At Rackspace, Fanatical Support is part of everything we do, especially when it comes to security. We work hard to secure your environment using tools, technology, policies, procedures and different teams with different specializations and skills.
But there is still one method that an intruder can exploit that no technical control, policy, procedure or team can prevent – the human element. However, we can work to alter and influence human behavior around security through security education and awareness training to each person in our company.
In the security world there has long been a debate over whether security education and awareness training is worth the time and money. Smart people from many security blogs and security sites have weighed in on both sides. For two great examples of this debate, check out Dark Reading's posts both against and for this type of training.
One good way to get an understanding of your employees' security prowess, and to make sure that your education/awareness campaigns are effective, is to launch an internal phishing (or spear-phishing) campaign. Phishing involves intentionally misleading a victim, typically through email, into giving away sensitive information to an unauthorized person. In an internal phishing campaign you purposely send out a communication to your entire organization, or to selected employees or teams, and monitor how many people click the link and how many people report the suspicious activity. This helps your employees become more aware of how to better secure themselves, leading to a more secure company.
At Rackspace we employ internal phishing campaigns against our fellow Rackers to check the security pulse of the company. We target our employees to reinforce caution over the urge to click on links or emails from unknown and known sources. We also try to make the education piece more playful so it does not feel like the “Rackspace Police” are coming after any person who clicked on the link. We vary our internal phishing tactics each time and monitor how successful the campaign was to determine if our awareness training is impacting Rackers by making them more security conscious.
We have seen positive results from our internal phishing campaigns that show the security education and awareness training is having an impact. We have seen a sharp decline in clicks on the bogus links and also more Rackers reporting the suspicious emails to the security teams.
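The two numbers the previous paragraphs say an internal campaign should track are the click rate and the report rate, and the trend in those numbers across campaigns is what shows whether the training is working. The following is an added example, not Rackspace's tooling or data: it takes a campaign event log (the event names "sent", "clicked" and "reported" and the employee ids are assumed, and the log is constructed for illustration), computes per-campaign metrics, and compares two campaigns so a "sharp decline in clicks, more reports" statement can be backed with numbers. It also handles the cases that skew naive counts: repeated clicks by one person, a person who clicks and then reports, and a click from someone who was never a recipient.

```python
"""Metrics for a simulated (internal) phishing campaign from an event log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; employee ids, campaign names and timestamps are hypothetical.
# Each row: (campaign, employee, event, ISO timestamp). Assumed event names:
# "sent" when the test mail goes out, "clicked" when the tracking link is hit,
# "reported" when the employee forwards the mail to the security team.
SAMPLE_EVENTS = [
    ("2013-Q1", "emp01", "sent", "2013-02-04T09:00:00"),
    ("2013-Q1", "emp02", "sent", "2013-02-04T09:00:00"),
    ("2013-Q1", "emp03", "sent", "2013-02-04T09:00:00"),
    ("2013-Q1", "emp04", "sent", "2013-02-04T09:00:00"),
    ("2013-Q1", "emp01", "clicked", "2013-02-04T09:12:00"),
    ("2013-Q1", "emp01", "clicked", "2013-02-04T09:13:00"),  # second click, same person
    ("2013-Q1", "emp02", "clicked", "2013-02-04T09:40:00"),
    ("2013-Q1", "emp03", "reported", "2013-02-04T10:30:00"),
    ("2013-Q1", "emp02", "reported", "2013-02-04T11:00:00"),  # clicked first, then reported
    ("2013-Q2", "emp01", "sent", "2013-05-06T09:00:00"),
    ("2013-Q2", "emp02", "sent", "2013-05-06T09:00:00"),
    ("2013-Q2", "emp03", "sent", "2013-05-06T09:00:00"),
    ("2013-Q2", "emp04", "sent", "2013-05-06T09:00:00"),
    ("2013-Q2", "emp04", "clicked", "2013-05-06T09:30:00"),
    ("2013-Q2", "emp01", "reported", "2013-05-06T09:05:00"),
    ("2013-Q2", "emp03", "reported", "2013-05-06T09:20:00"),
    ("2013-Q2", "emp02", "reported", "2013-05-06T09:45:00"),
    ("2013-Q2", "emp99", "clicked", "2013-05-06T10:00:00"),  # not a recipient: ignored
]


def _ts(value):
    return datetime.fromisoformat(value)


def campaign_metrics(events):
    """Return {campaign: metrics} with each person counted at most once per metric."""
    sent = defaultdict(set)
    clicked = defaultdict(set)
    reported = defaultdict(set)
    send_time = {}
    first_report = {}
    # Pass 1: who received the test mail, and when the campaign started.
    for campaign, emp, event, ts in events:
        if event == "sent":
            sent[campaign].add(emp)
            t = _ts(ts)
            send_time[campaign] = min(send_time.get(campaign, t), t)
    # Pass 2: clicks and reports, restricted to actual recipients.
    for campaign, emp, event, ts in events:
        if emp not in sent.get(campaign, ()):
            continue  # e.g. a forwarded link hit by a non-recipient
        if event == "clicked":
            clicked[campaign].add(emp)
        elif event == "reported":
            reported[campaign].add(emp)
            t = _ts(ts)
            first_report[campaign] = min(first_report.get(campaign, t), t)
    metrics = {}
    for campaign, recipients in sent.items():
        n = len(recipients)
        c, r = clicked[campaign], reported[campaign]
        metrics[campaign] = {
            "recipients": n,
            "click_rate": len(c) / n,
            "report_rate": len(r) / n,
            "clicked_then_reported": len(c & r),  # both counted, also a useful signal
            "no_action": n - len(c | r),
            "minutes_to_first_report": (
                (first_report[campaign] - send_time[campaign]).total_seconds() / 60
                if campaign in first_report
                else None
            ),
        }
    return metrics


def compare_campaigns(metrics, earlier, later):
    """Change in click and report rate between two campaigns, in percentage points."""
    a, b = metrics[earlier], metrics[later]
    return {
        "click_rate_change": round((b["click_rate"] - a["click_rate"]) * 100, 1),
        "report_rate_change": round((b["report_rate"] - a["report_rate"]) * 100, 1),
    }


if __name__ == "__main__":
    results = campaign_metrics(SAMPLE_EVENTS)
    for name, m in sorted(results.items()):
        print(name, m)
    print("Q1 -> Q2:", compare_campaigns(results, "2013-Q1", "2013-Q2"))
```

The report rate is worth tracking alongside the click rate: a campaign where nobody clicks but nobody reports either tells you less than one where the first report reaches the security team within minutes, because that report is what lets a real incident be contained.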
Needless to say, the results are great, but there is still more that we can do. Switching things up and thinking outside the box about the different ways future attacks could be mimicked will make an even stronger positive impact on Rackers and their overall security awareness. With a stronger overall security awareness, Rackers can also increase the company’s overall security posture.
The positive response from Rackers to the phishing emails reinforces my opinion that any company, regardless of size, should educate its employees about security. You should strongly consider implementing a similar security awareness and education program with your employees. Devising a good internal phishing (or spear-phishing) campaign is one of the easiest methods that can yield instant results, and it lets every employee touch, see and immediately understand what a single click can lead to.