Three Cybersecurity ‘ACT’ions to try in 2019

Nilufar Mehr
Walmart Global Tech Blog
Jan 19, 2019

In 2018, cybersecurity and large-scale data breaches dominated headlines. Now more than ever, it is crucial for businesses to provide their employees training and resources to protect themselves against a growing list of cyber threats. To kick off 2019, our Information Security Awareness, Communication and Training (ACT) team has compiled a list of tips and some of our favorite tactics to drive security awareness and better behaviors among employees.

Make Awareness Memorable

In a sea of endless information, to-do lists and too many emails to count, it can be a challenge to make your security message break through workplace clutter. This past October, for Cybersecurity Awareness Month, our team took a “shock and awe” approach with a total screen takeover at our corporate offices. When associates walked into their building, turned on their laptops or walked into a conference room (anywhere there was a screen), they saw this:

Just the idea of a breach created a heightened sense of urgency, prompting people to proactively seek out information that would help prevent a real breach scenario. We were able to measure the success of our little social experiment from the peak in traffic on our internal Information Security awareness, training and communication channels.

Another way to make your security awareness program memorable is to add in a little fun and gamification. Our team hosts cybersecurity escape rooms for teams to learn best practices together and we conduct contests and trivia games that are engaging and make learning about cybersecurity fun!

Cybersecurity escape room

Reinforce Secure Behaviors

Awareness and training efforts won’t move the needle alone; you must also focus on driving more secure behaviors. Social engineering and phishing continue to be a huge threat for organizations of all sizes. As attacks become more sophisticated with the use of artificial intelligence and machine learning, even the most knowledgeable staff can be fooled into letting their guard down. We spend time educating, reinforcing and testing secure behaviors across our global workforce through an ongoing “catch a phish” campaign. Through this program, we send associates fake phishing attempts that include subtle red flags commonly seen in phishing attempts by nefarious actors. This trains associates on things to watch out for before they click.

Fake phishing attempt

Depending on the action they take, we provide instant feedback that reinforces the correct way to report a suspicious email and congratulates those who follow the correct process. We’re then able to measure the effectiveness of these campaigns and provide company leaders a dashboard showing the increase in correct reporting of our test phishing attempts. We’ve found this campaign helps our associates sharpen their ability to spot potentially malicious phishing attempts and reinforces secure behaviors at work and at home.

Train Technical Teams

Information security training is a year-round effort that takes constant diligence to respond to new tactics used by adversaries. Partnering with your company’s developer community to host valuable training events is a great way to provide resources and development opportunities for technologists to sharpen their skills. We provide our technology teams ongoing and on-demand training opportunities that can be tailored to the specific needs and skill level of a team or individual. Some examples include capture the flag events, tech talks, lunch ‘n learns, and a variety of other training opportunities in the form of computer-based learning and instructor-led training events. This reinforces the importance of security, creates the most value for time spent in training and encourages future engagement.

At Walmart, we believe security is everyone’s responsibility and we take pride in our efforts to arm associates with the knowledge, skills and behaviors needed to protect themselves, the company and our customers. We hope this list will help *spark* some ideas for ways you too can take cybersecurity ‘ACT’ion in 2019. For more great ideas, check out the Cybersecurity Awareness Month blog post from our team in India and this blog about how Jet integrates cybersecurity into its culture.
