TRANSCRIPT
Security Awareness – online training is not enough!
Brad Grebitus, Desktop and Client Security Lead, Sacramento State / Information Resources and Technology
Sue Rivera, Information Security Risk Analyst, Sacramento State / Information Resources and Technology
Mark Hendricks, Information Security Officer, Sacramento State / Information Resources and Technology
Agenda
Security Awareness Program
The elements of our strategy: balancing hard and soft skills
Teamwork: it takes a campus
Engagement: campaigns, communications, education, partnerships and training
How are we doing? Metrics and reporting
Security Awareness: Online training is not enough
People are an organization’s largest vulnerability undermining all other security efforts.
A security awareness program should include dedicated personnel with communications and marketing skills, which often aren’t strengths of IT security staff.
…
Security Awareness Program: Thinking like our community
The “elements” of our strategy:
• Blended resource model – dedicated technical personnel, plus a “soft skills” communications and marketing professional to engage and deputize audiences
• Partnerships – work closely with units closely involved with target audiences, and participate in national alliances for increased horsepower/support
• Back-end vigilance, front-end awareness – to help prevent, stall, and more quickly resolve campus cyberattacks
Collaborative Team Approach
CIO/ISO
Security Trainer
SME Training
Communications Manager
Partnerships with Campus Divisions and Units
Our “Deputized” campus community
Campus Security Strategies & Tools
Educate & Communicate
• HR onboarding and online CSU compliance training
• Cofense PhishMe campaigns
• Proactive marketing and communications, and leveraging affiliations (NCSAM Champion)
System Safeguards
• 2-Step Verification with Duo
• BitLocker disk encryption
• Desktop security & network protection
Risk Assessment
• Organizational assessments
• Sensitive data review
• Procurement reviews (ICT)
Campus Partnerships
• Collaborate on campaigns to target specific audiences
• Information sharing
• Reinforce education/training
• Data governance
Hard Skills: Security Tools – “Prevent Defense” enhancing “Proactive Offense”
• Security Operations
• Multifactor Authentication
• Data Loss Prevention (DLP)
• Vulnerability Management
• Network Protection
• System Log Monitoring
• Encryption
• Configuration Management
• Vendor and Cloud Management
• Forensics
Campus Engagement Summary
• Online and in-person training, including Cofense PhishMe tests (CSU compliance, HR, and PhishMe campaign-related)
• Printed collateral and presentations (primarily geared toward onboarding and orientations)
• Proactive and reactive emails (via the official campus broadcast messaging tool)
• Information Security web pages
• Digital signage
• Social media
• Partnerships and events (campus units and national organizations like NCSAM)
Online and In-Person Training
Online
• Cofense PhishMe tests
• Compliance
• PCI
In-Person
• MPP 101 and Sac State 101
• Governance training
• Auxiliary awareness
• Division-specialized
• Procurement Security Review (ICT)
• Security tools training (Duo)
• Access control (PeopleSoft)
PhishMe Campaigns
We send periodic simulated “phishing” emails to test campus cyber literacy. Each campaign includes education to prepare recipients for future test (or actual) phishing attempts.
Printed Collateral & Presentations
General education and “spotlight” handouts are regularly distributed to targeted audiences – such as incoming students and during Faculty orientation – to provide an early introduction to topics such as phishing and cybersecurity best practices.
HR onboarding is another ideal time to educate incoming staff about cybersecurity.
Broadcast Emails
Urgency and transparency are key!
When a phishing attack occurs, we communicate immediately and as often as needed through campus broadcast emails. Selecting an “everyone” list lands urgent messaging in 50,000+ Sac State inboxes, alerting them to an issue, with guidance on reporting and pushes to web education tools.
We are also emphasizing and expanding our proactive communications strategies.
Website
Our best 24/7 resource! All communications push audiences online to regularly updated web content, including abuse reporting instructions, educational materials, an online quiz to test cyber literacy, and results of Cofense PhishMe campaigns.
csus.edu/irt/iso
Digital Presence
Bringing information security messaging front and center!
Rotate cybersecurity campaigns and messages onto digital display screens across campus
Feature “ads” displayed on the mandatory login screen on each of the devices in our IRT Computer Lab
Social Media
Reach audiences (ok, so students!) where they spend significant time, and bring information security messaging front and center.
• Alerts when phishing trends emerge
• Post actual phishing images and how to report them
• Proactive marketing/awareness
• Leverage affiliations, such as NCSAM Awareness Month graphics
• Utilize information security hashtags to increase reach
Partnering for Success: Working with Campus Units to engage specific audiences
We frequently partner with campus groups for training and awareness to better reach – and educate – students.
• We partner with Engineering and Computer Science and Services for Students with Disabilities during National Cybersecurity Month.
• We partner with Student Affairs to reach students who are targeted daily by phishing schemes, including financial aid, false employment opportunities, “account issues” relating to campus services such as Office 365, or gift card scams to support phony causes.
Partnering for Success: System-wide, regional and national affiliations
• National Cyber Security Alliance Champion: supporting national awareness efforts by leveraging supplied marketing materials and hashtags to help messaging go viral
• Higher Ed & Industry Events: best practices and idea sharing through regular participation at information security conferences, symposiums, and round table discussions
Metrics and Reporting
An information security program is only good if it works. Ensure you have the right back-end reporting tools to see growth, and share this information regularly with campus to encourage cybersecurity awareness and adoption.
• Online compliance and specialized training reporting
• Results of PhishMe campaigns
• Compromised accounts over time
• Data Security & FERPA training
The numbers tell the story. When we think we’re making an impact with our audiences, the results of a PhishMe campaign will show us where we can improve.
Recap: Security Awareness Program
• Dedicated trainers and communications support
• Resources including a persistent web presence, education, and contacts to report abuse/cyber incidents
• Multiple training mediums (online, in-person) to account for diverse audiences
• Regular anti-phishing campaigns and metrics evaluation to adjust future campaigns
• Partner with campus units to engage key audiences
• Leverage existing trainings and events, and develop custom ones for campus
• Risk management, metrics and records assessment
• Be proactive and engaging with campus audiences – not just when a phishing attack is occurring
• Make it relatable, make it fun!
One more thing… Training tomorrow’s cyber workforce
Beyond programmatic campus strategies, we also champion experiential learning, and regularly hire student employees. They gain first-hand experience working alongside the Information Security Team on a variety of tasks, which can support their studies toward a specialty certificate, or in the pursuit of related careers.
Cybercriminals are only getting better at what they do, which means the skills gap is growing between the people who hack and the people who stop them.
Questions & Sharing