In order to measure the effectiveness of a Security Awareness Program and track metrics/trending throughout the course of a given year, SecureState performs Social Engineering Testing. Social Engineering is a technique that relies on weaknesses in human nature, rather than weaknesses in hardware, software, or network design. Attacks are successful because they target basic human nature. Humans are susceptible to persuasion and manipulation through various methods.
It is not hacking that results in the most damaging penetrations into an enterprise's security system. It is often the work of an employee within the enterprise that causes the most harm. In most organizations, security measures are focused on attacks from the outside. The insider threat usually is ignored, although it is an important area of concern. SecureState will use Social Engineering to determine the effectiveness of your Security Policy Procedures (SPP) and the awareness training surrounding these policies.
Depending on the type of Social Engineering test being conducted, SecureState will target specific users/groups and collect data on successful attempts to either have users click on phishing links or provide information. SecureState will collaborate with your organization to determine the composition of users prior to the engagement. We can categorize the user population by department, shift, employee level or geographic area. We then randomly select individuals from each group, with the sample proportional across the demographics chosen. Typically, SecureState recommends not excluding specific user groups or departments, such as executives/maintenance.
The tracking of results will be done on SecureState’s secure MyState portal. This will allow for the effectiveness of the awareness program to be tracked throughout the year. If results do not improve, changes can be made to the program to increase effectiveness.
SecureState will deliver to your organization a comprehensive report showing screenshots, detailed conversations, names, and links back to the information we found. SecureState also will provide an information linkage diagram (if applicable) showing how your company information is linked together. This will show you visually, from a high level, the source or sources of the information. Lastly, we will provide a detailed professional analysis of the information found as well as a comprehensive risk rating for your organization. This is determined by considering the sensitivity of the information found as well as how your company rates compared to other similarly sized organizations.