
Solar Security Awareness Information Security Skills Management

Product
The name of the base system (platform): Solar MSS
Developers: Rostelecom-Solar (formerly Solar Security)
Date of the premiere of the system: 2018/10/15
Last Release Date: 2019/09/02
Technology: Distance Learning Systems

The Security Awareness service is designed to increase the company's resilience to the human factor. Employees learn to recognize malicious emails, identify dangerous sites, choose strong passwords, and protect data stored on mobile devices.

2019: Supplementing the platform with descriptions of updated phishing attack methods

On September 2, 2019, Rostelecom-Solar announced the release of an updated version of the Security Awareness platform, designed to improve staff cyber literacy. The training course is supplemented with descriptions of phishing attack methods that became widespread in the first half of 2019, and the ways of checking how well theoretical knowledge and practical skills have been learned are also expanded. Such training allows organizations to reduce phishing efficiency by more than 2 times. The platform is based on the solution of the Antifishing vendor.

According to statistics from the Solar JSOC Cyber Attack Monitoring and Response Center, in 2018 about 70% of complex targeted attacks began with phishing. On average, every 7th user who has not passed awareness courses falls for social engineering. However, this figure varies depending on the functional unit of the company. In the legal service, on average, every fourth employee becomes a victim of phishing; in accounting, the financial and economic service and logistics, every fifth; in the secretariat and the technical support service, every sixth.

In any modern organization, employees, when hired, study and sign information security regulations. But, as we can see, it does not work: in a month or two, two people forget about security policies and fall for the tricks of intruders. Textbooks, lectures and basic courses are also ineffective: the absence of an interactive part in them leads to the fact that the user receives not practical skills, but only quickly forgotten theoretical knowledge. In addition, the methods of attacks and tricks of fraudsters are constantly changing and improving, and textbooks simply do not have time to keep up with them. With all this in mind, we have laid down three key principles in our Security Awareness platform: frequency of training, regular updating of educational content and, of course, realistic verification in practice. All this helps organizations reduce the number of phishing email discoveries by an average of 64% and, as a result, significantly reduce the risks of successful attacks.

said Alexey Grishin, head of security assessment at Rostelecom-Solar

According to the company, the Security Awareness platform update primarily affected training content. It is complemented by updated phishing attack methods. The main source of malicious email patterns is copies of dangerous mailings received by the Solar JSOC cyber attack monitoring and response center both as part of the provision of its own information security services and during the exchange of cyber attack data with third-party vendors and service providers.

The tools for monitoring the information security skills of employees now include 13 different types of tasks. So, if earlier, when checking the theoretical part, users were asked to choose the correct answer from the listed options, now the control method is diversified. Verification tasks are supplemented with tests in which the user needs to independently enter the answer to the question or compare terms and definitions. This allows a more accurate and comprehensive assessment of the knowledge learned, reducing the likelihood that the employee will randomly select the right options.

At the end of the training cycle, a phishing attack is simulated against company employees using updated scenarios. On average, such training allows organizations to reduce phishing efficiency by more than 2 times and significantly increase employee vigilance in information security issues.

The information security skills training service is provided on the basis of the Security Awareness web platform, which is part of the Solar MSS managed cybersecurity services ecosystem. Platform training and validation content is updated monthly. The parameters of the subscription to the service are managed through a personal account: the ordering company itself determines which user groups should be trained and how often, and also conducts the required number of checks. The information security officer receives complete statistics on the actions of employees (who opened the letter, who followed the link, who reported the attack) and the level of their cyber literacy, as well as data on the vulnerabilities found in the office software and browser.

As a result, users learn to identify phishing emails and dangerous sites, protect their data on mobile devices, and choose secure passwords.

2018: Security Awareness Platform Description

As of October 2018, the service is a distance learning platform with access through a web interface and consists of three elements:

  • a theoretical course on the basics of cybersecurity and protection against social engineering,
  • online testing,
  • and a practical test of the knowledge learned during a training phishing attack on the company.

At each stage, employees are evaluated according to the rating system. They receive or lose points depending on whether they violated the rules for completing the theoretical course, how correctly they answered the test questions and whether they were able to recognize the threat.

All information about the results of employee training is available to the curator in the personal account of the service. The resource contains complete information about the statistics of user actions and their rating. The curator can look at the list of "vulnerable" employees and assign them a second check or an additional course.

The platform, including its personal account, is hosted on Rostelecom's computing facilities.