1 / 19

The Most Critical Risk Control: Human Behavior

The Most Critical Risk Control: Human Behavior. Atlanta ISACA Chapter Meeting June 20, 2014. Lynn Goodendorf Director, Information Security. AGENDA FOR THIS SESSION. Why technical defenses are not enough Formal policy vs. training and awareness

astin
Download Presentation

The Most Critical Risk Control: Human Behavior

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Most Critical Risk Control: Human Behavior • Atlanta ISACA • Chapter Meeting • June 20, 2014 • Lynn Goodendorf • Director, Information Security

  2. AGENDA FOR THIS SESSION • Why technical defenses are not enough • Formal policy vs. training and awareness • What does an effective security awareness program look like?

  3. LESSONS FROM DATA BREACHES • Epsilon – spear phishing attack • AOL – not understanding data classification • Google, Yahoo and 18 others: users needed to update browsers • Gawker Media –used weak passwords for multiple applications • Target – began with phishing attack on 3rd party

  4. FORMAL POLICY • Provides management guidance and intention • Protects company liability • Must be “translated” into key concepts and messages • Requires partnership with Human Resources

  5. What does an effective security awareness program look like?

  6. KNOW YOUR AUDIENCE • Language • Work environment • Types of computing devices • Job roles

  7. KEEP IT SIMPLE

  8. REPEAT…REPEAT…REPEAT • Screensavers • Newsletters • Posters • Online training • Webinars

  9. EXPLAIN WHY

  10. MAKE IT FUN!

  11. ASK FOR FEEDBACK

  12. TRACK AND MEASURE

  13. RECOGNITION AND REWARDS

  14. AWARENESS TOPICS • How to spot Key logging devices • Is Email Spam Harmful? • Watering hole attacks • Storing paper records • Visitors who may be imposters • Are cookies bad for you? • All about malware

  15. MORE AWARENESS TOPICS • Create and remember strong passwords • Get Going with Mobile Security • What is a mobile botnet? • Found any free USB drives? • What did you capture on camera? • Erase those whiteboards! • We love to share email chain letters

  16. AND MORE AWARENESS TOPICS • Dialing for Dollars: Phone Scams • Cell phone ringtone scams • Dangers of Counterfeit Software • Wi-Fi Security Tips at Home • Email Etiquette for Your Career • Has your Facebook account been hacked?

  17. STANDARDS • NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program” • ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs • Australian Government: Protective Security Governance Guidelines – Security Awareness Training

  18. COST OF SECURITY AWARENESS • Budgetary Planning: $5 - $10 per person per year • Online courses • Posters, Screen savers • Newsletters • Pens, Buttons, Etc.

  19. WRAP UP AND QUESTIONS • Is an annual awareness session adequate? • Are acknowledgments of policy enough? • Are there better ways to audit that will help to drive improvement?

More Related