2. Who am I?
• Garry Scobie
• Deputy CISO
• The University of Edinburgh
2 The challenge of security awareness
3. Agenda
• Identifying the challenges to overcome when introducing a security awareness program
• An overview of real-life attacks on the organisation; making the abstract concrete, helping to shape our thinking on awareness training
• Suggested solutions using the current awareness program at The University of Edinburgh as an example
4. Security breaches commonplace
• Compromises resulting in loss of data are announced almost weekly
• Huge numbers of accounts are up for sale
• It’s commonplace
5. Why bother?
• Users may rightly ask why bother with security?
• Some believe it doesn’t apply to them
• “I’m going to be hacked anyway”
• “I’ve nothing important to lose”
• “Mandatory security training? But I’m a …”
• “We have clever people. They won’t be phished”
6. A challenging environment
• I see a lot of good practice
• Others, however…
• “Do I have to ask suppliers about their security?”
• “Are there any loopholes in GDPR that I can use to get around it?”
• “Can we just not bother?”
7. How do we make people aware?
• We can spend a fortune on technical controls
• We can write policies and procedures
• But if someone is phished…
• How do we educate in such an environment?
• What are the challenges?
8. Challenge 1 - complexity
• The environment is complex
• Connecting everybody with everything
• Educating a non-security professional about IoT? Too big, too difficult, not interested
• Who reads terms and conditions, and understands what it actually does?
9. Challenge 2 - overload
• The sheer volume of data, messages, things for people to click on and access
• How is our message going to stand out, let alone get through?
10. Challenge 3 - diversity and accessibility
• Everyone is important in helping all of us to be more secure. Fostering awareness cannot lose sight of this
• The message must appeal to, and be understood by, all. Be wary of jargon
• Is the awareness training you provide accessible and achievable by all your users?
• Different audiences – the message may have to be modified. Tech vs non-tech
11. Challenge 4 - justifying budgets
• Security awareness must add value
• Not just be a drain on resources
• Competing against all other priorities
12. Challenge 5 - it’s not a tick box
• Security awareness is not a one-off
• Whatever you do has to be ongoing
• It’s a continual process of revisiting, revising and reinforcing
13. Challenge 6 – a vast subject
• The InfoSec remit covers a huge area of policy, tech and guidance
• A common support call is “I’ve found this piece of software. Is it okay to use from an InfoSec perspective?”
14. Challenge 7 – image
• The image of Information Security needs to change
• Pictures of hoodies with dark glasses in basements are dated and turn people off
• InfoSec needs to be approachable
• Demystify
15. Challenge 8 - measuring effectiveness
• How do you know if your message is getting across?
• Are you making a difference?
• How can you tell?
16. Challenge 9 – cultural change
• Ensure security awareness is embedded and becomes the norm for the organisation
• Rapid turnover of staff and students is a challenge
• Long-serving staff
• Not just being aware, but understanding
17. The University of Edinburgh
• An internationally-acclaimed seat of learning
• Reputation for research and as a pioneer of discoveries and scientific breakthroughs
• A major employer and a major player in the City Deal Initiative
18. The university is a target
• Data theft – PII of staff and students
• Financial gain – handling of student fees; large employer; contracts with third parties; research grants; City Deal
• Espionage – centres for research hold valuable intellectual property – you name it, it’s probably being researched
• These are highlighted in our awareness program
19. Top cyber threats
• Lack of awareness
• Phishing
• Malware/Ransomware
• These are linked together
• They help to shape our thinking on awareness training
• Relating advice to real incidents helps to make it real
20. Phishing
• There are deliveries every day, and emails informing users of them
• Phishing typically delivers ransomware or grabs credentials
• Don’t pay. Restore from backups
• No reading of email or browsing the web while logged in with a privileged account
• Evidence suggests the top targets for phishing attempts are research/medical
21. Spear and whale phishing
• Academics were concerned over phishing attacks which they spotted, but how did the attackers get that personal data about them?
• The academic on-line profile is full of useful data
• Biography, teaching and PhD supervision, research, projects, publications
• Social engineering using social media
• We can’t hide away. Just be aware of what you put out and be on guard whenever someone new approaches you
22. Conferences
• Register for a ‘conference’ and then an email is returned stating there is a problem with the web site handling the registration process
• The email contains an attachment, which is not malware. The user is asked to fill in their details
• “We can arrange a discount via local hotels, so fill in this form with your personal details including passport number and credit card”
• Also spoofing of a genuine conference, claiming the delegate hasn’t paid
23. Other phishing attacks
• Disk full alerts, email account upgraded or suspended, routine maintenance being carried out and you need to provide your credentials
• IT services would never do this
• Phone scams on the increase
• Texts
• Watering hole sites/fake domains
• Fake pages linked to library systems
24. Fraud
• Spear phishing - targeting key personnel for urgent payments
• Mandate fraud – change of supplier bank details, using a fake website to spoof the bank details, so that payment is received into a fake supplier bank account
• Spoofed invoices
• All of the above were prevented by internal controls
• Students giving money to “money advisers.” Lottery scams. Accommodation scams
25. Bitcoin miners
• System compromises due to a lack of, or delay in, patching
• Bitcoin miner code searches for other computers on the network and attempts to compromise them
• Failure to patch can impact everyone
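The miner behaviour described on this slide, a compromised host probing many of its neighbours, leaves a recognisable trace in network connection logs. The following is an added illustration of how a defender might spot it; it is not code from the talk or from the University of Edinburgh. The log format, addresses, port, window and threshold are all constructed assumptions.

```python
"""Flag worm-like scanning in constructed connection records.

A single source reaching many distinct hosts on the same port inside a
short window is the pattern a self-propagating miner leaves behind.
Everything below (log lines, field layout, threshold) is a constructed
example, not real University data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one "timestamp src dst dport" record per connection.
# 10.20.1.15 sweeps twelve neighbours on port 445 in six seconds;
# 10.20.1.40 and 10.20.1.55 show ordinary, low-fan-out traffic.
SAMPLE_LOG = """\
2019-03-04T10:00:01 10.20.1.15 10.20.1.1 445
2019-03-04T10:00:02 10.20.1.15 10.20.1.2 445
2019-03-04T10:00:02 10.20.1.15 10.20.1.3 445
2019-03-04T10:00:03 10.20.1.15 10.20.1.4 445
2019-03-04T10:00:03 10.20.1.15 10.20.1.5 445
2019-03-04T10:00:04 10.20.1.15 10.20.1.6 445
2019-03-04T10:00:05 10.20.1.15 10.20.1.7 445
2019-03-04T10:00:05 10.20.1.15 10.20.1.8 445
2019-03-04T10:00:06 10.20.1.15 10.20.1.9 445
2019-03-04T10:00:06 10.20.1.15 10.20.1.10 445
2019-03-04T10:00:07 10.20.1.15 10.20.1.11 445
2019-03-04T10:00:07 10.20.1.15 10.20.1.12 445
2019-03-04T10:00:10 10.20.1.40 10.20.1.1 445
2019-03-04T10:00:11 10.20.1.40 10.20.1.1 445
2019-03-04T10:05:00 10.20.1.40 10.20.1.2 445
2019-03-04T10:00:12 10.20.1.55 10.20.1.200 443
2019-03-04T10:00:13 10.20.1.55 10.20.1.201 443
"""


def parse_connections(text):
    """Turn the constructed log into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, window=timedelta(seconds=60), min_targets=10):
    """Return {src: (dport, distinct_targets)} for every source that
    contacted at least min_targets distinct hosts on one port within
    any sliding window of the given length."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in records:
        by_key[(src, dport)].append((ts, dst))

    flagged = {}
    for (src, dport), events in by_key.items():
        events.sort()  # time order, so the window can slide forward
        start = 0
        for end in range(len(events)):
            # drop events that fell out of the window behind us
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                prev = flagged.get(src)
                if prev is None or len(targets) > prev[1]:
                    flagged[src] = (dport, len(targets))
    return flagged


if __name__ == "__main__":
    for src, (port, n) in find_scanners(parse_connections(SAMPLE_LOG)).items():
        print(f"{src} reached {n} distinct hosts on port {port} "
              f"within 60s: check the host for unpatched software and miner activity")
```

The threshold and window are deliberately loose so that ordinary servers (a mail relay, a monitoring box) are not flagged; in practice you would tune them per network segment and treat a hit as a prompt to check the source host's patch state rather than as proof of compromise.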
26. Freedom of information
• Legal requirement for the public sector
• We have developed an understanding of what we can say in respect of security
• You don’t want to map out your tech
• We are often asked how many cyber attacks we have had
• We have also been asked how many of the University’s properties are haunted
27. Physical security
• The University is very old, with a sprawling mix of buildings. We are proud of our estate and encourage openness
• Physical thefts do occur
• Clean desk policy
• Wear a lanyard, be prepared to challenge
28. Cyber security cultural assessment
• Seven focus groups across a range of schools and business units
• The themes of Empowerment, Awareness, Values, Behaviours, Adherence, Accountability, Responsibility, and Cultural Norms were discussed
• Helped to benchmark and reinforce the direction we were taking
• Staff want the information to enable them to do the right thing
29. Focus groups - actions
• Communications – security working group
• InfoSec champions network – with training
• Review on-line training and target awareness
• Refresh of guidance
• Multi-channel communication campaign (use student interns)
• Raise empowerment
• Accountability
30. The way forward
• Users are our best defence
• Foster an environment that encourages people to speak up, point out, challenge
• A no-blame culture
• Consensus on what is important and aligned to the business
• Assess the risks and partner with the business in language everyone understands
• Partnership working
31. The way forward
• We provide policy and procedures around the need to handle University data securely
• We also stress the need for users to handle their own personal data in the same way
• Foster awareness by highlighting the data they hold on family and friends
• Identity theft is real
32. The way forward
• Don’t be afraid to try different things and fail
• Buy-in from the top – invite your senior team along
• GDPR champions network - use those who do get it to help others get on board
• InfoSec champions network
• Make it fun - don’t turn your users off
• Enthusiasm can’t be faked. Enjoy your subject
33. The way forward
• Look for quick wins. What can users do to make themselves more secure?
• Automatic updates
• Think before you click
• AV on mobiles
• We pitch the training at every opportunity
34. The University of Edinburgh
• Teamed up with the digital skills program
• Security awareness week
• Fraud awareness week
• New staff welcome sessions
• Creative learning festival
– Medieval castles
– Victorian fan language
35. University awareness sessions
• The Internet survival guide
• Fraud, phishing and social engineering
• Why is InfoSec important to me and you?
• Practical encryption for staff and students
• Mobile phone security
• Ransomware
• Introduction to the InfoSec team
• Choosing software from an InfoSec view
• Hacking, cybercrime and the movies
36. MOOC
• Massive Open Online Courses
• Digital footprint initiative
• Three-week online course which includes developing an effective online presence, managing your privacy, creating opportunities for networking, balancing and managing professional and personal presences (e-professionalism)
37. The University of Edinburgh
• Mandatory on-line training
• Embedding security in projects
- Question sets for procurement
• Top tip flyers
• Active on social media
• Student interns – feedback on what we are doing
38. The University of Edinburgh
• Focus groups
• Phishing simulation
• Merchandise and branding
• Developing podcasts
39. KPIs
• Increase in take-up of training
• Increase in calls for advice and support
• Increased reports of phishing emails
• Engagement at project initiation
• Requests for vulnerability scans and penetration tests
• Invitations to visit schools and colleges
• One school now starting their own internal security awareness program
• College requests for additional awareness sessions
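Slide 15 asks how you can tell whether the message is getting across, and this slide lists the indicators used. The block below is an added example, not the University's own reporting, of how the phishing-simulation results (slide 38) and the "increased reports of phishing emails" KPI can be turned into figures that show a trend across campaigns. The campaign numbers, names and the success criteria are constructed assumptions.

```python
"""Turn phishing-simulation results into awareness KPIs.

Added example. The campaigns below are constructed figures, not real
University of Edinburgh results. The point shown: click rate alone is a
weak signal, because a falling click rate with a flat report rate means
people are merely ignoring mail; the report rate, and reports per click,
are what show that awareness is turning into action.
"""

# Constructed: one simulation per quarter, all sent to a similar-sized group.
CAMPAIGNS = [
    {"name": "2018-Q3", "sent": 2000, "clicked": 420, "reported": 150, "credentials_entered": 120},
    {"name": "2018-Q4", "sent": 2100, "clicked": 360, "reported": 300, "credentials_entered": 80},
    {"name": "2019-Q1", "sent": 2200, "clicked": 250, "reported": 520, "credentials_entered": 40},
]


def campaign_metrics(campaign):
    """Normalise raw counts into rates so campaigns of different size compare."""
    sent = campaign["sent"]
    clicked = campaign["clicked"]
    return {
        "name": campaign["name"],
        "click_rate": round(clicked / sent, 3),
        "report_rate": round(campaign["reported"] / sent, 3),
        "credential_rate": round(campaign["credentials_entered"] / sent, 3),
        # reports per click: above 1.0 means more people reported than fell for it
        "report_to_click": round(campaign["reported"] / max(clicked, 1), 2),
    }


def trend(campaigns):
    """Compare first and last campaign. The programme is 'improving' only if
    people click less AND report more; a click-rate drop on its own is not
    enough, since it can just mean the lure was weaker or mail was ignored."""
    metrics = [campaign_metrics(c) for c in campaigns]
    first, last = metrics[0], metrics[-1]
    return {
        "click_rate_change": round(last["click_rate"] - first["click_rate"], 3),
        "report_rate_change": round(last["report_rate"] - first["report_rate"], 3),
        "credential_rate_change": round(last["credential_rate"] - first["credential_rate"], 3),
        "improving": (last["click_rate"] < first["click_rate"]
                      and last["report_rate"] > first["report_rate"]),
        "per_campaign": metrics,
    }


if __name__ == "__main__":
    summary = trend(CAMPAIGNS)
    for m in summary["per_campaign"]:
        print(f"{m['name']}: click {m['click_rate']:.1%}, report {m['report_rate']:.1%}, "
              f"credentials {m['credential_rate']:.1%}, reports/click {m['report_to_click']}")
    print("improving:", summary["improving"])
```

Reading the constructed figures, the report-to-click ratio moves from well below one to above two across three campaigns, which is the kind of change worth putting in front of the senior team when justifying the budget (slide 11); a bare "click rate fell" line does not say whether anyone learned to do the right thing.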
40. The challenge of security awareness