Cybersecurity Employee Training
•
2 recomendaciones•3,641 vistas
The critical element in Cybersecurity (employee training)
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (19)
Similar a Cybersecurity Employee Training
Similar a Cybersecurity Employee Training (20)
Más de Paige Rasid
Más de Paige Rasid (20)
Último
Último (20)
Cybersecurity Employee Training
- 1. Employee Training & Awareness A Critical Element in Cybersecurity Resilience @Ben_Smith Ben Smith, CISSP Field CTO (East), Security Portfolio
- 2. 2© Copyright 2015 EMC Corporation. All rights reserved. Agenda 1 2 Looking in the mirror Failures of awareness, failures of behavior 4 Additional resources SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/ 3 What does success look like?
- 3. 3© Copyright 2015 EMC Corporation. All rights reserved. • “It’s not about if you get breached; it's when you get breached.” • “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk.” • “The breaches we have seen so far are just the beginning – bigger breaches are coming.” • “Legacy security technologies are of limited value in the face of advanced persistent threats.” • “Security incidents can put you out of business.” What you will NOT hear from me today… Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
- 4. 4© Copyright 2015 EMC Corporation. All rights reserved. • “We’re not very visible.” • “But we’ve never had a breach.” • “The probability of this happening is so low that I’ll take my chances.” Beware These Cop-Out Statements! Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563] It doesn’t matter if your company has a widely known public brand or not Don’t confuse luck with competence It’s unlikely that anyone in the organization knows the probability of certain security incidents happening
- 5. 5© Copyright 2015 EMC Corporation. All rights reserved. • “We’re a small organization.” • “We have insurance.” Beware These Cop-Out Statements! Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563] A much bigger factor today than the size of your organization is whether you have information that is valuable to attackers now, or will be valuable in the future Read the fine print to ensure you know exactly what will be covered by your insurance policy, and remember… cyberinsurance is not a get out of jail free card
- 6. 6© Copyright 2015 EMC Corporation. All rights reserved. • Education • Training • Awareness What is “Security Awareness”? Mark Wilson, “A Crash Course in Awareness versus Training versus Education versus Certification (An Off-Kilter Look)” (Feb 2014) http://csrc.nist.gov/organizations/fissea/2014-conference/presentations/fissea_2014_mwilson.pdf …study a topic in depth …produce relevant skills & competencies …focus attention, recognize & respond, change behavior
- 7. 7© Copyright 2015 EMC Corporation. All rights reserved. • The good news (from the management front) – “Security awareness” as a priority has risen – 56% ► 71% (from 2010 to 2014) • The bad news (from the employee front) – 53% are aware of their employer’s current security policies – 38% say they have received training on staying secure at work – 22% of information workers are concerned about security Security Awareness, by the Numbers Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
- 8. 8© Copyright 2015 EMC Corporation. All rights reserved. • Staff are not emotionally involved • Objectives are not aligned with the ultimate goal • Bland and generic content fails to help the audience • Employers settling for one-time, compliance-driven approach Why Do Security Awareness Programs Fail? Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
- 9. 9© Copyright 2015 EMC Corporation. All rights reserved. • Behavior change is an ambitious (and necessary) goal! – Learning in the correct context – Repeating actions to embed knowledge – Rewarding staff to encourage new habits Awareness =? Behavior Change Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
- 10. 10© Copyright 2015 EMC Corporation. All rights reserved. 1. Speak a common language (business) to align incentives – Shift security and risk to a shared business issue from an IT- specific responsibility 2. Redefine data ownership to spread security and privacy mindfulness – Accountability = the business units, not IT 3. Cultivate “right choice” decision-making – Produce targeted security awareness training that is relevant for employees beyond the work environment 3 Key Processes to Change Culture & Behavior Forrester, “Instill A Culture Of Data Security And Privacy: Equip Your Workforce To Augment The Security Team” (Mar 2015) [101761]
- 11. 11© Copyright 2015 EMC Corporation. All rights reserved. • “Crossover areas” of importance – Password reuse across accounts – Connecting to public Wi-Fi access points – Presence on social media sites – Social engineering – Phishing Beyond the work environment
- 12. 12© Copyright 2015 EMC Corporation. All rights reserved. • Focus on discrete, clearly phrased, measurable outcomes in all objectives for security awareness • Avoid poorly-defined outcomes – “Increase the awareness of employees…” – “Ensure that all employees understand…” – “Effectively communicate corporate goals and principles regarding security risks” Define Measurable Outcomes Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
- 13. 13© Copyright 2015 EMC Corporation. All rights reserved. Define Measurable Outcomes Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
- 14. 14© Copyright 2015 EMC Corporation. All rights reserved. One Size Fits All? Gartner, “Segment Your Audience for Effective Security Awareness Communications” (Feb 2015) [G00271825] Office Bound Mobile Digital Immigrant Digital Native Coffee Machine Communicator Road Warrior Tablet TravelerFacebook Friend Group behavior Individual behavior Watch your mouth Watch your typing • Lock up before you leave • Keep your desk clean • Avoid loose talk in public • Be aware of the dangers of multichannel multitasking • Be aware of the risks of mixing work and pleasure • Protect your devices • Be aware of shoulder surfing • Avoid loose talk in public • Don’t share devices • Don’t share credentials • Be aware of media dangers • Humanize data
- 15. 15© Copyright 2015 EMC Corporation. All rights reserved. • Management buy-in & sponsorship • Cross-functional “campaign” approach • Marketing, branding – One-line tagline used with all communications • Identification of “awareness vehicles” Case Study: Large Company Allen Smith & Nancy Toppel, “Case Study: Using Security Awareness to Combat the Advanced Persistent Threat” (Jun 2009) http://cisse.info/resources/archives/category/12-papers?download=131:s03p02-2009 Intranet One-page, once monthly Audio vignette Audio message from Executive Management briefings Awareness giveaways Contest Events Email Q&A list
- 16. 16© Copyright 2015 EMC Corporation. All rights reserved. • Make it personal for employees – Security best practices inside and outside the workplace • Treat communication like a Hollywood movie – Clips, tasters, and teasers ahead of deployment can build tension and interest • Embed elements of novelty & use unexpected delivery channels – Draw attention to a message by making it appear outside of its normal, or expected, context Some Content Ideas Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
- 17. 17© Copyright 2015 EMC Corporation. All rights reserved. • Reinforce the message at teachable moments – Near-misses (your organization, or others in the news) – One-on-one guidance following (failed) phishing tests • Test gamification tactics – Set up friendly competition among staff – Create scenarios where employees compete with each other, or for personal “best scores” Some Content Ideas Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
- 18. 18© Copyright 2015 EMC Corporation. All rights reserved. Gamification Ira Winkler & Samantha Manke, “Gamifying Security Awareness” (Feb 2014) http://www.rsaconference.com/writable/presentations/file_upload/hum-t07a-gamifying-security-awareness.pdf
- 19. 19© Copyright 2015 EMC Corporation. All rights reserved. • SANS “OUCH!” newsletter – https://www.securingthehuman.org/resources/newsletters/ouch/2015 Additional (Free!) Resources ∙ Shopping Online Securely (Nov) ∙ Password Managers (Oct) ∙ Two-Step Verification (Sep) ∙ Backup & Recovery (Aug) ∙ Social Media (Jul) ∙ Educating Kids on Cyber Safety (Jun) ∙ Securing the Cyber Generation Gap (May) ∙ Passphrases (Apr) ∙ Gaming Online Safely & Securely (Mar) ∙ Staying Secure on the Road (Feb)
- 20. 20© Copyright 2015 EMC Corporation. All rights reserved. • SANS “Securing the Human” blog – https://www.securingthehuman.org/blog/ • National Cyber Security Alliance: Business Safe Online Resources – https://www.staysafeonline.org/business-safe-online/resources/ • NIST SP 800-50, “Building An Information Technology Security Awareness and Training Program” (Oct 2003) – http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf – < Section 4. Developing Awareness and Training Material > Additional (Free!) Resources
- 21. 21© Copyright 2015 EMC Corporation. All rights reserved. • DHS US-CERT: National Cyber Awareness System - Tips – https://www.us-cert.gov/ncas/tips • DHS “Stop.Think.Connect.” Campaign – http://www.dhs.gov/stopthinkconnect – http://www.dhs.gov/publication/stopthinkconnect-small-business-resources • RSAC CyberSafety: Kids initiative – http://www.rsaconference.com/about/rsac-cyber-safety Additional (Free!) Resources
- 22. 22© Copyright 2015 EMC Corporation. All rights reserved. • Pro – “The ABC’s of Security Behavioral Influence” (Geordie Stewart, 2015) http://www.risk-intelligence.co.uk/7-habits-of-highly-successful-security-policies/ – “The 7 elements of a successful security awareness program” (Ira Winkler & Samantha Manke, 2014) http://www.csoonline.com/article/2133408/network-security/the-7-elements-of-a-successful-security-awareness-program.html – “Information Security Awareness - Down, But Not Out” (Salvatore Paladino, 2013) http://www.csoonline.com/article/2136488/security- awareness/information-security-awareness---down--but-not-out---by-salvatore-c--paladino.html – “Security Awareness Education” (“Ben Ten” @Ben0xA, 2013) http://ben0xa.com/security-awareness-education/ – “Arguments Against Security Awareness Are Shortsighted” (Ira Winkler, 2013) http://www.darkreading.com/risk/arguments-against-security-awareness- are-shortsighted/d/d-id/1139417?print=yes – “Schneier, Winkler and the Great Security Awareness Training Debate” (Stephen Cobb, 2013) http://www.welivesecurity.com/2013/03/27/schneier- winkler-and-the-great-security-awareness-training-debate/ – “Ten commandments for effective security training” (Joe Ferrara, 2012) http://www.csoonline.com/article/2131688/security-awareness/ten- commandments-for-effective-security-training.html – “Security awareness can be the most cost-effective security measure” (Ira Winkler, 2012) http://www.csoonline.com/article/2131999/metrics- budgets/security-awareness-can-be-the-most-cost-effective-security-measure.html – “Security Awareness Programs: Now Hear This!” (Lew McCreary, 2006) http://www.csoonline.com/article/2120826/strategic-planning-erm/security- awareness-programs--now-hear-this-.html • Con – “Security Awareness Training” (Bruce Schneier, 2013) https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html – “Why you shouldn't train employees for security awareness” (Dave Aitel, 2012) http://www.csoonline.com/article/2131941/security-awareness/why- you-shouldn-t-train-employees-for-security-awareness.html Other Thoughts from Industry
- 23. 23© Copyright 2015 EMC Corporation. All rights reserved. http://BenSmith.SE/twitter http://BenSmith.SE/linkedin