Building better security awareness - TopicsExpress

November 13, 2014 at 7:08am

Every October, the National Cyber Security Alliance (NCSA) runs National Cyber Security Awareness Month, an effort to get people involved in cyber security and to do their part in making the internet safer and more secure for everyone. In 2011, we took the goals of NCSA and blended them with Facebook's hacker culture to create Hacktober, a month dedicated to building and maintaining a security-aware culture at Facebook. With the growing number of people from around the world—friends and family, elected officials, celebrities—visiting our campuses every year, Hacktober's reach continues to extend far beyond Facebook. As we wind down and start planning for Hacktober's 5th anniversary next year, we want to help others outside of Facebook get involved with security awareness at their own organizations.

Hacktober is based on a set of core principles that we still follow today. First and foremost, all employees should feel comfortable talking about security and raising potential concerns without hesitation, even if their role in keeping our company safe may not be so obvious. Second, employees should know the people who work on our security teams and understand their role in protecting people on Facebook and making the internet a safer place overall. Finally, security awareness can be fun instead of scary. We figure that if we can create an interactive and fun environment around security, people will learn important security lessons and retain them throughout the year.

One of the first things we noticed about Hacktober was that by providing our employees with the support and space to discuss security issues, they became more involved and took a greater sense of ownership in keeping the company secure. Each year we see a substantial increase in employee engagement; this year, we saw a 35% increase in employee participation in our internal discussion groups alone.
We also noticed a much stronger interest in Hacktober from people outside of Facebook. People and organizations of all types and sizes are realizing that you don't need to be a tech company to want to build a security-aware culture. No matter what business you are in, effective security practices are essential. Our hope is that others can take what we've learned from running Hacktober and start brainstorming ways to build and strengthen security awareness within their own organizations. Below, we list a few of the tips we've picked up along the way and some suggestions for the activities that produce the biggest impact for us during Hacktober. You don't need to include all of these suggestions in order to run a successful month of activities, but we recommend using the core categories to ensure you have good depth and variety.

Organization and Branding: These elements make up the foundation of Hacktober. In order to build a culture of security throughout the year, people need to understand why it is important and how it affects everyone.

Communication- For a company-wide awareness effort to be successful, early and frequent communication is key. You can start by explaining the mission, goals, and plan for the month. We found that encouraging people to stop and take the time to think about risks is effective. Also, give recognition to those who report suspicious activity, because it will inspire others to step up and do the same.

Design- Each October, Facebook campuses are covered with posters bearing our distinctive “Hack-o-lantern” designs, and our internal groups fill up with posts about Hacktober. Creating a unique identity for your awareness effort helps people identify it and find ways to get involved.

Partnerships- The NCSA is a great partner for security awareness work. They create a new security theme each week during October, which can help guide your awareness activities. The NCSA website (staysafeonline.org/) offers great ideas and content to cover throughout the month.

Fun: Even though security is a serious issue, we include some fun components in our Hacktober planning to promote enthusiasm and excitement throughout the month.

Large company gatherings- Get people socializing and discussing online security outside of the office. We invited families to a safety-themed movie and pumpkin carving night at Facebook Headquarters to learn and have fun together. Before the movie, we distributed educational material and let people talk to members of our security and safety teams, who answered their questions about keeping their families safe online.

“Swag”- Hacktober memorabilia like t-shirts and stickers are wildly popular at Facebook. You only get one if you report suspicious activity or uncover one of our hacks, so people work hard all month to earn one of these coveted prizes. Seeing people wearing Hacktober t-shirts, along with the other themed stickers and posters around our campuses, gives our employees visual reminders about security awareness.

Building Awareness: It's easy to forget about online security in your day-to-day life and work environment unless you can feel it directly through your own experience. That's why we stage real-world security scenarios for our employees to help raise their awareness and spark conversations about how to detect potential security threats. We aim to make these simulations, or “hacks,” understandable to our entire employee base, regardless of which job they perform at the company.

Spear phishing emails- These individually targeted scams are the most common way for attackers to break through company defenses across the industry. Malicious actors craft these messages with the purpose of obtaining personal data that can be used to bypass certain security systems. Companies can work with their internal teams to simulate spear phishing emails and encourage employees to learn how to spot these attacks.

Malicious email attachments- Email attachments can contain software that attacks the computer of whoever opens them. This is a common attack that has compromised many companies, and even their most sophisticated employees. Simulating these malicious emails helps employees get better at identifying suspicious ones and reporting them to the right place.

USB drop- Malware on USB drives has the power to take over a computer, alter files installed from the drive, and potentially much more. One of our most popular activities involves scattering USB drives with fake malicious executables around the office. From this exercise, employees learn to think twice before plugging an unknown drive or device into their computer.

Interactive Activities: To effectively build awareness, we recommend including educational components that help employees understand security topics and threats in greater depth.

Internal talks and workshops- Your internal security team is a great resource. You can design activities to help your employees get to know security team members, their roles, and the threats facing your company. For example, we host events throughout the month called “Beers and Breakage,” which are internal talks hosted by members of the security team or by partners from other areas of the company who work on security projects. They often cover new security tools or integrations. We also run workshops to teach people how to avoid falling for “social engineering” scams, in which scammers attempt to get them to reveal sensitive information.

Capture the Flag (CTF) Competitions- CTF competitions are becoming more visible within companies, universities, and security conferences as effective learning tools for technical employees. A CTF is a six- to eight-hour computer security competition that encourages players to solve security puzzles in a safe and controlled environment. Players learn both offensive and defensive security skills through challenge levels that represent real security issues found in networks and systems.

Hands-on activities: Our employees love being actively involved because they can put what they learn into practice. Our “How to Lock-Pick” sessions fill up quickly and give any employee a fun and simple way to get introduced to the security mindset of taking something apart.

These examples of Hacktober ideas are meant to get your ideas flowing about security awareness activities that could work within your company culture. If you are interested in bringing Hacktober to your company, please contact us at security_awareness@fb. We plan to build out a set of materials and would love to share them with you.

Jennifer Henley is the Director of Security Operations at Facebook.
Posted on: Wed, 26 Nov 2014 05:52:06 +0000