The week of security at Werkspot / Instapro

Last week we organized the week of Security. A week dedicated to increasing the security awareness of our employees. When it comes down to security you might think our developers and product owners are pretty aware of the risks, but the interest and results show different. This post is about some activities we organized and what we learned in order to improve the security awareness within Werkspot/Instapro.

Gamification

To get started we thought about a way to get everyone motivated. A great way to have everyone involved was adding a competition component. Everyone could earn “Security coins” for each challenge. The one with the most coins at the end of the week could win one of the amazing security prizes. The winner would receive the Security Gnome!

Dedicated Slack Security Channel

At Werkspot/Instrapro we are big fans of Slack. To get started we asked everyone to join our security channel. This way we can communicate certain security risks and no matter whether someone is working from home, at the office, or be commuting, all of us are pretty quickly up to date.

Surprisingly this resulted not only in people joining the channel, but started to share security issues and helping each other out. Pictures of unlocked machines, keys at desks and paper at printers that were left behind were mentioned in this channel.

Daily security tips & posters

To keep everyone engaged in this week of security, we put up some simple posters about the do’s and don’ts on security. Related to this we send daily tips on how to handle phishing emails, multi-factor authentication (MFA) and awareness of your social activities in relation to security.

Phishing emails and follow upphishing.png

By Tselmuun.mn (Own work) [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)%5D, via Wikimedia Commons

Receiving spam is something we all receive in our inboxes on a daily basis. To train our employees we use Phishme to send Phishing emails and support the ones that do click on the link by providing training.
Phishme is providing plenty of scenario’s and templates for catching a recipient on matters of urgency, emotions or even “great deals”. We decided to send emails about losing your last year’s vacation days as well as tax-related messages. In multiple languages, we provided training material so people were still able to read what they could improve. Within a couple of months, we will do the same exercise and see if we improved the awareness.

Show how to crack passwords

It’s great to inform people about the risks and warn them about the way they choose passwords or don’t make use of MFA, however, showing how hackers actually could resolve your password is making the risk more real.
We invited the whole company to join a session where we showed the different ways of brute force login on a website, social engineering for retrieving the password and a live demo of using the tool Hashcat to decrypt passwords.

With a database of 20k encrypted passwords within minutes, we decrypted a couple hundred. Most of the people were amazed by seeing a plain text password coming out of a hash that actually worked to log in to a real website.

Final words

The week of security is, with a small amount of effort, a great way to improve security awareness in any organization. Even as a tech company there is enough to learn and enough material available to increase this awareness. My main takeaway is, provide enough information, make it rewarding to join and show some real-life examples of how certain security issues happen.