
How the NIST Cybersecurity Framework Improves Security Awareness

79,790 security incidents were reported in 2014. (source)

90% of all data breaches in 2014 were the result of human error. (source)

That’s a substantial amount of sensitive data put into the wrong hands, published to public web servers, incorrectly disposed of, or otherwise lost at the hands of the people that you pay to grow your business; you can’t risk that.

With security breaches making mainstream headlines and the average breach costing $3.79 million (source), internal errors and a lack of concern for security are no longer acceptable. In recent high-profile incidents, investigations proved that the necessary experience and knowledge to pinpoint the severity of a cyberattack was missing. Now more than ever, it’s imperative that security awareness programs are implemented at every tier of an organization, from executive to entry-level, to help mitigate potential threats.

72% of companies where the security policy was “poorly understood” had staff-related breaches. (The policies were in place, but the people didn’t understand them.) (source: pwc 2015 Information Security Breaches Survey)

If you’re reading this, you probably already know that in 2014 the National Institute of Standards and Technology (NIST) introduced a Cybersecurity Framework in response to an executive order calling for “a set of industry standards and best practices to help organizations manage cybersecurity risks” (source). Since then, this Framework has evolved to become one of the most cited guidelines used by enterprise auditors to standardize cybersecurity expectations. With this evolution, security awareness and security awareness training programs are no longer considered “recommendations” but rather unofficial requirements for businesses of every size. That’s good news! Research shows that investing in security awareness training not only decreases the likelihood that your organization will face a breach, but lowers the cost if you are hit.

To protect your organization, you must do a better job educating employees on how to identify risk and react appropriately. Do it by developing a security awareness training program that aligns with the NIST framework.

Elements of a Security Awareness Program

We know that humans continue to be the weakest link in the data security chain (source). To fix this, we need security awareness programs that are designed to educate, raise awareness, and change the behavior of our staff—from entry-level to executive to information security officer. The NIST Framework has an entire section devoted to awareness and training of personnel, from understanding their roles and responsibilities to learning appropriate procedures and policies. The Center for Internet Security notes that “No cyber defense approach can begin to address cyber risk without a means to address this fundamental [human] vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness.” (source)

With a more knowledgeable staff, fewer phishing e-mails will be opened, more care will be taken to save data in secure locations, and team members won’t be given unauthorized access to protected information. When an organization is avoiding errors like these, its cybersecurity training can result in a 76% decrease in the cost of security incidents. (source)

Developing good security awareness means adopting a program that is predictive, adaptive, can continuously be improved upon, and that becomes part of the organizational culture through constant reinforcement. Historically, developing such a program has been difficult for security professionals, but today, there’s finally a solution...

Meet the Adaptive Awareness Framework

The Adaptive Awareness Framework, designed by MediaPro and tightly aligned to the NIST Cybersecurity Framework, offers businesses an actionable and measurable way to introduce better security awareness into their organizations. It organizes and integrates a variety of well-known and widely dispersed standards into a single overarching framework that is easy to implement, manage, and adapt.

Below, we’ve broken out each step of the Adaptive Awareness Framework to see how it can be leveraged in your own business. The outlined process (analyze, plan, train, and reinforce) has been modified from the NIST Framework’s core recommendations to “aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities.” (source)

1 ANALYZE

Why would you ever deploy an Awareness program without really understanding the severity of your risks, or without a way of measuring whether or not it’s successful? You wouldn’t (or, at least we hope you wouldn’t).

When it comes to both understanding the risks you face and then measuring the success of your security awareness program in addressing those risks, you need data. You want to be able to quantify the baseline knowledge and behavior of your employees at the start of your program, and you want to know if the education you provide to them has made an impact. Most importantly, you should prepare from the start to ask yourself, “Has this program led to behavior change?”

But how do you do that? What tools are available to help you understand what your employees know and do, and how it changes over time? Below are some measurement tools to look at:

Knowledge assessments/surveys:

Knowledge assessments are a great way to measure what your employees know before training and what they retain after training. Once you’ve identified where staff needs additional training, you can build your program around these areas. With that baseline recorded, you can deliver follow-up surveys every six months to measure how your environment is changing over time, and to help gauge effectiveness.

Phishing/social engineering:

Since phishing is one of the most common social engineering tactics in use today, it makes sense to run simulated phishing and social engineering attacks. These simulated attacks can employ a wide variety of clever techniques to obtain passwords, attain access to sensitive information, or gain physical access through tactics as simple as an e-mail or a phone call, tailgating, or dropping a USB device. Data accumulated from these simulated phishing and social engineering attacks can be used to make improvements to your overall security awareness program because these attacks allow you to understand how users actually respond to various types of simulated attacks and determine what type of messages carry the most risk.

Incident reporting:

Another way to measure the success of your security program is to look at the number of incidents being reported. If people are more aware of potential threats, it stands to reason that you’ll see a spike in your incident reporting. Arguably a noisy channel, but one to watch nonetheless.

Completions of training/reinforcement:

If security awareness training is required at your organization, then this isn’t a great measure of success. However, if it’s not required, then it may be a great measure of how well people are engaging with your message. You could also measure traffic to reinforcement material to see how many people have viewed them and whether your message is getting out there.

2 PLAN

You can’t implement a successful security awareness program without first understanding the key risks, and specific business and security goals you’re looking to achieve. To create the right training model: assess your baseline risk profile and then map out the plan that makes the most sense for the business. During this process, it’s important to identify the most important risks facing the organization and the behaviors you want to change relative to those risks.

Ask yourself:

• What is your overall goal?
• What are your key risks associated with human behavior? (If you’ve done a survey, you’ve got valuable data.)
• What behaviors do you want to change?
• What tools will you use to bring about change?
• How will you measure knowledge and behavior change?

When referencing the NIST Cybersecurity Framework, you might align the Planning process with the core function of identifying risks. Similarly, the Framework recommends that an organization take an inventory of the data or programs necessary for business functions, the company’s overall mission, potential risks against its assets and staff, and more. Use this inventory to complete a Security Awareness Risk and Intervention matrix where each identified risk is mapped to desired behaviors, training solutions, and reinforcement solutions.

RISK: Employees are not consistently following data protection and reporting policies, standards and guidelines.

DESIRED BEHAVIOR: All employees will:

• Electronically certify that they have read the policies.
• Validate they understand the key policy points.
• Identify common policy mistakes and missteps.
• Correctly identify how to report a security incident or whom to contact if they have any questions.
• Describe the possible consequences of inaction.

Result: 50% reduction in policy violations; increase calls to the help line by 10%

TRAINING SOLUTIONS: Interactions within the training will allow students to practice identifying data security threats, view ways to prevent threats, as well as show common examples of mistakes, identify contacts, and discuss consequences.

REINFORCEMENT SOLUTIONS:

• Make the policy certification (pledge page) part of the annual training.
• Place posters on all breakroom walls and rotate every 2 months.
• Host an open “round table” lunch each quarter where employees can share their ideas on preventing data security incidents (prizes awarded).
• Include 2 brief articles in the company newsletter and the InfoSec website about recognizing and reporting incidents.

RISK: Employees not identifying threats properly, or classifying personally identifiable or company-sensitive information correctly.

DESIRED BEHAVIOR: All employees will:

• Be able to identify what information needs to be protected and classify information correctly.
• Apply the correct protections and procedures on a consistent basis.
• Be able to identify and respond to phishing and social engineering threats.

Result: 40% reduction in misclassification and misuse of data; reduce phishing response rates by 50% and reduce social engineering responses by 75%

TRAINING SOLUTIONS: Interactions within the training will allow students to: a) practice identifying PII and company-sensitive information; b) practice classifying that information into the correct categories; and c) practice identifying phishing e-mails and view common social engineering threats.

REINFORCEMENT SOLUTIONS:

• Provide job aids to all employees that handle PII and sensitive company information.
• Host a Security Awareness Day in October (cyber security month).
• E-mail a reminder (with links to a game or animation) to all departments with employees that handle PII and/or sensitive data 3 times during the year.
• Use an outside company to apply social engineering tests to “at risk” employees and senior
• Deliver a simulated phishing test to all employees 2 times a year and to senior management 3 times a year.

By creating a plan that aligns each risk to a specific behavior and to training and reinforcement deliverables, you ensure the desired level of protection and diligence for the organization. Such a plan also allows you to identify cybersecurity roles and responsibilities for your team, including staff, third-party stakeholders, etc., and ensures the right levels of education and production for the right people within your organization.

The NIST Framework notes that with the right plan, organizations will be capable of making strategic decisions regarding cybersecurity implementations and will be able to better determine the scope of systems and assets that support the selected business line or process.

3 TRAIN

Training is the single most influential way to deliver your security awareness message to staff. With training, all eyes are on your organizational security program and it’s your chance to clearly communicate to employees the risks that they face, and the policies and best practices recommended by the company to help avoid them. So make this time count! Assemble security training that not only addresses security concerns, but also regulatory needs (like the ability to prove training was issued). Training should also engage staff, so that it is remembered and acted upon.

Of course, that’s no easy task. There are so many different options available when it comes to security awareness training, and many of the choices to be made are outside the realm of the IT professional’s expertise. While it doesn’t cover everything, use the following list of key questions to ask yourself when you’re in the market for a security training solution.

Should I go with web-based or in-person training?

This can be a difficult decision for many. The right answer for your company will depend on both its size, as well as the size of the program you’re looking to deliver. Smaller companies running smaller security awareness programs may opt for an in-person training solution that is more cost-effective. Larger companies (especially where employees are dispersed throughout locations), or companies investing in larger training programs, will likely favor web-based training as it’s easier to deploy, manage, and measure.

Should I build an in-house training solution or buy one?

Whether you opt to build something or buy something, each decision comes with its own pros and cons. Building your own solution may allow you to customize it directly to the needs of your business, but anyone who has attempted the task knows it can quickly become painful, difficult, and time-consuming.

Buying a solution, of course, comes with the built-in cost of paying for the program, as well as the additional risks that you may not like what you bought or that it may not be as easy to work with as you hoped; however, it will likely save you the internal investment of creating it on your own, and provides a variety of training solutions to choose from. Ultimately, you’ll have to balance your decision against your budget and your time availability.

Will this be easy to refresh and/or customize?

This is a big one, especially for organizations looking to build an adaptive program (referred to as a “Tier 4” program in the NIST Cybersecurity Framework). You’ll want to assess whether the training will be easy to refresh as new risks come to light. Will it be easy to customize, or are you locked in to what you bought with no ability to easily swap topics or modify content to fit your organization?

Will training be required?

If you require training, you’re likely to get a 100% participation rate. If you’re not going to require training, you’ll have to ask yourself, “How do you make sure that people take it, or are interested in it?” Again, you’ll want to look for a solution that is easily customizable and is designed to engage the end user.

Is it trackable?

If you are in an audited environment, or if measurement is something that is important to you, you probably want to opt for a training solution that is both trackable and measurable. This may mean going with a computer-based training solution, as they are the easiest to track and measure. Thankfully, there are lots of options out there, including many cloud-based solutions that provide an easy way to deliver and track your training.

Do I believe this will change behavior?

This is really the heart of it, right? When evaluating training solutions, ask yourself, “Is this going to work? Does it bring about behavior change?” Let this be your mantra, and consider what it takes to get people to really engage with content and to commit to what they’ve learned. Is this training directly relevant to the work people perform? If yes, does it provide opportunities within the training itself for people to practice the kinds of behaviors that you want to target? The answer should be “yes” to both questions.

4 REINFORCE

As you’ve probably noticed, we’re big believers in training. However, we’re also big believers that training alone is not enough to create new habits. A habit is something you practice, and it must be constantly reinforced. Security-aware behaviors must be fostered the very same way. Otherwise it’s too easy for a staff member to attend training once, only to never use (or think about) that information again.

Creating a reinforcement program around your security awareness training increases the effectiveness of that training, which helps you to not only see a bigger impact but also furthers staff engagement. When building a reinforcement program, below are some factors to consider:

COST. You don’t have to spend a lot of money to create, or even to source, really great security reinforcement material. You can start by downloading some free posters or free worksheets available online from different government websites. You can even find free security reinforcement materials from your friends at MediaPro. It’s not important that you spend a lot of money on these items; what is important is that you make security reinforcement part of your awareness program, and keep the training content accessible and relevant to your organization’s everyday experience.

CULTURAL FIT. When deciding on which reinforcement materials are right for you, consider how well these materials will fit into your culture and your business. For example, humor is proven to be a great way to help people retain information. However, humor is also tricky. Anyone who has ever tried to build “funny” approaches to security awareness (or anything else, for that matter) knows that while you may get some chuckles, you’re also likely to get some eye rolls—or worse yet, someone who is offended by the material. The trick is to know your company culture, and what’s going to work for you and grab your staff’s attention.

LOGISTICS. Something else to consider is the logistics and hidden costs of creating and delivering reinforcement materials. Sure, creating 5,000 fortune cookies with security awareness messages inside sounds like a great idea until you have to ship those cookies to 40 locations spread across a 5-state region. It would have been cheaper to hire a chef to cater your training! We’re not saying don’t be creative, but run the numbers first. Also, remember that creative online content works just as well. There’s no need to break the bank.

WE HOPE IT GOES WITHOUT SAYING, BUT LET’S SAY IT ANYWAY: the four components of Analysis, Planning, Training, and Reinforcement should work together in a continuous feedback loop. These elements are not meant to stand alone or proceed in a linear fashion. Rather, in a truly adaptive program, you would gather the data from all of the above activities and use it to refresh your annual training and reinforcement materials.

Creating Your Security Awareness Program

Okay. You’re ready to go. You’ve been versed on the steps and the elements necessary to put together an integrated security awareness program—all that’s left to do is build the program.

GULP! Don’t worry, we wouldn’t send you out there without a plan. Following the plan laid out below (though not necessarily in the order it is laid out) will help your organization aspire to Tier 4, NIST’s highest possible risk tolerance level. While this isn’t a requirement, it is something we believe businesses should aspire to. Aiming higher will put you in a better position to comply with future cybersecurity and privacy regulations, and can only serve you well down the road.

With that said, here’s how to pull it all together into an adaptive program.

1 Survey employees to assess their existing knowledge.

A great way to launch your security awareness program is with a knowledge assessment that helps you understand exactly what your employees know—and what they don’t. This baseline assessment can help you build a plan, but if you use follow-up assessments months later, you can also get a great measure of whether you are improving over time. It’s a sure way to demonstrate the ROI on your awareness investment.

2 Plan your overall effort with an eye to suspected risks.

With your assessment in hand, and your own knowledge of the risks facing your organization, you’re ready to create an adaptive program plan. You need to know where you’re going and what your objectives are, but you also need to be open to the idea that things will come up. Maybe you have five key risks you want to tackle so you plot them out over the year… but then something comes up and changes that plan. That’s okay. Leave gaps in your plan for surprises you’re sure to discover along the way.

3 Announce the overall awareness program to all employees.

Announcing your program will help to get internal buy-in, thereby increasing the number of employees who participate in your surveys and who are open to the training. This will help employees to not only understand what you’re doing, but why you’re doing it, why it’s important, and how it relates to their everyday job functions. And announcements always work better when they’re delivered by people with real credibility, like CISOs or CEOs.

4 Phish your employees and provide minimal correction.

Again, it’s all about collecting the data you need to create and implement your plan. By running a simulated phishing attack you’ll be able to identify where your team is weak and how you can help them improve their phishing prevention skills.

5 Train all employees.

Whether it’s training you’ve built from scratch or training you’ve purchased, find the program you believe best meets your needs and deploy it to your staff.

6 Reinforce the top risks identified in your initial survey.

Strengthen your training by reinforcing the messages related to the highest risks. Reinforce with materials like animation videos, posters, tent cards, games, and other material designed to gain attention and convert training to memory.

7 Survey and phish again at appropriate intervals.

Run a follow-up simulation of social engineering and phishing attacks to see how many employees take the bait, and see whether the “bites” have decreased (showing a positive sign), if they remain the same or… worse.

8 Analyze and adapt.

With your security awareness program live and running, you can analyze its success by measuring training completions, survey results, and phishing scores. You may need to target frequent phishing victims with more in-depth phishing training, begin using role-based training in areas that show functional deficiencies, or use personal follow-up messages to reinforce pressure points.
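As an added example (not MediaPro’s code, and not part of the NIST Framework), the Python below scores a baseline and a follow-up simulated-phishing campaign against the matrix target of reducing phishing response rates by 50%, and lists the repeat clickers that step 8 says should get more in-depth training. The records, their field layout, the target table and the two-click threshold are constructed assumptions for illustration.

```python
"""Score simulated-phishing campaigns against Risk and Intervention matrix targets.
Added example, not MediaPro's or NIST's code. All records are constructed sample
data; field layout, target table and frequent-victim threshold are assumptions."""
from collections import defaultdict

# Constructed results: (campaign, employee, clicked the simulated link, reported it).
PHISH_RESULTS = [
    ("baseline", "alice", True, False),
    ("baseline", "bob", True, False),
    ("baseline", "carol", False, True),
    ("baseline", "dave", True, False),
    ("baseline", "erin", False, False),
    ("followup", "alice", True, False),
    ("followup", "bob", False, True),
    ("followup", "carol", False, True),
    ("followup", "dave", False, True),
    ("followup", "erin", False, False),
]

# Percent reductions that the matrix rows on the page set as "Result" targets.
TARGETS = {"phishing_response": 50.0, "policy_violations": 50.0, "misclassification": 40.0}


def campaign_rates(results, campaign):
    """Click rate and report rate, as percent of recipients, for one campaign."""
    rows = [r for r in results if r[0] == campaign]
    if not rows:
        raise ValueError(f"no records for campaign {campaign!r}")
    clicked = sum(1 for r in rows if r[2])
    reported = sum(1 for r in rows if r[3])
    return {"click_rate": 100.0 * clicked / len(rows),
            "report_rate": 100.0 * reported / len(rows)}


def percent_reduction(baseline, followup):
    """Relative drop from baseline to follow-up; a zero baseline has nothing to reduce."""
    if baseline == 0:
        return 0.0
    return 100.0 * (baseline - followup) / baseline


def target_met(metric, baseline, followup, targets=TARGETS):
    """True when the observed reduction reaches the matrix target for `metric`."""
    return percent_reduction(baseline, followup) >= targets[metric]


def frequent_victims(results, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns: the candidates
    for the more in-depth, role-based follow-up training the page recommends."""
    clicks = defaultdict(int)
    for _campaign, employee, clicked, _reported in results:
        if clicked:
            clicks[employee] += 1
    return sorted(e for e, n in clicks.items() if n >= min_clicks)


def phishing_summary(results, baseline="baseline", followup="followup"):
    """Compare two campaigns and decide whether the phishing-response target was met."""
    base = campaign_rates(results, baseline)
    post = campaign_rates(results, followup)
    reduction = percent_reduction(base["click_rate"], post["click_rate"])
    return {
        "baseline_click_rate": base["click_rate"],
        "followup_click_rate": post["click_rate"],
        "click_reduction": reduction,
        "target_met": reduction >= TARGETS["phishing_response"],
        "report_rate_change": post["report_rate"] - base["report_rate"],
        "retrain": frequent_victims(results),
    }


if __name__ == "__main__":
    for key, value in phishing_summary(PHISH_RESULTS).items():
        print(f"{key}: {value}")
```

The same `target_met` check applies to the other matrix rows (policy violations, misclassification) once those counts are collected from the survey or incident data.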

Get Started!

Let’s recap.

We know that the number of breaches affecting businesses every year continues to skyrocket.

We know that the costs associated with those breaches also continue to rise year-over-year.

We know that implementing an adaptive security awareness program, one which aligns with NIST’s Cybersecurity Framework, decreases the likelihood that you’ll be breached, and the costs you’ll face should it happen.

The only question today is, will you adopt the Adaptive Awareness Framework now, putting your company at the highest risk tolerance immediately, or will you wait until you suffer a breach?

If you’d like to discuss how MediaPro’s Adaptive Awareness Framework can put your business ahead of the curve, WE’D LOVE TO SPEAK WITH YOU.

Sources

2015 Data Breach Investigation Report (Verizon)

Verizon Data Breach Investigation Report: What You NEED To Know (MediaPro)

Cost of Data Breaches Rising Globally, Says ‘2015 Cost of a Data Breach Study: Global Analysis’ (Security Intelligence)

2015 Global State of Information Security Study (pwc)

Framework for Improving Critical Infrastructure Cybersecurity (National Institute of Standards and Technology)

2015 Attendee Survey (Black Hat)

The Critical Security Controls for Effective Cyber Defense (SANS Institute)

US Cybercrime: Rising Risks, Reduced Readiness (pwc)

Framework for Improving Critical Infrastructure Cybersecurity (National Institute of Standards and Technology)