Cybersecurity training: one company's perspective.
Target Senior Director of Cyber Security provides tips to promote cyber security culture.
At the (ISC)² Spotlight this week, Brenda Bjerke, Senior Director of Cyber Security at Target, spoke about how her company has introduced cyber training in an engaging manner. She discussed techniques for promoting a cyber security culture. She also explained methods her company used to bolster security and promote collaboration.
Collaboration is crucial to combat criminal activities.
Bjerke highlighted the importance of collaboration with other companies and explained how cybercriminals are collaborating with each other to create a “gig economy.” Threat actors often occupy one spot in the market, be it creating malware, negotiating ransoms, or distributing malware, and collaborate with other threat actors to achieve positive results (or negative for the victims) with widespread campaigns. Collaboration among industry partners, in the form of sharing information about new attacks and successful methods for thwarting campaigns, is therefore crucial to promoting a safe online environment for companies.
Make training engaging and fun.
She also explained how her company has implemented new cyber security training methods with the objective of “Delivering a fun and engaging learning experience for our team members, focused on top risks, in order to promote a culture of working securely.” One such method that stands out is the “Capture the Red Flags Phishin’ Tournament,” in which the cyber security team sends fake phishing emails to the enterprise and employees attempt to spot them. A trophy is awarded to the person who finds the most phishing emails. Their training also includes campfire cyber stories and a team escape room activity where the members are required to answer cyber security questions.
Build your own phishing emails.
On the technical side of training, Bjerke highlighted that ‘gamifying’ activities like writing secure code seems to be an effective method to promote secure coding practices. She also explained that some training includes building your own phishing email to better understand the methods that can be used to phish for information.
TOAD attacks are trending.
An interesting trend Bjerke brought to light was the large number of phishing emails that included an 800 number instead of a link to a malicious website. Telephone-oriented attack delivery (or TOAD) is a method of social engineering that tries to acquire credentials from targets through malicious call centers. Target developed a method of creating fake TOAD emails with 800 numbers which, when called, played a message explaining that the caller fell for a TOAD attack.
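
The trait described above, a message that carries a toll-free callback number and no link, can be turned into a simple mail-triage signal. The following is an added example, not something shown in the talk or used by Target: the function names, the sample messages, and the extension from "800" to the other North American toll-free prefixes are assumptions made for illustration.

```python
import re
from email import message_from_string

# North American toll-free prefixes. The article only says "800 number";
# the wider list is an assumption added for this example.
TOLL_FREE = ("800", "833", "844", "855", "866", "877", "888")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)

def body_text(raw):
    """Join the text/plain parts of a raw RFC 5322 message (no transfer decoding)."""
    msg = message_from_string(raw)
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def toll_free_numbers(text):
    """Return toll-free numbers found in text, normalised to NXX-NXX-XXXX."""
    return ["-".join(m.groups()) for m in PHONE_RE.finditer(text)
            if m.group(1) in TOLL_FREE]

def triage(raw):
    """Flag a message that asks for a call to a toll-free number and has no link."""
    text = body_text(raw)
    numbers = toll_free_numbers(text)
    has_link = bool(URL_RE.search(text))
    return {"numbers": numbers, "has_link": has_link,
            "toad_candidate": bool(numbers) and not has_link}

# Constructed sample messages (not real mail); 555-01xx numbers are fictional.
SAMPLE_CALLBACK = ("From: billing@example.test\nSubject: Subscription renewed\n\n"
                   "Your plan was renewed for $349.99. To cancel, call "
                   "1 (800) 555-0100 within 24 hours.\n")
SAMPLE_LINK = ("From: it@example.test\nSubject: Password reset\n\n"
               "Reset at https://example.test/reset or call 888-555-0199.\n")
SAMPLE_PLAIN = ("From: colleague@example.test\nSubject: Lunch\n\n"
                "Lunch at 12? Call my desk at 612-555-0142.\n")

if __name__ == "__main__":
    for name, raw in [("callback", SAMPLE_CALLBACK), ("link", SAMPLE_LINK),
                      ("plain", SAMPLE_PLAIN)]:
        print(name, triage(raw))
```

Plenty of legitimate mail contains a toll-free number and no link, so the flag is best used to route a message for review or to add a banner, not to block it.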