by Ed Tittel, Kim Lindros

How to Test the Security Savvy of Your Staff

Feb 24, 20146 mins
Data and Information SecurityData BreachPhishing

How do you know your employees retain what you teach them in company-required security awareness training? You don't -- unless you regularly test their security savvy and effectively address their mistakes during post-test follow-up sessions.

Security can be an acute pain point for CIOs. There might be nothing that causes more sleepless nights than ensuring the security of an organization’s data and systems. Specialists fortify the network perimeter with firewalls and IDPSs, segment the network and perform regular audits and rigorous assessments. They also classify data and isolate critical files, and follow best practices regarding least privilege and security policies.

Unfortunately, these efforts are vulnerable to the actions of undereducated or malicious users. In its 2013 global, the Ponemon Institute estimates that the average total cost of a data breach in the United States is just over $5.4 million. Roughly 67 percent of the incidents resulted from a malicious or criminal attack or a system glitch, but 33 percent are attributed to the human factor, such as a negligent employee or contractor. It can all start with a single click on the wrong link in an email or trusting an imposter.

[ Study: Most Data Breaches Caused by Human Error, System Glitches ]

[ How-to: Address the Human Element of Data Security ]

User training is an essential part of any security program. Most employees aren’t IT or security experts. Nor should you expect them to be. The purpose of security training and awareness is to provide all employees with basic security knowledge, as well as appropriate actions to take when presented with a possible security situation.

Technology must be accompanied by awareness training to protect against social engineering and phishing, two common causes of data leakage and breaches. However, once you’ve spent time and budget delivering a terrific training program, how do you know your employees have retained the information they learned and are putting it to good use?

4 Security Testing Approaches That Surprise Employees

Testing your employee’s security savviness helps you detect who is or might be prone to giving away sensitive organization or customer information. Approaches to testing include the following:

Administer quizzes. The folks who host security awareness training should administer multiple-choice quizzes during training and a few times each year at random. Post a Web-based quiz and vary the questions so employees don’t get used to a pattern or share answers in order to get it over with as quickly as possible.

Perform random work area checks. Employees can become desensitized or complacent to the information around them. Check employee desk security for documents and sticky notes that contain confidential information. Are they out in the open so anyone walking by can view or take them? See if filing cabinets are locked and if document storage boxes are left in unlocked work areas. Also check whether employees’ computers are still logged on, without password protection, when they’re away from their desk.

Become a white hat social engineer. Appoint a staff member who isn’t well known in the organization (or hire a consultant) to call employees or stop by their desks, requesting confidential information such as logon credentials or information in a non-public document. The social engineer should have a “pertinent” story ready as to why he or she needs the information.

[ Feature: 6 Ways Employees Put Company Data at Risk ]

[ Tips: How to Prevent Thumb Drive Security Disasters ]

Simulate phishing email attacks. A phishing email contains links to malicious websites or payload-filled attachments. The email is designed to look legitimate, which throws off the typical user. One of the best ways to find out if employees are mindful of phishing emails is to send some to their inboxes. Your test emails should contain some clues that they are not from the purported sender (for post-testing educational purposes) and contain links that go to a safe website. The site could simply be a page that says, “Security awareness training — phishing test in progress.” Security technicians can gather IP addresses of visitors to the page to monitor which employees visited the site and therefore clicked the link.

If your staff is short on time, consider hiring a third party to help you perform simulated phishing attacks. Companies such as KnowBe4 and OneLogin either perform the tests on your employees or provide you with a portal that requires you to enter employee email addresses. You’ll get reports detailing the results of the tests to use for additional training.

Follow Up on Security Tests

Talk to employees who click on a phishing link or fall for social engineering tricks as soon as possible. Explain that, although this was only a test, the next incident could be real and result in the theft of important organization or customer data. Your goal isn’t to embarrass or belittle your staff but, rather, to further educate them and deepen your organization’s security posture.

Organizations that must adhere to government regulations should stress the consequences of a security breach on their compliance status. Failing to maintain effective security, even as a result of user error, can result in an organization being out of compliance and might lead to criminal, legal or financial penalties.

[ Related: How to Prevent Healthcare Data Breaches — and What to Do If You’re a Victim ]

[ Also: Wall Street Sets Example for Testing Security Defenses ]

IT should consider performing a second test on this subset of employees within a few weeks to gauge workers progress. Some employees might need additional tests and reminders before they internalize the gravity of potential security breaches.

In discussions with employees after phishing tests, point out elements of the phishing email that should raise red flags. For example, an email that contains spelling and grammatical errors, or threatening language, is most likely bogus. The sender’s URL can offer clues as well, especially if it contains an IP address or originates from a domain other than the alleged company’s domain.

When it comes to social engineering, many employees feel that security is someone else’s problem, from security guards to management; others are simply reluctant to get involved. Make them feel empowered to stop and ask an unknown person why they’re in the building and coach them on how to ask for credentials in a professional manner. Regardless of the type of test, emphasize the appropriate steps the employees should have taken, such as contacting a supervisor or the security department immediately.

It’s not just general employees who are prone to security gaffes — senior managers struggle with security policies and guidelines, too.

After a round of testing and follow-ups, create a list of lessons learned to improve your program. Remember: A good security awareness program should be ongoing, interactive, include different learning formats and have repetition built in. Post security awareness signs around the workplace, schedule short workshops and seminars and be sure to recognize employees who have demonstrated that they take security as seriously as you do.