Editor's Note: This is a guest blog post from Cheryl Conley, head of Lockheed Martin's Security Education and Awareness team. Lockheed is one of the most targeted (and phished) organizations in the world. Below are her thoughts on phishing as we kick off 2015.
Happy New Year!
I trust everyone had a good holiday, with some welcome downtime and a chance to reflect on 2014. While at times my mind was racing with what's next on the Security Awareness horizon, I did have the time to look back on 2014. We had a great, impactful year at LM, and I owe that success to our small team. This includes a call-out to our advocates across the corporation.
In my last blog I mentioned a discussion surrounding one of our most frequently asked questions: "What do you do to reward good behavior?" Before I elaborate on any details, it's my own personal opinion that if you're employed by a large corporation, or by any business that provides education and awareness material, you are responsible for handling all company assets appropriately. In my view, rewarding employees for protecting LM information and property fits squarely in our job jar. Beyond that, rewarding every report of a phishing e-mail into the CIRT has resource ramifications:
- Each monthly e-mail test brings with it well over 400 submissions into the CIRT resource mailbox (I believe we topped out at ~850).
- The team is committed to responding to each one, typically with a template to which we add a contact name. This usually consumes 2-3 FTEs for 2 days.
- Some of these submissions come with questions, and at times generate e-mail support ping-pong that adds labor to an already intense couple of days. It is another drain, but it generates great dialogue and gives us a look at what these employees are thinking (or not!).
All that being said, we do have a process in place to recognize employees who go beyond the call of duty. If an employee submits what they believe to be a malicious e-mail and identifies the red flags within that suspect e-mail, the team generates a Cyber certificate with a thank-you. This certificate is sent to the employee with a cc to their leader. The list of these employees is included in our monthly metrics package to the Business Area Information Security Officer. We can handle the labor surrounding this effort, but may have to get more selective if the numbers skyrocket. Hats off to the team for implementing this; it's been a great success and goes a long way toward promoting our mission.
I hope to take another deep dive into the "easy button" concept for reporting phishing e-mails, working closely with our CIRT and technical teams. The intent would be to develop back-end handling that can recognize and respond to submissions of our known e-mail tests, and possibly send generic responses regarding other suspect e-mails. I would be interested in understanding what other folks are doing in this space and their lessons learned, especially whether the "easy button" turned out to be too easy, generating another resource hit for the awareness team and CIRT.
BIO: Cheryl Conley has held the Sr. Manager position for the Security Education & Awareness Team in the Corporate Information Security organization for the past 6 years and recently also assumed the role of Business Area Information Security Officer. She started her career with the company in 1983; her past experience includes computer operations, customer service, systems engineering, and program support. She has participated in the creation of information security policies, operational readiness reviews, encryption technologies, and employee development. She has managed numerous successful teams, including The I Campaign®, teaches several classes within CIS, and has a passion for the Security Awareness arena. She holds a Master's degree in Information Technology and obtained the CISSP in December 2005.