The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014
AGENDA FOR THIS SESSION Why technical defenses are not enough Formal policy vs. training and awareness What does an effective security awareness program look like?
LESSONS FROM DATA BREACHES Epsilon – spear phishing attack AOL – not understanding data classification Google, Yahoo and 18 others: users needed to update browsers Gawker Media –used weak passwords for multiple applications Target – began with phishing attack on 3 rd party
FORMAL POLICY Provides management guidance and intention Protects company liability Must be “translated” into key concepts and messages Requires partnership with Human Resources
What does an effective security awareness program look like?
KNOW YOUR AUDIENCE Language Work environment Types of computing devices Job roles
KEEP IT SIMPLE
REPEAT…REPEAT…REPEAT Screensavers Newsletters Posters Online training Webinars
EXPLAIN WHY
MAKE IT FUN!
ASK FOR FEEDBACK
TRACK AND MEASURE
RECOGNITION AND REWARDS
AWARENESS TOPICS How to spot Key logging devices Is Spam Harmful? Watering hole attacks Storing paper records Visitors who may be imposters Are cookies bad for you? All about malware
MORE AWARENESS TOPICS Create and remember strong passwords Get Going with Mobile Security What is a mobile botnet? Found any free USB drives? What did you capture on camera? Erase those whiteboards! We love to share chain letters
AND MORE AWARENESS TOPICS Dialing for Dollars: Phone Scams Cell phone ringtone scams Dangers of Counterfeit Software Wi-Fi Security Tips at Home Etiquette for Your Career Has your Facebook account been hacked?
STANDARDS NIST Special Publication “Building an Information Technology Security Awareness and Training Program” ISO 27002:2013 Section Deliver Information Security Awareness Programs Australian Government: Protective Security Governance Guidelines – Security Awareness Training
COST OF SECURITY AWARENESS Budgetary Planning: $5 - $10 per person per year Online courses Posters, Screen savers Newsletters Pens, Buttons, Etc.
WRAP UP AND QUESTIONS Is an annual awareness session adequate? Are acknowledgments of policy enough? Are there better ways to audit that will help to drive improvement?