IT Security Awareness - How to?

eGovernment Forum 2016. IT Security Awareness: How to … Narinrit Prem-apiwathanokul, independent cybersecurity expert and consultant; Secretary of the Thailand Information Security Association (TISA); member of the security sub-committee under the Electronic Transactions Commission.

Upload: narinrit-prem-apiwathanokul

Post on 22-Jan-2018

Category:

Technology


TRANSCRIPT

eGovernment Forum 2016

IT Security Awareness How to …

Narinrit Prem-apiwathanokul, independent cybersecurity expert and consultant

Secretary of the Thailand Information Security Association (TISA); member of the security sub-committee

under the Electronic Transactions Commission

6 Key Components of IT

(Diagram: Hardware, Software, Network, Peopleware, Data, Security)

Security is Foundation

(Diagram: Hardware, Software, Network, Peopleware and Data resting on Security)

Need Security in Every Pillar

(Diagram: Hardware, Software, Network, Peopleware and Data, each marked with an "S" for security)

People are the most important component and are always the “WEAKEST LINK”. Each pillar needs to consider security across its whole “LIFECYCLE”.

Most people are familiar with how to patch software. But how do you patch “PEOPLEWARE”?

awareness training ≠ awareness program

IT Security Day: good, but effective?

Conduct Security Awareness once a year

WHAT???

Compliance ≠ Effective

WHEN?

❖ Risk reduction

❖ Compliance

❖ Electronic Transaction Act

❖ ISO27001 or others

❖ Good governance

❖ Best practice

❖ ROSI (Return on Security Investment)

WHEN?

❖ Stakeholders

❖ Role & Responsibility

❖ Top management

❖ Direct, sponsor & monitor

❖ Leading by example

❖ Program owner/manager

❖ IT

❖ User

❖ Office

❖ Factory

❖ Goal - what does the organization expect to achieve?

❖ Measurement - what is the current situation? What kind of improvement is expected?

❖ Content - what needs to be communicated?

❖ Knowledge

❖ News

❖ Tip & Trick

❖ Policy

❖ Context - what is the best way to deliver the content to a specific group of audience?

Example Content Cybersecurity Malaysia/CyberSafe - http://www.cybersafe.my/en/

❖ Dealing with Malware

❖ Backing up data

❖ Email & spam

❖ Protecting passwords

❖ Identity theft & privacy

❖ Securing mobile devices

❖ Wireless access

❖ Secure remote access

❖ Desktop security

❖ Social network

❖ Safe online shopping

❖ Safe Internet banking

❖ Cyber stalking

❖ Safe chat

❖ Email & spam

❖ Phishing & scam

Example Content SANS Securing the human

❖ Social engineering

❖ Protecting your personal computer

❖ What is phishing?

❖ Data privacy

❖ You are the target

❖ Email security

❖ Browsing security

❖ Social network security

❖ Mobile device security

❖ Password security

❖ Encryption security

❖ Data security

❖ Data destruction security

❖ WiFi security

❖ Working remote securely

❖ Insider threats

❖ Physical security

Example Content ENISA - https://www.enisa.europa.eu/media/multimedia/material/awareness-raising-video-clips

❖ Lock your computer

❖ Protect your data

❖ Shoulder surfing

❖ Use strong password

❖ Keep your password safe

❖ Secure printing

❖ USB drive

❖ ATM machine

WHEN?

❖ Regular basis

❖ IT Security Event - annually

❖ Incident mockup & Measurement - quarterly

❖ eNewsletter - once a week (52 weeks a year)

❖ Special occasion - by festival, by incident

WHEN?

❖ Location/Venue

❖ Physical

❖ Logical (virtual)

❖ Centralize/Decentralize

❖ HQ

❖ Regional branches

❖ Provincial branches

WHEN?

❖ Communication channel

❖ Style, context, look & feel

❖ Strategy

❖ Edutainment

❖ Personal & privacy first then corporate policy

❖ eLearning

❖ Seminar

❖ Classroom

❖ Video clips

❖ Cartoon

❖ How to measure???

❖ Incident mockup

Example of Measurement from “Phishing” Incident Mockup
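The slide shows the measurement figure only. As an added illustration (not part of the deck, and using constructed data), the script below scores a simulated phishing mockup per quarter and audience group (office, factory) and checks the result against a stated goal, the "Goal & measurement" step of the program; the targets in goal_met are assumed values, not figures from the slides.

```python
"""Score a simulated ("mockup") phishing exercise: per-group click rate,
report rate, and quarter-over-quarter improvement against a goal.
Added illustration with constructed data, not results from the talk."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one row per simulated email sent (not real results).
MOCKUP_RESULTS = """\
quarter,group,user,clicked,reported
2016Q1,office,u001,1,0
2016Q1,office,u002,0,1
2016Q1,office,u003,1,0
2016Q1,office,u004,0,0
2016Q1,factory,u101,1,0
2016Q1,factory,u102,1,0
2016Q1,factory,u103,0,0
2016Q2,office,u001,0,1
2016Q2,office,u002,0,1
2016Q2,office,u003,1,0
2016Q2,office,u004,0,1
2016Q2,factory,u101,1,0
2016Q2,factory,u102,0,1
2016Q2,factory,u103,0,0
"""


def score_mockup(csv_text):
    """Aggregate rows into {(quarter, group): {sent, click_rate, report_rate}}."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in csv.DictReader(StringIO(csv_text)):
        c = counts[(row["quarter"], row["group"])]
        c["sent"] += 1
        c["clicked"] += int(row["clicked"])    # opened the lure link
        c["reported"] += int(row["reported"])  # reported the mail to IT
    return {k: {"sent": c["sent"],
                "click_rate": c["clicked"] / c["sent"],
                "report_rate": c["reported"] / c["sent"]}
            for k, c in counts.items()}


def goal_met(scores, group, prev_q, cur_q, max_click=0.25, min_report=0.5):
    """Goal check for one audience group: click rate within target, report
    rate at or above target, and no regression versus the previous quarter.
    Target values are assumptions for the illustration, not from the slides."""
    cur, prev = scores[(cur_q, group)], scores[(prev_q, group)]
    return (cur["click_rate"] <= max_click and cur["report_rate"] >= min_report
            and cur["click_rate"] <= prev["click_rate"])
```

Tracking the same groups quarter by quarter is what turns a one-off mockup into a PDCA measurement: the office group meets the assumed goal in 2016Q2 while the factory group does not, which tells the program owner where the next cycle's content should go.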

Summary

❖ Continuous program - PDCA

❖ Annual plan

❖ Goal & measurement

❖ Know your audiences

❖ Be fun and energetic

❖ It’s a long-term journey

Thank You