SOCIAL ENGINEERING AWARENESS PROGRAMS: PART 3
Reinforcement and Incentivization
The opinions expressed in this post do not necessarily reflect those of Joe’s employers: past, present, or future. While I am a security professional, I am not your security professional. The data included in this post is sound by current industry parameters; your mileage may vary.
At this point in the awareness life cycle, the culture has been set, and training has been designed and conducted. The goal now is to reinforce that training and to reward the people who thwart attacks or report attempts, whether for a single “interesting” report or for consistent volume of reports. Note: be careful with incentives. Wells Fargo is an instructive example of what happens when people are financially rewarded for a metric they can game.
Now that training is complete and people have returned to their normal tasking, it is time to keep security, and social engineering in particular, at the forefront of their minds. This is critical for long-term retention.
To reinforce the training, I have used a program called the “Security Thought of the Month,” which I abbreviate as STOM. Each concept runs for two months: the first is a training month, the second a testing month. During the training month, an initial email lays the foundation for the concept, and each week thereafter a short email (a paragraph or less) reinforces the earlier email(s) for that month.
Testing occurs in the second month. For some concepts, social engineering included, testing should occur more often than once per year; I recommend an ongoing testing campaign that rotates through different user groups each month. Services from organizations such as PhishMe, Social-Engineer.com, and Sword and Shield Enterprise Security let companies test their people’s ability to recognize a phish and resist clicking it.
I also recommend that social engineering be included in any penetration testing the organization is subject to. If no such testing is required or desired, organizations like those mentioned above also perform standalone social engineering penetration tests. Either way, the company gets an accurate picture of how prone its employees are to a variety of social engineering attacks.
Hand in hand with reinforcement goes incentivization. When people do the right thing or save the organization from a catastrophe, they should be rewarded. I like challenge coins and free time off; for time off, I recommend awarding it in 10-minute increments, with a minimum of 60 minutes accrued before it can be taken. Shirts, parking spots, and gift certificates are other rewards I have seen work. Again, be cautious about which incentives you use: Wells Fargo employees demonstrated a misuse scenario that, once revealed, was almost worse than any attack could have been.
In conclusion, training alone is not enough. Reinforcement must be an ongoing process; keeping the concepts fresh in the minds of the organization’s people is a critical step in preventing a catastrophe that starts from the outside. People must be equipped to determine what is legitimate and what is not, and subjecting them to realistic scenarios is an effective way to accomplish this.
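As an added example (not code from this post or from any of the vendors named above), here is a small Python tracker for the two pieces described above: the ongoing simulation campaign that rotates through user groups each month, scored by click rate and report rate, and the time-off credits for reporters (10-minute increments, redeemable once 60 minutes accrue). The group names, event records, and credit values are all hypothetical and constructed for the example; a real program would feed it the results exported from whatever simulation service it uses.

```python
"""Phishing-simulation campaign tracker (added example, not from the post).

Assumptions, all hypothetical: one user group is targeted per month on a
fixed rotation, results arrive as simple event records, and each reported
simulation earns a fixed time-off credit that becomes redeemable once the
balance reaches the post's suggested 60-minute minimum.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical user groups; each month one group receives the simulated phish.
GROUPS = ["Finance", "HR", "Engineering", "Sales"]

REPORT_CREDIT_MINUTES = 10      # credit per reported simulation (assumption)
REDEEM_THRESHOLD_MINUTES = 60   # minimum balance before time off can be taken


def group_for_month(month: int, groups=GROUPS) -> str:
    """Rotate groups so every group is tested once per len(groups) months."""
    if month < 1:
        raise ValueError("months are 1-based")
    return groups[(month - 1) % len(groups)]


def stom_calendar(concepts: list[str]) -> list[tuple[int, str, str]]:
    """Two-month STOM cycle: month 1 trains a concept, month 2 tests it."""
    calendar = []
    for i, concept in enumerate(concepts):
        calendar.append((2 * i + 1, concept, "training"))
        calendar.append((2 * i + 2, concept, "testing"))
    return calendar


@dataclass(frozen=True)
class Event:
    month: int
    user: str
    group: str
    outcome: str  # "clicked", "reported", "ignored", or "clicked_then_reported"


CLICK_OUTCOMES = {"clicked", "clicked_then_reported"}
REPORT_OUTCOMES = {"reported", "clicked_then_reported"}


def off_schedule(events):
    """Events whose group does not match the month's scheduled group.
    These usually mean a distribution-list mistake and would skew the rates."""
    return [e for e in events if e.group != group_for_month(e.month)]


def group_metrics(events):
    """Per-group click and report rates. A user who clicked and then reported
    counts toward both: the click is still a miss, but the report is exactly
    the behaviour the program wants to reward."""
    targets, clicks, reports = defaultdict(int), defaultdict(int), defaultdict(int)
    for e in events:
        targets[e.group] += 1
        if e.outcome in CLICK_OUTCOMES:
            clicks[e.group] += 1
        if e.outcome in REPORT_OUTCOMES:
            reports[e.group] += 1
    return {
        g: {"targets": targets[g],
            "click_rate": clicks[g] / targets[g],
            "report_rate": reports[g] / targets[g]}
        for g in targets
    }


def report_credits(events):
    """Minutes of time-off credit accrued per user, one award per report."""
    credits = defaultdict(int)
    for e in events:
        if e.outcome in REPORT_OUTCOMES:
            credits[e.user] += REPORT_CREDIT_MINUTES
    return dict(credits)


def redeemable_minutes(balance: int) -> int:
    """Time off that may be taken now: nothing below the threshold, otherwise
    the balance rounded down to whole 10-minute increments."""
    if balance < REDEEM_THRESHOLD_MINUTES:
        return 0
    return balance - balance % REPORT_CREDIT_MINUTES


# Constructed sample events for three testing months (not real data).
SAMPLE_EVENTS = [
    Event(2, "alice", "HR", "reported"),
    Event(2, "bob", "HR", "clicked"),
    Event(2, "carol", "HR", "ignored"),
    Event(2, "dave", "HR", "clicked_then_reported"),
    Event(4, "erin", "Sales", "reported"),
    Event(4, "frank", "Sales", "reported"),
    Event(4, "grace", "Sales", "clicked"),
    Event(6, "alice", "HR", "reported"),
    Event(6, "bob", "HR", "ignored"),
    Event(6, "carol", "HR", "ignored"),
    Event(6, "dave", "HR", "reported"),
]

if __name__ == "__main__":
    for month, concept, phase in stom_calendar(["Phishing", "Tailgating"]):
        print(f"month {month}: {concept} ({phase}), target group {group_for_month(month)}")
    print("off-schedule events:", off_schedule(SAMPLE_EVENTS))
    for group, m in group_metrics(SAMPLE_EVENTS).items():
        print(f"{group}: {m['targets']} targets, click {m['click_rate']:.0%}, report {m['report_rate']:.0%}")
    for user, minutes in report_credits(SAMPLE_EVENTS).items():
        print(f"{user}: {minutes} min accrued, {redeemable_minutes(minutes)} min redeemable")
```

The report rate is the number to watch over time, more so than the click rate: a group whose click rate is flat but whose report rate climbs is exactly the reinforcement effect the STOM cycle is after, and the per-user credit ledger is what you would hand to whoever signs off on the time off.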