CASE STUDY

Our Information Security team brought innovation and data-driven intelligence to programs designed to help our people avoid social engineering scams.

Call for change

Our organization is a large, globally dispersed professional services company that handles a lot of sensitive information. We work with—and handle the sensitive information of—numerous Fortune 500 companies, as well as nearly half a million employees who work in our offices, from home, at client sites and while on the go. When it comes to keeping information secure, our people are both our greatest asset and our biggest vulnerability. The increasing sophistication of social engineering techniques, coupled with the large volumes of e-mail and the use of numerous communication channels, creates more opportunity for employee errors. We needed a social engineering program for all our people that would assess, demonstrate and continually reinforce the best security behaviors in our fast-paced, digital lives—helping to keep information secure on all fronts, at all times.

Our Information Security group is charged with protecting the information of Accenture, its clients, its business partners and employees. Social engineering programs address some of the key risks around protecting data.

When tech meets human ingenuity

To address social engineering threats, our Information Security organization mobilized to develop and run a formal social engineering awareness program. Information Security now conducts regular social engineering tests to identify behavioral risks related to phishing. It uses a variety of learning assets to inform our workforce on how to recognize social engineering indicators and the malicious tactics that threat actors might use to gain access to sensitive information. Custom-made educational materials help employees understand the risks and consequences of falling victim to social engineering. Gamification, video and animated microbursts of learning content build a robust (and enjoyable) portfolio of learning assets.

Constant improvement

Test results are also used to measure and improve the overall effectiveness of the awareness program.
People are key to all behavior change programs. For our social engineering awareness programs, the goal is always to help employees understand their critical role—at an individual level—in keeping information safe. Learning assets are developed on relatable topics like ransomware, business e-mail compromise and charitable giving. Messaging for our people around identifying social engineering indicators, personal accountability and clear consequences for failing to recognize threat characteristics is embedded in the assets, which are deployed regularly on themes reflecting timely security industry trends.
Regularly distributed “spoof” phishing e-mails test our employees on their understanding and ability to recognize social engineering attacks. To pass the tests, recipients must not click on any links or attachments. Our people are encouraged to report any suspicious e-mails to the Accenture Security Operations Center using the “Report Phishing” icon in Microsoft Outlook. Employees who don’t pass these tests are asked to complete specific learning assets and may be enrolled in more involved training and a consequences program.
Three technical components were implemented to improve our people’s decision-making when it comes to e-mail-based threats:

1. A feature that displays “[External]” in the subject line of every e-mail received from outside Accenture.
2. A warning message inserted at the top of e-mails coming from external sources, as an added visual cue.
3. URL and attachment validation technology applied to every external e-mail to verify that links and attachments are safe.

A valuable difference

Since launching the program, our social engineering test failure rates have decreased significantly, demonstrating employee adoption of desired secure behaviors.

"Our behavior change programs are rooted in data. We measure adoption and benchmark ourselves rigorously and adjust approaches, so we can maximize the user experience as well as the benefits of each solution."
— Urszula Fabiszak, Managing Director – Information Security, Change Strategy and People Programs

Our people (where legally permissible) are tested quarterly on their ability to identify threats and respond appropriately. Employees are encouraged to report suspicious e-mails to the Accenture Security Operations Center with the "Report Phishing" icon in Microsoft Outlook. Those who fail multiple phishing tests have their external e-mail redirected to their junk folder with links and attachments disabled. The program continues to evolve based on its results, driving constant improvement, including the development of a consequences program that is designed and administered regionally based on local laws and policies. Our Information Security team is dedicated to staying ahead of threat trends and incident patterns, using gathered intelligence to formulate leading-edge,
immersive learning assets. These help our people stay alert before threats are headlines.
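As an added example, not Accenture's own configuration: the first two of the three technical cues described above (the "[External]" subject tag and the warning banner at the top of external mail) expressed as one Exchange Online mail flow rule. It assumes an Exchange Online tenant, the ExchangeOnlineManagement module and an administrative session; the rule name and banner wording are placeholders, and the third cue (link and attachment validation) is a separate scanning service rather than a transport rule, so it is not shown.

```powershell
# Added example, not Accenture's configuration. Assumes Exchange Online and the
# ExchangeOnlineManagement module; rule name and banner wording are placeholders.
Connect-ExchangeOnline

# Cue 2: an HTML banner prepended to the body of every message from outside the tenant.
$banner = @"
<div style="border:1px solid #9c6500;background:#ffeb9c;padding:8px;font-family:sans-serif;">
<b>CAUTION:</b> This e-mail came from outside the organization. Do not click links or open
attachments unless you recognize the sender and know the content is safe. Use the
"Report Phishing" button if anything looks suspicious.
</div>
"@

# Splatting keeps each setting readable and lets the comments explain the intent.
$rule = @{
    Name                              = "Tag external mail"
    FromScope                         = "NotInOrganization"   # sender is outside the tenant
    SentToScope                       = "InOrganization"      # recipient is inside it
    PrependSubject                    = "[External] "         # cue 1: subject tag
    ApplyHtmlDisclaimerLocation       = "Prepend"             # cue 2: banner at the top of the body
    ApplyHtmlDisclaimerText           = $banner
    ApplyHtmlDisclaimerFallbackAction = "Wrap"                # still deliver if the body cannot be edited in place
    Priority                          = 0                     # evaluate before other rules
    Enabled                           = $true
}
New-TransportRule @rule

# Verify the rule is active and reads back with the intended scope and actions.
Get-TransportRule -Identity "Tag external mail" |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject, ApplyHtmlDisclaimerLocation
```

The rule has no exception for subjects that already contain the tag, so a long external thread can accumulate repeated "[External]" prefixes; any exception added for that should be weighed against the fact that it exempts the whole rule, banner included.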