Hacktober - As many of you know, October is National Cyber Security Awareness Month (NCSAM). Most companies plan activities and deliver information security awareness training through traditional methods such as compliance videos, dry awareness posters and messages, lectures and emails, to help their employees detect and prevent cyber attacks. Facebook honors NCSAM with an initiative called “Hacktober”: a series of simulated security incidents and threats run against Facebook employees throughout the month of October. This includes attacks on employee computers, to see who falls victim to the attack and who identifies and reports the issue. Any employee who spots a Hacktober attack and reports it receives a reward.

I truly appreciate and support this initiative from Facebook and wanted to share it with those who are unaware of it. In one of my previous articles, I reiterated the need for information security awareness in our company. I really dislike the CBT videos and the mandatory trainings. I admit that their content is good, but I am not sure how effective they are. Awareness should not be a “next, next ...” tutorial followed by a quiz. Let these awareness sessions be more employee friendly. Security should be considered a responsibility, not a burden. It has to be fun, not scary. The best part of Facebook’s approach is that if an employee is unlucky enough to fall for a simulated threat and/or fails to report it, they simply undergo further IT security awareness training, with no other serious consequences. Employees are not made to feel like victims; when they catch an attack, they get prizes. This is the best part of it.

Facebook approaches this initiative with three goals in mind: raise awareness of security threats, educate employees and have fun. As previously mentioned, I liked the last one.

This is exactly what I wanted to point out. People tend to treat information security audits or exercises with suspicion. We should create an environment where employees do not feel that the exercise is something against them when they are caught because of an unintentional mistake or a lack of awareness. If we integrate the fun part into these initiatives, we can certainly win their support. For the penetration testing exercise, we should target the specific groups that are vulnerable to specific social engineering attacks.

Rewards will motivate employees to identify possible attacks, and the exercise will become more popular. This will also ensure maximum participation throughout the organization. Employees should feel comfortable talking about security and raising potential concerns without hesitation.

These sorts of campaigns give employees some experience of facing real Internet threats before they come across them in the wild. They also give us great insight into how similar incidents might play out, were they actually to happen in the future.

Are you ready for a change? If yes, let the change bring a positive approach towards security.

Views by Aju Nair

