Proposal Overview
Problem Summary
Synecdoche is a film production company based in Baltimore, MD. The company is experiencing an increasing number of cyber incidents, including malware on company devices, sensitive data loss, and employee account breaches. Executives at Synecdoche would like to limit these incidents in order to better protect their employees and sensitive information.
IT Solution
Synecdoche will implement a software service that houses a knowledgebase for all things information security. The software will also include a dashboard where end-users can track their usage and see where they rank among their coworkers, and an administrative dashboard where the cybersecurity staff can identify employees who may need additional guidance on information security training. Finally, a module will allow the cybersecurity staff to send phishing email campaigns to test employees. This implementation will reduce the number of cyber incidents caused by phishing emails and careless web browsing.

Synecdoche will also implement a new password policy that specifies how long a user’s password remains valid and clearly states the parameters a password must meet to be accepted. This will reduce the number of employee account breaches by external threat actors.

Synecdoche will create a new Cybersecurity Department that will include a Chief Information Security Officer (CISO), Security Analyst, Network Security Engineer, Incident Response Manager, and Security Awareness Coordinator. This new department will help enforce the new security policies and keep Synecdoche up to date on industry-standard practices and procedures, further limiting the number of cyber incidents.
Implementation Plan
A web application will be deployed on a company web server where employees can log in with their standard credentials via the intranet. From there, they can work through educational materials, including articles, videos, and interactive labs. Participation will be tracked, and each user’s scores on the interactive labs will be kept so that users and administrators can track progress. Synecdoche will also require each employee to complete courses and activities on a yearly basis to ensure a baseline of security awareness.
The Synecdoche Cybersecurity team will create a password policy that has the following parameters:
- Maximum password age of 120 days
- Must be at least 10 characters in length
- Must include at least 1 uppercase letter
- Must include at least 1 number
- Must include at least 1 symbol
- Must not include any of the following:
  - Username
  - First or Last name
  - Date of Birth
  - Any of the user’s previous 10 passwords
The employees of Synecdoche will be given notice of this password change in advance, and then, at the start of the new year, all employees will be required to set a compliant new password.
Synecdoche executives will hire a Chief Information Security Officer (CISO). Once that position is filled, the CISO will oversee strategic planning for all things cybersecurity-related, policy creation and validation, and compliance oversight. The CISO will then be tasked with filling the other four roles in the Cybersecurity Department at Synecdoche. Those roles will include a Security Analyst, Network Security Engineer, Incident Response Manager, and Security Awareness Coordinator.
Review of Other Work
Summary of Four Works
As information security becomes more and more critical as technology advances in our world, companies must find the most effective ways to combat cyber incidents. One of the most effective ways to limit the number of cyber incidents in an organization is to properly train the employees to avoid and report common threats that involve human interaction. “Verizon’s 2022 Data Breaches Investigations Report shows 82% of data breaches involve a human element. These incidents range from employees exposing information directly, such as misconfiguring a database, to indirectly making an error that enables cybercriminals to access the organization’s systems” (Rende, 2023). That said, providing the educational material is only half the battle when properly securing a company’s data. This is precisely why Synecdoche plans to implement dashboards where users and administrators can track progress and see what areas they can improve. The overall goal is to provide “[…] a year-end evaluation summary (e.g. metrics) to measure each employee’s performance (e.g. level of awareness, number of training sessions completed, etc.) and to provide guidance on necessary improvements” (Alyami et al., 2023).
Improving the password policy at an organization is an easy way to combat brute-force attacks where an attacker will use a computer program to try thousands of password combinations per second. “Every additional character increases the time it takes to crack a password exponentially. Adding numbers, symbols, upper and lowercase letters to the password makes it difficult to brute force” (Jithukrishnan, 2022).
Synecdoche has been lagging behind industry standards when it comes to cybersecurity. Until now, they have chosen to avoid paying for internal cybersecurity employees to save money and hope that a significant cyber incident does not impact their business model. When an incident occurs, they rely on hiring external cybersecurity consultants to analyze and contain it. This model is not sustainable as time goes on since consultants are typically costly, and Synecdoche may not be able to give the consultants full access to the company’s data due to security concerns and trade secrets. Implementing an internal Cybersecurity Department “[…] can help organizations save money by preventing costly data breaches and cyber-attacks. The cost of a data breach can be significant, including expenses such as legal fees, lost business, and damage to the organization’s reputation. By implementing cybersecurity measures, organizations can prevent these costs from occurring” (Lievense, 2023).
Project Rationale
Synecdoche is currently experiencing a high number of cyber incidents due to human error. An employee awareness training application will be put in place to educate all employees on the dangers of current cyber-attacks and how to prevent/avoid these attacks, thus decreasing the number of cyber incidents and increasing productivity.
Synecdoche is concerned about employee account breaches, potentially leading to the leaking of employee personal identifiable information (PII) and trade secrets. To combat this concern, Synecdoche will enforce a strict password policy to mitigate employee account breaches.
As Synecdoche is overhauling its security posture, it will start a brand-new internal Cybersecurity Department to oversee these changes and provide a guiding hand in ensuring these new policies and applications are appropriately implemented and updated as the department sees fit.
Current Project Environment
Security Awareness Training Application
There is currently nothing in place to train employees on cybersecurity awareness, and as a result Synecdoche is experiencing many cyber incidents caused by careless employee behavior. To solve this problem, a security awareness training application will be deployed on the company’s intranet. This application will serve as a knowledgebase where all employees can learn best practices for browsing the web, being wary of phishing emails, and reporting suspicious activity to the correct authorities. The application will also feature a phishing email simulator with which the Cybersecurity Department can send phishing email campaigns to all employee mailboxes. Finally, the application will include a dashboard for users and administrators so that employee participation can be tracked, and employees in bad standing can be notified and instructed to correct their mistakes to return to good standing.
Updated Password Policy
The current password policy at Synecdoche is severely outdated and has not been enforced by any entity. Without a strict password policy, employees are exposed to brute-force attacks, in which an attacker uses a computer program to crack an employee’s password with relative ease. By implementing a stricter password policy that includes a maximum password age of 120 days, a minimum length of 10 characters, and at least 1 uppercase letter, 1 number, and 1 symbol, an attacker would need five years to crack a Synecdoche employee password.
Creation of Cybersecurity Department
There is currently no internal Cybersecurity Department at Synecdoche. Due to the lack of a cybersecurity department, there is no governing body to enforce policies to protect company data. If Synecdoche executives want to make meaningful changes, they need to hire an external consultant, which would cost significant money and only provide short-term benefits. By creating an internal Cybersecurity Department at Synecdoche, there will be experts to create, apply, update, and enforce security policies that keep Synecdoche employees and data safe. This new department will require a significant upfront cost, but over time, Synecdoche will save money by not resorting to external consultants for cybersecurity needs.
Methodology
The ADDIE Methodology will be used here as it checks many boxes for all three projects Synecdoche is attempting to implement. The ADDIE methodology consists of 5 phases: Analysis, Design, Development, Implementation, and Evaluation.
Luckily, the analysis phase has already been completed. Synecdoche has analyzed each issue they face and broken down exactly what factors contribute to those issues. Now, Synecdoche can move on to designing processes to resolve the issues.
The design phase is also complete. Three processes have been identified as solutions, and they are as follows:
- Security Awareness Training Application
  - Web application hosted on Synecdoche intranet
  - Knowledgebase containing educational materials on common cyber incidents and how to avoid them
  - Phishing email campaign module that allows Cybersecurity staff to send test phishing emails to unsuspecting employees
  - User dashboard to help employees visualize their educational progress and where they need to improve
  - Admin dashboard to keep track of employees who are in bad standing and could use supplemental training/education
- Password Policy Update
  - Maximum password age of 120 days
  - Minimum of 10 total characters
  - Must include at least 1 uppercase letter, 1 number, and 1 symbol
  - Must not include:
    - Username
    - First or Last name
    - Date of Birth
    - Any of the 10 previous passwords
- Cybersecurity Department
  - Chief Information Security Officer
    - Strategic planning, policy management, compliance oversight
  - Security Analyst
    - Threat analysis, security audits, penetration testing
  - Network Security Engineer
    - Firewall management, intrusion detection systems, VPN management
  - Incident Response Manager
    - Incident investigation, incident containment, recovery, forensic analysis
  - Security Awareness Coordinator
    - Designing and implementing training programs, evaluating training effectiveness
The development phase will consist of the programmers at Synecdoche creating the Security Awareness Training Application and the dashboards for end-users and administrators. Next, the CISO will create the updated password policy to meet the parameters listed above. Lastly, the CISO and the Human Resources Department will work together to develop job listings for the four remaining roles in the Cybersecurity Department.
The implementation phase will begin once the training application development has been completed, the password policy has been created, and all four remaining roles in the Cybersecurity Department have been filled. The training application will be hosted on a Synecdoche-owned web server and will be accessible via the company’s intranet. Once the application is live, the Marketing Department will update the Synecdoche website so that employees have a shortcut to the new application. Next, the newly created password policy will be applied to the Synecdoche Active Directory service and immediately enforced on all company devices and applications. Lastly, the newly hired cybersecurity staff members will be onboarded and trained in their new roles and responsibilities.
Lastly, the evaluation phase will consist of a meeting at the end of the project to discuss any issues or successes each team encountered. After that, there will be a meeting once per quarter to discuss the effectiveness of the training application, password policy, and the Cybersecurity Department.
Project Goals, Objectives, & Deliverables
Goals, Objectives, & Deliverables Table
| Goal | Objectives | Deliverables |
|---|---|---|
| 1. Improve Security Awareness at Synecdoche | 1. Educate employees on common cyber-attacks and their causes | 1. Create a web application with a knowledgebase of common cyber-attacks and how to avoid them |
| | 1a. Allow end-users and administrators to track usage data | 1a. Create a dashboard that allows employees to see their training history and visualize where they can improve |
| | | 1b. Create a dashboard that allows Cybersecurity staff to see employee usage data and determine who may need extra training material |
| 2. Limit employee account breaches | 2. Update the password policy to current industry standards | 2. Create a new password policy that combats brute-force attacks |
| | 2a. Utilize the new Security Awareness Training Knowledgebase | 2a. Refer employees to the security awareness knowledgebase after a failed password creation attempt |
| 3. Establish an internal Cybersecurity Department at Synecdoche | 3. Develop a comprehensive cybersecurity strategy that includes risk assessment, threat management, and incident response tailored to the company’s specific needs | 3. Cybersecurity Policy Document outlining protocols, employee responsibilities, and guidelines for managing cyber risks and incidents |
| | 3a. Hire and train a skilled cybersecurity team equipped to handle the company’s specific security needs and compliance requirements | 3a. A fully staffed and operational cybersecurity department with the necessary tools, technologies, and processes in place for continuous monitoring and threat mitigation |
Goals, Objectives & Deliverables Descriptions
- Goal 1: Improve Security Awareness at Synecdoche. Synecdoche has been experiencing increased cyber incidents over the past year and is looking for ways to mitigate them. After researching, Synecdoche executives have learned that the most effective way to mitigate these incidents is to properly train employees on security awareness.
- Objective 1: Educate employees on common cyber-attacks and their causes. By educating Synecdoche employees, the company should expect a significant decrease in cyber incidents. This education curriculum will focus on safely surfing the web and avoiding phishing attempts.
- Deliverable 1: Create a web application with a knowledgebase of common cyber-attacks and how to avoid them. The in-house programmers at Synecdoche will develop a web application hosted on the company intranet website. This application will include a robust knowledgebase with articles and training exercises to educate Synecdoche employees on security awareness.
- Objective 1a: Allow end-users and administrators to track usage data. Providing education is excellent on its own, but Synecdoche would benefit from having a way that users can track what they have learned and what they could improve on.
- Deliverable 1a: Create a dashboard allowing employees to see their training history and visualize where they can improve. Allowing users to track their educational progress will encourage them to progress and learn more about security awareness. By proxy, Synecdoche will have a more robust security posture because of this.
- Deliverable 1b: Create a dashboard that allows cybersecurity staff to see employee usage data and determine who may need extra training material. Allowing the Cybersecurity staff to access an administrative dashboard to view all the Security Awareness Training Application usage data will ensure that all employees view mandatory materials and pass tests such as phishing email campaigns.
- Goal 2: Limit employee account breaches. Synecdoche has become concerned with employee account breaches from external and internal threat actors. Synecdoche executives would like to see this threat decrease to a tolerable amount that aligns with the company’s risk appetite.
- Objective 2: Update the password policy to current industry standards. Synecdoche will update the company password policy to be stricter. This stricter password policy will help combat brute-force attacks and insider threats.
- Deliverable 2: Create a new password policy that combats brute-force attacks. Synecdoche will create and enforce a new password policy that includes maximum password age, minimum password length, required characters, and disallowed characters.
- Objective 2a: Utilize the new Security Awareness Training Knowledgebase. Synecdoche will leverage the new Security Awareness Training Application when employees need assistance or an explanation as to why their new password is not being accepted.
- Deliverable 2a: Refer employees to the security awareness knowledgebase after a failed password creation attempt. When an employee attempts to create a new password and it is rejected, a message will appear that guides the employee to the knowledgebase article explaining the new password policy parameters and why they are being enforced from a security perspective.
- Goal 3: Establish an internal Cybersecurity Department at Synecdoche. Synecdoche executives would like to start a new Cybersecurity Department to oversee information security, employee training, and network security. They are choosing this route to avoid working with external cybersecurity consultants to save money in the long run.
- Objective 3: Develop a comprehensive cybersecurity strategy that includes risk assessment, threat management, and incident response tailored to the company’s specific needs. With this new Cybersecurity Department in place, Synecdoche will need to ensure everyone is on the same page regarding security practices, policies, and procedures. Developing a cybersecurity strategy will help Synecdoche achieve this goal.
- Deliverable 3: Cybersecurity Policy Document outlining protocols, employee responsibilities, and guidelines for managing cyber risks and incidents. A Cybersecurity Policy Document will help all employees understand what the policies are, what the procedures are when a cyber incident is ongoing, and who to escalate incidents to based on the type and priority of the incident. This document will also give upper management a good understanding of the strategies.
- Objective 3a: Hire and train a skilled cybersecurity team equipped to handle the company’s specific security needs and compliance requirements. Synecdoche would like to find four highly skilled cybersecurity professionals to be the building blocks for the brand-new Cybersecurity Department. These four new employees will assist in keeping Synecdoche data and employees safe from potential threats and vulnerabilities.
- Deliverable 3a: A fully staffed and operational cybersecurity department with the necessary tools, technologies, and processes for continuous monitoring and threat mitigation. This deliverable gives the company a dedicated team whose only job is to protect everything digital, such as the company’s computers, data, and online systems. The team will be fully staffed, meaning all the right people are in place, and it will have the right tools and processes to keep an eye on suspicious activity around the clock. If something looks risky or dangerous, the team will act quickly to fix it, keeping the company safe from cyberattacks.
Project Timeline with Milestones
| Milestone or Deliverable | Duration | Projected Start Date | Anticipated End Date |
|---|---|---|---|
| Meeting – Project Start | 3h | 10/01/2024 | 10/01/2024 |
| Hiring four employees for the Cybersecurity Department | 30d | 10/01/2024 | 11/15/2024 |
| Creation of a new Password Policy | 1d | 10/01/2024 | 10/01/2024 |
| Meeting - Requirements of Security Awareness Training Application | 3h | 10/02/2024 | 10/02/2024 |
| Development of Security Awareness Training Application | 21d | 10/02/2024 | 11/01/2024 |
| Development of End-User Dashboard | 7d | 11/01/2024 | 11/14/2024 |
| Development of Administrator Dashboard | 7d | 11/14/2024 | 11/25/2024 |
| Development of Phishing Campaign Module | 7d | 11/25/2024 | 12/06/2024 |
| Development of password creation failure error message that points to knowledgebase | 6h | 12/06/2024 | 12/06/2024 |
| Creation of Cybersecurity Policy Document | 14d | 12/06/2024 | 12/27/2024 |
| Creation of Knowledgebase articles for Security Awareness Training Application | 10d | 12/27/2024 | 01/13/2025 |
| Implementation of Security Awareness Training Application on Synecdoche web server | 2d | 01/13/2025 | 01/15/2025 |
| Test functionality of Security Awareness Training Application | 1d | 01/15/2025 | 01/16/2025 |
| Send emails to all employees regarding new applications, policy updates, and Cybersecurity Dept | 1h | 01/16/2025 | 01/16/2025 |
| Meeting – Project End | 3h | 01/17/2025 | 01/27/2025 |
Expected Outcome
Synecdoche will take on a massive three-part project that creates a Security Awareness Training Application, a new password policy, and a new five-person Cybersecurity Department. The new department will create a strategic plan that includes updated policies and procedures for all cyber incidents. Due to the creation of this department, Synecdoche expects a 30% decrease in Mean Time to Detect (MTTD). In other words, the Cybersecurity Department expects to detect incidents much more quickly than before, which means these incidents can be contained and eradicated sooner.
The new Security Awareness Training Application is anticipated to be a massive success. Employees will use the knowledgebase system to learn more about current threats and how they can best avoid them. The phishing campaign system will significantly boost the company’s security posture, allowing end-users to learn to look for telltale signs of a phishing attack, such as spelling errors, unrecognized email addresses, and masked hyperlinks. With all these factors, Synecdoche can expect as much as a 50% decrease in incidents caused by human error after the application has been live for one year.
Finally, the new password policy should deliver immediate results and significantly decrease the chances of a brute-force attack. Assuming a user’s old password was only eight characters long with an uppercase letter and a number, the time required to crack that password would jump from 1 hour to 5 years. That would be an 876500% increase in the time for an attacker to crack a Synecdoche employee’s password.
References
Alyami, A., Sammon, D., Neville, K., & Mahony, C. (2023, August 1). Critical success factors for Security Education, training and awareness (SETA) programme effectiveness: An empirical comparison of practitioner perspectives. https://www.emerald.com/insight/content/doi/10.1108/ICS-08-2022-0133/full/html
Jithukrishnan. (2022, June 12). Top 10 password policy recommendations for system administrators in 2023. https://www.securden.com/blog/top-10-password-policies.html
Lievense, M. (2023, April 21). The top 12 benefits of cyber security for your business. ACP. https://www.acp.com/blog/benefits-of-cyber-security-for-your-business
Rende, J. (2023, January 27). Council post: How providing staff awareness training improves a company’s security posture. Forbes. https://www.forbes.com/councils/forbestechcouncil/2023/01/27/how-providing-staff-awareness-training-improves-a-companys-security-posture/