The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014


Page 1: The Most Critical Risk Control: Human Behavior

The Most Critical Risk Control: Human Behavior

Lynn Goodendorf

Director, Information Security

Atlanta ISACA

Chapter Meeting

June 20, 2014

Page 2: The Most Critical Risk Control: Human Behavior

AGENDA FOR THIS SESSION

Why technical defenses are not enough

Formal policy vs. training and awareness

What does an effective security awareness program look like?

Page 3: The Most Critical Risk Control: Human Behavior

LESSONS FROM DATA BREACHES

Epsilon – spear phishing attack

AOL – not understanding data classification

Google, Yahoo and 18 others: users needed to update browsers

Gawker Media – used weak passwords for multiple applications

Target – began with phishing attack on 3rd party

Page 4: The Most Critical Risk Control: Human Behavior

FORMAL POLICY

Provides management guidance and intention

Protects company liability

Must be “translated” into key concepts and messages

Requires partnership with Human Resources

Page 5: The Most Critical Risk Control: Human Behavior

What does an effective security awareness program look like?

Page 6: The Most Critical Risk Control: Human Behavior

KNOW YOUR AUDIENCE

Language

Work environment

Types of computing devices

Job roles

Page 7: The Most Critical Risk Control: Human Behavior

KEEP IT SIMPLE

Page 8: The Most Critical Risk Control: Human Behavior

REPEAT…REPEAT…REPEAT

Screensavers

Newsletters

Posters

Online training

Webinars

Page 9: The Most Critical Risk Control: Human Behavior

EXPLAIN WHY

Page 10: The Most Critical Risk Control: Human Behavior

MAKE IT FUN!

Page 11: The Most Critical Risk Control: Human Behavior

ASK FOR FEEDBACK

Page 12: The Most Critical Risk Control: Human Behavior

TRACK AND MEASURE

Page 13: The Most Critical Risk Control: Human Behavior

RECOGNITION AND REWARDS

Page 14: The Most Critical Risk Control: Human Behavior

AWARENESS TOPICS

How to spot key logging devices

Is Email Spam Harmful?

Watering hole attacks

Storing paper records

Visitors who may be imposters

Are cookies bad for you?

All about malware

Page 15: The Most Critical Risk Control: Human Behavior

MORE AWARENESS TOPICS

Create and remember strong passwords

Get Going with Mobile Security

What is a mobile botnet?

Found any free USB drives?

What did you capture on camera?

Erase those whiteboards!

We love to share email chain letters

Page 16: The Most Critical Risk Control: Human Behavior

AND MORE AWARENESS TOPICS

Dialing for Dollars: Phone Scams

Cell phone ringtone scams

Dangers of Counterfeit Software

Wi-Fi Security Tips at Home

Email Etiquette for Your Career

Has your Facebook account been hacked?

Page 17: The Most Critical Risk Control: Human Behavior

STANDARDS

NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program”

ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs

Australian Government: Protective Security Governance Guidelines – Security Awareness Training

Page 18: The Most Critical Risk Control: Human Behavior

COST OF SECURITY AWARENESS

Budgetary Planning: $5 - $10 per person per year

Online courses

Posters, Screensavers

Newsletters

Pens, Buttons, Etc.

Page 19: The Most Critical Risk Control: Human Behavior

WRAP UP AND QUESTIONS

Is an annual awareness session adequate?

Are acknowledgments of policy enough?

Are there better ways to audit that will help to drive improvement?