After several years of running phishing programs and working with other organizations on theirs, I'm starting to notice a trend. Sooner or later everyone falls victim to a phishing assessment. Heck, even I fell victim to a phishing assessment once, and it was my own assessment (happy to share that story, but the price is a beer at a local con). Here is the interesting part though: most people only fail once. It is almost as if failing a phishing test is a rite of passage; once you fall victim you truly remember the incident, and rarely if ever fall victim again. The majority of people who I see falling victim each month are new hires. As they are new to the organization and new to awareness, they too...
One of the ideas I pulled from John Kotter's book Leading Change was a suggestion on Human Resources. Have your HR team align performance evaluations, compensation, or promotions with people's security behaviors. This does two things. First, it increases motivation because people see an actual, tangible gain from changing their behaviors. But even more importantly, Mr. Kotter points out that this demonstrates that leadership is serious about security, that they want to make secure behaviors part of the organization's DNA. I thought this was a great idea. Here are some examples of metrics your HR team could use to track employees and staff.
- Employee had no security violations in past 12 months
- Employee successfully completed all awareness training
- Employees on their own reviewed online profile to confirm
Editor's Note: This is a guest blog post from Cheryl Conley, head of Lockheed Martin's Security Education and Awareness team. Lockheed is one of the most targeted (and phished) organizations in the world. Below are her thoughts on phishing as she wraps up 2014.
I hope everyone survived NCSAM; we at Lockheed had a very successful run. We were very pleased with the participation across the enterprise and eager to capitalize on the flurry of interest from our non-cyber employee base. October was a very busy month; while we started planning for NCSAM in June, the activities during the month included our monthly phishing efforts. As we wind down for 2014, the email testing team is taking a breather. We feel December has too many activities that conflict with a phishing assessment, including enterprise activities such as compliance deadlines, and many of the employees are out of the office on vacation or travel. Also much of the leadership will
Folks, as some of you know, in October for National Cyber Security Awareness Month we released the first ever Security Awareness Survey for Security Awareness Officers. Over 200 people responded, which was an amazing number. We had hoped to release the results of the survey this week but have run into two challenges; to be honest, both are good problems to have.
- We received far more information than we expected. We really want to be sure we take our time and digest/analyze this information correctly and present it in a useful and easy-to-use format for security awareness officers around the world.
- Bob Rudis from the infamous Verizon DBIR team volunteered to help analyze this rich source of information. We wanted to give Bob time to work his magic.
So, while the survey results will be later than we hoped, we like to think they will be well worth the wait. Stay tuned :)
The folks from the Ft. Meade Alliance have posted both an interesting blog post and an infographic on the Defense Department's approach to and need for employee cyber security training, and how that compares to the civilian world. Long story short, it looks like the military folks may be ahead of the game compared to the corporate world. You can find more about the blog post and their poster at www.ftmeadealliance.org.