How to test employee cyber competence through pentesting
Social engineering hacking preys on the vulnerabilities inherent in human psychology.
Take the Nigerian (419) scams as an example: the scammer tries to convince the victim to help get funds out of their own country into a safe bank by offering a percentage of the money for their participation. While senders of “Nigerian prince” emails have been scamming people for decades, people still regularly fall for it.
If they’re not properly trained and educated on their roles and responsibilities, employees pose a huge threat to their organization, and it is therefore vital for organizations to test employee cyber competence. To identify the vulnerable workers who may require extra learning, organizations can use social engineering pentesting.
Employees are the first line of defense
Your employees are truly the first line of defense to keeping your company safe and secure. Employees need to understand how their personal social media habits and information oversharing can have a direct impact on the safety of their companies. With the amount of information shared on platforms such as LinkedIn, Facebook, Twitter, and Instagram, hackers can gather enough of it to build trust with the victim or even assume the identity of someone in their social circle.
Employees also often lack the knowledge to identify cyber threats. Phishing emails, tailgating, and baiting may seem legit to an employee who has no reason to be skeptical. Why wouldn’t they open an email from their boss on vacation, asking them to transfer money for him/her? Why wouldn’t they open the door for a colleague who happened to leave their keycard at home that day?
Social engineering hacks infiltrate organizations by “hacking” the human brain and taking advantage of its vulnerabilities. Without a general understanding and training on how to identify cyber threats, employees will remain a target for cybercrime.
Make employee training a priority
Seek out comprehensive training services to prepare your employees to recognize and avoid the latest cybersecurity threats. You’ll want to find a cybersecurity training program that addresses your organization’s vulnerabilities and risks. Organizations in different industries have different needs and compliance standards.
For example, law firms and others in the legal services field have strict, mandated compliance requirements regarding both the handling of paper documents and digital security. Custom employee training programs for legal services will help staff adapt to the latest technologies and reduce liabilities with best practices in data hygiene and physical security.
The training program that focuses on your industry should also be customizable so that it can be adapted to an employee’s role within the company (e.g., paralegals must beware of spoofed emails from court systems, wait staff at a restaurant should focus on credit card theft or identity fraud, and financial advisors need to be cautious when wiring money to and from their clients’ accounts).
Another crucial aspect of employee cybersecurity training is teaching your staff the importance of digital hygiene and how to keep their online data organized, safe, and secure from outside threats. This can be established through digital hygiene practice and data-loss prevention methods. Educate your employees on the value of information and how to properly share it at different levels – this will help protect against accidental disclosures.
Going back to oversharing on social media: training can help employees better understand social media hygiene and better gauge when and where it is appropriate to share personal information. If employees are aware of how the information they post can be used, they’ll be less likely to make that information so easily accessible to hackers.
One-time training isn’t going to cut it. Frequent training sessions for employees are crucial to highlight new social engineering hacks flagged by experts as well as to keep best practices fresh in employees’ minds. Regular sessions keep information active in the brain and not pushed to long-term memory.
Also: non-technical employees will absorb more information via 5- to 10-minute micro-training sessions than via the typical annual one-hour training session.
Test employee cyber competence
Your employees have gone through training programs and are more aware of their responsibilities. It’s time to put them to the test. You can do this by using social engineering pentesting to evaluate your employees’ level of cyber awareness through simulations. Hiring an outside penetration testing firm to put your security preparation through its paces is ideal, since a third party can bring to light issues that may be in your company’s blind spot.
The value of social engineering pen testing is that it will uncover security weaknesses in the following areas:
- Physical security (of the entire building)
- Corporate security policies regarding proper usage and disposal of sensitive data
- Employees’ security awareness and implementation – you will discover whether the staff needs additional security training
Social engineering pentesting can be used on your employees, either off-site or on-site. Off-site testing is designed to make employees divulge information intended for internal use only. You can attempt to compromise employees through phone phishing, email phishing or SMS phishing. A pentester can send employees an email with a link to files containing malware. For example, staff members may receive an email that informs them they’ve won a vacation. If they click on the link, they give the pentester access to the target’s corporate account. A test of this nature will provide the organization with analytics on how many employees clicked the link and which employees are the biggest threat to company security.
On-site penetration testing includes various techniques aimed at gaining physical access to the office of the target company. This can include impersonation of employees or clients, dumpster diving, and physical honey pots. One way to test employee cyber competence through this method is to try out impersonation. Have a pentester impersonate a tech support worker to gain access directly to the company’s network. The pentester can launch a USB thumb-drive on the target computer and compromise the company within seconds. Employees that were easily tricked can get additional training.
Take a dumpster dive into your employees’ trash bins. Have they left printouts and pieces of paper with critical information? Was the paper shredder not used to get rid of data? This is an effective way to see which employees may not be cautious with sensitive corporate information.
Takeaway
You may think your organization is safe, but it only takes one individual to jeopardize the security of the whole company. Social engineering pentesting is an efficient way to identify where your employees stand when it comes to cybersecurity best practices. Making employees aware is the key, and results from pentests can help drive this awareness.
Pentesting also provides valuable metrics – education and training without metrics fail to show whether people are learning and putting what they’ve learned to use. Testing employees when they don’t know they’re being tested enables real insight into their cyber awareness and how you can best train them. With your employees being your biggest cybersecurity vulnerability, training is the most cost-effective way to safeguard your organization.
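As an added example (not code from the original article), here is how the click analytics from a simulated phishing campaign, described in the testing section above, can be turned into the metrics this paragraph calls for: per-campaign click and report rates, and the employees who repeatedly fell for the lure and need follow-up training. The campaign names, employees, departments and outcomes are all constructed sample data.

```python
# Added example, not from the original article: turn the results of a simulated
# phishing campaign into the metrics the text describes (how many employees
# clicked, and who needs follow-up training). All data below is constructed.
from collections import defaultdict

# Constructed simulation log, one line per employee per campaign:
# campaign,employee,department,outcome. Outcome is "ignored", "reported"
# (forwarded to security), "clicked" or "submitted" (entered credentials).
SAMPLE_LOG = """\
Q1,alice,finance,submitted
Q1,bob,finance,clicked
Q1,carol,legal,reported
Q1,dave,legal,ignored
Q2,alice,finance,reported
Q2,bob,finance,clicked
Q2,carol,legal,reported
Q2,dave,legal,reported
"""

FAILED = {"clicked", "submitted"}   # outcomes that count as falling for the lure

def parse_log(text):
    """Return (campaign, employee, department, outcome) tuples, skipping blanks."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]

def campaign_metrics(rows):
    """Per campaign: number targeted, click rate and report rate (fractions)."""
    counts = defaultdict(lambda: {"targeted": 0, "failed": 0, "reported": 0})
    for campaign, _, _, outcome in rows:
        c = counts[campaign]
        c["targeted"] += 1
        c["failed"] += outcome in FAILED        # bool counts as 0 or 1
        c["reported"] += outcome == "reported"
    return {k: {"targeted": c["targeted"],
                "click_rate": round(c["failed"] / c["targeted"], 2),
                "report_rate": round(c["reported"] / c["targeted"], 2)}
            for k, c in counts.items()}

def needs_retraining(rows, min_fails=2):
    """Employees who fell for the lure in at least min_fails campaigns."""
    fails, dept_of = defaultdict(int), {}
    for _, employee, dept, outcome in rows:
        dept_of[employee] = dept
        fails[employee] += outcome in FAILED
    return sorted((e, dept_of[e]) for e, n in fails.items() if n >= min_fails)
```

Comparing the two campaigns shows the trend the text asks training metrics to reveal: the click rate falls and the report rate rises after training, while one employee still needs individual follow-up.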