6. The Training & Awareness Check
You can have the best home alarm system in the world. I'm talking motion sensors on the lawn, trip wires in the doorways, and vibration sensors on the windows. None of this matters if you invite the criminal inside. Now we aren't saying that employees will purposely invite a criminal into your network, but human error is by far the greatest contributor to breaches. So because of this, let's have some fun with your employees...
The Spot Check:
STEP 1: Open your email and pick your target, preferable someone who won't be hurt too bad by your betrayal.
STEP 2: Send them the below email (or some variation of it)...
What is our username and password for __________? Will you please send it to me, I need to check something ASAP. Also, I need <Client Name's> address, phone number and any other info we have on them for a call this weeks.
STEP 3: The trap is set, now all you need to do is wait.
PASS: The employee walks over to your desk, scolds you for ignorance and lectures you on data security and privacy. Alternatively, they verbally tell you where to find the information and walk away shaking their head.
FAIL They email you the information.
SUPER FAIL: They are working from home and reply from their personal email address.
If you fail:
You are taking on unnecessary risk and need to train your employees.
- Have a conversation with your IT person about how you can protect against untrained employees from a technology standpoint. Contact us if you need help as this is included with our service.
- Contact Ariento or another vendor you trust to get a vulnerability assessment to see where else you may be at risk and to provide you concrete recommendations for improving your security posture.
If you super fail:
Same as fail, but you are even more at risk and should act immediately!
If you pass:
Congratulate the employee and thank them for their diligence. Ask them for feedback on where they learned about data security and how the company can do even better. Optional: repeat the test on another employee.