Download to read offline
![Information Security
Training Presentation
[name] [date]](https://image.slidesharecdn.com/cybersecuritytrainingpresentation-230425034954-62a3973b/85/Cyber-Security_Training-Presentation-pptx-1-320.jpg)
![Next steps
Call _____ on _____ if you need information or guidance
Call _____ on _____ if you need to raise concerns
Access self-study courses on our e-learning portal for further training [or
optionally – Complete your mandatory training on our corporate e-learning
portal]](https://image.slidesharecdn.com/cybersecuritytrainingpresentation-230425034954-62a3973b/85/Cyber-Security_Training-Presentation-pptx-24-320.jpg)
![Employee Security Training[1]@](https://cdn.slidesharecdn.com/ss_thumbnails/EmployeeSecurityTraining1-122974944243-phpapp01-thumbnail.jpg?width=640&height=640&fit=bounds)
Cyber Security_Training Presentation.pptx
- 1.
- 2. Learning objectives Whyinformation security? What information is covered? Classifying information Information security in practice Our company’s information security policy
- 3. Why is informationsecurity important? Information is valuable… Information is personal…
- 4. What information iscovered? Personal Legal Corporate Operational If it’s not in the public domain, protect it!
- 5. Risks & consequences The data’s value The added risk of a direct attack – on our people or our systems The cost of regulatory fines The cost of restoring or recreating what’s lost Reputational damage
- 6. When it goeswrong Bank fined £500k for data loss Target loses personal data of 70m customers MP’s notes photographed in Downing Street HIV clinic accidentally leaks patient details Social worker leaves court data on car roof
- 7. Information Security breaches Whydo information security breaches occur? a. Ignorance of the rules e.g. policy violations caused by a lack of training b. Failing to realize data was confidential c. Insufficient methods to protect data d. Deliberate leaks e. User error e.g. sending an email with data to the wrong people
- 8. Understanding the datauniverse Data classification system Lifecycle Creation Storage/Retrieval (Use) Disposal
- 9. Classifying information 1. Confidential 2.Inside 3. Internal 4. Public
- 10. You make thecall: What type is it? Last year’s annual company report Confidential Inside Internal Public A client’s payment details Confidential Inside Internal Public Our company phone directory and handbook Confidential Inside Internal Public
- 11. Communication & informationsecurity I forwarded the email without thinking. I forgot to check what else was further down the thread. I clicked on Reply to All by accident. The message went to all our 3,000 employees. The system was swamped when people replied back. Email Instant messages
- 12. Information security &the internet Happy Birthday to my favourite client Lydia Clarke In Leeds today with Magee Investments – exciting times ahead Bye desk – see you in 2 weeks
- 13. Information security onthe move Eavesdropping Shoulder surfing Unsecure WiFi connections Loss of physical information Loss of equipment or devices
- 14. Opinion: Security &portable media I lost a memory stick after travelling to a client meeting. The data wasn’t encrypted. My laptop was stolen on the train. There wasn’t much information on it but that’s not the point.
- 15. Security in thecloud Avoid content dumps – copying everything as a backup ‘just in case’ Conduct due diligence before granting shared access Allow shared logins Create new folders to give access to third parties YES YES NO YES Give everyone the same privileges and access rights NO Vet IT professionals who have access to our cloud and file- sharing services YES
- 16. When it goeswrong Email error blamed for massive data breach Security firm warns of ransomware risk Lightning strikes Google’s cloud data Greater Manchester Police fined £120k for memory stick robbery Clinton used personal email Dropbox targeted by Trojans
- 17. GDPR penalties aresevere 4% of global turnover €20 million
- 18. Scenario 1: Gloria’sholiday What should she do? I may be going away but I still need to keep on top of what’s happening a) Log in via remote access to access her work email account b) Ask her colleagues to cc all the emails to her personal email account c) Forward emails directly to her mobile so she can pick them up on the go d) If it’s important, her team should call her instead – it’s more secure
- 19. Scenario 2: Adam’smeeting What should he do? I’m off to Manchester today for a meeting and need to take my laptop… a) It’s best to travel without devices to limit the risks b) Ensure that he travels with minimal information, in case of theft c) Only use iOS products as they pose no security risks d) Avoid discussing work in public places or in earshot of others
- 20. Our Information SecurityPolicy Providing information and training – raising awareness Carrying out regular risk assessments Testing our systems are secure Providing appropriate technology to keep information safe Appointing people with specific responsibility for information security Requiring everyone to read and implement our Information Security Policy
- 21. Do Read our Company'sInformation Security Policy – make sure you understand our rules and know what to do Be aware of how data you use is classified Take appropriate precautions whenever you use our information, right throughout the lifecycle – from creation to disposal Report any issues or breaches immediately to your manager – so we can limit our losses
- 22. Don’t Assume thateveryone is entitled to see the same information as you Leave your computer logged on or leave information unattended on your desk Send or store sensitive information electronically without encryption Forward our information to your personal devices Share your login with anyone else Let visitors walk around our offices unattended
- 23.
- 24. Next steps Call _____on _____ if you need information or guidance Call _____ on _____ if you need to raise concerns Access self-study courses on our e-learning portal for further training [or optionally – Complete your mandatory training on our corporate e-learning portal]
- 25. About Skillcast Skillcastprovides digital learning content, technology and services to help you train your staff, automate your compliance processes and generate management reports to help you keep track of it all. Our best-selling Compliance Essentials Library provides a complete and comprehensive off-the-shelf compliance solution for UK businesses. Register for a free trial at https://www.skillcast.com/free-trial Copyright © 2022 Skillcast. All Rights Reserved.
Editor's Notes
- #2 Welcome to this session on Information Security. Thank you for attending. This session should take us around 20 mins.
- #3 In this session we’ll look at: Why information security? What information is covered? Classifying information Information security in practice Our company’s information security policy
- #4 [Ask delegates] Why is information security important? Every day we generate and consume ever-increasing amounts of information. Much of this information is of immense value to our business and the cost of losing it or having it stolen is hard to quantify. The information we use often relates to individuals too. It’s vital that we take extra care to safeguard personal information. If we fail, it can have disastrous consequences. That's why it's crucial that we protect all our information from those who shouldn't see it, from unauthorised use or access, from illegal copying, viewing, and deletion.
- #5 So, what information do we need to protect? The main types are: Personal information – eg about our customers or our employees, including their names, addresses, birthdates, contact details, bank or payment details, buying preferences, etc Legal information – eg contracts and agreements with third parties, including our suppliers, partners, affiliates, customers, consultants, and employees Corporate information – eg relating to our financial position, our strategy or corporate plans (expansions, mergers and acquisitions), and especially including anything which is not already in the public domain Operational information – eg information about our internal processes or procedures, and how we operate; market intelligence But, don't be fooled into thinking that it's just online information that's at risk. Physical documents are every bit as vulnerable. Security is important for all our data - whether it's held physically or electronically, whether it's created by us or provided to us by third parties. If it's not in the public domain, it needs protecting.
- #6 To understand the importance of information security, think about what impact it would have if any of our information was lost. The consequences would be serious – both for our customers and our company. We can assess the overall impact by considering: The data’s value The added risk of a direct attack – on people or systems The cost of regulatory fines The cost of restoring or recreating what’s lost Reputational damage
- #7 Despite the obvious reputational damage, companies still get it wrong. Here are some examples of cases that have hit the headlines recently. [As an add-on, discuss other recent cases, if required.]
- #8 [Ask delegates] Why do you think information security breaches occur? [Allow time for reading and reflection before clicking next.] In summary: There are many reasons why information security breaches occur. The most common ones include: Failure to appreciate the importance of information security Malicious attacks by hackers Accidental loss Negligence Deliberate policy violations by internal staff (think Edward Snowden)
- #9 One of the best ways of safeguarding our information is to understand our entire data universe – ie what data we're dealing with - and then deciding what's appropriate. We use a classification system to help us understand data sensitivity and ensure that our information is always given the right level of protection. And, that classification also governs what we can do with it – whether it can be shared and with whom, how it should be stored, who can see it, what they can do with it, etc. By looking at the entire lifecycle, from the moment data is captured or created, its storage and retrieval, right through to disposal, we can ensure that we're taking the right action – at every stage - to safeguard it.
- #10 Any information we create or receive is classified, based on its value or criticality to us. Of course, some of our information is publicly available and freely disclosed without restrictions, whereas others are strictly confidential and therefore subject to tighter controls. There are 4 ways in which we classify information: 1. Confidential – This applies to information that is only available to those who have a 'need to know'. It includes customer account details and HR records. Compromising confidential information could lead to significant financial or reputational damage. 2. Inside – This is a sub-set of confidential information. It relates to the value of publicly traded securities, eg unpublished financial accounts, information on the progress of large projects, pending mergers, etc. Releasing inside information inappropriately is a criminal offence punishable by imprisonment and fines. 3. Internal only – This can be freely shared with all members of staff but not released to third parties. It includes internal telephone directories and most of our compliance policies and procedures. 4. Public – This can be released to anyone outside our Company without restrictions. Examples include press releases, marketing material and some research produced by our Company.
- #11 Take a look at this example and decide what type of information it is. [Allow for thinking time before clicking next] By understanding how information is classified and its value to our business, you'll find it easier to protect it.
- #12 Like most companies, we rely on technology, especially for communication and to share information across our Company and beyond. Everything from email and instant messaging, to online conferencing, forums and smartphones. But, the speed in which we communicate today can sometimes put data at risk, as these examples show. [Include other examples from your own experience – corporate anecdotes – and allow time for discussion.]
- #13 Using the internet can also sometimes compromise information security, if we’re not careful and don't take precautions. You’ll need to watch what you share, particularly when using social media. Oversharing information can cause serious problems. For example: Even the mere mention of a meeting with a company may breach our confidentiality agreements or privacy. And, a seemingly harmless tweet about being in a certain place to 'seal a deal' with a kindred company may allow others to 'piece together the jigsaw' and forewarn of a merger. It’s important to let our PR/Media department handle all official disclosures and public announcements. Refrain from sharing corporate information online unless it’s part of your job.
- #14 Keeping in touch with what's happening back at the office when you're on the move (for example, when travelling or working in different locations) is essential for most of us. But, there are risks too. You may have to take calls, respond to emails, refer to corporate information on our internal servers, and more as you work at a distance. You’ll need to take precautions and ‘think information security’ whenever you travel. What can you do? [Allow time for discussion before continuing] Check over your shoulder before having a conversation on your mobile or using a laptop or tablet – who else is within earshot or can see it? Move somewhere private or offer to call them back to maintain confidentiality. Set up password protection on all your devices – including Touch ID, two-factor authentication – before you travel Keep data to a minimum when travelling, especially when travelling abroad on business Don’t access our network or sensitive information using public WiFi connections - they aren’t secure
- #15 We often insist on having all our information at our fingertips whenever and wherever we need it. Different types of media have helped make our data more portable, including DVDs, CDs, SD cards and USB memory sticks, and most store vast amounts of data. But, there are risks here too. Portable devices may be lost easily There can be problems keeping it up-to-date – especially if it was downloaded some time ago Malware can be spread easily by USBs and other portable media. [Hold a discussion with delegates, before continuing. Are portable media allowed? If so, what precautions do they take? What more can they do?] [Note: USBs containing malicious software are often dropped by cyber criminals outside company offices. Accessing them via our network can lead to serious cyber security breaches.]
- #16 Cloud storage and file-sharing sites (such as iCloud, Dropbox, Google Drive, Mega, and OneDrive) have revolutionised information storage and use, allowing us to access and exchange corporate information wherever and whenever we like. Add to that the ability to make real-time synced changes to information, and it's not hard to see why they're so popular. But, there are risks too so we need to take precautions. [Allow time for discussion before clicking next to identify best practice.]
- #17 Whenever and wherever we use information, we must prioritise security. Information security breaches are serious. There may be devastating consequences for the individuals involved, not to mention significant damage to our reputation and fines. Yet, companies are still failing to do enough to protect information. [As an add-on, discuss other recent cases, if required.]
- #18 But, now, there’s an even greater incentive to get this right. Under the General Data Protection Regulation there’s a much stricter regime and the fines have increased dramatically. Companies now face fines of up to 4% of global turnover or €20 million (whichever is the higher). So, it’s time to up our game and take this more seriously… [Download our other presentation on GDPR for more.]
- #19 Gloria’s taking annual leave. She’s off to the South of France for a few days. But the project she’s working on is at a critical phase – she wants to keep on top of her emails while she’s away. What should she do? [Allow for discussion and thinking time before clicking next again] Business emails must not be forwarded to your mobile or personal email address - this creates a security risk.
- #20 Adam’s going to a meeting in Manchester. He needs access to key statistical information so he’s taking his laptop with him. Then, after the meeting, he’ll need to call the office on his way home to give a progress report. What action should he take to maintain information security? [Allow for discussion and thinking time before clicking next again] Travel can sometimes increase the risk of security breaches. For example, there may be eavesdropping on the train, you may leave documents at a client office in error, or use an unsecured connection as you take a break in a coffee shop. You can't avoid travel, but you must at least limit the risks.
- #21 Our Information Security Policy outlines our rules, processes and procedures. We demonstrate our commitment to information security by: Providing information and training – raising awareness Carrying out regular risk assessments Testing our systems are secure Providing appropriate technology to keep information safe Appointing people with specific responsibility for information security Requiring everyone to read and implement our Information Security Policy [As an add-on, provide everyone with a copy of your Information Security Policy and explain the key points. You might also introduce your Information Security/Data Protection Officer in the session giving them a 5-min slot to explain their work and offer advice.]
- #22 We can’t do this alone. Here's what you should do: Read our Company's Information Security Policy – make sure you understand our rules and know what to do Be aware of how data you use is classified Take appropriate precautions whenever you use our information, right throughout the lifecycle – from creation to disposal Report any issues or breaches immediately to your manager – so we can limit our losses Talk to your manager if you have any concerns or if you have any suggestions on how we can improve data security.
- #23 Don't: Assume that everyone is entitled to see the same information as you Leave your computer logged on or leave information unattended on your desk Send or store sensitive information electronically without encryption Forward our information to your personal devices Share your login with anyone else Let visitors walk around our offices unattended
- #24 Do you have any questions?
- #25 You can get more help and information on this issue from these contacts. Or, for a more in-depth look at this topic, access our self-study course.