Developing a Successful Security Awareness Training Program
Shea Garber, Sr. Account Executive, Wombat Security Technologies, Inc.

Agenda
- The human element of cyber security
- Building your case
- Building a security awareness program
- Best practices for training effectiveness
How Large is the Problem?
- 91% of targeted attacks involve spear-phishing emails (1)
- 29% of breaches in 2012 leveraged social tactics (2)
- 31% of mobile users received a text from someone they didn't know requesting that they click a link or dial an unknown number (3)
Sources: (1) Trend Micro, November 2012; (2) Verizon Data Breach Investigations Report 2013; (3) Cloudmark, September 2012
Increasingly Sophisticated Attacks
- Spear-phishing targeting specific groups or individuals
- Leveraging of information about your organization, your group or you
- Mobility adding new challenges
- Traditional red flags missing
- Example: an email "subpoena" from the US District Court in San Diego with your name, company and phone number, and your lawyer's name, company and phone number
Human Defenses Must be Strengthened
- The end user is the target: attacks exploit human weakness
- The end user is the problem: technology can't solve the issues
- Countermeasures must be taken
Humans are the Weakest Link
Overlooking the human element is the most common mistake in computer security.
- 93% of large organizations had a security breach (1)
- 82% of large organizations had staff-driven incidents (1)
- 47% had employees lose or leak confidential information (1)
- 86% of companies cite humans as their greatest vulnerability (2)
Sources: (1) PWC Information Security Breaches Survey (April 2012); (2) Deloitte Global Security Survey (Feb 2009)
Technology Alone Won't Work
- Tempting to just buy software or hardware that promises to solve these problems
- However, attackers are very resourceful, constantly looking to circumvent your defenses
- Security controls are lagging behind technology adoption
- Technology alone can't motivate people
"Human error is involved in more than 95% of the security incidents investigated in 2013." (IBM Security Services 2014 Cyber Security Intelligence Index)
Training has a Big Role to Play
- Lack of understanding of risks
- Wide range of scenarios
- Required knowledge is vast and growing
- Delivery methods must be compelling
- Security is a secondary task
"Root cause is often a failure to invest in educating staff about security risks." (PWC Information Security Breaches Survey, April 2012)
Building a Strong Security Awareness Program
- Goals
- Getting started
- Key activities
- Strategies for success

Security Awareness Goals
- Education
- Compliance
- Cost reduction
- Risk reduction
- Protecting company and customer data
- Protecting brand reputation

Getting Started
- Make a plan
- Know your audience
- Focus on your organization's goals
- Measure from the start
- Gain support

How do you make your case?
- Develop a budget based on your plan
- Target your desired behavior(s)
- Set expectations and goals
- Request budget and executive support
- Leverage internal and external supporters
Strategies for Success - Marketing
- Think of yourself as a marketer
- The "4Ps": product, place, positioning, price
- Drive impressions
- Reach people through different media
- Test and adjust strategy based on what is working
- Gather and analyze data

Strategies for Success - Support
- Gain support throughout the organization: executive management, peers, key stakeholders
- Encourage and even praise engagement
- Share successes (and failures)
- Lack of support can kill efforts: blocked activities, slipped schedules, reallocated funding
Align education approach with goals
- Fit to company culture
- Prioritize content based on need
- Leverage continuous improvement
- Multiple communication methods: training content, emails/newsletters, websites/portals, posters, giveaways
- Align with different audiences: new employee onboarding, ongoing education, knowledge refresh, remediation education

Lessons Learned
- Don't wait until you have a breach
- Organizational support and executive buy-in speeds approvals
- Create an internal awareness steering group (support group)
- Include assessments to measure knowledge and susceptibility
- Vary the educational material/campaigns
- Include in-person activities in your plan
- Brush up on marketing and communications
- Test with a small group to get started
Continuous Training Methodology (a cycle)
- Assessment: across all or some topics
- Education: scheduled training for everyone; simulated attacks (email, smish, memory device)
- Analyze and repeat

Social Engineering Assessments
- Link education and assessments
- Assess vulnerability and keep users vigilant in their defense
- Motivate users to take training
- Possible attacks: email phishing, memory device, SMS/text message

Definition of Effective Training
- Present concepts and procedures together
- Bite-sized lessons
- Learn by doing
- Story-based environment
- Create teachable moments
- Provide immediate feedback
- Use conversational content
- Collect valuable data
From Simple to Increasingly Realistic
End Users are Trainable
- Mock phishing attack: email storage and email account issues
- Result: over 80% reduction in less than 45 days
- 1st campaign: 35% failure
- Auto-training enrollment: just-in-time training with the Email Security and URL Training modules
- Repeat
- 2nd campaign: 6% failure

90% Increase in Training Penetration
- Mock phishing attack: social media invite and password update
- Result: 69% less susceptible in 54 days
- 1st campaign: 35% failure
- Auto-training enrollment: just-in-time training with the Email Security and URL Training modules
- Repeat
- 2nd campaign: 11% failure
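The two case studies above report a first-campaign failure rate, auto-enrollment of the users who failed, and a second-campaign failure rate. The script below is an added example (not Wombat's code) of how a program owner can compute those numbers from their own simulated-phishing results; the per-user records are constructed here so that they reproduce the 35% to 6% and 35% to 11% figures on the slides, and the function and campaign names are assumptions.

```python
"""Measure a simulated-phishing program: failure rate per campaign,
who to auto-enroll in just-in-time training, and the reduction between
campaigns. Added example with constructed data; not Wombat's code."""


def make_campaign(name, n_users, n_failed):
    """Construct results for one campaign: (campaign, user_id, clicked).
    The first n_failed users are the ones who fell for the mock email."""
    return [(name, f"u{i:03d}", i < n_failed) for i in range(n_users)]


# Constructed datasets mirroring the two slides: 100 users each.
RESULTS_A = make_campaign("c1", 100, 35) + make_campaign("c2", 100, 6)
RESULTS_B = make_campaign("c1", 100, 35) + make_campaign("c2", 100, 11)


def failure_rate(results, campaign):
    """Fraction of users in a campaign who clicked (0.0-1.0)."""
    rows = [r for r in results if r[0] == campaign]
    if not rows:
        raise ValueError(f"no results recorded for campaign {campaign!r}")
    failed = sum(1 for _, _, clicked in rows if clicked)
    return failed / len(rows)


def auto_enroll(results, campaign):
    """Users who failed the campaign; these are the just-in-time training
    enrollees for the next round."""
    return sorted({user for c, user, clicked in results if c == campaign and clicked})


def reduction(results, first, second):
    """Relative drop in failure rate from `first` to `second` (0.0-1.0).
    A first campaign with no failures gives no baseline to reduce from."""
    before = failure_rate(results, first)
    after = failure_rate(results, second)
    if before == 0:
        raise ValueError("no failures in the baseline campaign; reduction undefined")
    return (before - after) / before


def summarize(results, first, second):
    """One-line report of the kind the slides show."""
    return {
        "first_failure_pct": round(100 * failure_rate(results, first), 1),
        "second_failure_pct": round(100 * failure_rate(results, second), 1),
        "reduction_pct": round(100 * reduction(results, first, second), 1),
        "enrolled_after_first": len(auto_enroll(results, first)),
    }


if __name__ == "__main__":
    # Rates from 100 constructed users; with smaller groups, treat a single
    # campaign's percentage as noisy and look at the trend across rounds.
    print("slide 1:", summarize(RESULTS_A, "c1", "c2"))
    print("slide 2:", summarize(RESULTS_B, "c1", "c2"))
```

The reduction figure is relative, not absolute: 35% to 6% is a 29-point drop but an 83% reduction in susceptibility, which is the number the slides quote. Keep the user population and the campaign difficulty comparable between rounds, or the reduction measures the lure rather than the training.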
Education Works, When Done Right
- Your end users are the target
- Direct correlation between a strong awareness program and reduced attacks
- Continuous security education leveraging learning science principles gives the best results
- Security education can have a positive ROI with only a 10% reduction in susceptibility to attack
- Companies who deploy awareness training reduce staff-related security breaches by 50% (1)
Source: (1) PricewaterhouseCoopers 2012 Information Security Breaches Survey
For more information contact: info@wombatsecurity.com, +1-412-621-1484