Cybersecurity Awareness Journey 2019 at Walmart Labs India

admin


Recent studies show that CIOs allocate a considerable share of their budget to technical controls that mitigate cyber risk. However, it is imperative to acknowledge that even the most expensive controls are not enough. While security researchers and cyber experts are worried about new threats like Meltdown and Spectre, the enduring problem of employee ignorance is still at large. Security teams have spent significant time and energy attempting to curb insecure employee behavior, but the problem persists and attackers are only becoming more advanced. At Walmart Labs, we have been championing security awareness initiatives aligned to company goals, policies, and standards. We spearhead our awareness activities through weekly awareness emails, security sessions and campaigns, Capture the Flag contests, fun crypto games, and a state-of-the-art phishing program.

Role-Based Awareness Initiatives

One size doesn't fit all. In a heterogeneous organisation with application developers, architects, HR, finance and allied support services, we are planning to mature security awareness training into a role-based model that imparts training based on the job functions each associate handles.

As a kickoff step, we have identified the developer job family as the associates who must complete a mandatory annual training program on the OWASP Top Ten vulnerabilities. Though the tech stack used in every project is unique, this language-agnostic online training allows developers to identify the security ramifications of the code they write.

Bolstering this critical understanding of how to develop secure applications benefits both their career path and the organisation's security stance in the long term. The awareness team is also in the process of designing a curated training program for the finance and HR groups who handle highly sensitive PII (personally identifiable information) and PCI (payment card industry) data.

Learning from Recurring Incidents

The security awareness team has tailor-made communication content based on real incidents raised by the incident management team. To illustrate, this is how we created awareness of password security at our organisation. There were incidents in which associates inadvertently shared private key details in messaging apps, and service account passwords were shared in plaintext on the company intranet.

While covering password security through emails and posters, we went beyond giving the regular advice of using long and strong passwords.

We explained to our associates how to share sensitive tokens securely using encryption-based tools. We provided training on the secure storage of passwords using salted hashing. Further, the training programs also covered how to secure HTTP cookies exchanged between a web server and a browser using the HttpOnly and Secure flags in the HTTP response header.

The Human Face of InfoSec

The security team has been notoriously sidelined by application teams as a road blocker for production rollout.

To change that perception, InfoSec conducts a monthly open house on the security risk compliance process, where associates can interact with our risk analysts and get their queries clarified instantly. We made sure that all the application teams are aware of the security review process and that the InfoSec team is always available for proactive security consulting from the start of their SDLC. We conducted two awareness campaigns, Human Firewall in June and CtrlAltDel in October, to reiterate the importance of security and to build employee engagement through interactive surveys and quizzes.

Sneak Peek at our Security Awareness Campaign: CtrlAltDel 2019

CtrlAltDel timeline

In October, the InfoSec team came back with the cyber security awareness campaign CtrlAltDel, with the overarching theme 'Own IT. Secure IT. Protect IT.'

Preparation work for the campaign: To set the background up, we designed custom danglers and tent cards with cyber messages in collaboration with our internal comms team and placed them at all cubicles and on all floors. Associates and vendors were informed about how to access Walmart policies and standards and about their importance in protecting our assets. They were given handy information about how to report a breach and the contact number to reach in case of theft or accidental loss of Walmart laptops or any other company assets.

Tent cards and danglers

Roadshow: We kickstarted our campaign with a roadshow. InfoSec associates visited all the facilities in Bengaluru and Gurgaon, giving a heads-up on the CtrlAltDel calendar.

It was a very interactive and information-packed five-day session, with cyber quizzes and brief security tips shared with associates all over India. To add to the fun, goodies from InfoSec became a huge hit at our offices.

Roadshow

External Speaker Sessions: Jatinder Pal Singh, Director of Product Security at Informatica, discussed "The State of the Security Operations Centre". Jatin pointed out that with an ever-increasing number of touch points within and outside our software products, cyber risk has increased to a degree that adopting a purely preventive approach to product/data security is no longer enough. In a scenario like this, where a breach is only a matter of "when", he discussed his experiences in detecting and responding to cyberattacks on software products. Dr. S. Murugan IPS spoke about recent trends in cyber crime and shared his law enforcement experiences on 21st October. He gave tips to stay safe online, briefed associates about dark-net issues, and shared a social media hygiene checklist.

External speaker sessions

Cryptex Contest: The InfoSec team launched a CTF, challenging cyber enthusiasts with three Hall of Fame questions on cryptography and web security over five days. The three Hall of Fame problems were named so because they were part of another CTF conducted several months ago.

That CTF had around 20 problems, of which only these three remained unsolved. So we decided to put these problems up again as a challenge for associates to solve during security awareness month. To our delight, we received correct solutions for two of these three problems, and the solutions revealed the amazing cryptography-related talent present among our associates.

Cryptex Contest

We concluded our action-packed calendar with a cyber treasure hunt, Clash of the Cipher, across all the offices in Bengaluru.

Winners of the contests were given rewards, including swag and goodies along with public acknowledgment on company social media platforms.

Clash of the Cipher: treasure hunt clues

The CtrlAltDel awareness campaign ensured that associates are empowered to act as human firewalls who can reach out to the security team for any clarification at any time. At Walmart Labs, we take pride in believing that security is everybody's responsibility. We want to continue our security awareness journey next year with better ideas to seamlessly integrate cyber security into our personal and professional culture.
