Training and Awareness

Transcription

1 Training and Awareness Services Overview JANUS Associates, Inc Washington Boulevard Stamford, CT

2 Providing your employees with information technology security awareness training is your best defense against the number one cause of data breaches - Social Engineering Social engineering is the number one cause of data breaches. These breaches continue to increase in frequency even though most organizations have invested heavily in putting network security devices in place. This has not stopped the breaches. Hackers have found that the weakest link in an organization is its people. As such, your employees, not your 95 percent of data actual technology, are most often the first target of an attacker. Empower your employees and make them your first line of defense by making sure they are properly trained to spot today s new breaches were a result of social engineering of employees. Tactics used include phishing attacks, attack methods. stolen credentials, media drops, and physical exploits Cybercriminals are increasingly using social such as tailgating engineering to gain an undetected foothold within business and government networks. Stolen credentials obtained by social engineers are used in four out of five breaches, regardless of whether the attack was driven by financially motivated cybercriminals, nation-state-driven cyber espionage activity, or hacktivists. Solution What can you do to minimize these types of intrusion risks and improve your odds of avoiding a breach? Through vastly improved employee awareness training you have an increased chance of thwarting an attack. The goal of an awareness program should be to go beyond simply meeting compliance requirements for training and awareness and comply with your policies. A broader goal should be to also change the culture of your organization to bring focus on the importance of active information security and get buy-in from end users to serve as an added layer of defense against security threats. Traditional training is typically rolled out to employees once a year but studies show that knowledge is often forgotten within ninety days. How do you bolster this first critical line

3 of defense? The answer is to utilize focused security training and train more often, in small bursts, with relevant and timely information. The JANUS method trains your employees more effectively with monthly ten minute highly 75 percent of breaches took weeks to focused, bite-sized modules that employees can quickly absorb. months to discover; only 25 percent were discovered in a day or less This information, in turn, fosters greater topic understanding, better comprehension, and longer knowledge retention of your data security policies and procedures. Monthly reinforcement keeps security knowledge and focus fresh in employees minds and allows for current topics of importance to be brought quickly to your staff as new threat vectors emerge. JANUS data security awareness training is designed to reinforce industry best practices and it can easily and cost 76 percent of breaches were tied to stolen passwords and 70 percent of breaches were discovered by external parties, not internal Administrators effectively be customized to reflect your specific policies and procedures. The JANUS system is often utilized for more than breach prevention. It also helps employees reinforce their responsibilities regarding electronic health information (ephi), personal health information (PII), comply with regulations such as PCI (payment cards), FISMA (federal), HIPAA (healthcare), NERC (utilities), ISO (international), FFIEC (financial), and many other specific requirements and standards. Modules can be customized to focus on each specific regulation or standard (or a combination) that apply directly to your organization leaving no doubt as to what controls staff is to adhere to. The baseline course is comprised of multiple modules; includes non-threatening quizzes; and supplies you with management metrics that reflect quiz scoring and course completion by each employee. Metrics are generated as audit quality artifacts to help you achieve your regulatory compliance requirements. Continuing education credit from recognized industry organizations is available to those requiring it, and all who successfully complete the course are awarded a certificate of completion.

4 Best Practice Modules Available for Lease JANUS Associates provides six industry standard, best-practice training and awareness modules for lease. These systems can be purchased quickly and hosted either by JANUS or by you. Of course these can be customized to include your logo for an addditional fee. The following packages are available for immediate purchase. Information Security Information Security is Every Employee s responsibility How a hacker steals your information Social Engineering What is a Social Engineering attack? How to Recognize and Avoid Phishing attacks Credential Management Protecting Your Password How to Make a Good Password Confidentiality How to Protect Your Privacy How to Prevent Identity Theft Acceptable use of Electronic Devices Internet, , and Company Computers Removable Media (USBs, CDs, DVDs) Mobile devices, Laptops and Remote Access Workplace Security Account Management Physical Security: visitor access, no piggybacking, clean desk policy

5 The JANUS Training System Three service levels of trainng are provided by JANUS to meet your regulatory compliance, IT security/privacy requirements and general training needs. These levels allow our clients the ability to tailor their training and awareness solution to the specific needs of their industry and size. For each of the three service levels, four options exist with respect to hosting, branding, and course length. Best Practices Most off-the-shelf information security training available today is prepared by one of two types of organizations: either a specialist training company or a security practictioner who works as a lone consultant and offers generic classes to large businesses and governments. Per employee, these are the least expensive choice. However, our current state of security readiness attests to the fact that these methods are seriously lacking in capability and preparation. Therefore, they actually are most likely the most expensive form of education available since their outcome value is low and breaches continue to skyrocket. You are literally spending with no return on investment except to report to your regulating agencies that you held a class. At JANUS, generic training modules are available from information security experts who understand the specific regulations that apply to multiple industries. These are built into the modules and are available on a per user basis. Examples include Avoiding Tailgating, Identifying a Phishing Attack, and Handling Removeable Media. Customized In many industries it is important for your employees to understand your specific information security policies and procedues to avoid serious problems. For this growing need, JANUS security experts will review your orgnizational policies and procedures and tailor a set of training modules to meet your needs that is specific to you and branded with your logo, business acronyms, and terms. This structure lets your staff understand that your business understands the importance of security and that your want to reinforce your commitment to its principles. Such tailoring avoids generalities and ensures that your message comes across thus increasing your training benefits. Instructor Lead For users that require specific instruction in the classroom, JANUS will develop a customized classroom experience based on your specific needs. As in the previous examples, experts in information security and training will work with you to build a storyboard for you to review. Upon your approval, they will build your class and review it with you prior to finalization.

6 JANUS has a variety of structures for undertaking this level of training, including slides, videos, tests, and laboratories, amongst others. These training level are illustrated by the horizontal bars in the figure below. JANUS LMS Methodology Hosted by JANUS Hosted by Client Modular Complete Instructor Lead Customized Best Practices The vertical components in the figure above illustrate the various methods you can choose to carry out your information security training. Would you like JANUS to host the training environment or might you want to host it yourself. Either is available. Do you want to select modular elements with which to train your people or would you prefer a longer classroom period of specialized education? Because JANUS has been performing information security consulting and training for over 25 years, we understand what is relevant and what is not. We also regularly update our materials to meet changes in the laws/regulations, to incorporate new threats and concepts, and to freshen the materials. These are all very important elements in training your people well but are often lacking.

7 General Training and Awareness Pricing Each engagement is priced specifically for the client. However, there are a few variables which impact the total cost of a training engagement. Hosting Model If you decide to host your own LMS system, you are simply charged for licensing and development of the training package. If JANUS hosts the solution, hosting costs apply. Level of Customization It is common that even in a customized solution; JANUS can reuse portions of its best practices modules. This can reduce costs to you. Instructor Led Number of instructor led hours can increase cost. The following model illustrates the cost relationship of each type of training to each other. Complete Modular Self Hosted Hosted By JANUS Preparation Best Practices Customized Instructor Lead Speak with a JANUS security professional and find out what the true value of IT security awareness training is to you and your organization JANUS Associates, Inc Washington Boulevard Stamford, CT