Security Awareness Program Case Study

About Our Client

The client is an industry leader providing highly regarded services across multiple horizontals such as Business & IT Services, Strategic Consulting, Big Data Solutions, Web & Mobile Applications development and testing, and Professional QA Services. The client also works in Artificial Intelligence and integrated product development in the health care and IT security domains, and is recognized in the market for its ability to deliver reliable, efficient and performance-driven ERP implementations.

Objective

  • To maintain the confidentiality, integrity and availability (CIA) of information within the organization.
  • To create a secure environment within the organization.
  • To deliver a minimum baseline of security awareness to all employees.

The Challenge

  • To gather details of all employees and schedule security awareness sessions at times convenient for their time zones.
  • To gather information on, and socially engineer, the organization's different verticals and their functions in order to draft the phishing email.
  • To coordinate with the security team so that phishing emails outside the simulation activity were still identified and alerted on.
  • To maintain the secrecy of the phishing simulation campaign.

The Varutra’s Security Awareness Program

Varutra's Security Awareness Program consists of security awareness sessions followed by a detailed test to gauge the effectiveness of the sessions delivered. A phishing simulation activity was then carried out to test the response and awareness of the organization's employees when faced with phishing emails.

Varutra’s Security Awareness Program

Varutra's Security Awareness Program follows guidelines from industry best practices such as NIST, CIS and SANS.

Varutra follows a distributed model for security awareness training.

Varutra's Security Awareness Program is broad and includes various tasks that make the activity a fun learning experience.

Our Methodology

Varutra's methodology is aligned with the industry best practices NIST, CIS, SANS and ISO 31000. The best practices applied within the scope of the assessment are listed below:

  • Creating a detailed Project Plan
  • Using a PDCA Approach
  • Assignment of Roles and Responsibilities as per the RACI Matrix

Our Approach

We identified and analyzed the risks and threat agents that might affect the security of the organization, and developed the security awareness program in a distributed approach to ensure that the threats associated with every vertical are addressed and mitigated.

The general overview of our approach specific to the organization’s requirement is as follows:

PLAN

A project plan was prepared for the security awareness training and the phishing simulation activity, and calendar invites for the awareness training were shared with the employees. The tool used for the phishing simulation activity was studied in detail to understand the features available and those to be used for the activity.

DO

A risk assessment was performed to identify and mitigate the risks involved in the phishing simulation activity, and the change management process was followed to track and approve the whitelisting changes the simulation required. After approval from the Change Control Board (CCB), the IT team implemented the changes at the infrastructure level. Because these changes let the simulated emails past the mail filtering controls, the campaign results measure employee response rather than the effectiveness of the technical filtering.

CHECK

Demo phishing simulation tests were conducted to verify the efficiency and expected workflow of the activity. The hyperlinks at which data or information was to be captured during the phishing activity were tested. In line with the privacy policy and security norms, the tool has a feature that prevents it from capturing any password from the data entered by phished users.
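The password-free capture described above, as an added example that is not code from Varutra's tool or from the original page: a minimal landing-page handler in Python that ties each submission to the recipient through a signed tracking token in the phishing link and records only whether the username and password fields were filled in, never their values. The campaign key, the recipient ids and the in-memory event store are assumptions for illustration.

```python
# Added example, not code from Varutra's phishing-simulation tool.
# It shows how a simulation landing page can record THAT a recipient
# submitted credentials without ever storing the password, and how a
# signed per-recipient token in the phishing link ties the submission
# to the right employee. CAMPAIGN_KEY, recipient ids and the in-memory
# store are assumptions for the example.
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical per-campaign secret; a real tool would load it from config.
CAMPAIGN_KEY = b"example-campaign-key-not-for-production"
TAG_LEN = 16  # hex characters of the HMAC tag kept in the token


def make_tracking_token(recipient_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Build the token embedded in each recipient's phishing link (?t=<token>).

    The token carries the recipient id plus an HMAC tag, so a token altered
    in the browser cannot attribute a click to a different employee.
    """
    tag = hmac.new(key, recipient_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{recipient_id}.{tag}"


def verify_tracking_token(token: str, key: bytes = CAMPAIGN_KEY) -> Optional[str]:
    """Return the recipient id if the token's tag is valid, else None."""
    recipient_id, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, recipient_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return recipient_id if hmac.compare_digest(tag, expected) else None


@dataclass
class SubmissionEvent:
    """What the campaign keeps about a credential submission: no secrets."""
    recipient_id: str
    submitted_at: str
    username_entered: bool
    password_entered: bool


@dataclass
class SimulationStore:
    events: List[SubmissionEvent] = field(default_factory=list)


def record_submission(store: SimulationStore, token: str, form: Dict[str, str],
                      now: Optional[datetime] = None) -> Optional[SubmissionEvent]:
    """Handle a POST from the fake login page.

    The password field is checked only for being non-empty and is then
    dropped; its value never reaches the store. That is enough for the
    metric the campaign reports ("submitted credentials at the link").
    Returns None, recording nothing, when the token does not verify.
    """
    recipient_id = verify_tracking_token(token)
    if recipient_id is None:
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    event = SubmissionEvent(
        recipient_id=recipient_id,
        submitted_at=stamp,
        username_entered=bool(form.get("username", "").strip()),
        password_entered=bool(form.get("password", "")),
    )
    store.events.append(event)
    return event


def summarize(store: SimulationStore, recipient_ids: List[str]) -> Dict[str, float]:
    """Campaign statistics of the kind reported in the findings section."""
    submitted = {e.recipient_id for e in store.events if e.password_entered}
    total = len(recipient_ids)
    return {
        "recipients": total,
        "submitted_credentials": len(submitted),
        "submission_rate": round(len(submitted) / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    # Constructed sample: two recipients, one submits on the fake page.
    store = SimulationStore()
    recipients = ["emp-0042", "emp-0043"]
    link = "https://example.invalid/login?t=" + make_tracking_token("emp-0042")
    token = link.split("t=", 1)[1]
    record_submission(store, token, {"username": "alice", "password": "hunter2"})
    print(store.events)      # no password value appears in the stored event
    print(summarize(store, recipients))
```

The design choice worth noting is that the stored event is a fixed dataclass with boolean fields only, so a later report cannot leak a password even by accident, and the HMAC tag on the tracking token means an employee who edits the link cannot be recorded under a colleague's id.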

ACT

After the demo phishing simulation tests succeeded, the phishing emails were sent to the employees in scope of the activity. The Varutra team closely monitored the activity for two working days to track the responses and the data gathered by the phishing simulation tool.

Key Findings & Observations

The phishing simulation activity was performed with automated tools for verification and validation, while the security awareness sessions were delivered manually over a scheduled Microsoft Teams meeting. The evaluation test was conducted after the security awareness training. The findings are as follows.

A. Security Awareness Program and Test

  1. Almost all employees attended the security awareness training.
  2. None of the employees scored less than 30% correct answers.
  3. Almost all the employees who attended the security awareness training scored more than 75% correct answers.
  4. The security awareness program turned out to be a fun learning activity for the organization.

B. Phishing Simulation Activity

  1. Almost half of the employees did not open the phishing email.
  2. The remaining half did open the phishing email.
  3. A certain number of employees clicked the phishing link in the email.
  4. An identifiable number of employees went further and submitted credentials at the phishing link.
  5. A handful of employees reported the phishing email to the incident response team.

C. Key Takeaway

  1. The Varutra team observed that security policies were not configured on the client's network and infrastructure.

Deliverables

The reports and analysis produced by the Varutra team after the activity were collated in a presentable manner.
The following reports were submitted to senior management:

Security Awareness Training
Overview of the entire engagement, the statistics and the roadmap for the activity, along with the results of the test conducted after delivery of the security awareness session.

Technical Report
Comprehensive information, proof-of-concept examples and a detailed view with numeric statistics were presented to senior management, depicting the overall status of the phishing simulation activity.

How Varutra Helped

Our penetration tests have helped numerous clients identify the potential threats and vulnerabilities that could have compromised their entire infrastructure. We assist all of our clients in assessing the potential business and operational impact of successful attacks and exploitation.
Additionally, the client gained the following benefits:

Risk Benefits
We minimized security risks by assessing and analyzing the threats to the client's infrastructure and the associated vulnerabilities, and incorporated solutions in the form of security awareness training with proven methods to enhance the security of the organization.

Cost Savings
We suggested cost-effective risk-mitigation measures and activities, based on the organization's business verticals, that would ensure the security and continuity of the business.

Compliance
As a bonus, the activity could also be used to fulfil compliance requirements for the client.

Conclusion

Security awareness training programs are conducted for varying reasons. The key goals the organization aimed for were:

  • to increase awareness of security issues, and
  • to test detection and response capabilities through the phishing simulation activity.

After the security awareness program, further evaluations were made to develop a robust security architecture and a yearly calendar for the activity.

In the end the organization was able to meet the highest level of compliance and regulation standards, develop better security practices and reassure its customers, employees and board of its continued dedication to best business practices and continued growth.

After the client mitigated the security risks by following the remediations suggested by the Varutra team, the client's infrastructure was secured against the risks uncovered, and the effectiveness of these controls was verified by conducting an evaluation test to compare the employees' responses and learning from the activity.

  • The evaluation test showed that the environment is secure as per industry best practices.

Hence, Varutra assisted the client in meeting compliance standards and regulations by the end of the activity, which will influence the business positively.
