Cyber Security 101: Training, awareness, strategies for small to medium sized business
Download as PPTX, PDF•20 likes•23,843 views
The document discusses the critical need for computer security training, highlighting that a significant majority of U.S. adults have not received such training, which leads to numerous security vulnerabilities. It outlines the steps for improving security awareness, including assessing risks and educating employees, emphasizing that a well-informed workforce can reduce the impact of cyber threats. The document underscores that effective security policies and continuous training are necessary for organizations to protect sensitive information and maintain compliance with industry regulations.
Cyber Security 101: Training, awareness, strategies for small to medium sized business
- 1. Security 101 Training, awareness, and strategies Stephen Cobb, CISSP Senior Security Researcher ESET NA
- 2. The SMB Sweet Spot for the cyber-criminally inclined Enterprises SMB “Sweet Spot” Consumers Assets worth looting Level of protection
- 3. The challenge • Organizations of every type rely on computers to handle information • Everyone today is a computer user • Most have no security training • Lack of security training leads to problems
- 4. How big is the challenge We asked U.S. consumers if they had ever received any computer security training No: 68% Yes: 32% *Savitz Research for ESET, 2012
- 5. 68% is sadly consistent We asked working adults in the U.S. if they had ever received any computer security training No: 68% Yes: 32% *Harris poll for ESET, 2012
- 6. 73% is even worse We asked adults in U.S. who use social media if they had ever received online safety training No: 73% Yes: 27% *Harris poll for ESET, 2012
- 7. Security training is not yet part of our society* • This has serious implications for your business • 93% of American adults say they’ve had no computer security training in the last 12 months • How many of them work for you, or for your clients, suppliers, etc? *Savitz Research for ESET, 2012
- 8. Some problems that lack of security training can cause • Unauthorized access to information • Loss of access to information • Loss of information • Corruption of information • Theft of information
- 9. The implications are non-trivial • Loss of revenue • Loss of business • Fines, lawsuits, headlines • Unbudgeted expenses – Breach costs currently estimated at around $190 per record exposed* – 5,263 records = $1 million hit *Ponemon Institute
- 10. Trojan terminates escrow firm • $1.1 million wired to China and could not be retrieved • Firm was closed by state law, now in receivership, 9 people out of a job • So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?
- 11. A well-trained workforce • Knows not to click on suspicious links in email or social media • Knows to report strange activity (e.g. the two-factor authentication not working) • Knows to scan all incoming files for malware – Email, USB drives
- 12. Does training make a difference? • Yes • A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education* *A bunch of different studies in recent years
- 13. Security training or awareness • What’s the difference? • Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely • Awareness makes sure all people at all levels know what to look out for
- 14. Not that kind of actor… Do your employees know what motivates bad actors? IMPACTADVANTAGEMONEY CREDENTIALS
- 15. Do you know how the bad guys operate?
- 16. Taken to exploit site Malware server Popular Attack Technique !?**! User clicks a link Gets infected/owned Command & Control
- 19. • RAT has full access to victim PC • And its network connections • Search and exfiltrate files • Access to webcam and audio • Scrape passwords • Execute system functions • Chat with victim
- 24. So how do we move forward?
- 25. The road map: A B C D E F • Assess your assets, risks, resources • Build your policy • Choose your controls • Deploy controls • Educate employees, execs, vendors • Further assess, audit, test A B C D E F F E D C B A Technology
- 26. Assess assets, risks, resources • Assets: digital, physical – If you don’t know what you’ve got you can’t protect it! • Risks – Who or what is the threat? • Resources – In house, hired, partners, vendors, trade groups, associations
- 27. Build your policy • Security begins with policy • Policy begins with C-level buy-in • High-level commitment to protecting the privacy and security of data • Then a set of policies that spell out the protective measures, the controls that will be used
- 28. Choose controls to enforce policies • For example: – Policy: Only authorized employees can access sensitive data – Controls: • Require identification and authentication of all employees via unique user name and password • Limit access through application(s) by requiring authentication • Log all access
- 29. Deploy controls, ensure they work • Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam) • Test control – Does it work technically? – Does it “work” with your work? – Can employees work it?
- 30. Educate everyone • Everyone needs to know – What the security policies are – How to comply with them through proper use of controls • Pay attention to any information- sharing relationships – Vendors, partners, even clients • Clearly state consequences of failure to comply
- 31. Who gets trained? • Everyone, but not in the same way, break it down: – All-hands training – IT staff training – Security staff training
- 32. How to deliver training • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
- 33. Incentives? • Yes! • To launch programs, push agendas • Prizes do work • But also make security part of every job description and evaluation
- 34. Use your internal organs • Of communication! • Newsletter • Intranet • Bulletin board • Meetings • Company-wide email
- 35. How to do awareness • Make it fun • Make it relevant • Leverage the news • Bear in mind that everyone benefits from greater awareness, at work and at home
- 36. Resources to tap • Industry associations • FS-ISAC, NH-ISAC, others • CompTIA, SBA, BBB • ISSA, ISACA, SANS, (ISC)2 • Local colleges and universities • Securing Our eCity
- 37. Need more motivation? • Security training is the law – HIPAA – Red Flag Identity Theft Prevention – Gramm-Leach-Bliley, Sarbanes-Oxley – FISMA • Or required by industry – PCI Data Security Standard
- 38. Or just plain required • To get that big juicy contract • Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
- 39. Further assess, audit, test… • This is a process, not a project • Lay out a plan to assess security on a periodic basis • Stay up-to-date on emerging threats • Stay vigilant around change such as arrivals, departures, functionality A B C D E F F E D C B A
- 40. Backup and archive Firewall and scan: Incoming traffic emails files devices media Encrypt Monitor Filter and monitor outbound Authenticate users The Technology Slide
- 41. Thank you! • [email protected] • WeLiveSecurity.com • www.eset.com • More info in the lobby