The large staff hurts a lot! Targeted attacks on your own staff can be a very useful information security benchmarking exercise, even if they are divisive. One of the most important first steps in building a successful awareness campaign is to benchmark the information security knowledge your staff already have. In its usual form this is an online survey completed by a representative sample of employees, which lets you find the gaps between what people should know and what they actually know. There is, however, a more effective method: simulate attacks on information security against your own staff and record the outcomes. Below are our three favourites, each of which is a very memorable way to make sure staff do not repeat the same mistake.

The stroll through the workplace

First, take a walk around your workplace. Do this twice: once at lunchtime and once after everyone has gone home. The aim is to list everything you could have taken had you been someone out to steal information. It is enough to count the laptops, mobile devices, DVDs, CDs, memory sticks and hard drives left out on desks, together with the identity cards, wallets, purses, keys, handbags, rucksacks and other valuable personal items that have been forgotten about. Look for any written reminders of logins and passwords, and for confidential paper documents (check under the photocopier lid and on fax machines too). I have even heard of a case in which staff arrived at work one morning to find a large message on their screens saying, "You have been robbed", followed by a list of the items that could have been taken from the premises.
The phishing email

Host a secure phishing website on an external server, include its URL as a link in an email, and give a persuasive reason for the recipient to click. A good example is an email apparently from human resources telling staff to visit a website to read an important and sensitive company announcement; to reach the page they must sign in with their IT login and password. Make the email as realistic as you can, send it to all staff, and see how many take the bait.

The fraudulent IT helpdesk

Call a representative sample of your staff from your IT helpdesk number and tell them that, because of a system problem, you need to change their password. Then ask for their current login and password. This is where the commandment "thou shalt not give thy password to anybody who asks for it, under any circumstances" applies; count how many people break it.

A few qualifications

This is, of course, subject to a few qualifications, the most important being that you must not do anything that puts your own information security at risk. Most important of all, do not treat this as an exercise in naming and shaming. If you want to draw attention to a significant knowledge gap, publish numbers rather than names. Often the mere knowledge that you have been testing staff is enough to make them pay more attention to protecting sensitive information.
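An added example, not part of the original article: a short Python script that turns the outcome of the tests above into the numbers-rather-than-names report the last paragraph recommends, folding departments too small to stay anonymous into an "other" bucket. The record layout, the department names and the minimum group size of five are assumptions made for this example.

```python
"""Turn awareness-test results into anonymised numbers (added example, not from the article).
Each constructed record holds only (employee_id, department, test, failed): the record
never stores what a person typed into the test login form, and the report drops the ids."""
from collections import defaultdict

MIN_GROUP = 5  # assumption: departments smaller than this are folded into "other"

# Constructed sample results for two of the three tests described above.
SAMPLE_RESULTS = [
    ("e001", "Finance", "phishing", True),  ("e002", "Finance", "phishing", True),
    ("e003", "Finance", "phishing", False), ("e004", "Finance", "phishing", True),
    ("e005", "Finance", "phishing", False),
    ("e006", "Legal", "phishing", True),    ("e007", "Legal", "phishing", False),
    ("e001", "Finance", "helpdesk", False), ("e002", "Finance", "helpdesk", True),
    ("e003", "Finance", "helpdesk", False), ("e004", "Finance", "helpdesk", False),
    ("e005", "Finance", "helpdesk", False), ("e006", "Legal", "helpdesk", True),
]

def aggregate(results, min_group=MIN_GROUP):
    """Return {test: {department: (failed, total)}} without naming anyone; a department
    with fewer than min_group participants is merged into "other" (100% of two names both)."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for _employee_id, dept, test, failed in results:
        cell = counts[test][dept]
        cell[1] += 1
        cell[0] += int(failed)
    report = {}
    for test, depts in counts.items():
        report[test], other = {}, [0, 0]
        for dept, (failed, total) in sorted(depts.items()):
            if total >= min_group:
                report[test][dept] = (failed, total)
            else:
                other[0] += failed
                other[1] += total
        if other[1]:
            report[test]["other"] = tuple(other)
    return report

def failure_rate(failed, total):
    """Whole-percent failure rate, the figure to publish instead of names."""
    return round(100 * failed / total) if total else 0

def render(report):
    return [f"{test}: {dept} {failure_rate(f, n)}% failed ({f} of {n})"
            for test, depts in report.items() for dept, (f, n) in depts.items()]

if __name__ == "__main__":
    print("\n".join(render(aggregate(SAMPLE_RESULTS))))
```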