Sophos is the same as any other business – we need to keep our employees (and the company) safe, while at the same time we need to give people the freedom to do their jobs.
Our employees want to be helpful, perform well, and give good support to their co-workers, clients and customers. But good nature is exploitable and it’s those easy-to-exploit characteristics that social engineers seek to tap into.
As an attacker, it’s usually easier to try and push past a human than to try and push past a machine. Unless we understand the tactics and techniques of cybercriminals, people may well fall prey to attacks and put the company at risk at the same time.
The best defense for social engineering attacks is a combination of good controls and an awareness program – start with a good, simple, human readable policy and then base training and awareness campaigns around that.
Who you gonna call?
Staff need a single point of contact – it’s vital for people to know they have a specific person or team that they can ask for help from, escalate issues to, or double check something with – no matter how small they think it is.
Remember, the biggest incidents start with the smallest of indicators. We advertise this point of contact through everything we produce for staff – whether it’s an email from HR, a poster in the coffee area or a presentation we give to employees.
Education through awareness
At Sophos we run an internal education campaign called ‘7 deadly sins of security’. This educates employees on basic security topics, including phishing, passwords, scanning and sharing documents.
Our latest campaign, ‘Don’t let your data get ripped – Encrypt!’, coincided with the full launch of our SGN 8 file-level encryption product.
Through this internal education campaign, staff are informed of particular risks and can learn how to combat them through blog posts, banners, and posters throughout the offices.
Not just for new joiners
Security training and awareness shouldn’t just be something to bulk up a new starter’s welcome pack and then left alone forever more. Nor should it be routinely rolled out just to tick a compliance box.
Beginning at the on-boarding stage with simple policy, this training should be a continuous process, delivered through numerous methods to keep staff engaged and informed.
One of the techniques we use to build awareness is phishing testing, and we continuously test our co-workers against this type of threat. Based on real phishing threats we receive as a security team, our tests have a good call-to-action with domains that resemble our own. We generally run one a month, and anyone who gets caught out gets some instant automated training explaining what to look out for and why.
With any suspected phishing (whether it’s a test from us or the real deal), we actively encourage staff to send possible threats to the security team as soon as they see them – ideally before their first click.
To encourage this, we have clear and simple paths for reporting phishing, including an Outlook button to escalate directly to the team. This is the most straightforward way of being able to proactively defend against this threat.
Protect those passwords
We also have an active password audit program. We enforce large passwords and encourage the use of password managers, as well as check staff passwords and crack any of them that are deemed too simple. Any users with poor passwords get to re-visit our password education campaign.
That’s not everything
This is just a small subset of how we build a security culture. The main thing to remember is that it should be constant, not just a check box.
Security awareness is fine; security culture is where it’s at.