Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Transcription

1 Developing a Successful Security Awareness Training Program Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

2 Agenda The human element of cyber security Building your case Building a security awareness program Best practices for training effectiveness

3 How Large is the Problem? 91% of targeted attacks involve spear-phishing s (1) 29% of breaches in 2012 leveraged social tactics (2) 31% of mobile users received a text from someone they didn t know requesting that they click a link or dial an unknown number (3) 1 Trend Micro, November Verizon Data Breach Investigations Report Cloudmark, September 2012

4 Increasingly Sophisticated Attacks Spear-phishing targeting specific groups or individuals Leveraging of information about your organization, group or you Mobility adding new challenges Traditional red flags missing subpoena from the US District Court in San Diego with your name, company and phone number, and your lawyers name, company & phone number

5 Human Defenses Must be Strengthened The end user is the target Exploits human weakness The end user is the problem Technology can t solve the issues Countermeasures must be taken

6 Humans are the Weakest Link Overlooking the human element is most common mistake in computer security 1 PWC Information Security Breaches Survey (April 2012) 2 Deloitte Global Security Survey (Feb 2009) 93% of large organizations had a security breach(1) 82% of large organizations had staff driven incidents(1) 47% had employees lose or leak confidential information(1) 86% of companies cite humans as their greatest vulnerability(2)

7 Technology Alone Won t Work Tempting to just buy software or hardware that promises to solve these problems However, attackers are very resourceful, constantly looking to circumvent your defenses Security controls are lagging behind technology adoption Technology alone can t motivate people Human error is involved in more than 95% of the security incidents investigated in 2013 IBM Security Services 2014 Cyber Security Intelligence Index

8 Training has a Big Role to Play Lack of understanding of risks Wide range of scenarios Required knowledge is vast & growing Delivery methods must be compelling Security is a secondary task Root cause is often a failure to invest in educating staff about security risks PWC Information Security Breaches Survey (April 2012)

9 Building a Strong Security Awareness Program Goals Getting started Key activities Strategies for success

10 Security Awareness Goals Education Compliance Cost reduction Risk reduction Protecting company & customer data Protect brand reputation

11 Getting Started Make a plan Know your audience Focus on your organization s goals Measure from the start Gain support

12 How do you make your case? Develop a budget based on your plan Target your desired behavior(s) Set expectations and goals Request budget & executive support Leverage internal & external supporters

13 Strategies for Success - Marketing Think of yourself as a marketer The 4Ps : Product, place, positioning, price Drive impressions Reach people through different media Test and adjust strategy based on what is working Gather and analyze data

14 Strategies for Success - Support Gain support throughout the organization Executive management, peers, key stakeholders Encourage and even praise engagement Share successes (and failures) Lack of support can kill efforts Blocked activities Slipped schedules Reallocated funding

15 Align education approach with goals Fit to company culture Prioritize content based on need Leverage continuous improvement Multiple communication methods Training content - s/newsletters Websites/portals - Posters Giveaways Align with different audiences New employee onboarding - Ongoing education Knowledge refresh - Remediation education

16 Lessons Learned Don t wait until you have a breach Organizational support & executive buy-in speeds approvals Create an internal awareness steering group (support group) Include assessments to measure knowledge and susceptibility Vary the educational material/campaigns Include in-person activities into your plan Brush up on marketing & communications Test with a small group to get started

17 Continuous Training Methodology Assessment Across All or Some Topics Analyze & Repeat Education Scheduled Training for Everyone Simulated Attacks , Smish, Memory Device

18 Social Engineering Assessments Links education & assessments Assesses vulnerability and keeps users vigilant in their defense Motivates users to take training Possible attacks phishing memory device SMS/text message

19 Definition of Effective Training Present concepts and procedures together Bite-sized lessons Learn by doing Story-based environment Create teachable moments Provide immediate feedback Use conversational content Collect valuable data

20 From Simple to Increasingly Realistic

21 End Users are Trainable Mock Phishing Attack storage & account issues Over 80% Reduction in Less than 45 Days Training Modules Repeat Just In Time Training 35% Failure 1 st Campaign 6% Failure 2 nd Campaign Auto-Training Enrollment Security and URL Training

22 90% Increase in Training Penetration Mock Phishing Attack Social media invite & Password update 69% Less Susceptible in 54 Days Training Modules Repeat Just In Time Training 35% Failure 1 st Campaign 11% Failure 2 nd Campaign Auto-Training Enrollment Security and URL Training

23 Education Works, When Done Right Your end users are the target Direct correlation between strong awareness program and reduced attacks Continuous security education leveraging learning science principles for best results Security education can have a positive ROI with only a 10% reduction in susceptibility to attack Companies who deploy awareness training reduce staff-related security breaches by 50%(1) (1) PricewaterhouseCoopers 2012 Information Security Breaches Survey

24 For more information contact: