Pub. 15 2020-2021 Issue 2

NEBRASKA BANKERS ASSOCIATION

Physical Impersonation

We have all likely performed this test once in our life without realizing it. As an example, when I go to the gym, the attendant is supposed to swipe my card to grant and track my access. However, if I have my earbuds in and stare at my phone, I’m allowed to walk by unchallenged. I look like I belong at the gym; why inconvenience me? If a tester looks like they belong to your organization, will your staff challenge their identity?

Flash Drive Drop Attack Test

Another great test is to bait users with a “lost” USB (Universal Serial Bus) flash drive. How many employees will call IT? How many will plug the device into a company workstation? This test may be performed by capable IT staff with help from the internet or performed by an outsourced auditor or consultant.

Phishing Attack Simulation

One of the best ways to determine if your employees are aware of the threat posed by a phishing attack is to perform a controlled test (simulated attack) of employee email. Test emails should provide clues covered in training that should tip the recipient off to the deception. Directing the recipient to a website link will allow the tester to gather evidence of who opened the email and who followed the link. Such testing may be performed by skilled staff or by a third-party provider. It is recommended that testing be performed throughout the year to maintain employee awareness.

Measuring Results

Share the test results with the management team by documenting your findings using generic terms such as passwords written down and stored within eyesight, confidential information stored in unlocked desk drawers after hours, etc. Avoid using names of employees in the written reports but be prepared to offer details when asked. Keep in mind that the goal is not to demean an employee but to improve the organization’s security awareness.

The risk of social engineering attacks cannot ever be 100% mitigated, but you should strive to improve the results (fewer violations) each year. Employees should be informed that such testing may occur at random. The results of testing should be shared with employees to emphasize the fundamentals in the test that should have raised a red flag and the actions that users should have taken.

Security awareness and testing methodologies must continue to evolve with attack methods, and the best way to provide evidence of progress is to monitor performance through observation testing.

For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com. SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, on-site and virtual auditing, network security and education. Learn more at www.sbscyber.com.
