Securing company assets is a shared responsibility. It requires People, Process and Technology to be effective.
This non-technical slide deck is compulsory viewing for all company staff. It is designed to educate staff about security risks, build an in-house security culture, and explain how humans are the weakest link in the security chain.
While the slides are self-explanatory, detailed slide notes that significantly enhance the presentation are available on request.
To receive your complimentary slide notes, please email mikek@m-net.com.au with title "Baking Security - Notes".
Alternatively, if you would like this session professionally presented to your organisation, please email mikek@m-net.com.au with title "Baking Security - Presentation".
Baking Security into the Company Culture (2017)
1. 0
Baking Security into the
Company Culture
(an interactive security awareness session
to educate staff and foster a security culture)
Mike Kleviansky
2017
2. 1
Objective of this Presentation
• Gain high level understanding of Information Security
• Understand that Security is centred around PPT: People, Process and Technology
• Appreciate that Security is a shared responsibility
• Understand common security threats
• Understand how you can help mitigate security risks
3. 2
High Level View of IT Security
(diagram of the company environment: Office 1 Assets, Office 2 Assets, Office Connectivity, Access to Local and Network Data, Cloud Data, Data Centre, Third Party Support, Knowledgeable Staff, Friendly Staff)
4. 3
IT Security Technology is configured by humans
Human error is the main cause of security and data breaches!
5. 4
Information Security is a Shared Responsibility
(diagram labels: Hacker, People, Process, Technology, IT/Security, Company Assets)
Securing Company Assets = People + Process + Technology
6. 5
The IT Department’s Responsibility
(diagram of IT controls: Disk/Data Encryption, Firewall, IDS/IPS, Cloud Security, Identity and Access Management, Updates, OS Patching, Risk Analysis)
Define policies and procedures, configure systems/devices, secure, manage operations, etc.
Technology can secure infrastructure, systems, applications and data, but it is configured by people and managed by process
7. 6
Your Responsibility as a Staff Member
(diagram of staff responsibilities: Corporate Network, Strong Passwords, USB Beware, Follow P & P, Wifi is NOT Secure, Don’t leave Printouts Unattended, Lock screens, Physically Secure devices, Adhere to Policies and Procedures, Malware Beware, No sensitive data?, Apply privacy settings)
Be aware of common risks, use common sense and adhere to policies and procedures
8. 7
Common Threat Identification
(diagram of threats: Attack database applications, Make systems unavailable, Keep trying username/passwords, Exploit in Vendor Software)
(the diagram is split into two areas: "YOU have some control of this area" and "Technical Department control this area")
11. 10
2. Strong Passwords are good, but a Passphrase is Better
• Passwords are a first line of defence!
• Make sure your password is secure!
• More than 8 characters
• Combination of alpha (a-z), uppercase (A-Z), numeric (0-9) and special (!@#$)
• Weak passwords:
• password1, mikekleviansky, mikek
• Strong passwords:
• P@$$:w0rd!, M!k3:KL3v!@nsky, !23:P@$$w0rd
• A passphrase is more effective than a password
• Mike Kleviansky is a contract CIO → MkiacCIO2017
• MK:Is:@:G:G
• Mnimkaila18ssi2017
• Jack and Jill went up the hill again → JaJwutha
• Don’t use the same password on different sites
• Change passwords on a regular basis (90 days)
• Don’t cache passwords in a browser
What is more effective than a passphrase?
Answer: Two-factor Authentication
12. 11
3. An unlocked screen/device is an open invitation!
• If your screen is unlocked you are inviting potential trouble!
• An unlocked screen is equivalent to no password (in some instances)
• Portable devices (e.g. notebook) should be secured at a desk where applicable
• Set an inactivity timer to automatically lock your screen
• Do you leave the front door open when you pop down to the shops?
If your desk is unattended, lock your screen: CTRL+ALT+DEL, or WIN+L
13. 12
4. USB Storage can be infected and/or stolen
• Portable USB storage is not secure:
• Data can be infected with malware
• Data can be easily stolen
• Never insert unauthorised portable devices
• Antivirus software should always scan USB drives by default (or USB drives should be disabled)
Portable devices (when inserted) are an extension of your desktop environment so secure them
14. 13
5. Phishing for personal information
• Phishing - email from “reputable company” to gain personal information
• Spear phishing – email from known or trusted sender to gain personal information
• Whaling – email that targets high-profile end user in order to gain personal information
It is easier to trick someone into clicking a malicious link than hacking into a system
(diagram labels: masquerade, trust, contextual)
16. 15
6. Malware is Malicious Software
Malware is designed to disrupt, damage or gain unauthorised access to a computer system
(diagram: Internet Downloads!)
17. 16
7. Secure physical devices or risk data loss
(diagram: local drives C:\business, E:\client data and F:\Backups)
Protect your devices against data loss: do NOT store sensitive data locally, or encrypt the data
18. 17
8. Do not leave printer output unattended
• Sensitive data is vulnerable, regardless of the format (softcopy, hardcopy, visual)
• Unattended printouts on a printer can be stolen and easily digitally recorded
(diagram: Data on disk, Data on screen, Data printout, Recorded data)
19. 18
9. Public Wi-Fi is not Secure
(diagram: Public Cafe connected to The Office over a VPN)
Don't trust public Wi-Fi hotspots when dealing with work or personal matters, e.g. banking
20. 19
10. Apply privacy settings
What information does an institution (e.g. bank) require to validate your identity?
The less you publish about yourself online, the better.
What is published online, stays online, and may be used against you:
• Identity theft
• Social Engineering (using your details for personal gain)
• Negative publicity and branding
• Blackmail
• Job application rejection
(example profile shown on the slide: John Smith, 16/11/1978, Sydney Grammar, marybjane@gmail.com, 2 Smith Street, Smithfield)
21. 20
In Summary …
The key takeaways from this session are:
• Security and cyber security are a shared responsibility: People, Process and Technology
• Humans are the number 1 cause of cyber security breaches
• Know your key security responsibilities: secure password, locked screens, etc.
• Be able to identify common threats such as malware and email attachments
• Physical security cannot be ignored
• Keep it private when it comes to online security
• Use common sense at all times