So you’re well on your way to creating a cybersecurity culture in your organisation. You’ve built a foundation of institutional knowledge, and you’ve carefully considered how people, process, and technology play a role. But there’s one more element to think about, and that’s testing. Actually, not just testing: practice is also important. One of our security advisors often says, “You can’t think your way into playing the piano.” Practice will help you achieve cybersecurity resilience.
Have you ever done well on a test that you haven’t practiced or prepared for? Most likely, you haven’t. Your test results will often dramatically improve when you practice. By nature, we approach tests differently than practice. During tests, people often get into a weird headspace. There’s pressure to perform, and that can adversely affect performance. Learning doesn’t really happen in a test environment either.
What does it mean to practice cybersecurity?
IT procedures are a good example of ongoing practice. IT professionals are always practicing some form of response procedure. Tasks such as building systems, changing systems, and configuring systems are exactly the kind of process-oriented practice needed for any event that would disrupt those systems. What’s interesting is that IT may be the only function within an organisation that practices cybersecurity every day. In most other roles, you’re practicing your professional business role, but not so much the cybersecurity part of that role.
The whole point of practice is to exercise a capability so that you can improve without having your performance measured. Not measuring performance allows people to relax and focus on learning.
Types of Practice
- Phishing Practice: Have participants try to identify phishing emails, and reward them for meeting certain goals, such as identifying the clues that make it a phishing email. Then, put all the correct responses in a hat and give away a gift card. It’s always important to use carrots instead of sticks during practice.
- Social Engineering Practice: Get a group together to run through telephone or network pretexting scenarios. First, have someone run through the scenario in the correct way, then give everyone a turn to do it themselves. The body and the mind need to build a memory of these things, and practicing is a great way to do that. You can also try an in-person vendor impersonation role-play scenario.
- Undocumented Disaster Recovery Practice: This includes system restoration, backup restoration, and changing over to alternate sites / equipment. You should also practice manual process testing and downtime procedures.
Now You Are Ready to Test
Testing gives you assurance that your controls are working as designed and intended, and it includes:
- Social Engineering: Network and customer telephone pretexting can ensure that employees know how to identify fraud attempts. Phishing emails will help ensure they know how to identify fraudulent emails and websites. Both will also enable you to ascertain if you’re providing the proper training.
- Audits can help you determine if processes are working, and allow you to confirm that everything is operating according to policy.
- Perform external penetration testing to ensure your perimeter defense is properly configured, patched, and monitored.
- Internal configuration analysis and vulnerability scanning can help ensure hosts are properly hardened / configured, patched, and monitored.
- Disaster recovery testing will ensure that alternate sites, equipment, and connectivity are functioning as expected.