SOCIAL ENGINEERING AWARENESS PROGRAMS: PART 5
MAINTAINING THE PROGRAM
The opinions expressed in this post do not necessarily reflect those of Joe’s employers: past, present, or future. While I am a security professional, I am not your security professional. The data included in this post is sound by current industry parameters; your mileage may vary.
Now that the program has been implemented and we have planned for the good and the bad, we come to what I earlier called the ugly: maintenance. This is where we keep the culture in place, address new issues, and reinforce the knowledge and application of the training concepts in a practical setting. Despite the label, this phase is straightforward as long as the program is actively maintained.
In this phase we continue to educate and test the people. The main training should be delivered annually or semi-annually. On a monthly basis, I recommend a Security Thought of the Month (STOM) program that conveys concepts (applicable both inside and outside of information security and social engineering) to users in small pieces. Over a 4-week cycle, the program can run as follows:
- Week 1: Send a short email (3-5 paragraphs) to all users explaining the core concepts of the topic. Keep it elementary; it only lays the foundation for the remaining weeks.
- Week 2: Send a couple of paragraphs building on the initial email. Start to explain the applicability of the topic and its concepts.
- Week 3: Send a couple more paragraphs with slightly more advanced concepts than week 2. This is where you begin to discuss attacks and defenses.
- Week 4: Send a concluding paragraph that tells users what the organization expects of them and what actions are required. Convey their role in the process and empower them to make the right decision. Leave the door open for questions.
Next comes the dreaded and unpopular part of maintenance: testing. In this part you will send simulated phishing emails. They can be developed in-house or through a service such as PhishMe. They should not go to the whole organization at once, but rather in 3 or 4 groups. This reduces the chance that people alert others to the test, and since users will know that testing may occur at any time, it keeps them on their toes with heightened awareness. Vary the lure and the send time between groups; otherwise a warning about the first group's email defeats the test for the rest.
I recommend sending a minimum of 1, and ideally 2 or 3, test emails to each user annually. If a user falls victim, conduct remedial training and include them in the next cycle. In the remedial training, explain that this was a test and reiterate the proper steps and procedures. Reinforcement is better than punishment, unless malicious intent was involved. As with any process, review this annually and refresh the training and concepts to include the most current threats and trends so users are up to date with what they may see.
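The scheduling and bookkeeping behind the testing described above is easy to get wrong by hand, so here is an added example (my own code, not from the original post or from any phishing-simulation product) that splits a user list into staggered send groups, guarantees each user a set number of tests per year, computes per-wave click and report rates, and builds a remediation queue that is carried into the next cycle. The user names and results are constructed sample data, and placing clickers in the first wave of the next cycle is an assumption of this example, not something the post prescribes.

```python
"""Added example: scheduling staggered phishing tests and tracking who needs
remedial training.  The user list and results below are constructed sample
data, not real campaign output."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str       # user identifier (assumed: e-mail local part)
    wave: int       # which send wave the lure went out in
    clicked: bool   # followed the link or opened the attachment
    reported: bool  # reported the message to security


def split_into_groups(users, n_groups, seed):
    """Deal users into n_groups after a seeded shuffle, so a whole team or an
    alphabetical run does not land in the same wave and warn each other."""
    if n_groups < 1:
        raise ValueError("n_groups must be >= 1")
    pool = list(dict.fromkeys(users))        # drop duplicates, keep order
    random.Random(seed).shuffle(pool)        # seeded: the plan is reproducible
    return [pool[i::n_groups] for i in range(n_groups)]


def schedule_year(users, tests_per_user, n_groups, seed):
    """Return the year's send waves.  Every user appears in exactly
    tests_per_user waves; each wave holds about 1/n_groups of the population.
    Groups are reshuffled on each pass so the same people are not always
    tested together."""
    waves = []
    for pass_no in range(tests_per_user):
        waves.extend(split_into_groups(users, n_groups, seed + pass_no))
    return waves


def campaign_metrics(results):
    """Per-wave click rate and report rate: the two numbers to trend.  A
    falling click rate and a rising report rate mean the program is working."""
    by_wave = defaultdict(list)
    for r in results:
        by_wave[r.wave].append(r)
    metrics = {}
    for wave, rs in sorted(by_wave.items()):
        n = len(rs)
        metrics[wave] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return metrics


def remediation_queue(results):
    """Users who fell for at least one lure, with their click count, worst
    first.  Clicking and then reporting still counts as a click: the report is
    good, but the click is what the remedial session has to address."""
    clicks = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted(clicks.items(), key=lambda kv: (-kv[1], kv[0]))


def next_cycle(users, results, n_groups, seed):
    """Build the next cycle's waves.  Everyone is tested again, but users in
    the remediation queue are placed in the first wave (an assumption of this
    example) so the retest follows their remedial training promptly rather
    than months later."""
    retest = [u for u, _ in remediation_queue(results)]
    retest_set = set(retest)
    others = [u for u in dict.fromkeys(users) if u not in retest_set]
    waves = split_into_groups(others, n_groups, seed)
    waves[0] = retest + waves[0]
    return waves


# Constructed sample data: eight users and the outcome of three send waves.
SAMPLE_USERS = ["ana", "ben", "cara", "dev", "eli", "fay", "gus", "hal"]
SAMPLE_RESULTS = [
    Result("ana", 1, clicked=True, reported=False),
    Result("ben", 1, clicked=False, reported=True),
    Result("cara", 2, clicked=False, reported=False),
    Result("dev", 2, clicked=True, reported=True),
    Result("fay", 2, clicked=False, reported=False),
    Result("ana", 3, clicked=True, reported=False),
    Result("eli", 3, clicked=False, reported=True),
    Result("gus", 3, clicked=False, reported=True),
]

if __name__ == "__main__":
    for i, wave in enumerate(schedule_year(SAMPLE_USERS, 2, 4, seed=1), 1):
        print(f"wave {i}: {wave}")
    print(campaign_metrics(SAMPLE_RESULTS))
    print("remedial training:", remediation_queue(SAMPLE_RESULTS))
    print("next cycle:", next_cycle(SAMPLE_USERS, SAMPLE_RESULTS, 4, seed=2))
```

The seeded shuffle matters: it lets you reproduce and audit a year's plan, while still breaking up teams so one group cannot tip off the next. Track click rate and report rate per wave rather than a single annual number; the trend between waves is what tells you whether the monthly STOM content and the remedial sessions are changing behaviour.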
In conclusion, a social engineering awareness program can be a low-cost tool that helps save your organization from disaster. To be realistic, the program should cover the whole life cycle and include planning for obstacles. The methods provided in this blog series will help enhance the security of your organization, and the framework can be applied to other aspects of information security as well. I hope you will be able to apply this in your organization and see the same success that I have.