How to Cut Phishing Exposure by 85% - TechBytes Thursday, October 22 - Superior Support ...
Thank you for joining us today! Experiencing technical issues?
• Try to RECONNECT;
• Refresh or restart your browser; or
• Chat the admin group if possible.

Thank you for joining us today! Chat with us! Submit questions and comments in the lower right of your view.
SSR: a trusted technology partner
• EST 1996
• 50+ SSR team in Brookfield
• 24/7 support for your team
• 200 active clients
• 20+ SSR team in Chennai, India
• x2 SOC-1 certified data centers
Security is everyone’s responsibility
• COVID-19 forced and financed digital transformation – remote work, ecommerce, automation, and data
• Crisis will always be exploited
• Infrastructure (e.g., antivirus and firewalls) is not enough

“In the six months from January to June, OverWatch observed more hands-on-keyboard intrusions than were seen throughout all of 2019,” says CrowdStrike in their 2020 Threat Hunting Report.
Joanna Huisman, KnowBe4 SVP Strategic Insights & Research
• 20 years of experience in strategic, internal and customer-facing engagements
• Financial services/tech industries
• Previously senior research director at Gartner in the areas of security awareness, education, behavior management, culture, crisis communications, security and risk program management
About KnowBe4
• Founded in 2010, the world’s most popular integrated new-school Security Awareness Training and Simulated Phishing platform, with over 35,000 customers worldwide
• Recognized as a Leader in the Gartner Magic Quadrant for Computer-Based Training (CBT), with the highest and furthest overall position for ability to execute and completeness of vision, and in the Forrester Wave
• Our mission is to train your employees to make smarter security decisions so you can create a human firewall as an effective last line of defense when all security software fails… which it will!
Agenda
1. The Threat Landscape
2. Phishing benchmark data by industry
3. Your Security Culture & “Human Firewall”
If you discovered burglaries were occurring in your neighborhood, what would you do to protect your home?
If you discovered cybercriminals were stealing data from other organizations, what would you do to protect your organization?
The Threat Landscape is All of Us All the Time Everywhere In All Contexts of Life
Cybercriminals rely on phishing because it works…
• 91% of cyber espionage begins with phishing (Source: Trend Micro)
• 95% of all security incidents involve human error (Source: Security Intelligence)
People influence security far more than any technology or policy. Security leaders must invest in tools that increase security awareness and influence behavior to support critical security business objectives through computer-based training.
Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words … the problem with awareness is that "awareness" does not automatically result in secure behavior.
If you are not preparing for an attack… you are heading down a very ugly road, fast.
Social Engineering
What techniques do hackers use most of the time? According to our research, around 90% of the emails that are reported to us use social engineering schemes that have been around for many years, such as bogus online account “verifications” or “updates”.

What are the bad guys up to this year? Most interesting phishing techniques:
• Coronavirus-related attacks – up by 6,000%!
• Google Calendar invites
• Fake attachments
• Fake “Trusted Sender” email headers
• Online file sharing services… Microsoft Sway, Dropbox
Most Interesting Phishing Techniques: Coronavirus-Related Attacks
• Attacks related to COVID-19 have been increasing exponentially
• Sophistication has increased
• Target-rich environment
• If you put a pause on training and phishing your users, rethink that ASAP!
Copyright KnowBe4 2020

Phish Better Than the Bad Guys. Phishing templates to use to get ahead of Coronavirus-related attacks:
• Zoom, GoToMeeting, and other meeting invites… “Your meeting attendees are waiting!”
• Instacart and other grocery delivery
• Teladoc and telemedicine
• Document sharing and digital signatures… AdobeSign
• Shipping notices… Amazon, FedEx, UPS
Agenda
1. The phishing problem
2. Phishing benchmark data by industry
3. Your Security Culture & “Human Firewall”
A security culture lives and breathes within every organization. The question is how strong, intentional and sustainable your security culture is, and what you need to do about it.

Know Your Place and Scope of Influence! Culture is led from the very top of the organization; it doesn't originate from you or your group.
Defining “Culture”

Organizational culture is not the sum of roles, processes and measurements; it is the sum of subconscious human behaviors that people repeat based on prior successes and collectively held beliefs.

Similarly: security culture is not (just) related to "awareness" and "training"; it is the sum of subconscious human behaviors that people repeat based on prior experiences and collectively held beliefs.

Culture is:
• Shared
• Learned
• Adaptive
• Integrative
• Prescriptive: rules, patterns, assumptions, beliefs
We need to condition people to have the right reflexive behaviors.

“Everybody has a plan until they get punched in the mouth.” - Mike Tyson

"People were asking me (before a fight), 'What's going to happen?'" Tyson said. "They were talking about his style. 'He's going to give you a lot of lateral movement. He's going to move, he's going to dance. He's going to do this, do that.' I said, 'Everybody has a plan until they get hit. Then, like a rat, they stop in fear and freeze.'"
http://articles.sun-sentinel.com/2012-11-09/sports/sfl-mike-tyson-explains-one-of-his-most-famous-quotes-20121109_1_mike-tyson-undisputed-truth-famous-quotes

There are Three Realities of Security Awareness:
• What your employees do is way more important than what they know.
• Just because I’m aware doesn’t mean that I care.
• If you try to work against human nature, you will fail.
Driving Security Awareness – Comprehensive and Continuous
• Baseline Testing: We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.
• Train Your Users: On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises; educate with ongoing security hints and tips emails.
• Phish Your Users: Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
• See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

What you can do now… educate the right way! Increase the frequency of how often you train your employees, while you decrease the time they spend in training. Go from this… to this.

What you can do now… condition. Use immersive simulated attack scenarios (phishing) to help condition employee response. Go from this… to this.

Five Practical Ways to Grow Security Culture
• Include Everyone: It’s crucial for everyone from the front desk to the boardroom
• Make security relatable & accessible: Ditch the jargon, make it easily understood
• Rewards & Encourage Security Culture: Build a healthy culture with examples of ideal behavior
• Embrace Shadow IT: “If you work against human nature, you will fail” – accept and work with the Shadow IT
• Offer continuous security awareness & training: Security Awareness & Training should be monthly – it’s not all CBTs
What’s next?
• Increasing Frequency
• Assess & Educate
• Define Behavioral Objectives
• Phishing, Vishing, patching
• Measuring Effectively
• Employee Responsibilities
• Organization Phish Prone %
• Motivate Employees
• Carrot – Everyone loves swag!
• Make it everyday - meetings
Motivation is a fundamental driver of employee behavior that ensures an organization’s security. Security and risk management leaders can use positive and negative motivation — rewards and consequences — to urge staff to complete training and adhere to policies.
How to Do It. Rewards and consequences need to be balanced. Bad behavior cannot become normalized; there needs to be an appropriate amount of consequences to drive behavior.

Rewards for good behavior include:
✓ Certificates
✓ Recognition or praise in front of peers
✓ Distinguished or classified as security master
✓ Awards: increments of time off, points in company store to buy things, gift cards, etc.

Consequences include:
✓ Eliminate entry to entertainment or social sites
✓ Scale back access to systems
✓ Mark on performance reviews
✓ Possible termination based on the risk associated with their role
Securing investment dollars from executives for a security awareness program depends on persuasive communication and negotiation skills. Package your approach to ensure executive understanding and support.

[Chart: Level of Concern with Executive Issues – IT vs. Execs]
So what do you do?
• Express security requirements to non-IT executives in the context of "what's in it for me" scenarios that illustrate how security appropriations and resources can support specific business objectives.
• Make clear connections between security requirements and business objectives when discussing security awareness programming with executives and stakeholders, by aiming to shape your program as a cornerstone of any effort intended to achieve business objectives.
• Utilize measurable data to present security as management of risks, rather than as confrontation of threats, by identifying the most appropriate metrics to contextualize and punctuate the need for a security awareness program.

Final Thoughts
• Humans are the de-facto top choice for cybercriminals seeking to gain access into an organization.
• Security Awareness and frequent simulated social engineering testing is a proven method to dramatically slash your organization’s phish prone percentage.
• Effectively managing this problem requires ongoing due diligence, but it can be done and it isn’t difficult. We’re here to help.
Thank You
Questions and Conversation

Rob Neijenhuis, SSR Systems Engineer - Cybersecurity, 262-901-1879, rneijenhuis@SSRTotalIT.com
Joanna Huisman, SVP Strategic Insights & Research, KnowBe4, joannah@knowbe4.com

Register for upcoming events and find more resources at: SSRTotalIT.com/news