Cybersecurity Employee Training

Page 1: Cybersecurity Employee Training

Employee Training & Awareness: A Critical Element in Cybersecurity Resilience

Ben Smith, CISSP (@Ben_Smith), Field CTO (East), Security Portfolio

Page 2: Cybersecurity Employee Training

2 © Copyright 2015 EMC Corporation. All rights reserved.

Agenda

1. Looking in the mirror

2. Failures of awareness, failures of behavior

3. What does success look like?

4. Additional resources

SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/

Page 3: Cybersecurity Employee Training


What you will NOT hear from me today…

• “It’s not about if you get breached; it’s when you get breached.”

• “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk.”

• “The breaches we have seen so far are just the beginning – bigger breaches are coming.”

• “Legacy security technologies are of limited value in the face of advanced persistent threats.”

• “Security incidents can put you out of business.”

Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]

Page 4: Cybersecurity Employee Training


Beware These Cop-Out Statements!

• “We’re not very visible.”

– It doesn’t matter if your company has a widely known public brand or not

• “But we’ve never had a breach.”

– Don’t confuse luck with competence

• “The probability of this happening is so low that I’ll take my chances.”

– It’s unlikely that anyone in the organization knows the probability of certain security incidents happening

Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]

Page 5: Cybersecurity Employee Training


Beware These Cop-Out Statements!

• “We’re a small organization.”

– A much bigger factor today than the size of your organization is whether you have information that is valuable to attackers now, or will be valuable in the future

• “We have insurance.”

– Read the fine print to ensure you know exactly what will be covered by your insurance policy, and remember… cyberinsurance is not a get out of jail free card

Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]

Page 6: Cybersecurity Employee Training


What is “Security Awareness”?

• Education …study a topic in depth

• Training …produce relevant skills & competencies

• Awareness …focus attention, recognize & respond, change behavior

Mark Wilson, “A Crash Course in Awareness versus Training versus Education versus Certification (An Off-Kilter Look)” (Feb 2014) http://csrc.nist.gov/organizations/fissea/2014-conference/presentations/fissea_2014_mwilson.pdf

Page 7: Cybersecurity Employee Training


Security Awareness, by the Numbers

• The good news (from the management front) – “Security awareness” as a priority has risen

– 56% ► 71% (from 2010 to 2014)

• The bad news (from the employee front)

– 53% are aware of their employer’s current security policies

– 38% say they have received training on staying secure at work

– 22% of information workers are concerned about security

Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

Page 8: Cybersecurity Employee Training


Why Do Security Awareness Programs Fail?

• Staff are not emotionally involved

• Objectives are not aligned with the ultimate goal

• Bland and generic content fails to help the audience

• Employers settle for a one-time, compliance-driven approach

Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

Page 9: Cybersecurity Employee Training


Awareness =? Behavior Change

• Behavior change is an ambitious (and necessary) goal!

– Learning in the correct context

– Repeating actions to embed knowledge

– Rewarding staff to encourage new habits

Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

Page 10: Cybersecurity Employee Training


3 Key Processes to Change Culture & Behavior

1. Speak a common language (business) to align incentives – Shift security and risk to a shared business issue from an IT-specific responsibility

2. Redefine data ownership to spread security and privacy mindfulness – Accountability = the business units, not IT

3. Cultivate “right choice” decision-making – Produce targeted security awareness training that is relevant for employees beyond the work environment

Forrester, “Instill A Culture Of Data Security And Privacy: Equip Your Workforce To Augment The Security Team” (Mar 2015) [101761]

Page 11: Cybersecurity Employee Training


Beyond the work environment

• “Crossover areas” of importance

– Password reuse across accounts

– Connecting to public Wi-Fi access points

– Presence on social media sites

– Social engineering

– Phishing

Page 12: Cybersecurity Employee Training


Define Measurable Outcomes

• Focus on discrete, clearly phrased, measurable outcomes in all objectives for security awareness

• Avoid poorly defined outcomes such as:

– “Increase the awareness of employees…”

– “Ensure that all employees understand…”

– “Effectively communicate corporate goals and principles regarding security risks”

Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]

Page 13: Cybersecurity Employee Training


Define Measurable Outcomes

Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]

Page 14: Cybersecurity Employee Training


One Size Fits All?

Audience segments (digital immigrant vs. digital native; office bound vs. mobile):

                     Office Bound                   Mobile
Digital Immigrant    Coffee Machine Communicator    Road Warrior
Digital Native       Tablet Traveler                Facebook Friend

Group behavior / Individual behavior

Watch your mouth / Watch your typing

Segment-specific messages:

• Lock up before you leave

• Keep your desk clean

• Avoid loose talk in public

• Be aware of the dangers of multichannel multitasking

• Be aware of the risks of mixing work and pleasure

• Protect your devices

• Be aware of shoulder surfing

• Avoid loose talk in public

• Don’t share devices

• Don’t share credentials

• Be aware of media dangers

• Humanize data

Gartner, “Segment Your Audience for Effective Security Awareness Communications” (Feb 2015) [G00271825]

Page 15: Cybersecurity Employee Training


Case Study: Large Company

• Management buy-in & sponsorship

• Cross-functional “campaign” approach

• Marketing, branding – One-line tagline used with all communications

• Identification of “awareness vehicles”

– Intranet

– One-page, once monthly

– Audio vignette

– Audio message from Executive

– Management briefings

– Awareness giveaways

– Contest

– Events

– Email Q&A list

Allen Smith & Nancy Toppel, “Case Study: Using Security Awareness to Combat the Advanced Persistent Threat” (Jun 2009) http://cisse.info/resources/archives/category/12-papers?download=131:s03p02-2009

Page 16: Cybersecurity Employee Training


Some Content Ideas

• Make it personal for employees

– Security best practices inside and outside the workplace

• Treat communication like a Hollywood movie – Clips, tasters, and teasers ahead of deployment can build tension and interest

• Embed elements of novelty & use unexpected delivery channels – Draw attention to a message by making it appear outside of its normal, or expected, context

Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

Page 17: Cybersecurity Employee Training


Some Content Ideas

• Reinforce the message at teachable moments

– Near-misses (your organization, or others in the news)

– One-on-one guidance following (failed) phishing tests

• Test gamification tactics

– Set up friendly competition among staff – Create scenarios where employees compete with each other, or for personal “best scores”

Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

Page 19: Cybersecurity Employee Training


Additional (Free!) Resources

• SANS “OUCH!” newsletter – https://www.securingthehuman.org/resources/newsletters/ouch/2015

– Shopping Online Securely (Nov)

– Password Managers (Oct)

– Two-Step Verification (Sep)

– Backup & Recovery (Aug)

– Social Media (Jul)

– Educating Kids on Cyber Safety (Jun)

– Securing the Cyber Generation Gap (May)

– Passphrases (Apr)

– Gaming Online Safely & Securely (Mar)

– Staying Secure on the Road (Feb)

Page 20: Cybersecurity Employee Training


Additional (Free!) Resources

• SANS “Securing the Human” blog – https://www.securingthehuman.org/blog/

• National Cyber Security Alliance: Business Safe Online Resources – https://www.staysafeonline.org/business-safe-online/resources/

• NIST SP 800-50, “Building An Information Technology Security Awareness and Training Program” (Oct 2003)

– http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf (see Section 4, Developing Awareness and Training Material)

Page 21: Cybersecurity Employee Training


Additional (Free!) Resources

• DHS US-CERT: National Cyber Awareness System – Tips – https://www.us-cert.gov/ncas/tips

• DHS “Stop.Think.Connect.” Campaign

– http://www.dhs.gov/stopthinkconnect

– http://www.dhs.gov/publication/stopthinkconnect-small-business-resources

• RSAC CyberSafety: Kids initiative – http://www.rsaconference.com/about/rsac-cyber-safety

Page 22: Cybersecurity Employee Training


Other Thoughts from Industry

• Pro

– “The ABC’s of Security Behavioral Influence” (Geordie Stewart, 2015) http://www.risk-intelligence.co.uk/7-habits-of-highly-successful-security-policies/

– “The 7 elements of a successful security awareness program” (Ira Winkler & Samantha Manke, 2014) http://www.csoonline.com/article/2133408/network-security/the-7-elements-of-a-successful-security-awareness-program.html

– “Information Security Awareness - Down, But Not Out” (Salvatore Paladino, 2013) http://www.csoonline.com/article/2136488/security-awareness/information-security-awareness---down--but-not-out---by-salvatore-c--paladino.html

– “Security Awareness Education” (“Ben Ten” @Ben0xA, 2013) http://ben0xa.com/security-awareness-education/

– “Arguments Against Security Awareness Are Shortsighted” (Ira Winkler, 2013) http://www.darkreading.com/risk/arguments-against-security-awareness-are-shortsighted/d/d-id/1139417?print=yes

– “Schneier, Winkler and the Great Security Awareness Training Debate” (Stephen Cobb, 2013) http://www.welivesecurity.com/2013/03/27/schneier-winkler-and-the-great-security-awareness-training-debate/

– “Ten commandments for effective security training” (Joe Ferrara, 2012) http://www.csoonline.com/article/2131688/security-awareness/ten-commandments-for-effective-security-training.html

– “Security awareness can be the most cost-effective security measure” (Ira Winkler, 2012) http://www.csoonline.com/article/2131999/metrics-budgets/security-awareness-can-be-the-most-cost-effective-security-measure.html

– “Security Awareness Programs: Now Hear This!” (Lew McCreary, 2006) http://www.csoonline.com/article/2120826/strategic-planning-erm/security-awareness-programs--now-hear-this-.html

• Con

– “Security Awareness Training” (Bruce Schneier, 2013) https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html

– “Why you shouldn't train employees for security awareness” (Dave Aitel, 2012) http://www.csoonline.com/article/2131941/security-awareness/why-you-shouldn-t-train-employees-for-security-awareness.html

Page 23: Cybersecurity Employee Training


Twitter: http://BenSmith.SE/twitter

LinkedIn: http://BenSmith.SE/linkedin