Associates Urged to be Vigilant During Cyber Security Awareness Month

The email that arrived in Exchange inboxes Oct. 5 seemed innocuous: “Effective as of September 15th, 2020 we released an updated Employee Handbook,” began the note purported to be from human resources.

“Employees” were instructed to click on a link to provide an electronic signature. But it was a trick—and a test. Anyone who clicked the link was taken to a message from the Exchange’s IT cyber security awareness team alerting them that they were responding to a phishing simulation and not a legitimate request from the Exchange’s Human Resources directorate.

“The funny thing is, we don’t even have an employee handbook, we have EOPs,” Exchange Data Security Analyst Becky Burkheart said. “There are all sorts of clues you can detect. For example, we aren’t employees. We are associates.”

The test was sent out to draw attention to how the Exchange combats malicious emails, bots and other intruders as it observes Cyber Security Awareness Month in October.

“Each associate needs to understand that they are on the frontlines on the war against cyber intrusions,” Burkheart said. “We can put up all the firewalls in place, but our main weapon is the vigilance of the Exchange workforce.”

The Exchange’s Intrusion Detection and Prevention Team protects the organization with network security tools that include anti-virus software, data loss prevention defenses, firewalls, web proxies and intrusion prevention sensors. Email is protected by safety protocols that filter spam, phishing schemes and malicious emails.

Security measures also provide remediation when systems are attacked and forensic reviews to provide detailed statistics for malware analysis and investigations.

But the best weapon against intrusions is vigilance.

“The investment in our associates gives us back so much more than any cutting-edge technology does,” said David Drake, IT intrusion detection and prevention manager. “Our associates provide us with much more awareness than our tools.”

Of the 17.1 million messages sent to the Exchange during the past 30 days, 81% were considered threats. Most threats were intercepted, and others were categorized as spam.

After the intruders were weeded out, 2 million emails were delivered to Exchange inboxes.

One of the tools the cyber security team uses is an interactive portal designed by Burkheart that provides quizzes, games and tips to help associates spot cyber intrusions.

“We try to use ‘gameification’ in what we want to teach instead of just providing lectures,” Drake said. “People want to win the game and they learn more in the process.”

The portal includes serious messages behind the fun, including documents that are informed by the Department of Homeland Security, which provides guidance during Cyber Security Awareness Month.

“We want to emphasize the positive,” Burkheart said. “If you look for clues and report the spam or the phish, you aren’t just protecting the Exchange. You can take this knowledge home and safeguard your family.”