The reason for this is the explosion in cyber threats. More and more IT departments rely on penetration tests or bug bounty programs, and simulate cyber attacks to raise their employees' awareness. Whether the goal is to check the security measures or the employees' digital reflexes, simulating cyber attacks sharpens the perception of cyber risks.
The Simulation Business Is Booming
Today more and more companies offer penetration tests as well as practical exercises for employees. Role-playing games, simulated cyber attacks: the development of a cybersecurity culture in companies is becoming increasingly immersive. Whether the aim is to review security measures or employees' digital reflexes, such activities can increase awareness of potential threats.
Pentesting and bug bounty programs, in which a product or a network infrastructure is attacked to prove its robustness and security, are now common in the cyber world. Companies often even bring in external providers to have their security precautions checked.
“With black box pentesting, the person in charge has access to real data and will try to attack the network from the outside,” the experts explain. “On the other hand, you can give the person in question access to code and procedural rules so that they can try to circumvent the protective mechanisms by proofreading the code. This is called white box pentesting.”
Traps Can Help Raise Awareness
A recent IBM study featured on the blog secure found that human error accounts for 95% of a company's security breaches. In other words, handling the human factor correctly could close most of the gaps, since protecting the perimeter alone is insufficient and any person can become an attack vector.
However, because such operations are costly, not every small or medium-sized company can afford to run such cyber exercises. For this reason, CISOs tend to take inspiration from the principle of Red Team versus Blue Team role-play and run it on a smaller scale.
To create realistic conditions, the employees to be attacked should know nothing about the exercise. For example, an employee in the HR department could unknowingly be set up to check whether the necessary protective measures for a file with personal data have been implemented correctly. Others would then have to try to gain access to this file using various technical or social methods.
The challenge is to combine the penetration test or role-play exercises with effective awareness-raising. “So you have to take the time to put the exercise into a more general context and analyze the cyberattack step by step to be able to draw all the lessons from it,” he continues. “Sometimes it is even an advantage to repeat the practical exercise a few months later to see whether the behaviour of the employees has changed and whether the security precautions for such attacks have also been understood.”