Pub. 15 2020-2021 Issue 2

WWW.NEBANKERS.ORG | TECH TALK

Should I Test Employee Security Awareness?

Shane Daniel, Senior Information Security Consultant, SBS CyberSecurity, LLC

Becoming a Coach

If you’ve ever volunteered to coach youth sports — especially T-ball — you’ve probably learned as much as the kids about how to teach and train someone to perform an activity. The first lesson of coaching: it involves repetition. When I helped coach T-ball, our first day of practice involved running to first base over and over and coaching kids to listen to the first base coach. We spent a lot of time on the fundamentals and basics of baseball. When all is said and done, the purpose of T-ball is to give the kids a basic knowledge of the game and an awareness of what to do when the ball is hit.

The goal of security awareness training should be similar to coaching T-ball. We should understand that the audience is not full of security experts, and we need to provide basic knowledge and the appropriate action to take when faced with an incident. We also need to repeatedly test the effectiveness of the training program. Unlike T-ball, however, we need to keep score, not to shame an employee but to measure our coaching. Verifying that employees have retained this information and will apply their training in the future is the key to a successful security awareness program.

Common Testing Methodologies

Quizzes

Administering a quiz after a training session is a common testing approach, but a quiz is ineffective as a one-and-done exercise. Remember, coaching is repetition. Random web-based quizzes throughout the year may provide a better measurement, unless employees share answers.

Workplace Security Review

Employees can become desensitized to confidential information in the work area. A great way to test your clean desk policy and physical security policy is to observe your workplace. Take pictures of any security violations — it is the best form of evidence — and share the results of your physical checks during your next security awareness training session.

Dumpster Diving

Dumpster diving can literally be a treasure trove of information for anyone who wants to create a highly successful social engineering campaign. A pair of latex gloves is always recommended for this test. One of the best (cleanest) methods to perform this test is to follow the cleaning crew around after business hours and observe what information is being disposed of as ordinary garbage (not in shred bins; that’s where you want employees to put confidential information).

Pretext Phone Calls

In larger organizations, pretext phone calls may be performed by an internal resource who isn’t well known or by an outsourced auditor or consultant. The tester can perform the test via the phone (voice/text) or the internet (email/chat), posing as a customer, vendor, or business partner who is requesting confidential information or login credentials. The tester needs to have a good cover story as to why the information is needed. Testers will often use popular spoofing tools to display local area codes, phone numbers, and alias names when impersonating a person or company.
