service tests the diligence of staff by sending simulated phishing emails with attachments that log whether they are opened. Other methods include calling members of staff under false pretences to see whether they can be persuaded to divulge company information. If a member of staff fails to recognise the test, they are flagged to management for remedial training.
With each of these, metrics are applied to quantify the improvement between the before and after states. These metrics can be scaled from pilot programmes up to full enterprise environments, so the effectiveness can be demonstrated at every level.
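The before/after metrics described above can be computed directly from the simulation results. The following script is an added example, not part of the campaign materials: it assumes a simple per-email record format (phase, department, user, whether the tracked attachment was opened, whether the user reported the email), and the sample records are constructed for illustration. It produces the per-department open and report rates, the percentage-point change between phases, and the list of users who should be flagged for remedial training.

```python
"""Aggregate phishing-simulation results into before/after awareness metrics.
Added example; the record format and the sample data are constructed and
do not come from any real campaign."""
from collections import defaultdict

# Constructed sample records: one row per simulated phishing email sent.
# "opened"   = the tracked attachment was opened by the recipient
# "reported" = the recipient forwarded the email to the security team
SAMPLE_RESULTS = [
    {"phase": "before", "dept": "Finance", "user": "alice", "opened": True,  "reported": False},
    {"phase": "before", "dept": "Finance", "user": "bob",   "opened": True,  "reported": False},
    {"phase": "before", "dept": "Finance", "user": "carol", "opened": False, "reported": True},
    {"phase": "before", "dept": "Sales",   "user": "dave",  "opened": True,  "reported": False},
    {"phase": "before", "dept": "Sales",   "user": "erin",  "opened": False, "reported": False},
    {"phase": "after",  "dept": "Finance", "user": "alice", "opened": False, "reported": True},
    {"phase": "after",  "dept": "Finance", "user": "bob",   "opened": True,  "reported": False},
    {"phase": "after",  "dept": "Finance", "user": "carol", "opened": False, "reported": True},
    {"phase": "after",  "dept": "Sales",   "user": "dave",  "opened": False, "reported": True},
    {"phase": "after",  "dept": "Sales",   "user": "erin",  "opened": False, "reported": False},
]


def rates_by_dept(records, phase):
    """Return {dept: (open_rate, report_rate)} for one phase, as fractions of emails sent."""
    sent = defaultdict(int)
    opened = defaultdict(int)
    reported = defaultdict(int)
    for r in records:
        if r["phase"] != phase:
            continue
        sent[r["dept"]] += 1
        opened[r["dept"]] += int(r["opened"])
        reported[r["dept"]] += int(r["reported"])
    return {d: (opened[d] / sent[d], reported[d] / sent[d]) for d in sent}


def overall_rates(records, phase):
    """(open_rate, report_rate) across all departments for one phase."""
    rows = [r for r in records if r["phase"] == phase]
    if not rows:
        return (0.0, 0.0)
    n = len(rows)
    return (sum(r["opened"] for r in rows) / n, sum(r["reported"] for r in rows) / n)


def improvement(records):
    """Percentage-point change from the 'before' phase to the 'after' phase.
    A falling open rate and a rising report rate mean the training is working."""
    b_open, b_rep = overall_rates(records, "before")
    a_open, a_rep = overall_rates(records, "after")
    return {
        "open_rate_delta_pp": round((a_open - b_open) * 100, 1),
        "report_rate_delta_pp": round((a_rep - b_rep) * 100, 1),
    }


def remedial_training_list(records, phase="after"):
    """Users who opened the attachment in the given phase without reporting the email."""
    return sorted(
        r["user"] for r in records
        if r["phase"] == phase and r["opened"] and not r["reported"]
    )


def repeat_offenders(records):
    """Users who failed in both phases, i.e. those most in need of follow-up."""
    failed = defaultdict(set)
    for r in records:
        if r["opened"] and not r["reported"]:
            failed[r["user"]].add(r["phase"])
    return sorted(u for u, phases in failed.items() if {"before", "after"} <= phases)


if __name__ == "__main__":
    for phase in ("before", "after"):
        print(phase, overall_rates(SAMPLE_RESULTS, phase), rates_by_dept(SAMPLE_RESULTS, phase))
    print(improvement(SAMPLE_RESULTS))
    print("remedial training:", remedial_training_list(SAMPLE_RESULTS))
    print("repeat offenders:", repeat_offenders(SAMPLE_RESULTS))
```

Reporting the report rate alongside the open rate matters: a campaign that only lowers the open rate may just have made staff ignore suspicious mail, whereas a rising report rate shows they are actively feeding the security team. Breaking the numbers down by department is what lets the same script scale from a pilot group to the whole enterprise.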