Strengthen your team's security reflexes:

The USB
Treasure Hunt

A strategic exercise to enhance your staff's reporting behaviors and cyber security awareness.

  • Provides practice for reporting beyond phishing
  • Gain an objective measure & baseline of reporting propensity
  • Psychologically safe and fun

Reporting keeps everyone safe

Alongside challenge behaviours, reporting the things that don’t seem right is fundamental to keeping everyone safe. Yet the only time that is practiced is through phishing tests.

So, why is such a fundamental security behaviour left to chance?

According to a Keeper Security report, almost 41% of attacks are not reported to senior leadership, while almost 48% are kept secret from the appropriate authorities. The FBI’s figures paint an even stronger picture, stating that only between 10 and 12% of cyber crime victims reach out for help.

On the hunt...

In the USB Treasure Hunt exercise, reporting behaviours are not just left to chance, they are actively encouraged.

Working with your in-house security team (or nominated representative), a set number of “malicious USB” devices are hidden around your office or site, with their location recorded. These USBs however are no more than plastic 3D printed replicas, embossed with words like “DANGER” or “VIRUS” to overtly signify their potential risk.

As your staff then carry out their daily work, they will eventually and inevitably come across the USBs. More proactive members of staff may even actively seek them out. When they do find them, they should report it to the security team, who are then able to cross reference against the known list of devices.

Encouragement, hints, and friendly competition can be introduced to drive further engagement, enhancing the innate elements of gamification built into the exercise.

"But we don't control USB usage"

The exercise still provides value. Whether you control their use or not, USB devices are still a means of attack. The exercise uses this well- known tactic as a way of visually representing wider security risk. This is also the reason that the devices are so overt in their design.

Controlling the exercise

Multiple controls are put in place to ensure the exercise runs correctly and safely, from both an individual and organisational perspective.

Safe Devices

Only “inert” devices produced by Recyber are ever used.

Customisable USB Count

Set amount of numbered USBs provided/used per exercise.

Deployment Tracking

Thorough recording of positions of USB devices deployed.

Support & Guidance

Instructions and guidance for security teams also provided.

Central Themes

Our service is built around key themes that prioritize psychological safety, engaging learning experiences, and actionable insights.

  • Positivity towards reporting
  • Psychological safety
  • Improving cyber behaviours
  • Fun, novel engagement with security topics

Platform Integrated

Our workshops and exercises don’t stand alone – they’re tightly integrated with our behavioral change software, Republic. Delivered as complementary components of our managed security awareness service, our products tackle low motivation and overcome resistance to secure practices.

USB Treasure hunt participants are awarded in-game currency for finding the devices and can win virtual rewards based on their level of engagement.

Schedule a USB Treasure Hunt Exercise

Please let us know what's on your mind. Have a question for us? Ask away.