Stephen Cobb, profile picture
Uploaded byStephen Cobb
PPTX, PDF24,429 views

Cyber Security 101: Training, awareness, strategies for small to medium sized business

The document discusses the critical need for computer security training, highlighting that a significant majority of U.S. adults have not received such training, which leads to numerous security vulnerabilities. It outlines the steps for improving security awareness, including assessing risks and educating employees, emphasizing that a well-informed workforce can reduce the impact of cyber threats. The document underscores that effective security policies and continuous training are necessary for organizations to protect sensitive information and maintain compliance with industry regulations.

Embed presentation

Downloaded 1,314 times
Security 101 Training, awareness, and strategies Stephen Cobb, CISSP Senior Security Researcher ESET NA
The SMB Sweet Spot for the cyber-criminally inclined Enterprises SMB “Sweet Spot” Consumers Assets worth looting Level of protection
The challenge • Organizations of every type rely on computers to handle information • Everyone today is a computer user • Most have no security training • Lack of security training leads to problems
How big is the challenge We asked U.S. consumers if they had ever received any computer security training No: 68% Yes: 32% *Savitz Research for ESET, 2012
68% is sadly consistent We asked working adults in the U.S. if they had ever received any computer security training No: 68% Yes: 32% *Harris poll for ESET, 2012
73% is even worse We asked adults in U.S. who use social media if they had ever received online safety training No: 73% Yes: 27% *Harris poll for ESET, 2012
Security training is not yet part of our society* • This has serious implications for your business • 93% of American adults say they’ve had no computer security training in the last 12 months • How many of them work for you, or for your clients, suppliers, etc? *Savitz Research for ESET, 2012
Some problems that lack of security training can cause • Unauthorized access to information • Loss of access to information • Loss of information • Corruption of information • Theft of information
The implications are non-trivial • Loss of revenue • Loss of business • Fines, lawsuits, headlines • Unbudgeted expenses – Breach costs currently estimated at around $190 per record exposed* – 5,263 records = $1 million hit *Ponemon Institute
Trojan terminates escrow firm • $1.1 million wired to China and could not be retrieved • Firm was closed by state law, now in receivership, 9 people out of a job • So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?
A well-trained workforce • Knows not to click on suspicious links in email or social media • Knows to report strange activity (e.g. the two-factor authentication not working) • Knows to scan all incoming files for malware – Email, USB drives
Does training make a difference? • Yes • A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education* *A bunch of different studies in recent years
Security training or awareness • What’s the difference? • Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely • Awareness makes sure all people at all levels know what to look out for
Not that kind of actor… Do your employees know what motivates bad actors? IMPACTADVANTAGEMONEY CREDENTIALS
Do you know how the bad guys operate?
Taken to exploit site Malware server Popular Attack Technique !?**! User clicks a link Gets infected/owned Command & Control
• RAT has full access to victim PC • And its network connections • Search and exfiltrate files • Access to webcam and audio • Scrape passwords • Execute system functions • Chat with victim
What happens next?
So how do we move forward?
The road map: A B C D E F • Assess your assets, risks, resources • Build your policy • Choose your controls • Deploy controls • Educate employees, execs, vendors • Further assess, audit, test A B C D E F F E D C B A Technology
Assess assets, risks, resources • Assets: digital, physical – If you don’t know what you’ve got you can’t protect it! • Risks – Who or what is the threat? • Resources – In house, hired, partners, vendors, trade groups, associations
Build your policy • Security begins with policy • Policy begins with C-level buy-in • High-level commitment to protecting the privacy and security of data • Then a set of policies that spell out the protective measures, the controls that will be used
Choose controls to enforce policies • For example: – Policy: Only authorized employees can access sensitive data – Controls: • Require identification and authentication of all employees via unique user name and password • Limit access through application(s) by requiring authentication • Log all access
Deploy controls, ensure they work • Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam) • Test control – Does it work technically? – Does it “work” with your work? – Can employees work it?
Educate everyone • Everyone needs to know – What the security policies are – How to comply with them through proper use of controls • Pay attention to any information- sharing relationships – Vendors, partners, even clients • Clearly state consequences of failure to comply
Who gets trained? • Everyone, but not in the same way, break it down: – All-hands training – IT staff training – Security staff training
How to deliver training • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
Incentives? • Yes! • To launch programs, push agendas • Prizes do work • But also make security part of every job description and evaluation
Use your internal organs • Of communication! • Newsletter • Intranet • Bulletin board • Meetings • Company-wide email
How to do awareness • Make it fun • Make it relevant • Leverage the news • Bear in mind that everyone benefits from greater awareness, at work and at home
Resources to tap • Industry associations • FS-ISAC, NH-ISAC, others • CompTIA, SBA, BBB • ISSA, ISACA, SANS, (ISC)2 • Local colleges and universities • Securing Our eCity
Need more motivation? • Security training is the law – HIPAA – Red Flag Identity Theft Prevention – Gramm-Leach-Bliley, Sarbanes-Oxley – FISMA • Or required by industry – PCI Data Security Standard
Or just plain required • To get that big juicy contract • Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
Further assess, audit, test… • This is a process, not a project • Lay out a plan to assess security on a periodic basis • Stay up-to-date on emerging threats • Stay vigilant around change such as arrivals, departures, functionality A B C D E F F E D C B A
Backup and archive Firewall and scan: Incoming traffic emails files devices media Encrypt Monitor Filter and monitor outbound Authenticate users The Technology Slide
Thank you! • stephen.cobb@eset.com • WeLiveSecurity.com • www.eset.com • More info in the lobby

More Related Content

PPTX
Cyber Security Awareness Session for Executives and Non-IT professionals
byKrishna Srikanth Manda
 
PDF
Employee Security Awareness Program
bydavidcurriecia
 
PPTX
Cyber Security Awareness Program.pptx
byDinesh582831
 
PDF
Customer information security awareness training
byAbdalrhmanTHassan
 
PPTX
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
PPT
End User Security Awareness Presentation
byCristian Mihai
 
PDF
Cybersecurity Employee Training
byPaige Rasid
 
PPT
New Hire Information Security Awareness
byhubbargf
 
Cyber Security Awareness Session for Executives and Non-IT professionals
byKrishna Srikanth Manda
 
Employee Security Awareness Program
bydavidcurriecia
 
Cyber Security Awareness Program.pptx
byDinesh582831
 
Customer information security awareness training
byAbdalrhmanTHassan
 
Employee Awareness in Cyber Security - Kloudlearn
byKloudLearn
 
End User Security Awareness Presentation
byCristian Mihai
 
Cybersecurity Employee Training
byPaige Rasid
 
New Hire Information Security Awareness
byhubbargf
 

What's hot

PPSX
Security Awareness Training
byWilliam Mann
 
PPTX
Cybersecurity Awareness Training
byDave Monahan
 
PPTX
Information Security Awareness Training Open
byFred Beck MBA, CPA
 
PDF
End-User Security Awareness
bySurya Bathulapalli
 
PPT
Employee Security Training[1]@
byR_Yanus
 
PDF
Security Awareness Training
byDmitriy Scherbina
 
PDF
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
PPT
IT Security Awareness-v1.7.ppt
byOoXair
 
PPTX
Security Awareness Training.pptx
byMohammedYaseen638128
 
PPTX
Hyphenet Security Awareness Training
byJen Ruhman
 
PDF
Best Practices for Security Awareness and Training
byKimberly Hood
 
PDF
Cybersecurity Awareness Training Presentation v2024.03
byDallasHaselhorst
 
PDF
14 tips to increase cybersecurity awareness
byMichel Bitter
 
PPTX
Awareness Training on Information Security
byKen Holmes
 
PPTX
Security awareness
byJosh Chandler
 
PPTX
Information Security Awareness
bySnapComms
 
PPTX
Information security
byavinashbalakrishnan2
 
PPTX
Information security awareness - 101
bymateenzero
 
PPTX
Employee Security Awareness Training
byDenis kisina
 
PPTX
Basic Security Training for End Users
byCommunity IT Innovators
 
Security Awareness Training
byWilliam Mann
 
Cybersecurity Awareness Training
byDave Monahan
 
Information Security Awareness Training Open
byFred Beck MBA, CPA
 
End-User Security Awareness
bySurya Bathulapalli
 
Employee Security Training[1]@
byR_Yanus
 
Security Awareness Training
byDmitriy Scherbina
 
Cybersecurity Awareness Training Presentation v1.3
byDallasHaselhorst
 
IT Security Awareness-v1.7.ppt
byOoXair
 
Security Awareness Training.pptx
byMohammedYaseen638128
 
Hyphenet Security Awareness Training
byJen Ruhman
 
Best Practices for Security Awareness and Training
byKimberly Hood
 
Cybersecurity Awareness Training Presentation v2024.03
byDallasHaselhorst
 
14 tips to increase cybersecurity awareness
byMichel Bitter
 
Awareness Training on Information Security
byKen Holmes
 
Security awareness
byJosh Chandler
 
Information Security Awareness
bySnapComms
 
Information security
byavinashbalakrishnan2
 
Information security awareness - 101
bymateenzero
 
Employee Security Awareness Training
byDenis kisina
 
Basic Security Training for End Users
byCommunity IT Innovators
 

Viewers also liked

PDF
Cyber security awareness for students
byKandarp Shah
 
PPTX
Cyber crime and security ppt
byLipsita Behera
 
PPTX
Cyber security presentation
byBijay Bhandari
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
PPT
Computer Malware
byaztechtchr
 
PPTX
Cyber security
bySiblu28
 
PPTX
Cybercrime.ppt
byAeman Khan
 
PPT
Employee Security Awareness Program
byCommLab India – Rapid eLearning Solutions
 
PDF
Trustwave Cybersecurity Education Catalog
byTrustwave
 
PDF
Security Awareness Training
byDaniel P Wallace
 
PPS
Physical security.ppt
byFaheem Ul Hasan
 
PPTX
ISO 27001 - information security user awareness training presentation - Part 1
byTanmay Shinde
 
PPTX
Social Media Cyber Security Awareness Briefing
byDepartment of Defense
 
PPT
Introduction to Cyber Security
byStephen Lahanas
 
PPTX
Cyber Awareness presentation for Parents
bylisluandaprimary
 
PPT
Cyber security awareness training by cyber security infotech(csi)
byCyber Security Infotech
 
PPTX
ISO 27001 - information security user awareness training presentation -part 2
byTanmay Shinde
 
Cyber security awareness for students
byKandarp Shah
 
Cyber crime and security ppt
byLipsita Behera
 
Cyber security presentation
byBijay Bhandari
 
INFORMATION SECURITY
byAhmed Moussa
 
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
Computer Malware
byaztechtchr
 
Cyber security
bySiblu28
 
Cybercrime.ppt
byAeman Khan
 
Employee Security Awareness Program
byCommLab India – Rapid eLearning Solutions
 
Trustwave Cybersecurity Education Catalog
byTrustwave
 
Security Awareness Training
byDaniel P Wallace
 
Physical security.ppt
byFaheem Ul Hasan
 
ISO 27001 - information security user awareness training presentation - Part 1
byTanmay Shinde
 
Social Media Cyber Security Awareness Briefing
byDepartment of Defense
 
Introduction to Cyber Security
byStephen Lahanas
 
Cyber Awareness presentation for Parents
bylisluandaprimary
 
Cyber security awareness training by cyber security infotech(csi)
byCyber Security Infotech
 
ISO 27001 - information security user awareness training presentation -part 2
byTanmay Shinde
 

Similar to Cyber Security 101: Training, awareness, strategies for small to medium sized business

PDF
Information Security Awareness
byNet at Work
 
PDF
Fissea09 mgupta-day3-panel process-program-build-effective-training
bySwati Gupta
 
PPTX
Be More Secure than your Competition: MePush Cyber Security for Small Business
byArt Ocain
 
PPTX
Information Security and your Business
byCyberCon Security Solutions, LLC
 
PPT
sanfranAIG3
byIan Murphy 2500+ all connections welcome
 
PPTX
(2016_01_20)_IS_Management_Basics_LinkedIn
byIan Naumenko, CISSP, CRISC
 
PDF
Maximizing ROI through Security Training (for Developers)
byRochester Security Summit
 
PDF
Фишинг — проклятие или возможность для ИБ?
byPositive Hack Days
 
PPTX
Network Security - What Every Business Needs to Know
bymapletronics
 
PPT
Information Security Seminar
byAcend Corporate Learning
 
PDF
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
ODP
CISSP Week 12
byjemtallon
 
PPTX
Role-Based Security-Training benefit for organizations
byCWambugu
 
PDF
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
PDF
Security Training: Making your weakest link the strongest - CircleCityCon 2017
byAaron Hnatiw
 
PPTX
Human Factors_MODULE_2.pptx
byShreeveni
 
PPTX
Security Transformation
byFaisal Yahya
 
PPTX
Security Awareness and Training
byPriyank Hada
 
PPTX
10 Components of Business Cyber Security
byComodo SSL Store
 
Information Security Awareness
byNet at Work
 
Fissea09 mgupta-day3-panel process-program-build-effective-training
bySwati Gupta
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
byArt Ocain
 
Information Security and your Business
byCyberCon Security Solutions, LLC
 
sanfranAIG3
byIan Murphy 2500+ all connections welcome
 
(2016_01_20)_IS_Management_Basics_LinkedIn
byIan Naumenko, CISSP, CRISC
 
Maximizing ROI through Security Training (for Developers)
byRochester Security Summit
 
Фишинг — проклятие или возможность для ИБ?
byPositive Hack Days
 
Network Security - What Every Business Needs to Know
bymapletronics
 
Information Security Seminar
byAcend Corporate Learning
 
Event Presentation: Cyber Security for Industrial Control Systems
byInfonaligy
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
CISSP Week 12
byjemtallon
 
Role-Based Security-Training benefit for organizations
byCWambugu
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
Security Training: Making your weakest link the strongest - CircleCityCon 2017
byAaron Hnatiw
 
Human Factors_MODULE_2.pptx
byShreeveni
 
Security Transformation
byFaisal Yahya
 
Security Awareness and Training
byPriyank Hada
 
10 Components of Business Cyber Security
byComodo SSL Store
 

More from Stephen Cobb

PPTX
advancing accurate and objective cyber crime metrics
byStephen Cobb
 
PPTX
Towards an international who-cares-ometer for cyber crime
byStephen Cobb
 
PPTX
Staying ahead of cyber crime, cyber security awareness for consumers
byStephen Cobb
 
PPTX
Improving Cyber-Risk Analysis and Communication: 4 fresh ideas
byStephen Cobb
 
PPTX
Cybercrime-as-health-crisis-shared.pptx
byStephen Cobb
 
PPTX
Cybersecurity Risk Perception and Communication
byStephen Cobb
 
PPTX
What Makes a Good CISO
byStephen Cobb
 
PDF
Sizing the Cyber Skills Gap
byStephen Cobb
 
PPTX
Security and Wearables: Success starts with security
byStephen Cobb
 
PDF
The Hacking Team Hack: Lessons Learned for Enterprise Security
byStephen Cobb
 
PPTX
How to assess and manage cyber risk
byStephen Cobb
 
PPTX
Cybercrime and the Hidden Perils of Patient Data
byStephen Cobb
 
PPTX
Cybersecurity for the non-technical
byStephen Cobb
 
PPTX
The mobile health IT security challenge: way bigger than HIPAA?
byStephen Cobb
 
PPTX
2015: The year-ahead-in-cyber-security
byStephen Cobb
 
PPTX
NCSAM = Cyber Security Awareness Month: Trends and Resources
byStephen Cobb
 
PPTX
Using Technology and People to Improve your Threat Resistance and Cyber Security
byStephen Cobb
 
PPTX
The Evolution of Cybercrime
byStephen Cobb
 
PPT
HIPAA, Privacy, Security, and Good Business
byStephen Cobb
 
PPTX
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
byStephen Cobb
 
advancing accurate and objective cyber crime metrics
byStephen Cobb
 
Towards an international who-cares-ometer for cyber crime
byStephen Cobb
 
Staying ahead of cyber crime, cyber security awareness for consumers
byStephen Cobb
 
Improving Cyber-Risk Analysis and Communication: 4 fresh ideas
byStephen Cobb
 
Cybercrime-as-health-crisis-shared.pptx
byStephen Cobb
 
Cybersecurity Risk Perception and Communication
byStephen Cobb
 
What Makes a Good CISO
byStephen Cobb
 
Sizing the Cyber Skills Gap
byStephen Cobb
 
Security and Wearables: Success starts with security
byStephen Cobb
 
The Hacking Team Hack: Lessons Learned for Enterprise Security
byStephen Cobb
 
How to assess and manage cyber risk
byStephen Cobb
 
Cybercrime and the Hidden Perils of Patient Data
byStephen Cobb
 
Cybersecurity for the non-technical
byStephen Cobb
 
The mobile health IT security challenge: way bigger than HIPAA?
byStephen Cobb
 
2015: The year-ahead-in-cyber-security
byStephen Cobb
 
NCSAM = Cyber Security Awareness Month: Trends and Resources
byStephen Cobb
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
byStephen Cobb
 
The Evolution of Cybercrime
byStephen Cobb
 
HIPAA, Privacy, Security, and Good Business
byStephen Cobb
 
Malware is Called Malicious for a Reason: The Risks of Weaponizing Code
byStephen Cobb
 

Recently uploaded

PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
In this document
Powered by AI

Introduction to security training by Stephen Cobb, emphasizing awareness and strategies.

Small and medium businesses are targets due to valuable assets and inadequate protection.

Many organizations rely on user computers without proper security training, leading to vulnerabilities.

68% of U.S. consumers and working adults report no computer security training received.

73% of social media users lack online safety training, indicating widespread training gaps.

93% of adults without recent training can lead to significant business risks and costs, quantified at $190 per record.

Example of a Trojan attack resulting in $1.1 million loss, highlighting the need for preventive measures.

A well-trained workforce is essential for preventing security breaches through informed user behaviors.

Emphasizes that proper security training can substantially minimize issues related to cyber threats.

Differentiation between training (skill-building) and awareness (general knowledge) in cybersecurity.

Employees must understand the motivations behind cybercriminals to better protect against threats.

Illustration of user vulnerabilities leading to malware infections through clicking on harmful links.

Details on what malware can do once it gains access, including theft and surveillance.

Introduction to a roadmap for improving security measures within organizations.

A structured approach to assessing risk, building policies, and deploying controls for security.

Importance of identifying digital and physical assets to prioritize security measures.

Creating security policies requires commitment from leadership to ensure data protection measures.

Controls must be implemented to enforce security policies, ensuring authorized access.

Testing ensures effectiveness of security controls and compatibility with operational practices.

Education is vital; all staff must understand security policies and share accountability.

Security training should be adapted based on employee roles to maximize effectiveness.

Utilize various creative delivery methods for effective security training, combining in-person and online.

Incentives can enhance participation in security training programs, making security integral to job roles.

Internal communication tools should be used to promote security awareness among employees.

Awareness initiatives should be fun and relevant, demonstrating benefits for both work and home.

Various industry resources to support security training and awareness programs are available.

Security training compliance is mandated by law and necessary for industry standards.

Companies may require supplier certifications for security training to maintain business relationships.

Continuous monitoring and assessment of security practices are crucial to adapt to new threats.

Overview of key technologies such as backups and firewalls to protect organizational data.

Closing remarks with contact details for further inquiries and additional resources.

Cyber Security 101: Training, awareness, strategies for small to medium sized business

  • 1.
    Security 101 Training, awareness,and strategies Stephen Cobb, CISSP Senior Security Researcher ESET NA
  • 2.
    The SMB SweetSpot for the cyber-criminally inclined Enterprises SMB “Sweet Spot” Consumers Assets worth looting Level of protection
  • 3.
    The challenge • Organizationsof every type rely on computers to handle information • Everyone today is a computer user • Most have no security training • Lack of security training leads to problems
  • 4.
    How big isthe challenge We asked U.S. consumers if they had ever received any computer security training No: 68% Yes: 32% *Savitz Research for ESET, 2012
  • 5.
    68% is sadlyconsistent We asked working adults in the U.S. if they had ever received any computer security training No: 68% Yes: 32% *Harris poll for ESET, 2012
  • 6.
    73% is evenworse We asked adults in U.S. who use social media if they had ever received online safety training No: 73% Yes: 27% *Harris poll for ESET, 2012
  • 7.
    Security training isnot yet part of our society* • This has serious implications for your business • 93% of American adults say they’ve had no computer security training in the last 12 months • How many of them work for you, or for your clients, suppliers, etc? *Savitz Research for ESET, 2012
  • 8.
    Some problems thatlack of security training can cause • Unauthorized access to information • Loss of access to information • Loss of information • Corruption of information • Theft of information
  • 9.
    The implications arenon-trivial • Loss of revenue • Loss of business • Fines, lawsuits, headlines • Unbudgeted expenses – Breach costs currently estimated at around $190 per record exposed* – 5,263 records = $1 million hit *Ponemon Institute
  • 10.
    Trojan terminates escrowfirm • $1.1 million wired to China and could not be retrieved • Firm was closed by state law, now in receivership, 9 people out of a job • So what’s the best weapon for keeping that kind of Trojan code out of your company’s system?
  • 11.
    A well-trained workforce •Knows not to click on suspicious links in email or social media • Knows to report strange activity (e.g. the two-factor authentication not working) • Knows to scan all incoming files for malware – Email, USB drives
  • 12.
    Does training makea difference? • Yes • A significant percentage of problems can be averted, or their impact minimized, if more employees get better security training and education* *A bunch of different studies in recent years
  • 13.
    Security training orawareness • What’s the difference? • Training makes sure people at different levels of IT engagement have the right knowledge to execute their roles securely • Awareness makes sure all people at all levels know what to look out for
  • 14.
    Not that kindof actor… Do your employees know what motivates bad actors? IMPACTADVANTAGEMONEY CREDENTIALS
  • 15.
    Do you knowhow the bad guys operate?
  • 16.
    Taken to exploitsite Malware server Popular Attack Technique !?**! User clicks a link Gets infected/owned Command & Control
  • 19.
    • RAT hasfull access to victim PC • And its network connections • Search and exfiltrate files • Access to webcam and audio • Scrape passwords • Execute system functions • Chat with victim
  • 20.
  • 24.
    So how dowe move forward?
  • 25.
    The road map:A B C D E F • Assess your assets, risks, resources • Build your policy • Choose your controls • Deploy controls • Educate employees, execs, vendors • Further assess, audit, test A B C D E F F E D C B A Technology
  • 26.
    Assess assets, risks,resources • Assets: digital, physical – If you don’t know what you’ve got you can’t protect it! • Risks – Who or what is the threat? • Resources – In house, hired, partners, vendors, trade groups, associations
  • 27.
    Build your policy •Security begins with policy • Policy begins with C-level buy-in • High-level commitment to protecting the privacy and security of data • Then a set of policies that spell out the protective measures, the controls that will be used
  • 28.
    Choose controls toenforce policies • For example: – Policy: Only authorized employees can access sensitive data – Controls: • Require identification and authentication of all employees via unique user name and password • Limit access through application(s) by requiring authentication • Log all access
  • 29.
    Deploy controls, ensurethey work • Put control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam) • Test control – Does it work technically? – Does it “work” with your work? – Can employees work it?
  • 30.
    Educate everyone • Everyoneneeds to know – What the security policies are – How to comply with them through proper use of controls • Pay attention to any information- sharing relationships – Vendors, partners, even clients • Clearly state consequences of failure to comply
  • 31.
    Who gets trained? •Everyone, but not in the same way, break it down: – All-hands training – IT staff training – Security staff training
  • 32.
    How to delivertraining • In person • Online • On paper • In house • Outside contractor • Mix and match • Be creative
  • 33.
    Incentives? • Yes! • Tolaunch programs, push agendas • Prizes do work • But also make security part of every job description and evaluation
  • 34.
    Use your internalorgans • Of communication! • Newsletter • Intranet • Bulletin board • Meetings • Company-wide email
  • 35.
    How to doawareness • Make it fun • Make it relevant • Leverage the news • Bear in mind that everyone benefits from greater awareness, at work and at home
  • 36.
    Resources to tap •Industry associations • FS-ISAC, NH-ISAC, others • CompTIA, SBA, BBB • ISSA, ISACA, SANS, (ISC)2 • Local colleges and universities • Securing Our eCity
  • 37.
    Need more motivation? •Security training is the law – HIPAA – Red Flag Identity Theft Prevention – Gramm-Leach-Bliley, Sarbanes-Oxley – FISMA • Or required by industry – PCI Data Security Standard
  • 38.
    Or just plainrequired • To get that big juicy contract • Many companies now require suppliers to certify that they have security training and awareness programs in place as a condition of doing business
  • 39.
    Further assess, audit,test… • This is a process, not a project • Lay out a plan to assess security on a periodic basis • Stay up-to-date on emerging threats • Stay vigilant around change such as arrivals, departures, functionality A B C D E F F E D C B A
  • 40.
    Backup and archive Firewall andscan: Incoming traffic emails files devices media Encrypt Monitor Filter and monitor outbound Authenticate users The Technology Slide
  • 41.
    Thank you! • stephen.cobb@eset.com •WeLiveSecurity.com • www.eset.com • More info in the lobby