Post on 19-May-2020

Employee Security Awareness

Tuesday, April 9, 2019

Louis Stramaglio, IT Ops Supervisor

• What is the greatest vulnerability in your organization?

  o Electronic Security Perimeter

  o IT Network

  o OT Network

  o Permissions

  o Physical Security

2

Are You Vulnerable?

• Employees

• End users

• Clients

• Customers

• Contractors

3

YES!

Does your company have an Employee Security Awareness Program?

4

Question

• Understand and comply with company security policies and procedures

• Be appropriately trained in the rules of behavior for the systems and applications to which they have access

• Work with management to meet training needs

• Keep end users aware of actions they can take to better protect their company’s information

5

IT Security Program

1. Security Policies

  • Designed to protect the data

  • Business needs

  • Known risks

2. Define responsibilities

  • Who is responsible

  • Staff responsibilities

  • IT/Security responsibilities

3. Establish Processes

  • Monitor the program

  • Review results

  • IRP (Incident Response Plan)

6

Security Program Contents

Do you believe your current Employee Security Awareness Program has Management Buy-in?

7

Question

• Support

• Budget

• Reporting

• Feedback

8

Management Buy-in

• Not training

• Addresses concepts and behaviors

• Terminology

• Informational

9

What is Awareness?

10

Best Asset/Biggest Vulnerability

• Strategy and Plan

• Feedback from key groups

• Assess current materials

• Create a baseline

• Review current metrics

• Analysis of findings and recommendations

• Current trends

• Prioritize

• Schedule, but remain flexible

• Make it “So Number One”

11

Create the Awareness Plan

12

Ransomware

Awareness

13

We Are Done, Right?

14

We Are Done, Right?

Awareness

Training

• End users

• IT

• Executives

• Everyone

• Training everyone equally doesn’t always mean training everyone the same way.

Stay flexible

15

Who Needs Training?

• In-house

• LMS

• Outsource

16

Where Does Training Come From?

17

NOW We Are Done, Right?

Awareness

Training

Testing & Education

• Measure your success

• Report your success to management

• Remember, stay flexible

• Prioritize weak points, add new content

• Continue the cycle

18

Why Test Me?

1. Obtain Management buy-in

2. Create your awareness plan based on your IT Security Program

3. Generate a security baseline and prioritize

4. Train everyone

5. Test everyone

6. Stay flexible and prioritize

19

Participant Challenge

Contact: Lou Stramaglio, IT Ops Supervisor, lstramaglio@wecc.org

20
