You can force complex passwords, install drive encryption, and use three different types of security applications, yet none of that matters unless you tackle the primary cause of security issues: your employees. While typically not a malicious act, employee-caused security incidents are quite common, with phishing attacks accounting for 43 percent of all data breaches. Besides technical means, a comprehensive Security Awareness Training program is essential to your overall security plan. While many businesses conduct formal training seminars, send email updates, and even test employees on their overall security knowledge, there is one question that IT leaders often have a difficult time answering: is it actually working?
What is Security Awareness Training?
Security Awareness Training is the process of educating employees on information security best practices, policies, and general guidelines. It should be an ongoing process that teaches employees how to best protect themselves and your business from potentially harmful threats. Empowering employees with knowledge, while reminding them of the possible repercussions of a security breach, should be a core pillar of every company’s overall security practice.
Global spending on security awareness training for employees is predicted to reach $10 billion by 2027
How Do I Know If my Security Awareness Training Program is Working?
Security Awareness Training can be costly. Given the time commitment required from employees, many executives are cautious about pulling the trigger on funding for security training because it is hard to know whether it actually helps. One modern way businesses are gaining quantifiable stats on their security awareness training program at an affordable price is through phishing simulation tests.
#1: Simulated Phishing Test
Phishing tests are simulated phishing emails that try to trick your employees into opening a fraudulent email, clicking a link, and entering private credentials on a bogus landing page designed to look like the real thing (e.g. LinkedIn, Dropbox, PlayStation, etc.). These emails appear to come from a known source, such as the president of the company, a well-known employee or client, a social media site, or even a bank or government entity. The simulations are built around the same red flags covered in common email security guidelines, meaning that employees who have a decent understanding of information security should pass the test. They are incredibly useful because they paint a fairly clear picture of your company’s overall level of security awareness by reporting on who was duped by the test, including who actually entered their private credentials on the dummy landing page. Also, most phishing simulation programs can require employees who failed the test to learn where they went wrong and what they should have done.
Simulated phishing tests can be a relatively low-cost, high-reward activity, as they help reeducate your entire team while finding where the holes and gaps might be.
#2: Password Enumeration Tests
Passwords are one of the most basic forms of security, yet many employees ignore tips and guidelines for creating strong passwords. In a recent study by Thycotic, 30% of people admitted to still using their birthday, address, pet names, or children’s names for their password, which are all big password no-nos.
One quick and inexpensive way to test your Security Awareness Training plan is to have a third-party consulting team conduct a Password Enumeration Test. In a Password Enumeration Test, a trained and qualified security professional acts like a hacker and tries to discover employee passwords using common hacking methods such as dictionary and brute-force attacks. The results of this test come as an executive-friendly report that shows you how many passwords were uncovered during the test and where employees went wrong when they created their passwords. This helps you and your security team strengthen password policies where needed and decide where to focus your next security awareness training class.
#3: USB Drop
Social engineering is when a cyber criminal tricks an employee into installing malware or revealing private information. One common form of social engineering uses USB keys or flash drives that contain malware and are left in the open or handed to someone to use. USB drives have fallen somewhat out of fashion over the years due to the rise of cloud storage and security concerns, yet many people still save critical and sensitive data on them.
A USB Drop is a form of social engineering test in which “dummy” USB keys are left around your facility in common places like the parking lot, the break room, or even on an employee’s desk. These dummy keys are actually loaded with software that lets you know remotely when and where they were plugged in, which reveals employees who do not fully understand the dangers of using an unknown USB drive.
#4: The Eye Test
A lot of security violations come from common mistakes, such as walking away from your desktop without locking it, leaving sensitive data on a printer for an extended period of time, and not following proper visitor policies. Take a walk around your office, or better yet, get a trained security consultant to do it, and ask the following questions:
- Do you see PCs that are logged in and unattended?
- Are there documents left unattended on a printer?
- Is a contractor in your facility unattended or without a visitor’s badge?
- Are employees using non-approved file sharing methods such as Dropbox or a USB drive?
- Is anyone using a non-sanctioned device for business purposes (e.g. laptop, tablet, phone, etc.)?
- Do employees take devices or material home?
Remember, for security to be effective it needs to be everybody’s responsibility, so make sure to push the importance of Security Awareness Training early and often.