Testing Employees’ Cyber Security Knowledge

December 1

About 10 years ago, at the workplace of one of my friends, a secretary was going through her email when she came across an interesting subject line.

Upon clicking on it, she unwittingly sent a virus throughout the company’s network.

This friend’s company works in an industry that relies heavily on computers. Knowing that, I asked my friend why the secretary would click on something she knew was probably spam. My friend’s response: “We all do those things from time to time.”

I guess I can’t judge — I once clicked on an email that turned out to be virus-like. I was really afraid I would get an angry phone call from IT, but I didn’t. I assume they monitored my activity and saw that I realized my error and deleted the email.

Those instances I mentioned are all user error. Last month, my colleague wrote about user error and how to survive it.

In the second piece, he mentioned a technique that administrators use to test that employees are being safe users — simply put, a fake phishing email. If you click on it, you are taken to a website that teaches you how to spot future scams like that. If you report it to IT, you are rewarded.
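To make the scoring behind such an exercise concrete, here is an added example (not code from the original post or from any vendor mentioned here) of how an administrator might tally a simulated phishing campaign. The recipient list, the event log, and the helper names `score_users` and `campaign_metrics` are all constructed for illustration; the one design decision worth noting is that anyone who clicked is scored as susceptible even if they later reported the message.

```python
"""Scoring a simulated phishing campaign (constructed example).

Each recipient ends up in one of three buckets: clicked the link (and was sent
to the training page), reported the message to IT (and earns the reward), or
took no action. The event log below is made up; a real deployment would read
it from the mail gateway or the help-desk ticketing system.
"""
from collections import Counter
from dataclasses import dataclass

CLICK = "click"
REPORT = "report"


@dataclass(frozen=True)
class Event:
    user: str
    action: str  # CLICK or REPORT
    t: int       # seconds after the simulated message was sent


# Constructed recipient list and event log for one campaign.
CAMPAIGN_RECIPIENTS = ["alice", "bob", "carol", "dave", "erin", "frank"]
CAMPAIGN_EVENTS = [
    Event("alice", CLICK, 120),
    Event("bob", REPORT, 300),
    Event("carol", CLICK, 45),
    Event("carol", REPORT, 90),   # clicked first, then reported: still "clicked"
    Event("dave", REPORT, 600),
    Event("mallory", CLICK, 10),  # not on the recipient list: ignored
    # erin and frank took no action at all
]


def score_users(recipients, events):
    """Map each recipient to 'clicked', 'reported' or 'no_action'.

    A click anywhere in a user's history is conservatively scored as a click,
    because the training page is what that user needs regardless of a later
    report. Events from users outside the recipient list are ignored.
    """
    wanted = set(recipients)
    actions = {}
    for e in events:
        if e.user in wanted:
            actions.setdefault(e.user, set()).add(e.action)
    outcome = {}
    for user in recipients:
        acts = actions.get(user, set())
        if CLICK in acts:
            outcome[user] = "clicked"
        elif REPORT in acts:
            outcome[user] = "reported"
        else:
            outcome[user] = "no_action"
    return outcome


def campaign_metrics(recipients, events):
    """Summarise one campaign: susceptibility and report rates, plus the
    lists an admin acts on (who gets training, who gets the reward) and how
    long it took before IT first heard about the message."""
    outcomes = score_users(recipients, events)
    counts = Counter(outcomes.values())
    n = len(recipients)
    pct = (lambda k: round(100.0 * counts[k] / n, 1)) if n else (lambda k: 0.0)
    report_times = [e.t for e in events if e.action == REPORT and e.user in set(recipients)]
    return {
        "recipients": n,
        "susceptibility_pct": pct("clicked"),
        "report_pct": pct("reported"),
        "needs_training": sorted(u for u, o in outcomes.items() if o == "clicked"),
        "rewards": sorted(u for u, o in outcomes.items() if o == "reported"),
        "first_report_s": min(report_times) if report_times else None,
    }


def susceptibility_drop(before, after):
    """Percentage-point change in susceptibility between two campaigns."""
    return round(before["susceptibility_pct"] - after["susceptibility_pct"], 1)


if __name__ == "__main__":
    m = campaign_metrics(CAMPAIGN_RECIPIENTS, CAMPAIGN_EVENTS)
    for key, value in m.items():
        print(f"{key:>20}: {value}")
```

Running the block prints a 33.3 percent susceptibility rate for the constructed campaign, with `alice` and `carol` on the training list and `bob` and `dave` on the reward list; the same `campaign_metrics` call on a later campaign, fed to `susceptibility_drop`, gives the kind of before-and-after figure the vendors quote.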

So I went out in search of other tricks admins use to test people.

While doing my research, I saw that the phishing email was quite popular. Last year, FindLaw wrote about PhishMe Inc., which provides a cat-photo email that IT departments can use to test employees.

PhishMe has sent that email to more than 5 million users, with susceptibility to phishing of 58 percent, according to PhishMe’s website. After implementing the process, organizations have been able to reduce that down, on average, to 8 percent, the company said.

In looking for other methods, I found a few. The Wall Street Journal uncovered some good ones from Ryan Jones, an “ethical hacker” for Chicago digital-security company Trustwave Holdings Inc. When hired by a company, he uses tricks like dropping thumb drives and CDs in places like bathrooms, driveways, and retailers near where those employers would be.

He sweetens the pot by putting the company logo or a competitor’s logo, as well as the word “confidential,” on the item. He told WSJ that most of the time, an employee will stick it in a computer out of curiosity. The items contain software that captures photos of the employee.

Jones also said he has tested physical security in person, dressing up as the everyday people who would visit an office, such as someone delivering a package. He has even donned crutches to see if people would let him through otherwise locked doors.

And, I’m not sure this is as much a trick as just a request for information, but Microsoft put together a 10-question quiz on employee awareness of online security.

As for my friend’s workplace virus, all of the employees had to give up their computers to IT for a while so anti-virus software could be updated. Plus, everyone had to participate in Internet education. She thought it was a pain, but I haven’t heard her talk of another instance like this, so it must have worked.

Does your company do anything to educate employees on cyber threats? Let us know in the comments or on Twitter.

Photo credit: Tessss via Flickr