What you Need to Know about Building an Effective Security Awareness Program Kimberly Hood 10-27-2016

Best Practices for Security Awareness and Training


Is an Awareness Program a Waste of Time?

Value to the Organization

PCI Data Security Standard (PCI DSS)

One of the biggest risks to an organization’s information security is the action or inaction by employees that can lead to security incidents
• through disclosure of information that could be used in a social engineering attack,
• not reporting observed unusual activity,
• accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on.

PCI Best Practices for Implementing a Security Awareness Program, October 2014

Value to the Organization

2014 US State of Cybercrime Survey by PricewaterhouseCoopers
• 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks
• Companies without security training for new hires reported average annual financial losses of $683,000
• Companies with training said average financial losses totaled $162,000

Compliance Requirements

• ISO/IEC 27001 & 27002 §8.2.2 - All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

• PCI DSS
  o Educate employees (for example, through posters, letters, memos, meetings and promotions).
  o Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.

Compliance Requirements

• Federal Information Security Management Act (FISMA) §3544.(b).(4).(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

• Health Insurance Portability & Accountability Act (HIPAA) §164.308.(a).(5).(i) - Implement a security awareness and training program for all members of its workforce (including management).

Compliance Requirements

• Red Flags Rule §16 CFR 681.1(d)-(e). Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.

• Control Objectives for Information and Related Technologies (CobiT) §PO7.4 Personnel Training - Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.

Compliance Requirements

• NERC CIP-003-6 §CIP-003-6(A2) …documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods:
  o Direct communications (for example, e-mails, memos, or computer-based training);
  o Indirect communications (for example, posters, intranet, or brochures); or
  o Management support and reinforcement (for example, presentations or meetings).

Compliance Requirements

• 201 CMR 17.00 §17.03(2)
  1. ongoing employee (including temporary and contract employee) training;
  2. employee compliance with policies and procedures; and
  3. means for detecting and preventing security system failures.
  Imposing disciplinary measures for violations of the comprehensive information security program rules.
  §17.04(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Building a Security Culture

Building a Security Culture

• George Kelling
• Minor policy violations lead to bigger ones – eroding the security culture

• Building a security culture requires regular reinforcement, creating and sustaining habits.

The Tipping Point - Malcolm Gladwell

1. Executive Team
2. IT Department
3. Employees

Building a Security Culture

• Obtain buy-in at All Levels

Building a Security Culture

• Write a Plan
• Build a Security Awareness Team
• Be Creative and Enthusiastic
• Have an Expert
• Select metrics

What is Effective Training?

What is Effective Training?

The first goal of any security awareness and training program should be improved knowledge and behavior, not just awareness.

• Security awareness alone is not enough to improve end-user security

• Users must understand and know how to respond to potential security risks

What is Effective Training?

Real-life examples and immediate feedback enhance learning and retention, allowing users to understand and correct their behavior

What is Effective Training?

• When users can understand the context of their behaviors, practice through simulated situations, and receive immediate feedback, they can make better decisions and reduce risks

What is Effective Training?

• Establish baseline training for the organization
• Present individualized training to specialized groups with higher risk profiles – IT, Dispatch, Customer Service, HR, Procurement

• Keep current - Ukrainian Grid, WikiLeaks, Dyn; what have you seen in the organization?

• Don’t be about NO, be about HOW

What is Effective Training?

• Use mixed media – videos, posters, games, interactive lessons

• Free content and forums available

• www.clickclickphish.com

How can we Enforce Compliance?

Why enforce the policy? If employees in a company witness other people breaking security policies and not being punished
• they are tempted to do the same
• it becomes socially acceptable and normal
This is the root cause of poor security culture

Enforcement

• Write a Security Policy with Teeth
• Train to the Policy
• Graduated Enforcement
• Lead by Example
• Follow-up

Enforcement

PCI Security Standards Council recommendations
• Make employees aware of potential harm to the organization and detail how that would affect the employee – penalties, reputational harm, impact on employee’s job

Measuring Effectiveness

Measuring Effectiveness

You can’t improve if you don’t measure.

The Ponemon Institute’s Security Effectiveness Score recommends these metrics:
• Uptime
• Compliance
• Threat containment
• Cost efficiency
• Data breach prevention
• Policy enforcement

http://www.csoonline.com/article/2134334/metrics-budgets/measuring-the-effectiveness-of-your-security-awareness-program.html

Social Pen-Testing

• Social engineering has long been the preferred route for hackers, whether through the front door or using social media and email – Target, Natanz, Ukrainian Grid, RSA

• Shock complacent staff into realizing how vulnerable to social engineering they really are, and through that keep them on their toes and improve overall security

• Opens a valuable communications channel between users and security staff

Phishing

• Be open and up-front about the program goals and objectives – allows a dialog to occur and concerns to be addressed before any simulated phishing training takes place

• Steer the debrief conversation in the direction of remediation and education, rather than blame and sanctions

• Make reporting part of the message

Phishing

• Phish using both inside and outside addresses

• Not everyone will be vulnerable to every phish

• Immediate feedback is a teaching opportunity

Phishing

Click the Link

Open the Attachment

Fill out this Form
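The "Select metrics" and "Measuring Effectiveness" slides say what to measure, and the Phishing slides describe the program (inside and outside sender addresses, the three lure types above, immediate feedback, reporting as part of the message). The script below is an added example, not material from the deck or from any vendor platform: it turns per-user results of simulated campaigns into the scorecard an awareness team would review afterwards, including the repeat failures who should get the individualized training the deck recommends for higher-risk groups. All users, departments and results are constructed for the example.

```python
"""Phishing-simulation scorecard (added example with constructed data).

Turns per-user results of simulated phishing campaigns into the numbers an
awareness team reviews afterwards: failure and report rates per campaign,
per lure type, per sender address type and per department, plus the users
who fail repeatedly and are candidates for individualized follow-up training.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str     # campaign identifier
    lure: str         # "link", "attachment" or "form" (the three lure types)
    sender: str       # "internal" or "external": which kind of address the lure came from
    user: str
    department: str
    outcome: str      # "reported", "fell_for" or "no_action"


# Constructed sample results for three campaigns; hypothetical users and departments.
RESULTS = [
    Result("C1", "link", "external", "alice", "IT", "reported"),
    Result("C1", "link", "external", "bob", "HR", "fell_for"),
    Result("C1", "link", "external", "carol", "Dispatch", "fell_for"),
    Result("C1", "link", "external", "dave", "Procurement", "no_action"),
    Result("C1", "link", "external", "erin", "CustomerService", "reported"),
    Result("C1", "link", "external", "frank", "HR", "fell_for"),
    Result("C2", "attachment", "internal", "alice", "IT", "reported"),
    Result("C2", "attachment", "internal", "bob", "HR", "fell_for"),
    Result("C2", "attachment", "internal", "carol", "Dispatch", "reported"),
    Result("C2", "attachment", "internal", "dave", "Procurement", "no_action"),
    Result("C2", "attachment", "internal", "erin", "CustomerService", "fell_for"),
    Result("C2", "attachment", "internal", "frank", "HR", "fell_for"),
    Result("C3", "form", "external", "alice", "IT", "reported"),
    Result("C3", "form", "external", "bob", "HR", "fell_for"),
    Result("C3", "form", "external", "carol", "Dispatch", "reported"),
    Result("C3", "form", "external", "dave", "Procurement", "reported"),
    Result("C3", "form", "external", "erin", "CustomerService", "reported"),
    Result("C3", "form", "external", "frank", "HR", "no_action"),
]


def _rates(group):
    """Counts plus failure and report rates (rounded to 3 dp) for one group."""
    n = len(group)
    fell = sum(r.outcome == "fell_for" for r in group)
    reported = sum(r.outcome == "reported" for r in group)
    return {
        "targeted": n,
        "fell_for": fell,
        "reported": reported,
        "failure_rate": round(fell / n, 3) if n else 0.0,
        "report_rate": round(reported / n, 3) if n else 0.0,
    }


def rates_by(results, key):
    """Group results by a Result attribute name ("campaign", "lure", "sender",
    "department") and compute the rates for each group, keys sorted."""
    groups = defaultdict(list)
    for r in results:
        groups[getattr(r, key)].append(r)
    return {k: _rates(v) for k, v in sorted(groups.items())}


def repeat_failures(results, min_failures=2):
    """Users who fell for at least `min_failures` distinct campaigns: the
    candidates for individualized training rather than blame or sanctions."""
    failed = defaultdict(set)
    for r in results:
        if r.outcome == "fell_for":
            failed[r.user].add(r.campaign)
    return sorted(u for u, camps in failed.items() if len(camps) >= min_failures)


def trend(results):
    """Failure rate per campaign in campaign order, so the team can see whether
    repeated reinforcement is moving the number in the right direction."""
    return [(c, m["failure_rate"]) for c, m in rates_by(results, "campaign").items()]


if __name__ == "__main__":
    for key in ("campaign", "lure", "sender", "department"):
        print(key, rates_by(RESULTS, key))
    print("repeat failures:", repeat_failures(RESULTS))
    print("trend:", trend(RESULTS))
```

The report rate is tracked alongside the failure rate on purpose: a campaign where nobody clicks but nobody reports either has not taught the behaviour the "Make reporting part of the message" slide asks for. Real campaign exports would replace the constructed RESULTS list.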

Phishing - Examples

Security Fatigue

Security Fatigue
• 2016 study by the National Institute of Standards and Technology (NIST)
• When users are asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue.
  – “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
  – “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”

Three ways to ease security fatigue and help users maintain secure online habits and behavior:

Security Fatigue

1. Limit the number of security decisions users need to make

2. Make it simple for users to choose the right security action

3. Design for consistent decision making whenever possible.

Questions?