The Most Critical Risk Control: Human Behavior
Atlanta ISACA Chapter Meeting
June 20, 2014
Lynn Goodendorf, Director, Information Security

AGENDA FOR THIS SESSION
• Why technical defenses are not enough
• Formal policy vs. training and awareness
• What does an effective security awareness program look like?
LESSONS FROM DATA BREACHES
• Epsilon – spear phishing attack
• AOL – not understanding data classification
• Google, Yahoo and 18 others – users needed to update their browsers
• Gawker Media – used weak passwords for multiple applications
• Target – began with a phishing attack on a third party
FORMAL POLICY
• Provides management guidance and intention
• Protects the company against liability
• Must be “translated” into key concepts and messages
• Requires partnership with Human Resources
What does an effective security awareness program look like?
KNOW YOUR AUDIENCE
• Language
• Work environment
• Types of computing devices
• Job roles
REPEAT…REPEAT…REPEAT
• Screensavers
• Newsletters
• Posters
• Online training
• Webinars
AWARENESS TOPICS
• How to spot key-logging devices
• Is email spam harmful?
• Watering hole attacks
• Storing paper records
• Visitors who may be imposters
• Are cookies bad for you?
• All about malware
MORE AWARENESS TOPICS
• Create and remember strong passwords
• Get going with mobile security
• What is a mobile botnet?
• Found any free USB drives?
• What did you capture on camera?
• Erase those whiteboards!
• We love to share email chain letters
AND MORE AWARENESS TOPICS
• Dialing for Dollars: phone scams
• Cell phone ringtone scams
• Dangers of counterfeit software
• Wi-Fi security tips at home
• Email etiquette for your career
• Has your Facebook account been hacked?
STANDARDS
• NIST Special Publication 800-50, “Building an Information Technology Security Awareness and Training Program”
• ISO 27002:2013 Section 7.2.2, Deliver Information Security Awareness Programs
• Australian Government: Protective Security Governance Guidelines – Security Awareness Training
COST OF SECURITY AWARENESS
• Budgetary planning: $5 - $10 per person per year
• Online courses
• Posters, screen savers
• Newsletters
• Pens, buttons, etc.
WRAP UP AND QUESTIONS
• Is an annual awareness session adequate?
• Are acknowledgments of policy enough?
• Are there better ways to audit that will help to drive improvement?