Download presentation
Presentation is loading. Please wait.
Published byElfrieda Todd Modified over 9 years ago
1
The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014
2
AGENDA FOR THIS SESSION Why technical defenses are not enough Formal policy vs. training and awareness What does an effective security awareness program look like?
3
LESSONS FROM DATA BREACHES Epsilon – spear phishing attack AOL – not understanding data classification Google, Yahoo and 18 others: users needed to update browsers Gawker Media –used weak passwords for multiple applications Target – began with phishing attack on 3 rd party
4
FORMAL POLICY Provides management guidance and intention Protects company liability Must be “translated” into key concepts and messages Requires partnership with Human Resources
5
What does an effective security awareness program look like?
6
KNOW YOUR AUDIENCE Language Work environment Types of computing devices Job roles
7
KEEP IT SIMPLE
8
REPEAT…REPEAT…REPEAT Screensavers Newsletters Posters Online training Webinars
9
EXPLAIN WHY
10
MAKE IT FUN!
11
ASK FOR FEEDBACK
12
TRACK AND MEASURE
13
RECOGNITION AND REWARDS
14
AWARENESS TOPICS How to spot Key logging devices Is Email Spam Harmful? Watering hole attacks Storing paper records Visitors who may be imposters Are cookies bad for you? All about malware
15
MORE AWARENESS TOPICS Create and remember strong passwords Get Going with Mobile Security What is a mobile botnet? Found any free USB drives? What did you capture on camera? Erase those whiteboards! We love to share email chain letters
16
AND MORE AWARENESS TOPICS Dialing for Dollars: Phone Scams Cell phone ringtone scams Dangers of Counterfeit Software Wi-Fi Security Tips at Home Email Etiquette for Your Career Has your Facebook account been hacked?
17
STANDARDS NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program” ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs Australian Government: Protective Security Governance Guidelines – Security Awareness Training
18
COST OF SECURITY AWARENESS Budgetary Planning: $5 - $10 per person per year Online courses Posters, Screen savers Newsletters Pens, Buttons, Etc.
19
WRAP UP AND QUESTIONS Is an annual awareness session adequate? Are acknowledgments of policy enough? Are there better ways to audit that will help to drive improvement?
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.