Assessing Security Culture within a Company

Scenario

  • Employees at SilverCorp are increasingly using their own personal devices for company work.

  • Specifically, over half of all employees check their work email and communications via Slack on their personal mobile phones.

  • Another 25% of employees are doing other work-related activities using work accounts and work-related applications on their personal phone.

  • Allowing sensitive work information to be shared on employees’ personal devices has a number of security implications.

Step 1: Measure and Set Goals

Indicate the potential security risks of allowing employees to access work information on their personal devices. Identify at least three potential attacks that can be carried out.

  • The employee loses their device, or it gets stolen.

  • Malware from an infected personal device is introduced to the office network.

  • An attacker can carry out a MitM attack if they have done reconnaissance on the worker and show up at the same Starbucks at the same time as the worker, or at the employee’s hotel; basically any public Wi-Fi.

  • Phishing.

Based on the above scenario, what is the preferred employee behavior?

The preferred employee behavior would be not connecting to public Wi-Fi when using a personal phone for work data. I would say employees shouldn’t connect work-related phones to any Wi-Fi other than the office’s. If they have to work from home, they would use a VPN. I would give all employees Tiles, so that if a phone were lost or stolen they could track it. There would also be employee awareness training, in which employees are trained to recognize phishing emails and not click suspicious links.

What methods would you use to measure how often employees are currently not behaving according to the preferred behavior?

I would keep track of all devices connected to the office network to see who does not connect through it. I would also run routine network scans to see whether any phones have been connected to outside networks other than the VPN. The office would also log VPN connections. I would also have employees take a survey to see how often they receive or click on suspicious emails.

What is the goal that you would like the organization to reach regarding this behavior?

For a big company, the goal would be that only 5% of workers lose their phones, connect to outside networks, or get scammed by phishing.
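To make the measurement methods above concrete, here is an added example (my own illustration, not part of the original assignment) that turns the three behaviors into a single non-compliance metric and compares it with the 5% goal. It assumes a constructed login log of work-account sign-ins (timestamp, user, source IP), constructed office and VPN address ranges, and a constructed self-report survey covering suspicious-link clicks and lost or stolen devices; all of these are placeholders, not SilverCorp data. A login from an address outside the office or VPN ranges counts as "connected to an outside network".

```python
import ipaddress
from collections import defaultdict

# Constructed address ranges (assumptions for this example, not real SilverCorp ranges).
OFFICE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
VPN_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Constructed work-account login log, one event per line: "timestamp user source_ip".
LOGIN_LOG = """\
2024-03-01T08:02:11 alice 10.10.4.21
2024-03-01T12:45:03 alice 10.200.0.17
2024-03-01T09:10:44 bob 10.10.4.30
2024-03-02T19:22:09 bob 203.0.113.45
2024-03-02T07:55:00 carol 10.200.0.52
2024-03-03T13:14:15 dave 198.51.100.7
2024-03-03T09:00:00 erin 10.10.5.2
"""

# Constructed self-report survey answers: user -> answers.
SURVEY = {
    "alice": {"clicked_suspicious": False, "lost_device": False},
    "bob": {"clicked_suspicious": False, "lost_device": False},
    "carol": {"clicked_suspicious": True, "lost_device": False},
    "dave": {"clicked_suspicious": False, "lost_device": False},
    "erin": {"clicked_suspicious": False, "lost_device": True},
}

GOAL_PERCENT = 5.0  # the page's target: at most 5% of workers show any of the behaviors


def is_approved_source(ip_str):
    """True when the source address lies inside the office LAN or the VPN pool."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in OFFICE_NETS + VPN_NETS)


def parse_login_log(text):
    """Parse 'timestamp user ip' lines into (timestamp, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((ts, user, ip))
    return events


def find_violations(log_text, survey):
    """Map each non-compliant user to the set of behaviors observed for them."""
    violations = defaultdict(set)
    for _ts, user, ip in parse_login_log(log_text):
        if not is_approved_source(ip):
            violations[user].add("outside_network")
    for user, answers in survey.items():
        if answers["clicked_suspicious"]:
            violations[user].add("phishing_click")
        if answers["lost_device"]:
            violations[user].add("lost_device")
    return dict(violations)


def count_by_behavior(log_text, survey):
    """How many users showed each behavior (a user may appear under several)."""
    counts = defaultdict(int)
    for behaviors in find_violations(log_text, survey).values():
        for b in behaviors:
            counts[b] += 1
    return dict(counts)


def noncompliance_rate(log_text, survey):
    """Percentage of all known users with at least one non-compliant behavior."""
    users = set(survey) | {user for _ts, user, _ip in parse_login_log(log_text)}
    violators = find_violations(log_text, survey)
    return 100.0 * len(violators) / len(users)


def meets_goal(log_text, survey, goal=GOAL_PERCENT):
    """True when the measured rate is at or below the organizational goal."""
    return noncompliance_rate(log_text, survey) <= goal


if __name__ == "__main__":
    print("violations:", find_violations(LOGIN_LOG, SURVEY))
    print("by behavior:", count_by_behavior(LOGIN_LOG, SURVEY))
    print(f"non-compliance rate: {noncompliance_rate(LOGIN_LOG, SURVEY):.1f}%")
    print("meets 5% goal:", meets_goal(LOGIN_LOG, SURVEY))
```

Re-running the same functions after each training cycle gives the trend line for the goal; the per-behavior counts show which of the three behaviors is driving the rate, so training can focus on it.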

Step 2: Involve the Right People

Now that you have a goal in mind, who needs to be involved?

“COO: Responsible for ensuring an organization can function effectively every day. Can look over the logs/surveys.

CISO: Manages risk to an organization’s data throughout its lifecycle. Can analyze the data from the logs/surveys to assess risk.

CFO: Charts and monitors the company’s financial trajectory, helping ensure the company uses its finances wisely. Can use CBAs to see if the costs outweigh the benefits in regard to these extra security measures.

CIO: Develops IT systems that support the business. Can implement the technical aspects of the security plan such as scanning the network, updating patches, etc.

CEO: Responsible for plotting the overall direction of the company. Oversees everyone listed above and helps provide resources to help implement the security plan.” (Slides 11, 12).

Step 3: Training Plan

How frequently will you run training? What format will it take? (e.g., in-person, online, or a combination of both)

What topics will you cover in your training and why?

After you’ve run your training, how will you measure its effectiveness?

First, I would have all employees take surveys before training to get a baseline for their knowledge of internet safety, phishing, and keeping track of company items. Then, I would run a combination of online and in-person training once every year as a refresher. I would have the employees watch online videos teaching them about internet safety, phishing, and keeping track of company property. After each video, I would have them take an online quiz, and they would have to pass with at least 80% to move on to the next video. The in-person training would include live demonstrations of phishing emails, what malware looks like, how to detect a scam, and ways to keep track of company-issued electronics. Every new employee would have to take both the in-person and the online courses.

The topics covered in training would include an overview of the company (its history and some of its cybersecurity risks) and phishing scams (emphasizing not clicking unfamiliar links in external e-mail). They would also include information about common types of hacking tricks such as malware, ransomware, code injection, and brute force, as well as examples of data breaches at other companies. The company would apply least privilege and set a policy requiring employees to change their passwords every few months. In addition to the online training, employees would be encouraged to install anti-malware software on their personal devices and to encrypt all data on both company and personal devices, and would be taught habits such as not using personal USB drives and logging out of and turning off their workstations when they clock out.

I would measure the effectiveness of the training by reviewing the quiz results, running new surveys, and comparing the new answers with the old answers. I would also have a penetration tester run simulated phishing and malware campaigns to see whether employees are aware enough to catch them, and I would conduct employee feedback surveys.
