
The challenge of security awareness


A presentation at the Jisc security conference 2019 by Garry Scobie, deputy CISO, University of Edinburgh.


  1. The challenge of security awareness
     Garry Scobie, deputy CISO, The University of Edinburgh
  2. Who am I?
     • Garry Scobie
     • Deputy CISO
     • The University of Edinburgh
  3. Agenda
     • Identifying the challenges to overcome when introducing a security awareness program
     • An overview of real-life attacks on the organisation; making the abstract concrete, helping to shape our thinking on awareness training
     • Suggested solutions, using the current awareness program at The University of Edinburgh as an example
  4. Security breaches commonplace
     • Compromises resulting in loss of data are announced almost weekly
     • Huge numbers of accounts are up for sale
     • It’s commonplace
  5. Why bother?
     • Users may rightly ask why bother with security?
     • Some believe it doesn’t apply to them
     • “I’m going to be hacked anyway”
     • “I’ve nothing important to lose”
     • “Mandatory security training? But I’m a …”
     • “We have clever people. They won’t be phished”
  6. A challenging environment
     • I see a lot of good practice
     • Others, however…
     • “Do I have to ask suppliers about their security?”
     • “Are there any loopholes in GDPR that I can use to get around it?”
     • “Can we just not bother?”
  7. How do we make people aware?
     • We can spend a fortune on technical controls
     • We can write policies and procedures
     • But if someone is phished…
     • How do we educate in such an environment?
     • What are the challenges?
  8. Challenge 1 - complexity
     • The environment is complex
     • Connecting everybody with everything
     • Educating a non-security professional about IoT? Too big, too difficult, not interested
     • Who reads terms and conditions, and understands what they actually mean?
  9. Challenge 2 - overload
     • The sheer volume of data, messages, things for people to click on and access
     • How is our message going to stand out, let alone get through?
  10. Challenge 3 - diversity and accessibility
     • Everyone is important in helping all of us to be more secure. Fostering awareness cannot lose sight of this
     • The message must appeal to and be understood by all. Be wary of jargon
     • Is the awareness training you provide accessible and achievable by all your users?
     • Different audiences: the message may have to be modified. Tech v non-tech
  11. Challenge 4 - justifying budgets
     • Security awareness must add value
     • Not just be a drain on resources
     • Competing against all other priorities
  12. Challenge 5 - it’s not a tick box
     • Security awareness is not a one-off
     • Whatever you do has to be ongoing
     • It’s a continual process of revisiting, revising and reinforcing
  13. Challenge 6 - a vast subject
     • The InfoSec remit covers a huge area of policy, tech and guidance
     • A common support call is “I’ve found this piece of software. Is it okay to use from an InfoSec perspective?”
  14. Challenge 7 - image
     • The image of Information Security needs to change
     • Pictures of hoodies with dark glasses in basements are dated and turn people off
     • InfoSec needs to be approachable
     • Demystify
  15. Challenge 8 - measuring effectiveness
     • How do you know if your message is getting across?
     • Are you making a difference?
     • How can you tell?
  16. Challenge 9 - cultural change
     • Ensure security awareness is embedded and becomes the norm for the organisation
     • Rapid turnover of staff and students is a challenge
     • Long-serving staff
     • Not just being aware, but understanding
  17. The University of Edinburgh
     • An internationally acclaimed seat of learning
     • Reputation for research and as a pioneer of discoveries and scientific breakthroughs
     • A major employer and a major player in the City Deal initiative
  18. The university is a target
     • Data theft: PII of staff and students
     • Financial gain: handling of student fees; large employer; contracts with third parties; research grants; City Deal
     • Espionage: centres for research hold valuable intellectual property. You name it, it’s probably being researched
     • These are highlighted in our awareness program
  19. Top cyber threats
     • Lack of awareness
     • Phishing
     • Malware/ransomware
     • These are linked together
     • Helps to shape our thinking on awareness training
     • Relating advice to incidents helps to make it real
  20. Phishing
     • There are deliveries every day, and emails informing users of them
     • Phishing typically delivers ransomware or grabs credentials
     • Don’t pay. Restore from backups
     • No reading of email or browsing the web while logged in with a privileged account
     • Evidence suggests the top targets for phishing attempts are research/medical
  21. Spear and whale phishing
     • Academics were concerned over phishing attacks which they spotted, but how did the senders get that personal data about them?
     • An academic’s online profile is full of useful data
     • Biography, teaching and PhD supervision, research, projects, publications
     • Social engineering using social media
     • We can’t hide away. Just be aware of what you put out and be on guard whenever someone new approaches you
  22. Conferences
     • Register for a ‘conference’ and then an email is returned stating there is a problem with the website handling the registration process
     • The email contains an attachment, which is not malware. The user is asked to fill in their details
     • “We can arrange a discount via local hotels, so fill in this form with your personal details including passport number and credit card”
     • Also spoofing of genuine conferences, claiming the delegate hasn’t paid
  23. Other phishing attacks
     • Disk full alerts, email account upgraded or suspended, routine maintenance for which you need to provide your credentials
     • IT services would never do this
     • Phone scams on the increase
     • Texts
     • Watering hole sites/fake domains
     • Fake pages linked to library systems
  24. Fraud
     • Spear phishing: targeting key personnel for urgent payments
     • Mandate fraud: change of supplier bank details, using a fake website to spoof the bank details, so that payment goes to a fake supplier bank account
     • Spoofed invoices
     • All the above prevented due to internal controls
     • Students giving money to “money advisers”. Lottery scams. Accommodation scams
  25. Bitcoin miners
     • System compromises due to a lack of, or delay in, patching
     • Bitcoin miner code searches for other computers on the network and attempts to compromise them
     • Failure to patch can impact everyone
  26. Freedom of information
     • Legal requirement for the public sector
     • We have developed an understanding of what we can say in respect of security
     • You don’t want to map out your tech
     • We are often asked how many cyber attacks we have had
     • We have also been asked how many of the University’s properties are haunted
  27. Physical security
     • The University is very old and has a sprawling mix of buildings. We are proud of our estate and encourage openness
     • Physical thefts do occur
     • Clean desk policy
     • Wear a lanyard, be prepared to challenge
  28. Cyber security cultural assessment
     • Seven focus groups across a range of schools and business units
     • The themes of empowerment, awareness, values, behaviours, adherence, accountability, responsibility and cultural norms were discussed
     • Helped to benchmark and reinforce the direction we were taking
     • Staff want the information to enable them to do the right thing
  29. Focus groups - actions
     • Communications: security working group
     • InfoSec champions network, with training
     • Review online training and target awareness
     • Refresh of guidance
     • Multi-channel communication campaign (use student interns)
     • Raise empowerment
     • Accountability
  30. The way forward
     • Users are our best defence
     • Foster an environment that encourages people to speak up, point out, challenge
     • A no-blame culture
     • Consensus on what is important, aligned to the business
     • Assess the risks and partner with the business in language everyone understands
     • Partnership working
  31. The way forward
     • We provide policy and procedures around the need to handle University data securely
     • We also stress the need for users to handle their own personal data in the same way
     • Foster awareness by highlighting the data they hold on family and friends
     • Identity theft is real
  32. The way forward
     • Don’t be afraid to try different things and fail
     • Buy-in from the top: invite your senior team along
     • GDPR champions network: use those who do get it to help others get on board
     • InfoSec champions network
     • Make it fun; don’t turn your users off
     • Enthusiasm can’t be faked. Enjoy your subject
  33. The way forward
     • Look for quick wins. What can users do to make themselves more secure?
     • Automatic updates
     • Think before you click
     • AV on mobiles
     • We pitch the training at every opportunity
  34. The University of Edinburgh
     • Teamed up with the digital skills program
     • Security awareness week
     • Fraud awareness week
     • New staff welcome sessions
     • Creative learning festival: medieval castles, Victorian fan language
  35. University awareness sessions
     • The Internet survival guide
     • Fraud, phishing and social engineering
     • Why is InfoSec important to me and you?
     • Practical encryption for staff and students
     • Mobile phone security
     • Ransomware
     • Introduction to the InfoSec team
     • Choosing software from an InfoSec view
     • Hacking, cybercrime and the movies
  36. MOOC
     • Massive Open Online Courses
     • Digital footprint initiative
     • Three-week online course which includes developing an effective online presence, managing your privacy, creating opportunities for networking, and balancing and managing professional and personal presences (e-professionalism)
  37. The University of Edinburgh
     • Mandatory online training
     • Embedding security in projects: question sets for procurement
     • Top tip flyers
     • Active on social media
     • Student interns: feedback on what we are doing
  38. The University of Edinburgh
     • Focus groups
     • Phishing simulation
     • Merchandise and branding
     • Developing podcasts
  39. KPIs
     • Increase in take-up of training
     • Increase in calls for advice and support
     • Increased reports of phishing emails
     • Engagement at project initiation
     • Requests for vulnerability scans and penetration tests
     • Invitations to visit schools and colleges
     • One school now starting its own internal security awareness program
     • College requests for additional awareness sessions
  40. Thank you
     Garry Scobie, Deputy CISO, The University of Edinburgh
     customerservices@jisc.ac.uk
     jisc.ac.uk
