How to Cut Phishing Exposure by 85% - TechBytes Thursday, October 22 - Superior Support ...

TechBytes
Thursday, October 22

How to Cut Phishing Exposure by 85%
Thank you for joining us today!

Press play!

Experiencing Technical Issues?
• Try to RECONNECT;
• Refresh or restart your browser; or
• Chat the admin group if possible

Chat with us!
Submit questions and comments in the lower right of your view.

Participate!
Answer the polling question
SSR: a trusted technology partner

• EST 1996
• 200 active clients
• 2x SOC-1 certified data centers
• 50+ SSR team in Brookfield
• 20+ SSR team in Chennai, India
• 24/7 support for your team
Security is everyone’s responsibility

• COVID-19 forced and financed digital transformation – remote work, ecommerce, automation, and data
• Crisis will always be exploited
• Infrastructure (e.g., antivirus and firewalls) is not enough

“In the six months from January to June, OverWatch observed more hands-on-keyboard intrusions than were seen throughout all of 2019,” says CrowdStrike in their 2020 Threat Hunting Report
Joanna Huisman
KnowBe4
SVP Strategic Insights & Research

• 20 years of experience in strategic, internal and customer-facing engagements
• Financial services/tech industries
• Previously senior research director at Gartner in the areas of security awareness, education, behavior management, culture, crisis communications, security and risk program management
Security is Everyone’s Business

Joanna Huisman
SVP – Strategic Insights & Research
KnowBe4, Inc.
Image Credit: Universal Studios, 2019
Joanna Huisman, SVP – Strategic Insights & Research

About KnowBe4

• Founded in 2010, the world’s most popular integrated new-school Security Awareness Training and Simulated Phishing platform, over 35,000 customers worldwide

• Recognized as a Leader in the Gartner Magic Quadrant for Computer-Based Training (CBT) with the highest and furthest overall position for ability to execute and completeness of vision, and in the Forrester Wave.

• Our mission is to train your employees to make smarter security decisions so you can create a human firewall as an effective last line of defense when all security software fails… Which it will!
Agenda
1. The Threat Landscape
2. Phishing benchmark data by industry
3. Your Security Culture & “Human Firewall”
If you discovered burglaries were occurring in your neighborhood, what would you do to protect your home?

If you discovered cybercriminals were stealing data from other organizations, what would you do to protect your organization?

The Threat Landscape is

All of Us
All the Time
Everywhere
In All Contexts of Life
Cybercriminals rely on phishing because it works…

91% of cyber espionage begins with phishing
Source: Trend Micro

95% of all security incidents involve human error
Source: Security Intelligence
People influence security far more than any technology or policy. Security leaders must invest in tools that increase security awareness and influence behavior to support critical security business objectives through computer-based training.

Traditional awareness efforts are based on the belief (or hope) that information leads to action.

In other words … the problem with awareness is that "awareness" does not automatically result in secure behavior.

If You Are Not Preparing For an Attack…
You Are Heading Down A Very Ugly Road, Fast
Social Engineering
What techniques do hackers use most of the time?
According to our research, around 90% of the emails that are reported to us use social engineering schemes that have been around for many years.

Bogus online account “verifications” or “updates”
Most Interesting Phishing Techniques
What are the bad guys up to this year?

• Coronavirus-related attacks – up by 6,000%!
• Google Calendar invites
• Fake attachments
• Fake “Trusted Sender” email headers
• Online file sharing services…Microsoft Sway, Dropbox
Most Interesting Phishing Techniques: Coronavirus-Related Attacks

• Attacks related to COVID-19 have been increasing exponentially
• Sophistication has increased
• Target-rich environment
• If you put a pause on training and phishing your users, rethink that ASAP!

Copyright KnowBe4 2020
Phish Better Than the Bad Guys
Phishing templates to use to get ahead of Coronavirus-related attacks:

• Zoom, GoToMeeting, and other meeting invites…“Your meeting attendees are waiting!”
• Instacart and other grocery delivery
• Teladoc and telemedicine
• Document sharing and digital signatures…AdobeSign
• Shipping notices…Amazon, FedEx, UPS
A security culture lives and breathes within every organization.

The question is how strong, intentional and sustainable is your security culture. And what do you need to do about it?
Know Your Place and Scope of Influence!

Culture is led from the very top of the organization; it doesn't originate from you or your group.
Defining “Culture”

Organizational culture is not the sum of roles, processes and measurements; it is the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs.

Similarly: Security culture is not (just) related to "awareness" and "training"; it is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.
Culture is:
• Shared
• Learned
• Adaptive
• Integrative
• Prescriptive:
   • Rules
   • Patterns
   • Assumptions
   • Beliefs
We need to condition people to have the right reflexive behaviors

“Everybody has a plan until they get punched in the mouth.” - Mike Tyson

"People were asking me (before a fight), 'What's going to happen?'" Tyson said. "They were talking about his style. 'He's going to give you a lot of lateral movement. He's going to move, he's going to dance. He's going to do this, do that.' I said, 'Everybody has a plan until they get hit. Then, like a rat, they stop in fear and freeze.'"
http://articles.sun-sentinel.com/2012-11-09/sports/sfl-mike-tyson-explains-one-of-his-most-famous-quotes-20121109_1_mike-tyson-undisputed-truth-famous-quotes
There are Three Realities of Security Awareness

• Just because I’m aware doesn’t mean that I care.
• If you try to work against human nature, you will fail.
• What your employees do is way more important than what they know.
Driving Security Awareness – Comprehensive and Continuous

Baseline Testing
We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.

Train Your Users
On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises, plus ongoing security hints-and-tips emails to educate your users.

Phish Your Users
Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.

See the Results
Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!
What you can do now… educate the right way!
Increase the frequency in how often you train your employees, while you decrease the time they spend in training.

Go from this… to this.

What you can do now… Condition
Use immersive simulated attack scenarios (phishing) to help condition employee response

Go from this… to this.
Five Practical Ways to Grow Security Culture

• It’s crucial for everyone from the front desk to the boardroom
• Ditch the jargon, make it easily understood
• Security Awareness & Training should be monthly – it’s not all CBTs
• “If you work against human nature, you will fail” – accept and work with the Shadow IT
• Build a healthy culture with examples of ideal behavior

(Diagram: Security Culture – Include Everyone; Make security relatable & accessible; Offer continuous security awareness & training; Embrace Shadow IT; Rewards & Encourage)
What’s next?
  • Increasing Frequency
     • Assess & Educate
  • Define Behavioral Objectives
     • Phishing, Vishing, patching
  • Measuring Effectively
     • Employee Responsibilities
     • Organization Phish Prone %
  • Motivate Employees
     • Carrot – Everyone loves swag!
  • Make it every day – meetings
Motivation is a fundamental driver of employee behavior that ensures an organization’s security.

Security and risk management leaders can use positive and negative motivation — rewards and consequences — to urge staff to complete training and adhere to policies.
How to Do It
Rewards and consequences need to be balanced. Bad behavior cannot become normalized; there needs to be an appropriate amount of consequences to drive behavior.

Rewards for good behavior include:
✓ Certificates
✓ Recognition or praise in front of peers
✓ Distinguished or classified as security master
✓ Awards: increments of time off, points in company store to buy things, gift cards, etc.

Consequences include:
✓ Eliminate entry to entertainment or social sites
✓ Scale back access to systems
✓ Mark on performance reviews
✓ Possible termination based on the risk associated with their role
Securing investment dollars from executives for a security awareness program depends on persuasive communication and negotiation skills.

Package your approach to ensure executive understanding and support.
(Chart: Level of Concern with Executive Issues – IT vs. Execs)
So what do you do?

• Express security requirements to non-IT executives in the context of "what's in it for me" scenarios that illustrate how security appropriations and resources can support specific business objectives.

• Make clear connections between security requirements and business objectives when discussing security awareness programming with executives and stakeholders by aiming to shape your program as a cornerstone of any effort intended to achieve business objectives.

• Utilize measurable data to present security as management of risks, rather than as confrontation of threats, by identifying the most appropriate metrics to contextualize and punctuate the need for a security awareness program.
Final Thoughts

• Humans are the de-facto top choice for cybercriminals seeking to gain access into an organization.
• Security Awareness and frequent simulated social engineering testing is a proven method to dramatically slash your organization’s phish prone percentage.
• Effectively managing this problem requires ongoing due diligence, but it can be done and it isn’t difficult. We’re here to help.
Thank You

Questions and Conversation

Rob Neijenhuis
SSR Systems Engineer - Cybersecurity
262-901-1879
rneijenhuis@SSRTotalIT.com

Joanna Huisman
SVP Strategic Insights & Research
KnowBe4
joannah@knowbe4.com

Register for upcoming events and find more resources at: SSRTotalIT.com/news