October is coming up. While for many Americans that means starting to think about what to wear for Halloween, October is also National Cybersecurity Awareness Month.
First marked in 2014, National Cybersecurity Awareness Month is an opportunity to raise the awareness of employees, customers, and the general public about cybersecurity risks, and to highlight their personal and collective role in mitigating those risks.
Cybersecurity Awareness Month is more relevant today than it has ever been. The threat landscape is increasingly frightening, featuring everything from phishing and pharming to ransomware and massive DDoS attacks. Worse still, security threats have moved beyond purely malicious and financial intent: they have entered the realm of geopolitical warfare, as the 2016 U.S. presidential election showed.
Despite the obvious rationale though, an awareness month won’t have the intended impact on your organization if employees do not feel adequately engaged. Hence the need for exciting activities that get everyone actively involved. Here are some fun things you could do.
1. Quiz night
How well do your employees understand cybersecurity? There are a number of ways to impart such knowledge. You could do so via a formal, classroom-like session, but that can be dull. Other techniques don’t work much better. For instance, many people don’t bother to read the InfoSec emails sent to them periodically as part of the company’s overall security awareness program.
You can get a lot more participation by organizing fun, competitive but less formal quiz sessions. Think about a quiz night pitting different departments against one another. Offer a reward to the team that gets the most answers right. You could also have an individual reward for outstanding personal performance.
For best results, keep questions as nontechnical as possible so you do not give undue advantage to IT staff.
2. Document hunt
It’s hard to go wrong with some form of treasure hunt. At the end of a randomly chosen day, task each department with finding as many sensitive documents or unlocked computers as it can in another department’s workspace. The department in whose workspace the least unprotected information is found wins.
The catch here is that departments that already have a strong culture of good document management and information protection would have an easier time winning this challenge.
An alternative would be to hide one or more documents somewhere within the premises and then task employees to search for the documents. They’ll have the entire month to find the items. Those who do locate the documents would get a reward.
3. Fake phishing attack
Create a fairly persuasive phishing email and send it to every person in the organization. You’ll probably want to send it late at night so employees find it when they come in the next morning. Use an external or spoofed email address, but make it convincing: incorporate the company logo, brand colors, disclaimers and the real names of senior executives.
It should make an urgent appeal for confidential information that the recipient is asked to send over as quickly as possible. This prank is meant to see how many employees will actually respond to the email with the requested data.
In fact, any response to the mail, even one that does not provide the requested data, should be considered a fail. Identity thieves are often looking for the name of a real employee (which any response will provide) to get a conversation going.
There’ll be plenty of good laughs when staff eventually discover it was fake, but there are real lessons on social engineering to be learned here.
4. Gamification
Gamification may entail a significant amount of custom programming if you opt not to procure a suitable application off the shelf. However, it is well worth the effort. The game would reward participants for activity that demonstrates or increases awareness. To be effective, the game should have clear rules: employees must clearly see how they can participate, what rewards they’ll get, and a real-time leaderboard that shows who has the highest score.
Participants could, for instance, earn 20 points for completing an InfoSec quiz and 50 points for identifying a lapse in security procedures. At the end of National Cybersecurity Awareness Month, you can reward the top scorers with a day off, a family dinner, or a gift card. The entire system should be as automated as possible in order to gain the confidence of everyone who takes part.
5. Make the most of the outdoors
If you really want to get people’s creative juices flowing, have at least one outdoor activity during cybersecurity awareness month. There is a wide range of outdoor teambuilding activities where you could embed cybersecurity elements and get people to compete against each other.
The good thing about outdoor fun is you don’t have to come up with pricey rewards for the winning individuals or teams. First, employees will be excited to be away from the office. Second, they’ll look forward to kicking their colleagues’ asses just for fun.
This kind of laid-back environment is pretty effective at getting serious messages across. It takes staff away from office distractions, allowing them to concentrate on just this one topic for the entire day.
6. Bug bounty
We talked about creating activities that aren’t too technical so you can have a level playing field. Nevertheless, your IT department is the most burdened with ensuring cybersecurity controls work. You have to throw the geeks a bone if you want them to feel challenged enough to participate in cybersecurity awareness month.
So for your more tech-savvy employees, you could organize a bug bounty event. Give participants the entire month to unearth any system vulnerabilities.
As with any pen test, make sure the bug bounty event is conducted in a way that doesn’t disrupt everyday operations, and agree the scope, rules of engagement and reporting channel in writing before it starts. A hack may be so effective as to bring down a production environment. Ergo, it’s prudent to limit the hack to low-traffic days (such as Sundays for most businesses). Better yet, you can restrict the exercise to a test environment that is an exact mirror of production systems.
Finding vulnerabilities can be intense and time-consuming work. You should, therefore, offer an enticing financial reward to those who report the most significant vulnerabilities.
Cybersecurity awareness: One month for a safer year
Cybersecurity Awareness Month is perhaps your best chance to get senior management behind an organization-wide awareness initiative. With such high-level buy-in and by making the activities fun, you are more likely to get employee participation and ultimately make the enterprise a better place for data and systems security.