COI Report – Part VII
Page 275 of 425
801. Use real-life incidents – Concrete examples of breaches and other security headlines should
be used in the programme, to add realism and legitimacy to security awareness efforts. As explained by Vivek, sending staff generic messages about cybersecurity and awareness is ineffective – no one reads these messages in the way they should. What works far more effectively is the use of narrative and storytelling – using real experiences and examples of cyber incidents to illustrate the key learning points for staff is more effective as the staff are more likely to read and understand the information provided to them. Moving forward, the Cyber Attack itself can be used as a useful storytelling implement to educate users on many aspects of cyber attacks, including APTs.
802. Test effectiveness of training – Simply waiting for a security breach to test employee readiness cannot be the right strategy. Mock attacks staging simulated social engineering campaigns should be executed, to assess whether the number of staff falling for them is decreasing. Apart from phishing emails that seek to entice users to click on malicious links, simulated attacks should cover other social engineering scenarios, such as requesting users to divulge user credentials to the ‘helpdesk’. In addition, organisations should go beyond using emails in their simulations, for example by making impersonation phone calls to employees.
803. Reward good performance – As previously mentioned, in the wake of simulated phishing attacks, SingHealth staff who responded to phishing emails twice or more are also given additional attention. They are requested to attend IT security briefings to become more aware of the risks, and in the recent exercise in February 2018 such staff also received a formal letter, with a copy to their direct report, signed off by both SingHealth GCIO Benedict and Dy GCEO Prof. Kenneth, to strongly remind them of the need for vigilance. Aside from the use of brickbats, staff who perform well in the training and simulation exercises should be recognised and rewarded. Incentives help encourage behavioural changes, and some companies have turned to using gamification to make security awareness education more compelling, e.g. points and prizes may be awarded to employees who flag a phishing message.