Skip to main content

Security Awareness Tactics | Week 6

Security awareness is a critical aspect of any information security department. This often involves training, video modules, posters, email announcements, and various other communications. Unfortunately all this effort often falls on deaf ears. Employees represent the largest potential of risk to a company from an information security standpoint; however, it has been my experience that all the training in the world cannot make people disrupt their daily routine and make security a priority. 

There is one technique that I have seen work however. Something that has always gotten people engaged, more recently upset, but always talking about information security. This technique involves sending fake spam emails from our Information Security Department to our end-users, and I would like to share how this process has evolved over the years.  

Our InfoSec department has been using this technique for years now. They first started sending out the emails and tracking click-through rates to see who they were able to fool. All the data was internal and shared with leadership, but the user-base was never made privy to the results and no action plan was ever implemented based on the results.  

Eventually they started sharing out the results in a contest-fashion. The InfoSec team would show the clickthrough rate based on department and tried to encourage the employees to become competitive and lower the rate over time. This got more people talking but didn’t get the results they wanted.  

To add more of a “game” component to it, they next added a fun Easter-egg if someone clicked the link. A gif or meme of some kind would come up humorously shaming the person for clicking the link. The reaction was great and got people talking. Unfortunately, the employees liked the Easter-eggs too much and started purposefully clicking spam links to see where it brought them.  

This leads us to our current iteration of the fake spam emails. New policy was written that would put disciplinary enforcements in place if an employee continues to fall for this trap multiple times. It starts with a warning after one click, mandatory training after 2 clicks, an action plan enacted by HR after 3 clicks, and a termination of employment after 4 clicks. You would have to fall for the fake email 4 straight times to be terminated, but the strict change in the policy changed the attitude here quickly.  

Employees are more aware of the fake spam emails now, and security is absolutely at the forefront of their minds. The means to achieve that however were not well received. As time has gone on with these policies in place, people are realizing that it’s not that difficult to spot the spam emails. Tempers have cooled quite a bit since the policy went into effect, but there is still a sense of hostility towards the process. Still, it doesn’t change the fact that the current process combined with enforceable policy has proven very effective.  

Comments

Post a Comment

Popular posts from this blog

A Balancing Act: When Security Controls Disrupt Operations | Week 10

In an ideal world security controls should integrate seamlessly with business strategy and through policy and procedure support operations.  In reality however  security controls often disrupt operations. From a user perspective an Information Security Department is simply a group of people sitting behind computers all day saying “no” to everyone. Although that is sometimes the case (“no” is a common word in their vocabulary from what I have seen), there are reasons behind it.   This week I want to share a story of how a change in policy and procedure by one security department, disrupted current operational workflow in another. Our AV engineering team works with integration vendors to build out the videoconferencing infrastructure through our offices. One day our director of security decided this  vendor  had too many badges assigned to them and wanted to reel back access to physical locations by limiting the badges to 2.    The reasonin...
Post a Comment
Read more

A Test of Physical Security - A Real World Example | Week 5

I would like to build off last week’s post by sharing a real-world example of how no matter how many security controls you have in place, employee engagement and adherence to policy will inevitably determine their effectiveness.   The organization I work for have two separate departments, one for data security (think workstations, servers, etc.) and the other for physical security (think door/badge access, security cameras, etc.). Both departments are completely separated from each other and operate in their own silos. One day the security operations center who manages the physical security of our buildings decided to run a penetration test. They hired an outside contractor, gave him a “lost employee bade” with basic access, and told him to see what he can gain access to in a day before getting caught.    So  off this contractor went wearing a badge without his picture on it, no knowledge of the key combination to use with the badge, but simply followin...
Post a Comment
Read more

Bitlocker, Filevault, JAMF, and KACE – Auditable Encryption Verification | Week 9

As you can clearly tell from my previous posts, I am a big fan of automated controls. This week I want to share with you a story of a recent computer upgrade. I had an old 2013  Macbook  Air. Our Desktop Engineering team was tasked with rolling out the new OS, Mojave, to all outdated Mac systems. Now my Air was a test Mac I got years ago and never really had much need to upgrade. Through automated controls, specifically a tool called Casper JAMF, our Desktop  Eng  team was able to tell that my Mac was outdated and needed an upgrade.   They reached out to me, set up a time to update, and realized that the hardware was simply too old for the new OS. To accommodate they initiated an update procedure. A new  MacbookPro  was imaged, updated, and given to me. They jumped the gun when they distributed it to me in production however and the disk encryption,  FileVault , was not completed before it left the secured image lab. Once again, the JAMF s...
Post a Comment
Read more