No matter how advanced your technical setup is, your whole network is as strong as its weakest component. The same remains true regarding employees when the lack of cybersecurity awareness is one of the leading threats confronting enterprises worldwide. After the surge of remote working, most employees also rely a great deal on sent materials and online communication. As for the cybersecurity side of things, it’s an explosive situation that requires immediate action.
One way of approaching this problem is company-wide cybersecurity tests. Here’s what you should know about them.
What are cybersecurity exercises?
As companies are at increased risk of online threats, cybersecurity exercises walk your organization through a cyber-attack simulation. They aim to test how well your organization is prepared to withstand real-life cyber threats in a controlled environment like phishing and social engineering.
Such drills provide an invaluable insight into a particular organization’s cybersecurity status. Usually, cyber security exercises have a specific emphasis on the staff and their competencies in detecting potential threats.
LinkedIn phishing exercise
Nord Security frequently engages in employee resistance testing. One of the recent endeavors was checking how our employees respond to phishing attempts on social media. The main reason for it — every month our employees are asked to participate in various researches and surveys. While they seem innocent, this can be a window of opportunity to gain confidential information.
Our team decided to test how liable our employees really are. Here’s how the whole plan went.
Step 1: Assume a fake identity
To message anyone on social media, you must have a profile. The first attempt was to create them from scratch, but it didn’t work out. LinkedIn is pretty strict when it comes to new accounts. The created new accounts were blocked almost instantly putting a halt to our initial plan.
We had to dig around and find some accounts that were already created. Thankfully we already had two that were previously created for some other tests. We crossed the number #1 item off the list, the trap was set.
Step 2: Initiate the contact
Our cover-up was that we’re scientists trying to collect information about Nord Security and its products. Based on this, we’ve started inviting our colleagues to connect on LinkedIn. The plan was to send out 3-5 friend requests per day not to seem too spammy and fly under LinkedIn’s checks.
While it went slow, it gained momentum after the first few people accepted the requests. This opened doors to invite more users. In addition, the users were less suspicious seeing mutual connections as proof that the person on the other end is real. Twenty people were the threshold where the people started to accept without second-guessing.
Step 3: Close in on employees
After they were in our network, this set the stage to talk them into a short video call for an online survey. 160 people were messaged, but only 40 responded. Nine people accepted to participate in an online survey, while nine declined. This shows how social media can serve as an attack vector for confidential company information.
After answering, some people dug around and refused to speak to our fake LinkedIn profiles. Others cited a non-disclosure agreement that binds them to the company. In any case, it’s an illustration of how phishing can change forms even if it isn’t done via shady-looking emails.
Step 4: Disclosing findings
The last step was to present our employee’s responses to the request to have a private video call. We’ve added the replies into several categories like “Very trustful”, “Trustful but questioning”, “Suspicious”, and “Very suspicious”.
The experiment goes to show that being too trustful early on can backfire. The moral of the story is always to double-check each sender that contacts you online to ensure that you’re not being scammed.
Don’t forget that the same applies to emails and especially any attachments. The moral of the story — trust, but verify.
How to perform a cybersecurity exercise?
There’s more to cybersecurity exercises than creating fake profiles and messaging them. To be useful the experiment has to have some solid justification as it can take up a lot of work time to set up.
Here are the general steps that you’d have to go through when planning a cybersecurity exercise.
1. Assess the organization’s cybersecurity status
Before the test itself, you need to identify all used IT assets. They will be closely tied to attack vectors that could be used to breach your network. This will help you to estimate the likelihood of an attack and the impact that it may have.
Using this data will allow you to identify specific pain points that could be tested to see how well they fare in a real-world situation. You should treat these areas as critical and focus your cyber attack exercise around these weak spots.
2. Have a clear hypothesis
Once you’ve identified specific weak spots, come up with a hypothesis to test. Once you have a specific problem in mind, it will be much easier. Make sure that your hypothesis is clearly defined and is solving a specific cybersecurity problem that a business is facing.
Think outside the box here, what is relevant for your business will be completely irrelevant to others. Follow your unique workplace traits and you’ll find something that could be exploited for your test.
3. Set a specific scope for targeting
Your hypothesis can be tested on a larger or smaller scale, affecting how your cybersecurity exercise will look. For instance, if you expect that the accounting department will be attacked, then it’s likely that you’ll shape your phishing attempt to be more targeted to lure them in. If you’re testing company-wide cybersecurity awareness, you’ll probably cast the net wide.
Once again, the scope will depend on your hypothesis and your particular cybersecurity risks.
4. Develop an attack scenario
Writing a spoofed message and then hoping for the best is not enough. Cybersecurity scenarios should have a detailed script of how the attack will be done. This will help you to stick to the hypothesis that you’re trying to confirm.
Secondly, this will help to limit your damage as it can be really easy to go overboard, trying to hack more than was outlined than it was intended.
5. Put your plan into action
As outlined by your attack scenario, you’ll need to prepare and launch the actual cyberattack simulation. There are multiple things that you might need to set up — from creating fake websites to spoofing emails. Cybersecurity exercises are complex assignments where everything has to go according to plan. It’s likely that you’ll need to prepare for it for months before your plan will be ready to put in practice.
6. Analyze the acquired data
Once the test is completed, it’s important to analyze the aggregated data. Look into the context why your employees were trustful when instead they should have been suspicious.
There are many variables there. You should ask critical questions like maybe the spoofed email looked too real, maybe the victims were recent hires, etc. Frame your data to draw insights — these directly contribute to the value of such tests.
7. Reveal the test results
As soon as you have some insight why the test went one way or another, it’s time to reveal its findings to the employees. Choose an appropriate format and adjust your tone accordingly.
Don’t forget to include tips on what to look out for in the future. Repeat the drills as necessary, until you begin to see positive test results. That way you’ll be ironing out specific business flaws. It surely will come in handy when someone actually tries to breach your network.
Practical tips
Here are some excellent tips on handling cybersecurity exercises if you'd want to replicate them in your organization.
1. Don’t start witch hunt trials
You may quickly identify colleagues that took the bait, but it may not be clear what to do with this information. It may also be tempting to make an example of them by sending them to mandatory cybersecurity awareness training.
The pitfall is that training as a form of punishment does more harm than good. A much better alternative is incentivizing the desired behavior. For instance, rewarding those who are first to report a phishing attempt. That way, you’re not contributing to the alienation of the workspace and promoting a healthy environment that will fare better when someone does decide to attack your organization.
2. Keep your attack controlled
Malware may also be used, depending on the attack vector you’re testing. Keep in mind that each tool used in the test can have unforeseen consequences. In case of bringing your device policies, this can be extremely dangerous as you could infect the employee’s device. You may also mix up email addresses and send malware to your clients.
Don’t forget that your test should be isolated for testing purposes only. Allowing the testing to spill into other areas can have legal repercussions, as well. During the write-up of your cyberattack scenario, critically evaluate what could backfire and make sure to limit as much collateral damage as possible.
3. Limit your communication when the test is in progress
Public announcements that a phishing test is incoming is a great way to nullify the value of the test. This automatically puts your employees on a higher alert. This can skew your test results, and the data might reflect a reality that doesn’t exist.
If you aim to get the full picture of an organization's cybersecurity awareness — your test should be a secret. That way you’re mimicking real-life scenarios, which are always unannounced. Even if your employees start asking questions about a strange email that they got, answer them, but ask not to spread the message further.
4. Have patience
Depending on your chosen attack vector, the whole operation can drag for a long time. If you’ve selected to test social media to get in touch with your targets, you may need time to build credibility. Then, there’s passing through multiple hoops to avoid being flagged by the service itself.
Email phishing campaigns can take time just from a site-building and domain registration perspective. If you rely on a modest cybersecurity team, the work can take even longer to set the stage for your test correctly.
5. Don’t forget about the appropriate code of conduct
It’s most likely that as a result of your experiment you will obtain some private data ranging from passwords to payment card details. As a tester, you should accept full responsibility for the gathered data’s safety and stick to a strict code of conduct.
You should also have an action plan for sensitive data shredding. The danger of leaving it unprotected in some hard drives cannot be emphasized enough. Avoid situations when your test materials eventually get used by real hackers.
6. Have cybersecurity as part of your onboarding
Making cybersecurity a part of the company’s DNA should be the norm. Even your onboarding should focus on cybersecurity and present various risks that could affect them.
Cybersecurity tests could function as a method to keep your employees on alert and stay vigilant when receiving a request from an unknown sender. Plus, it’s no use testing something when the employees had no experience detecting it. This approach helps to balance the two sides out — theory and practice.
7. Perform tests regularly
Cybersecurity training exercises shouldn’t be done once and then completely forgotten about. This is a muscle that needs constant training. Therefore, you should organize a test every couple of months. After the constant tests, detecting suspicious stuff will be second nature to them.
This also will have a long-lasting effect on your organization as a whole. Each passed cybersecurity training additionally doubles down as a lesson of what to avoid or where to look for clues. The more your organization has cyber-aware people, the better cybersecurity status it will have.
