Information Security Week – Keeping monday.com “Always Secure”
Modern companies face various information security risks and compliance requirements that need to be addressed year-round.
One of the greatest risks is the human factor. It is often said that the weakest link in your cyber defense kill chain is the person behind the keyboard.
In today’s business landscape, companies also need to comply with many local and international standards and regulations, which require ongoing reviews, audits, and execution of routine security-related tasks.
So how do you keep your company secure year-round against numerous cyber risks? How do you stay compliant with all relevant regulations and standards? How do you ensure your employees are always aware of and alert to potential cyber-attacks? How can we assure our customers that any information they put in monday.com, including the most sensitive data, is safe and secure?
The solution we came up with at monday.com is the Information Security Week.
What is Security Week?
The Security Week is a quarterly event that lasts (unsurprisingly) one week, during which the company puts additional effort into security-related tasks. While regular work continues as usual during this week, special attention is given to tasks that contribute to the company’s security posture, help increase employees’ awareness, and ensure we comply with standards and regulations. Since ongoing tasks, and especially security tasks, tend to be backlogged or rarely executed, the Security Week dictates a timeframe in which to prioritize and execute them.
What does a usual Security Week look like?
Figure 2: Security week planning
Preparation for a Security Week begins a few weeks before its scheduled date. The first step is to set the goals of the Security Week (e.g. raising user awareness of physical security, improving security testing in the development process, etc.). After agreeing on the goals, we decide on the specific activities that will be executed during the Security Week in order to meet these goals (e.g. drills, charades, contests, etc.). These activities are combined with the routine activities scheduled for that particular week (e.g. policy reviews, quarterly drills, etc.). Afterward, we set a day-by-day plan in order to get the most out of the Security Week.
When the date of the Security Week arrives, it begins with an opening ceremony in front of the entire company. At monday.com we have a brief company update meeting at the start of the week, but under different circumstances you can always use email or any other collaboration tool you have (e.g. Slack, monday.com) to announce the beginning of the Security Week. We use this opportunity to remind everyone (especially new employees) what the Security Week means and what activities they should expect during the week.
As the Security Week continues, we go through the schedule and complete all the planned tasks.
At the end of the week, we hold a closing ceremony, this time using the opportunity provided by our weekly company meeting. In this ceremony, we detail the activities that took place during the week, reinforce noteworthy conduct by employees, and discuss aspects that need improvement.
What special activities can take place during a Security Week?
A few examples of special activities you can consider incorporating into your Security Week are:
- Phishing drills:
In a recent security week, we carried out a phishing campaign against the company, using a fictitious character that contacted various employees in order to obtain sensitive information about them. In the closing ceremony, we revealed the scheme in front of the company, detailed what information we were able to obtain and provided concrete examples of how this knowledge can be used in a cyberattack against the company.
- Physical security drills:
You can conduct tailgating drills in order to increase awareness of this often-overlooked threat.
We also perform clean desk reviews by going through the office during lunchtime or after work hours and identifying sensitive information left in unsecured locations.
- Security incident identification drills:
Simulate security incidents to assess the company’s preparedness in handling them according to your Incident Response Plan (IRP).
- Security hackathon:
A hackathon focused on security features developed for the company’s solution. Its contribution is twofold:
- It increases developers’ awareness of product security in general.
- It directly contributes to improvements in the product’s security features.
- Security workshops:
You can take advantage of the Security Week to run security workshops for the different departments in the company, e.g. a secure development workshop for developers, a session on identifying security issues in support tickets for the support department, an overview of the product’s security features and best practices for the sales team, and more.
- Disaster Recovery (DR) drill:
We take advantage of the Security Week to conduct our annual DR drills. This keeps us always ready for any disaster scenario and helps us comply with standards and commitments to customers.
- Security charade:
In a previous Security Week we ran a charade throughout the week. Every day we sent a short quiz composed of multiple-choice questions to all our employees, covering topics such as phishing awareness, acceptable use, data handling procedures, and more. At the end of the week, the three employees with the most correct answers were declared the winners and were awarded during the week’s company meeting.
Measuring the Security Week’s effectiveness
Every effort must be measured for its effectiveness and impact. Without measuring the effectiveness and impact of the Security Week, we cannot know what is working and what needs improvement.
So how do you measure the effectiveness and impact of the security week?
We have decided on two goals: improving employees’ awareness, and maintaining compliance with international standards.
Measuring the compliance goal is straightforward: successfully maintaining our information security certifications means we are on track.
As for measuring employee awareness: we look for an improvement in the results of the drills. For example, if an initial incident response drill reveals that only 25% of our employees were able to quickly identify and alert us to the incident, we would expect that percentage to increase in the coming Security Weeks.
Dedicating routine time frames to tackling ongoing security tasks and increasing employees’ awareness can be a great aid in improving your company’s security posture. For us, the concept of quarterly Security Weeks has proven to bring a positive impact while maintaining employees’ interest in an aspect of their day-to-day work that, let’s face it, often appears less than glamorous.
Found this interesting? Want to join us?
We build our security the same way we build everything at monday.com. We’re looking specifically for skilled and experienced security professionals with a passion for working in a dynamic environment. If you’re a team player with strong communication skills, this just may be the team for you. You can see all our open positions here.
If you’re excited by what you just read and our challenges, we will be happy to meet and share the knowledge. Let’s be in touch! 🙂