The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.

AGENDA FOR THIS SESSION
- Why technical defenses are not enough
- Formal policy vs. training and awareness
- What does an effective security awareness program look like?

LESSONS FROM DATA BREACHES
- Epsilon: spear phishing attack
- AOL: not understanding data classification
- Google, Yahoo and 18 others: users needed to update their browsers
- Gawker Media: weak passwords reused across multiple applications
- Target: began with a phishing attack on a 3rd party

FORMAL POLICY
- Provides management guidance and intention
- Protects the company against liability
- Must be "translated" into key concepts and messages
- Requires partnership with Human Resources

What does an effective security awareness program look like?

KNOW YOUR AUDIENCE
- Language
- Work environment
- Types of computing devices
- Job roles

KEEP IT SIMPLE

REPEAT...REPEAT...REPEAT
- Screensavers
- Newsletters
- Posters
- Online training
- Webinars

EXPLAIN WHY

MAKE IT FUN!

ASK FOR FEEDBACK

TRACK AND MEASURE

RECOGNITION AND REWARDS

AWARENESS TOPICS
- How to spot key logging devices
- Is spam harmful?
- Watering hole attacks
- Storing paper records
- Visitors who may be impostors
- Are cookies bad for you?
- All about malware

MORE AWARENESS TOPICS
- Create and remember strong passwords
- Get going with mobile security
- What is a mobile botnet?
- Found any free USB drives?
- What did you capture on camera?
- Erase those whiteboards!
- We love to share chain letters

AND MORE AWARENESS TOPICS
- Dialing for dollars: phone scams
- Cell phone ringtone scams
- Dangers of counterfeit software
- Wi-Fi security tips at home
- Etiquette for your career
- Has your Facebook account been hacked?
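The "create and remember strong passwords" topic, and the Gawker lesson about one weak password serving many applications, both come down to two numbers an awareness audience rarely sees: how many equally likely choices an attacker must cover, and how many independent picks the user actually made. The following Python is an added example, not material from the talk or the speaker; it generates a passphrase from a deliberately tiny constructed word list using the secrets module, and works out how many words or characters are needed to reach a target strength. The 32-word list, the 80-bit target and the 94-symbol printable alphabet are assumptions for illustration. The caveat that matters for training: the entropy figures only hold when every pick is uniformly random; a user-chosen "Summer2014!" has far less entropy than its length suggests, which is why the advice is a generated passphrase, unique per site, stored in a password manager.

```python
import math
import secrets
import string

# Constructed 32-word list (exactly 5 bits per word) for illustration only.
# A real generator should draw from a large published list, e.g. a 7776-word
# diceware-style list, which gives about 12.9 bits per word.
WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "timber", "umpire", "violin", "walnut", "xenon",
    "yogurt", "zipper", "anchor", "bridge", "cactus", "donkey", "eagle", "falcon",
]

# 52 letters + 10 digits + 32 punctuation marks = 94 printable ASCII symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of a secret made of `picks` independent, uniform draws from `choices` options.

    Only valid for machine-generated secrets; a human-chosen password is not uniform.
    """
    return picks * math.log2(choices)


def picks_needed(choices: int, target_bits: float) -> int:
    """Smallest number of uniform draws from `choices` options that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def passphrase(n_words: int, wordlist=WORDS, sep: str = "-") -> str:
    """Join n_words words chosen with the CSPRNG-backed secrets module (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Character password of the given length from a uniform alphabet, also via secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(target_bits: float = 80.0) -> dict:
    """How much a user must remember, in words vs. characters, for the same strength.

    The toy list entry shows why word-list size matters: 32 words need 16 picks
    to reach what a 7776-word list reaches in 7.
    """
    return {
        "target_bits": target_bits,
        "diceware_words": picks_needed(7776, target_bits),
        "printable_chars": picks_needed(len(PRINTABLE), target_bits),
        "toy_list_words": picks_needed(len(WORDS), target_bits),
    }


if __name__ == "__main__":
    print("six toy-list words:", passphrase(6), f"({entropy_bits(len(WORDS), 6):.1f} bits)")
    print("thirteen printable chars:", random_password(13),
          f"({entropy_bits(len(PRINTABLE), 13):.1f} bits)")
    print("to reach 80 bits:", compare(80.0))
```

In a training deck the useful takeaway is the output of compare(): seven words from a real diceware list or thirteen random printable characters buy roughly the same strength, and most people can remember the seven words. The 7776-word figure is the size of the standard diceware-style lists; the function itself is generic, so swap in whatever list the organization standardizes on.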

STANDARDS
- NIST Special Publication "Building an Information Technology Security Awareness and Training Program"
- ISO 27002:2013, section "Deliver Information Security Awareness Programs"
- Australian Government: Protective Security Governance Guidelines – Security Awareness Training

COST OF SECURITY AWARENESS
Budgetary planning: $5 - $10 per person per year, covering:
- Online courses
- Posters, screen savers
- Newsletters
- Pens, buttons, etc.

WRAP UP AND QUESTIONS
- Is an annual awareness session adequate?
- Are acknowledgments of policy enough?
- Are there better ways to audit that will help to drive improvement?