The big staff sting!

Contentious they may be, but targeted attacks on your own employees can be a highly effective information security benchmarking exercise.

Benchmarking the existing information security know-how of your employees is a crucial first step in an effective awareness campaign. Traditionally this takes the form of an online survey that a cross-section of employees completes, which lets you identify the gaps between what they ought to know and what they actually know. There is, however, a more potent approach: simulating information security attacks on your own employees and recording the results. Here are our three favourites – all of which double up as highly memorable ways to ensure employees don’t make the same mistake twice.

The office walk

First of all, simply go for a walk around your office – once at lunchtime and once after everyone has gone home. The aim is to compile a list of everything that could have been stolen had you been an information thief. Count the laptops, mobile devices, DVDs, CDs, memory sticks and hard drives left out on desks, not to mention ID cards, wallets, purses, keys, handbags, rucksacks and other personal items of value. Look for username/password reminders and confidential paper documents (check under the photocopier lid and on fax machines too). I’ve even heard of an example where employees turned up one morning to find a big note on their computer screen with ‘you have been robbed’ written on it, together with a list underneath of what could have been taken.

The phishing email

Host a secure phishing site on an external server, add its URL as a link in an email, and present a compelling reason to click on it. A good example is an email from HR instructing employees to visit a webpage to read an important, confidential company statement, which requires them to log in with their IT username and password. Make the email as realistic as possible. Send it to all employees and see how many take the bait.

The fake IT helpdesk

Telephone a cross-section of employees from your IT helpdesk number and tell them that you need to reset their password because of a system error. Ask them for their current username/password and see how many fail to observe the commandment of ‘thou shalt not divulge thy password to anyone who requests it under any circumstances’.

A few caveats

There are of course a few caveats to this – most obviously, do nothing that compromises your own information security. Most important, though, is not to treat this as a naming and shaming exercise. If you wish to draw attention to a serious knowledge gap, release figures, not names. Furthermore, the mere fact that you have been actively testing employees is often impetus enough for them to pay more attention to information security.
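As an added example that is not part of the original article, the following Python script turns simulated-phishing results into the kind of figures the caveats call for: click and credential-submission rates per department, with any department too small to hide in folded into an "Other" bucket rather than reported. The department names, user ids, outcomes and the MIN_GROUP threshold are all constructed assumptions.

```python
"""Turn simulated-phishing results into figures, not names.

Added example, not code from the original article. EVENTS is constructed
sample data: one record per employee who received the test email, whether
they clicked the link, and whether they typed credentials into the
(harmless) landing page. Departments and user ids are hypothetical.
"""
from collections import defaultdict

EVENTS = [
    {"user": "u001", "dept": "Finance", "clicked": True, "submitted": True},
    {"user": "u002", "dept": "Finance", "clicked": True, "submitted": False},
    {"user": "u003", "dept": "Finance", "clicked": False, "submitted": False},
    {"user": "u004", "dept": "Finance", "clicked": False, "submitted": False},
    {"user": "u005", "dept": "HR", "clicked": True, "submitted": True},
    {"user": "u006", "dept": "HR", "clicked": False, "submitted": False},
    {"user": "u007", "dept": "IT", "clicked": False, "submitted": False},
    {"user": "u008", "dept": "IT", "clicked": False, "submitted": False},
    {"user": "u009", "dept": "IT", "clicked": True, "submitted": False},
    {"user": "u010", "dept": "IT", "clicked": False, "submitted": False},
]

# Assumed threshold: a department smaller than this is folded into "Other",
# because a rate reported for a two-person team all but names the clicker.
MIN_GROUP = 4


def _rates(n, clicked, submitted):
    return (n, round(clicked / n, 2), round(submitted / n, 2))


def summarise(events, min_group=MIN_GROUP):
    """Return {group: (recipients, click_rate, submit_rate)}; no user ids."""
    counts = defaultdict(lambda: [0, 0, 0])  # recipients, clicked, submitted
    for e in events:
        counts[e["dept"]][0] += 1
        counts[e["dept"]][1] += e["clicked"]
        counts[e["dept"]][2] += e["submitted"]
    report, other = {}, [0, 0, 0]
    for dept, (n, c, s) in sorted(counts.items()):
        if n >= min_group:
            report[dept] = _rates(n, c, s)
        else:
            other = [other[0] + n, other[1] + c, other[2] + s]
    # Publish "Other" only if it is itself large enough to hide in;
    # otherwise those recipients appear only in the company-wide "All" row.
    if other[0] >= min_group:
        report["Other"] = _rates(*other)
    report["All"] = _rates(len(events), sum(e["clicked"] for e in events),
                           sum(e["submitted"] for e in events))
    return report
```

Calling summarise(EVENTS) on the constructed data reports Finance, IT and All, and omits the two-person HR team entirely.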