FEDERAL POLYTECHNIC DAMATURU, SCHOOL OF SCIENCE
AND TECHNOLOGY DEPARTMENT OF CYBER SECURITY
AND DATA PROTECTION.
Title: ASSIGNMENT
By
Maimadu Muhammad sulum
2024/HND/CSDP/020
QUESTION:
1. Design a security awareness campaign for a mid-size company (50 employees) to address growing phishing and ransomware threats.
2. Identify the top 3 vulnerabilities affecting similar organisations.
3. Create a scenario for reporting suspicious activity.
To be submitted to course lecturer
Gana Investment – Security Awareness Campaign
QI. Security Awareness Campaign Design: “Sulum Gana Investment: Secure & Smart Online!”
• Summary: Design of a comprehensive security awareness campaign
for Sulum Gana Investment’s 50 employees to combat phishing and
ransomware threats. The campaign aims to create a security-conscious
culture and empower employees to protect the company’s assets.
• Key Elements:
• Target Audience: 50 employees with varying levels of technical
expertise, including administrative staff, accounting personnel,
investment analysts, and management.
• Goals: The goals of this campaign are to:
• Increase employee awareness of phishing and ransomware threats by
75% within three months.
• Reduce the click-through rate on simulated phishing emails by 50%
within six months.
• Increase the reporting of suspicious activity by 40% within three
months.
• Promote safe online behavior and a security-conscious culture
throughout the organization.
• Theme: “Sulum Gana: Secure & Smart Online!” – This theme is catchy,
memorable, and emphasizes the importance of both security and
intelligence in online activities.
• Communication Channels:
• Email:
• Weekly “Security Tip of the Week” emails with actionable advice.
• Monthly simulated phishing tests to assess employee awareness.
• Regular updates on the latest threats and security best practices.
• Intranet:
• Dedicated “Security Awareness Center” with resources, FAQs, and
training materials.
• Blog posts on relevant security topics.
• A reporting portal for suspicious activity.
• Posters:
• Visually appealing posters displayed in common areas (e.g., break
rooms, hallways) with key security messages.
• Posters with QR codes linking to online resources.
• Training Sessions:
• Monthly interactive workshops on specific threats and security best
practices.
• Guest speakers from cybersecurity firms.
• Hands-on exercises and simulations.
• Lunch and Learn Sessions:
• Informal sessions with food provided, covering specific security topics.
• Q&A sessions with IT security experts.
• Content Examples:
• Email:
• “Phishing Friday” quiz: Test employees’ ability to identify phishing
emails.
• “Ransomware Alert”: Provide tips on how to prevent ransomware
attacks.
• “Password Security”: Explain the importance of strong passwords and
multi-factor authentication.
• Posters:
• “Think Before You Click”: Remind employees to be cautious when
clicking on links or opening attachments.
• “Report Suspicious Activity”: Encourage employees to report any
unusual activity to the IT Security Department.
• “Lock Your Screen”: Remind employees to lock their computers when
they step away from their desks.
• Training:
• Identifying Phishing Emails: Teach employees how to recognize red flags
in phishing emails, such as suspicious sender addresses, grammatical
errors, and urgent requests.
• Creating Strong Passwords: Explain the importance of using strong,
unique passwords and provide tips on how to create them.
• Safe Browsing Habits: Teach employees how to avoid malicious websites
and protect their personal information online.
• Data Security and Privacy: Educate employees on the importance of
protecting sensitive company data and complying with privacy
regulations.
• Implementation:
• Develop a detailed schedule for training sessions and email
communications.
• Create visually appealing posters and intranet resources.
• Implement a system for tracking employee participation and measuring
campaign effectiveness.
• Partner with a cybersecurity firm to provide expert training and support.
• Measurement:
• Track click-through rates on simulated phishing emails before and after
the campaign.
• Monitor employee participation in training sessions and lunch and learn
sessions.
• Measure the number of reported suspicious emails and security
incidents.
• Conduct employee surveys to assess their security knowledge and the effectiveness of the training.
QII. Top 3 Vulnerabilities Affecting Similar Organizations
(Sulum Gana Investment)
• Summary: Identify and explain the top 3 vulnerabilities that commonly
affect organizations similar to Sulum Gana Investment, a mid-sized
investment firm.
1. Phishing Attacks:
• Explanation: Employees are tricked into clicking malicious links or
providing sensitive information through deceptive emails or websites.
Phishing attacks often impersonate legitimate organizations or individuals
to gain trust.
• Relevance to Sulum Gana: Investment firms are prime targets for
phishing attacks due to the high value of the data they handle (financial
records, client information, investment strategies). Employees may
receive sophisticated phishing emails disguised as legitimate business
communications from clients, partners, or regulatory agencies.
• Specific Examples:
• Spear phishing: An email targeting a specific employee (e.g., the CFO) with
personalized information to make the attack more convincing.
• Whaling: An email targeting high-profile executives (e.g., the CEO) with
the goal of gaining access to sensitive company data.
• Business Email Compromise (BEC): An email impersonating a vendor
or partner, requesting a wire transfer to a fraudulent account.
• Actionable Steps for Sulum Gana:
• Implement a robust email filtering system: Use a spam filter that
can detect and block phishing emails.
• Provide regular security awareness training: Educate employees
on how to identify phishing emails and what to do if they receive one.
• Implement multi-factor authentication (MFA): Require employees
to use a second factor of authentication (e.g., a code sent to their phone)
to log in to their email accounts.
• Establish a clear reporting process: Make it easy for employees to
report suspicious emails to the IT Security Department.
• Conduct regular phishing simulations: Send fake phishing emails to
employees to test their awareness and identify areas for improvement.
2. Weak Passwords and Credential Reuse:
• Explanation: Employees use easy-to-guess passwords or reuse the
same password across multiple accounts, making it easier for attackers to
gain unauthorized access.
• Relevance to Sulum Gana: If an attacker gains access to an
employee’s email or other company account, they could potentially
access sensitive financial data, client information, or internal
communications.
• Specific Examples:
• Using common words or phrases as passwords (e.g., “password,”
“123456”).
• Using personal information in passwords (e.g., birthdate, pet’s name).
• Reusing the same password for multiple accounts (e.g., company email,
social media, online banking).
• Storing passwords in plain text (e.g., in a document on their computer).
• Actionable Steps for Sulum Gana:
• Enforce strong password policies: Require employees to use strong,
unique passwords that meet certain complexity requirements (e.g.,
minimum length, use of uppercase and lowercase letters, numbers, and
symbols).
• Implement a password manager: Provide employees with a
password manager to help them generate and store strong passwords
securely.
• Educate employees on password security best practices: Teach
employees how to create strong passwords, how to store them securely,
and why they should never reuse passwords.
• Implement multi-factor authentication (MFA): Require employees
to use a second factor of authentication to log in to their company
accounts.
• Regularly audit password security: Use tools to identify weak or
reused passwords and require employees to change them.
3. Outdated Software and Unpatched Systems:
• Explanation: Software and operating systems with known vulnerabilities
that have not been patched can be exploited by attackers.
QIII. Scenario for Reporting Suspicious Activity
• Scenario: Sarah, an employee of Sulum Gana Investment, receives an email
that appears to come from the CEO, Mr. Sulum Gana, asking her to make a
$15,000 wire transfer. Something about the email looks suspicious.
• Steps:
1. Do not click on any links or open any attachments: This is the
most critical step. Clicking on links or opening attachments could
install malware on Sarah's computer or direct her to a phishing
website.
2. Do not reply to the email: Responding to the email could confirm to
the sender that the email address is active and that Sarah is a potential
target.
3. Forward the email to the IT Security Department: Forward the
suspicious email, including the full email header, to
itsecurity@sulumganainvestment.com. The email header contains
valuable information about the sender's IP address and location, which
can help the IT team track down the attacker.
4. Call the IT Security Department: Call the IT Security Department at
07088559350 to report the suspicious email. This ensures that the IT team
is aware of the situation and can take immediate action. Even if it's
outside of normal business hours, there should be an emergency
contact number.
5. Describe the situation: Clearly explain to the IT Security Department
what happened and why she suspects the email is suspicious. Provide as
much detail as possible, including the sender's email address, the subject
line, the content of the email, and any red flags she noticed.
6. Confirm with Mr. Sulum Gana (CEO): Independently verify with
Mr. Sulum Gana whether he sent the email and authorized the wire
transfer.
7. If unable to reach anyone, wait: If Sarah cannot verify the request
and the situation feels suspicious, she should not proceed with the wire
transfer. She should wait until she can confirm the request with Mr. Sulum
Gana or another authorized individual.
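Once the forwarded email, including its full headers, reaches the IT Security Department, a small triage script can list the red flags the training above teaches (external sender address, Reply-To pointing elsewhere, urgent wire-transfer language) and pull out the relay IP for follow-up. This is an added example, not the firm's own code; the sample message, the example-free.net domain and the 198.51.100.23 address are constructed, and the company domain is taken from the reporting address above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "sulumganainvestment.com"  # from the reporting address above
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap")

# Constructed sample message modelled on the scenario (not a real email).
RAW_EMAIL = """\
Received: from mail.example-free.net ([198.51.100.23]) by mx.sulumganainvestment.com
From: "Sulum Gana (CEO)" <sulum.gana@example-free.net>
Reply-To: finance-desk@example-free.net
To: sarah@sulumganainvestment.com
Subject: URGENT wire transfer needed
Content-Type: text/plain

Sarah, please process a $15,000 wire transfer to the attached account
immediately. I am in a meeting and cannot take calls. - Sulum
"""

def triage(raw):
    """Return a list of human-readable red flags found in a reported message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != COMPANY_DOMAIN:
        flags.append("sender address is outside the company domain (%s)" % from_domain)
    if "ceo" in name.lower() and from_domain != COMPANY_DOMAIN:
        flags.append("display name claims to be an executive but address is external")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append("Reply-To differs from From (%s)" % reply)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgent language")
    if "wire transfer" in text:
        flags.append("requests a wire transfer")
    # The first Received header names the relay that handed the mail to our MX.
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    if ips:
        flags.append("originating relay IP for IT follow-up: %s" % ips[0])
    return flags

if __name__ == "__main__":
    for flag in triage(RAW_EMAIL):
        print("-", flag)
```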
• Importance of Reporting:
• Prevents financial loss: The wire transfer could be fraudulent,
resulting in a loss of $15,000 (or more) for Sulum Gana Investment. These
funds could be difficult or impossible to recover.
• Protects company data: The email could contain malware (e.g.,
ransomware, keyloggers) that could compromise the company's systems
and data, leading to data breaches, financial losses, and reputational
damage.
• Prevents further attacks: By reporting the email, the IT Security
Department can identify the source of the attack, block the attacker's IP
address, and take steps to prevent similar attacks in the future. This can
protect not only Sulum Gana Investment but also other organizations that
may be targeted by the same attacker.
• Maintains client trust and confidence: A successful cyberattack
could damage Sulum Gana Investment's reputation and erode client trust.
By reporting suspicious activity, employees can help protect the
company's reputation and maintain client confidence.
• Promotes a culture of security awareness: By reporting the email,
Sarah demonstrates a commitment to security awareness and encourages
other employees to do the same. This helps create a culture where
security is everyone's responsibility.
• Complies with regulatory requirements: Many industries, including
the financial industry, are subject to regulations that require organizations
to implement security measures to protect sensitive data. By reporting
suspicious activity, employees can help Sulum Gana Investment comply
with these regulations.
• Feedback and Recognition:
• Acknowledge and reward employees who report suspicious activity (e.g.,
Sarah) to reinforce positive behavior and encourage others to do the same.
• Verbal Recognition: Publicly acknowledge Sarah's actions during a
team meeting, highlighting her vigilance, quick thinking, and adherence to
security procedures.