Effective ways to test your staff’s security awareness

In 2013 the Ponemon Institute released a report which estimated the total cost of a data breach in the United States at roughly $5.4 million, and found that 33% of breaches were caused by simple human error, such as falling for a spam email.

That’s right. Your entire cyber security strategy, consisting of firewalls, segmented networks and a rigorous audit schedule, can be undermined by one uneducated user.

So what can you do?

You can either:

  1. Ignore the insider threat in the hope that all of your users are well aware of the threats that surround them, or
  2. Test your staff’s awareness of the threats and see how they deal with them.

Option 2 is the winner

Testing your staff’s awareness doesn’t necessarily mean sending out a survey via email and asking employees to complete it, because a) they might not complete it and b) they might lie.

Instead, I suggest the following three methods:

Check the work environment

When people get comfortable, they tend to get careless. So if you want to ensure that your staff apply basic security precautions, then go into the work environment and do some snooping.

Are cabinets locked? Are there sticky notes with passwords written on them stuck to users’ monitors? Are users locking their screens when away from their desks?

Put on your whitehat

Social engineering is a key threat to organisations. If you have over 80 people in your offices, then it’s very easy for your employees to lose track of who is who. Therefore, you need to ensure your staff can distinguish unauthorised individuals from authorised ones.

A good way to do this is to send in a member of staff who may not be well known to others and use them to test your employees’ reactions to a relative stranger asking them for confidential information. Your staff need to know that it’s okay for them to ask who a person is if they’re not sure.

Train and test

Probably the most effective of the options is to train your staff and then test them on the subject matter. IT Governance offer information security awareness training in the form of e-learning, so your users don’t need to leave their desks. The courses include a test which will allow you to assess who needs some extra guidance. The course also produces comprehensive reports on training progress, which can be used as evidence for compliance purposes.