From awareness to culture:Building an effective security program

Chester WisniewskiPrincipal Research Scientist

October 2016

Who am I?

2

The problem

Which is easier to circumvent?

4

The keys to social engineering

5

I’m here to help

6

Criminal tactics

We’re good at detecting this

8

Not so good at this

9

Not so good at this

10

High definition phishing

11

Open Source Intelligence

12

Education only goes so far

13

What to do about it

The number is 3.

15

People

Creating a security culture

17

The great phish debate

18

Use the force

19

Source: Verizon Data Breach Investigation Report 2016

AlwaysClick

SuspiciousReport to IT

Process

Assess risk

21

Focus where it matters most

22

Continuous improvement

23

Tools

Continuous improvement

25

Compatible → cooperating

26

Here to help

27

https://www.sophos.com/free-tools.aspx