How to test the security savvy of your staff

Kim Lindros and Ed Tittel

Security can be an acute pain point for CIOs. There might be nothing that causes more sleepless nights than ensuring the security of an organization's data and systems. Specialists fortify the network perimeter with firewalls and intrusion detection and prevention systems (IDPSs), segment the network, and perform regular audits and rigorous assessments. They also classify data, isolate critical files, and follow best practices for least privilege and security policy.

Unfortunately, these efforts are vulnerable to the actions of undereducated or malicious users. In its 2013 global study, the Ponemon Institute estimates that the average total cost of a data breach in the United States is just over $5.4 million. Roughly 67 percent of the incidents resulted from a malicious or criminal attack or a system glitch, while 33 percent were attributed to the human factor, such as a negligent employee or contractor. It can all start with a single click on the wrong link in an email, or with trusting an impostor.

User training is an essential part of any security program. Most employees aren't IT or security experts. Nor should you expect them to be. The purpose of security training and awareness is to provide all employees with basic security knowledge, as well as appropriate actions to take when presented with a possible security situation.

Technology must be accompanied by awareness training to protect against social engineering and phishing, two common causes of data leakage and breaches. However, once you've spent time and budget delivering a terrific training program, how do you know your employees have retained the information they learned and are putting it to good use?

4 Security Testing Approaches That Surprise Employees
Testing your employees' security savvy helps you identify who is, or might be, prone to giving away sensitive organization or customer information. Approaches to testing include the following:

Administer quizzes. The people who run security awareness training should administer multiple-choice quizzes during training and a few times each year at random. Post a Web-based quiz and vary both the questions and the order of the answer choices, so employees don't learn a pattern or share answers in order to get it over with as quickly as possible.
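One way to vary the questions per employee while still being able to grade the results, as an added example that is not part of the original article: derive a per-employee, per-round seed with an HMAC over the employee ID and quiz round, use it to sample questions from a bank and shuffle the answer options, and rebuild the same variant at grading time instead of storing every generated quiz. The question bank, employee IDs, round name and secret below are constructed for illustration.

```python
import hashlib
import hmac
import random

# Constructed question bank; wording is illustrative, not from the article.
QUESTION_BANK = [
    {"id": "q1",
     "text": "An email from 'IT Support' asks you to confirm your password by clicking a link. You should:",
     "options": ["Click the link and confirm", "Report the email to the security team",
                 "Forward it to a colleague to check", "Reply and ask who sent it"],
     "answer": "Report the email to the security team"},
    {"id": "q2",
     "text": "A caller says they are from the help desk and needs your logon credentials to fix an outage. You should:",
     "options": ["Read out your password", "Decline and verify through a known help desk number",
                 "Give only your username", "Email the password instead"],
     "answer": "Decline and verify through a known help desk number"},
    {"id": "q3",
     "text": "You step away from your desk for ten minutes. Your workstation should be:",
     "options": ["Left logged on to save time", "Locked with a password-protected screen",
                 "Switched off at the wall", "Left logged on with the monitor turned off"],
     "answer": "Locked with a password-protected screen"},
    {"id": "q4",
     "text": "A document marked Confidential is found on a shared printer. You should:",
     "options": ["Leave it for the owner", "Recycle it",
                 "Return it to the owner or shred it per policy", "Read it to find the owner"],
     "answer": "Return it to the owner or shred it per policy"},
    {"id": "q5",
     "text": "The safest place to keep the passwords you cannot remember is:",
     "options": ["A sticky note under the keyboard", "An approved password manager",
                 "A text file on the desktop", "Your email drafts folder"],
     "answer": "An approved password manager"},
]


def derive_seed(secret: bytes, employee_id: str, round_id: str) -> int:
    """Per-employee, per-round seed from an HMAC. Variants are reproducible for
    grading (no need to store each generated quiz) but not predictable by
    employees, who cannot derive a colleague's variant without the secret."""
    msg = f"{employee_id}\x00{round_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def build_quiz(employee_id, round_id, secret, n_questions=3, bank=QUESTION_BANK):
    """Sample n_questions from the bank and shuffle each question's options,
    deterministically for the given (employee_id, round_id, secret)."""
    rng = random.Random(derive_seed(secret, employee_id, round_id))
    chosen = rng.sample(bank, min(n_questions, len(bank)))
    quiz = []
    for q in chosen:
        options = list(q["options"])
        rng.shuffle(options)  # answer position differs per employee
        quiz.append({"id": q["id"], "text": q["text"], "options": options})
    return quiz


def grade(employee_id, round_id, secret, responses, n_questions=3, bank=QUESTION_BANK):
    """responses maps question id -> index of the option picked in that
    employee's own variant. The variant is rebuilt to resolve the index."""
    answers = {q["id"]: q["answer"] for q in bank}
    quiz = build_quiz(employee_id, round_id, secret, n_questions, bank)
    correct = 0
    for q in quiz:
        idx = responses.get(q["id"])
        if idx is not None and 0 <= idx < len(q["options"]) \
                and q["options"][idx] == answers[q["id"]]:
            correct += 1
    return correct, len(quiz)


if __name__ == "__main__":
    secret = b"rotate-me-each-year"  # constructed; keep the real one out of the quiz system's front end
    for emp in ("e1001", "e1002"):
        for q in build_quiz(emp, "2024-Q1", secret):
            print(emp, q["id"], q["options"])
```

Because the secret, not the generated variant, is what must be protected, keep it in the grading service only; an employee who sees their own quiz learns nothing about what a colleague will be asked. Rotating the round ID each time the quiz is reissued gives everyone a fresh variant without touching the bank.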

Perform random work area checks. Employees can become desensitized to the information around them, or complacent about it. Check employees' desks for documents and sticky notes that contain confidential information. Are they out in the open where anyone walking by can view or take them? See whether filing cabinets are locked and whether document storage boxes are left in unlocked work areas. Also check whether employees' computers are still logged on, without a password-protected lock, when they're away from their desks.

Become a white hat social engineer. Appoint a staff member who isn't well known in the organization (or hire a consultant) to call employees or stop by their desks and request confidential information such as logon credentials or the contents of a non-public document. The social engineer should have a plausible pretext ready for why he or she needs the information. Agree on the scope and get management sign-off in writing before starting, and never actually use any credentials that are handed over; the point is to record who disclosed them, not to log on.
