The modern cyber landscape is fraught with security risks. It seems like there is a new report of a major company that has suffered a malware infection, a ransomware infestation, or an account breach via phishing almost daily.
Hardening your systems is necessary, but on its own it is no longer enough. The human element is one of the biggest areas of exposure and must not be overlooked when protecting your systems and data from attack.
Educating your employees with security awareness training will help them recognize and report potential threats before they fall victim to them.
What is Security Awareness Training?
Security awareness training is a combination of education, communication, and simulated attacks to educate and reinforce the positive security practices you are trying to instill in your staff.
The cornerstone of any training program is effective training materials. You can develop these internally, use free resources such as the CDSE Security Awareness Hub, or partner with awareness training platforms such as SANS or InfoSec Institute.
This is the portion of the security awareness training that is most visible to employees, and what they think of when they hear about your program, but it is only a portion of the overall training they are actually receiving.
Security education can include the following:
- Video modules
- Assessment tests
- Informative documentation
- Slide shows
Creating a way for your employees to ask questions and report suspicious activity is very important. Reports give you a much clearer picture of the malicious activity actually reaching your organization, and the act of reporting lets employees practice the positive security behaviors you are teaching.
Ensure your chosen method of communication is working. In other words, make sure it cannot be easily ignored, and it is effective in getting participation in your program.
It is not enough to simply educate your staff. Present employees with controlled, real-world tests of the information they are learning to simulate dangerous everyday security situations. This can be done a number of ways, depending on the contents of your training materials.
Here are the four types of simulated attacks:
1. Phishing Simulations
Phishing is often the easiest attack to fall victim to, so phishing simulations must be part of your program. A carefully crafted email can look like something of immediate importance: an urgent request for money, or a password reset that supposedly must happen before you lose your healthcare benefits. This is where the email portion of your security education pays off.
If your campaign is succeeding, your staff will know to look at the sender and reply-to headers, hover over links to see where they really lead before clicking, and treat any sense of urgency as a reason to slow down and verify.
Include the following types of phishing emails in your security awareness training program:
- Urgent needs for password resets
- False document shares
- Files to download and open
If the rest of your defenses are doing their job, delivering your own simulation should itself be a challenge: the mail filtering, link rewriting and attachment sandboxing that stop real phishing will stop yours too, so you will usually need to allow-list the campaign's sending domain or IP addresses for the duration of the test.
Do not make the simulated emails easy to spot, because real phishing attacks won't be.
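The header and link checks described above can be turned into a concrete checklist. The following Python script is an added example, not tooling from the original article: it parses a raw message with the standard library and flags the common tells a trained employee (or a mail gateway rule) should look for: a Reply-To or Return-Path domain that does not match the From domain, a failed SPF/DKIM/DMARC result recorded by the receiving server, link text showing one host while the href goes to another, and urgency language. Both sample messages and every domain in them are constructed; the registered-domain comparison uses the last two DNS labels, a simplification that breaks for suffixes such as co.uk.

```python
# Added example for this article (not tooling from the original page). Both sample messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that push the reader to act before thinking; the list is an assumption, extend it as needed.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Organisational domain simplified to the last two labels (assumption; wrong for suffixes like co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def address_domain(header_value):
    """Registered domain of the mailbox in a From / Reply-To / Return-Path header, '' if none."""
    _, addr = parseaddr(header_value or "")
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def url_host(text):
    """Hostname of a URL; a bare host such as 'portal.example.com/reset' is accepted too."""
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def phishing_indicators(raw_message):
    """Return the indicator tags found in a raw RFC 5322 message; [] means nothing was flagged."""
    msg = message_from_string(raw_message)
    found, from_dom = [], address_domain(msg["From"])
    # Reply-To / Return-Path that belong to a different organisation than the visible From.
    for header in ("Reply-To", "Return-Path"):
        if msg[header] and address_domain(msg[header]) != from_dom:
            found.append(header.lower() + "-mismatch")
    # The receiving MTA recorded a failed SPF, DKIM or DMARC check.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(?:fail|softfail|permerror)\b", auth):
            found.append(mech + "-fail")
    corpus = (msg["Subject"] or "").lower()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        corpus += " " + text.lower()
        # Link text that displays one host while the href points at another organisation.
        if part.get_content_type() == "text/html":
            extractor = _LinkExtractor()
            extractor.feed(text)
            for href, label in extractor.links:
                if _LOOKS_LIKE_URL.fullmatch(label) and registered_domain(url_host(label)) != registered_domain(url_host(href)):
                    found.append("link-text-mismatch")
    # Urgency language anywhere in the subject or body.
    if any(phrase in corpus for phrase in URGENCY_PHRASES):
        found.append("urgency-language")
    return found


# Constructed lure: the "reset your password or lose your benefits" scenario from the article, with the usual tells.
LURE = """\
Return-Path: <bounce@mail-example-payroll.net>
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=mail-example-payroll.net; dkim=none; dmarc=fail header.from=example.com
From: "Example Corp HR" <hr@example.com>
Reply-To: hr-support@example-benefits.net
Subject: URGENT: reset your password within 24 hours to keep your benefits
Content-Type: text/html; charset="utf-8"

<html><body><p>Your healthcare enrollment will be suspended unless you reset your password.</p>
<p><a href="https://login.example-benefits.net/reset?u=alice">https://portal.example.com/reset</a></p></body></html>
"""

# Constructed internal notice that should raise nothing.
NOTICE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Corp HR" <hr@example.com>
Subject: Updated holiday calendar
Content-Type: text/html; charset="utf-8"

<html><body><p>The calendar is at <a href="https://intranet.example.com/calendar">https://intranet.example.com/calendar</a>.</p></body></html>
"""
```

`phishing_indicators(LURE)` returns the two mismatch tags, `spf-fail`, `dmarc-fail`, `link-text-mismatch` and `urgency-language`, while `phishing_indicators(NOTICE)` returns an empty list. The same checks are a useful sanity test of your own simulations: a lure that trips none of them is probably too easy, and one that fails SPF or DMARC at your gateway will not reach anyone unless the sending domain is allow-listed.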
2. USB Drop Campaigns
To run a USB drop campaign, load several ordinary-looking USB drives with a benign tracking file, then leave them in public areas both inside and outside the office. When a drive is plugged in and the file is opened, it reports back which drive it was, on which machine, under which user account, and when. The tracking software is harmless and exists only to record the event; it should never run anything that could damage the host or collect more than is needed to attribute the pickup.
You may wonder whether this test is worth running; as the Department of Defense can likely attest, a dropped drive is an effective way in.
3. Social Engineering
In an effort to stay connected, many people expose large parts of their lives online through social media without a second thought. A clever attacker uses this data to craft an approach that gets their foot in the door: an initial tidbit of information that proves they have a reason to be involved, after which they keep collecting key details to further their goals.
As the administrator of the program, your goal is to attempt the same thing. Pick an employee with a strong social media presence and try to glean information about the inner workings of the company from what they post: job titles and reporting lines, internal tool and project names, office photos with badges or screens visible, travel and out-of-office dates. Be on the lookout for anything sensitive that could be a security risk.
If that doesn't turn up enough, and you offer customer support, contact that support line and use what you found to push for more. Be polite but rushed; make the agent feel they need to bail you out of impending trouble, and see whether that pressure gets them to skip their verification steps.
4. Physical Security Breach
Physical access is full access in most cases. If an attacker can breach your physical security and reach the hardware that holds your data, they are that much closer to taking it for their own ends. A good cyber defense is built on a solid foundation of physical security.
For this test, have a trusted friend, colleague or employee from another location, someone local staff will not recognize, attempt to gain access to your facility without being pre-announced. Have them try to leverage human kindness to get in through the following means:
- Following another employee inside the building through a secure access point
- Stating that they forgot their access credentials
- Catching a door as an employee leaves
Be certain to inform the appropriate personnel, and get the test authorized in writing, before attempting a physical security test so that your trusted partner does not find themselves in actual trouble if they are caught or succeed.
Response to Simulations
If a member of your organization falls victim to one of your simulated attacks, don't respond harshly. Remember that you are trying to train them to be more security-minded: offer additional training centered on the method that tricked them.
The goal of the program is to educate employees about security best practices and build a healthy paranoia in every user who has physical or virtual access to your critical business systems, not to humiliate or punish them for failing a simulation.
A successful security awareness campaign is measured by how many of those failures turn into successes over time. Combining training content with real testing builds a mindfulness towards security that strengthens your overall security posture. At the end of the day, you can have the best security tools money can buy, but they will only be so good without a security-aware staff to go with them.