Cyber Security.
29.10.19
October is celebrated as the US National Cyber Security Awareness Month. Being security nerds, we decided to run a series of cyber simulations, workshops and inter-departmental tests across our organisation to educate our staff about the importance of security awareness.
Our Hacktober campaign ran throughout October, giving us the opportunity to cultivate the security culture while having some fun. We posted daily alerts on our social media channels, allowing us to take everyone through our journey. The campaign has been a great success for us, and our staff has been instrumental in this feat, with the good news being that they all passed with flying colours!
Here's the compiled list of alerts that we created for our team, which will help your business stay secure. Please remember that Security Awareness Training is one of the most important factors in an organisation's first line of defence against cyber threats. We hope you enjoy the following as much as we enjoyed creating them.
Alert 1: USB
We planted a variety of unidentified Mass Storage Devices around our Sydney and Melbourne offices to see if anyone took the bait. These tiny devices can cause havoc, so be cautious.
Alert 2: Blog - Most dangerous scams in 2019
The new wave of hacking techniques will have some people bewildered. We explored some unique methods used by cyber criminals this year.
Alert 3: Visitors and guests
How does your organisation distinguish its own employees from visitors and guests? Options range from signing into a Visitor Management System to wearing an identifiable lanyard or even having the host accompany them while they're onsite. All of these are effective ways to ensure visitors and guests do not gain unauthorised access to areas or information within your organisation. We know that sometimes some do slip through the net, so if something doesn't feel right, challenge!
Alert 4: Phishing emails
Throughout week 1 of Hacktober, our employees received a variety of simulated phishing emails to their corporate email accounts. Many employees reported and escalated them, which is awesome to see and has kept our SOC team busy.
Alert 5: Unauthorised access
Summer is coming and with the hot weather approaching, it is tempting to open doors and windows and leave them ajar. This provides an ideal opportunity for opportunistic theft and unauthorised access. Always make sure there's someone to stop and challenge any unauthorised personnel, and make sure everything is closed and locked at the end of the day.
Alert 6: Loose lips sink ships
For this challenge, we sent some of the newest members of our Red Team undercover to the coffee shop and local pub to see if they could hear our Sales team chatting about sensitive information... As expected, the team passed with flying colours.
Alert 7: Blog - Security Culture & Awareness
Our Associate Security Architect, Nick Forster, writes about setting the challenge of looking at Cyber Security Awareness Training as more than just a compliance box-ticking exercise. Hear his thoughts about security culture within organisations.
Alert 8: Vishing
Our Director of First Impressions and Admin team were tested with a series of Vishing attempts, looking to obtain sensitive information.
Alert 9: MFA
Multi-Factor Authentication (MFA) is one of the most effective controls for protecting an organisation from unauthorised access to its network, privileged accounts and sensitive data repositories.
Alert 10: Privacy Screens
More and more organisations are providing their employees with flexible and remote working options, which means screens are often in view of other people. We mitigate this risk through regular training and by providing privacy screens for our employees for when they need them.
Alert 11: Hot desks
We've just recently introduced hot-desking for a large portion of our office. So even though it can be disruptive at times, at the end of every working day, all our desks are clear and all documents and devices are secured appropriately.
Alert 12: Blog - 2019’s Cyber Security breaches in Australia
Last year, cyber security breaches rose by almost 80% in Australia. In this blog, we take a look at some of the biggest breaches of 2019 so far.
Alert 13: Information Security Overseas
Do your employees travel overseas as part of their role? Or do they take their corporate devices away with them on leave to have "intermittent access to their emails"? If so, you have a duty of care to provide them with adequate controls to protect them while they're away. This starts with education and should be included in your Security Awareness Training program. Providing pre-travel, during and post-travel guidance is an effective way of informing your employees of the risks.
Alert 14: Social Media
Do you know what personal information about you is out there? We gave our employees two simple tasks to do: 1) use search engines and their results to try to find out as much information about themselves as possible in 5 minutes; 2) input their email details into 'Have I Been Pwned'.
Alert 15: Backup
How much data can you afford to lose? This alert's focus is on the A in CIA - Availability. We have set all of our employees the challenge of moving all completed and ongoing project documentation from their local devices to our shared workspace. This is a critical part of any Backup & Restoration program but is often neglected due to operations and the next deadline.
Alert 16: Trivia
We recently held a company trivia night at our Sydney office. Our employees were quizzed on the usual - general knowledge, geography and music, along with their share of mind-boggling facts. We also managed to sneak some Information Security questions in to see how much attention they've been paying so far this month.
Alert 17: Spear Phishing
We crafted bespoke emails to each member of our leadership team based on what we could find about them online. They all identified the email and reported it to our SOC.
Alert 18: Security Incident Reporting
Incident Reporting should be one of the main topics covered in your organisation's Security Awareness Training. Try using dedicated accounts and mailboxes so your IT Team can provide consistent monitoring.
Alert 19: Blog - Managed Security Service Providers
In Australia, over 60% of organisations do not have the necessary resources to respond to cyber attacks. Learn how Managed Security Service Providers create customised solutions to solve individual business needs, budgets and security requirements.
Alert 20: Rogue Access Points
Disabling your WiFi and Bluetooth on laptops and mobile devices is a really easy way to reduce your exposure to wireless attacks. We got all of our employees to check the current status of their devices after their morning commute to see how they'd fare... We also sent a 1-page training document on how to use our VPN solution as a refresher for all mobile workers.
Alert 21: Badges
Badges, Passes, IDs and Lanyards are all effective ways to identify authorised and unauthorised people in your workplace. However, these can be easily replicated and used by an attacker.
Security is a serious issue for businesses, but that doesn’t mean Security Awareness Training can’t be an enjoyable experience for you and your staff. We highly recommend that you try to implement some of the above alerts to see how well your business responds to security threats.
If you would like to learn more about Security Awareness Training or discuss more advanced tests, you can speak with one of our security experts today.
Author
Rudy Mitra
Marketing Specialist