Hacking the Human
How Secure Is Your Organization?
April 23, 2015
CBIZ MHM, LLC – Kansas City
Agenda
• Social Engineering
– Targets, Costs, Frequency
– Real Life Examples
– Mitigating Risks
– Internal Programs
• Data Security & Privacy Liability
– Cyber Liability
– Cyber Insurance
– Financial Impact
– Key Coverage Components
– Checklist for Assessing your Level of Cyber Risk
Social Engineering
The Art of Hacking the Human
1) The clever manipulation of the natural human tendency to trust.
2) Manipulating people into willingly doing something rather than by
breaking in using technical or brute force means.
3) The act of manipulating a person to take an action that may or may
not be in the target’s best interest. ~ Chris Hadnagy
4) The art of intentionally manipulating behavior using specially
crafted communication techniques. ~ Gavin Watson
What Is Social Engineering?
Motivations for Social Engineering Attacks (share of respondents)
– Financial gain: 51%
– Access to proprietary information: 46%
– Competitive advantage: 40%
– Revenge or personal vendetta: 14%
– Other: 4%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
• Sensitive Personally Identifiable Information
• System usernames and passwords
• High-value assets
• Trade secrets and proprietary information
Social Engineering Targets
Typical Cost Per Social Engineering Incident
(share of respondents: all companies / companies with more than 5,000 employees)
– Less than $10,000: 38% / 32%
– $10,000 - $25,000: 14% / 12%
– $25,000 - $50,000: 16% / 13%
– $50,000 - $100,000: 13% / 13%
– More than $100,000: 19% / 30%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Frequency of Social Engineering Attacks Over 2-year Period
(share of respondents: all companies / companies with more than 5,000 employees)
– Less than 5 times: 32% / 20%
– 5 - 24: 36% / 32%
– 25 - 50: 20% / 15%
– More than 50 times: 12% / 33%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
• Dumpster diving
– Company directory and phone list with email addresses.
– Client sensitive personally identifiable information.
– Employee usernames and passwords to company systems.
– Company policies, procedures, systems, vendors.
– Vertical cut shred in trash bag in dumpster.
– Hand torn documents in trash in dumpster.
An Attack In Action – Stories and Examples
• Email phishing
– New paid time off policy and tracking system.
– Obtain a false website address.
– Create a mirror image false website.
– Use employee directory from dumpster to email false link to website.
– Require Windows login to gain access.
– Ask employees to update paid time off balances and requests.
• Provide personal incentive to click the link.
An Attack In Action – Stories and Examples
https://www.principal.com/
https://www.princlpal.com/
Fake Web Address Example
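The lookalike address above (an "l" standing in for the "i" of principal.com) is the kind of link a mail gateway or link-rewriting proxy can flag before an employee clicks. The following is an added example, not code from the deck or from CBIZ; the allowlist of legitimate domains, the confusable-character table and the sample message are constructed assumptions.

```python
"""Lookalike-domain check for the fake web address pattern on the slide
(https://www.principal.com/ versus https://www.princlpal.com/).

Added example, not part of the original deck. LEGIT_DOMAINS, CONFUSABLES and
SAMPLE_MESSAGE are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: domains the organization knows to be legitimate.
LEGIT_DOMAINS = sorted({"principal.com", "cbiz.com"})

# Constructed (partial) table of characters that look alike in common fonts.
# "l" vs "i" is the pair used by princlpal.com; digits cover 0/o, 1/i, 5/s, 3/e.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(url: str) -> str:
    """Return the last two labels of the URL's hostname, e.g. 'princlpal.com'.

    Assumption: two-label public suffixes such as co.uk are out of scope here.
    """
    host = (urlparse(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(domain: str) -> str:
    """Collapse confusable characters so 'princlpal.com' matches 'principal.com'."""
    return domain.lower().translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (verdict, registrable_domain, matched_legit_domain_or_None)."""
    host = (urlparse(url).hostname or "").lower().strip(".")
    domain = registrable_domain(url)
    if domain in LEGIT_DOMAINS:
        return ("legitimate", domain, domain)
    for legit in LEGIT_DOMAINS:
        # A trusted name used as a subdomain of an unrelated registrable domain.
        if f".{legit}." in f".{host}.":
            return ("subdomain-spoof", domain, legit)
    for legit in LEGIT_DOMAINS:
        # Same skeleton, different spelling: a homoglyph substitution.
        if skeleton(domain) == skeleton(legit):
            return ("homoglyph", domain, legit)
    for legit in LEGIT_DOMAINS:
        # One insertion, deletion or substitution away from a trusted name.
        if levenshtein(domain, legit) <= 1:
            return ("typosquat", domain, legit)
    return ("unknown", domain, None)


def scan_message(text: str) -> list:
    """Classify every link in a message; return the ones that are not legitimate."""
    findings = []
    for url in URL_RE.findall(text):
        verdict = classify(url)
        if verdict[0] != "legitimate":
            findings.append(verdict)
    return findings


# Constructed sample message modelled on the slide's paid-time-off pretext.
SAMPLE_MESSAGE = (
    "The new paid time off tracking system is live. Update your balance at "
    "https://www.princlpal.com/pto before Friday. The policy itself remains at "
    "https://www.principal.com/policies for reference."
)

if __name__ == "__main__":
    for verdict, domain, legit in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict}: {domain} (resembles {legit})")
```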
• Pretexting, Baiting, and Piggy-backing
– Impersonate telecom, janitorial, security personnel, employees.
– Drop a CD or USB thumb drive with a creative label.
– Follow employees through secured doors.
– Develop rapport and level of comfort.
An Attack In Action – Stories and Examples
Social Engineering Threats To Organizations (share of respondents)
– Lack of Employee Awareness: 56%
– Phishing: 21%
– Criminals: 12%
– Other: 6%
– Vishing: 5%
Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading
Risk of Falling for Social Engineering Attack (share of respondents)
– New employees: 60%
– Contractors: 44%
– Executive assistants: 38%
– Human resources: 33%
– Business leaders: 32%
– IT personnel: 23%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research
Social engineering attacks cannot be prevented—only
mitigated and deterred.
• Policies
– Employees are not allowed to divulge information.
– Prevents employees from being socially pressured or tricked.
– Policies MUST be enforced to be effective.
• Training
– User awareness—user knows giving out information is bad.
Mitigating A Social Engineering Attack
• Password management
• Physical security
• Network defenses may only temporarily repel attacks.
– Virus protection
– Email attachment scanning
– Firewalls, etc.
– Intrusion detection system and intrusion protection system
– Encrypted data at rest
• Security must be tested and updated periodically.
Mitigating A Social Engineering Attack
• Social engineering testing
– IMPORTANT! This is strictly intended to be a learning tool for the
organization—not a punishment for individual employees.
– Who should consider testing?
– Have the tester attempt to acquire information from employees
using social engineering techniques.
• Attack strategically targeted areas of the organization.
– May include technical testing of malware and other abnormalities.
– What a tester legally cannot do.
Mitigating A Social Engineering Attack
Develop Internal Programs
Information Security Program
The written plan created and implemented by the
organization to identify and control risks to information and
information systems and to properly dispose of information.
Security Awareness Program
Security awareness reflects an organization’s attitude
toward protecting the physical and intellectual assets of an
organization. This attitude guides the approach used to
protect those assets.
• When assessing the weakest link, the human factor is very critical
when protecting sensitive information and valuable assets.
• Social engineering testing is an effective method commonly used to
assess the condition of the overall security culture.
• Good habits drive security culture and there are no technologies that
will ever make up for poor security culture.
• Awareness programs, when properly executed, provide knowledge
that instills behavior.
It is better to fail a test in a controlled environment than to be
attacked without knowing how much information will be lost.
Summary
Data Security and
Privacy Liability:
Why Cyber Insurance is No Longer Optional!
Threat Matrix – Where Do We Start?
Threats to Cybersecurity are Decentralized and Diverse
Threats to Cybersecurity:
– Spy and Malware
– Spammers
– Bot-net Operators
– Nation
– Phisher
– Business competitors
– Corporate Espionage
– Terrorist
– Hacker
– Insider
– Criminal Groups
– Human Error
Statistically Speaking
Why Worry?
The most vigilant network security and most
comprehensive privacy policies remain
vulnerable to hackers, rogue employees, social
engineering and human error!
“Dave” is Responsible for 31% of all Losses
Causes of Loss (2013-14)
• Frequency of privacy breaches is on the rise
– 10% increase year over year
• Threats and vulnerabilities are getting dramatically worse.
• More than 47 states, including U.S. territories, have
enacted privacy laws in response to the increased
frequency of privacy breaches.
Why Cyber Insurance?
• Corporate governance requires that organizations address
information technology risks.
• The plaintiffs’ bar is becoming more active in pursuing class
action litigation.
• Contracts may require cyber liability insurance.
• Cyber liability insurance can mitigate the financial impact
on a company.
Why Cyber Insurance?
In the past, small businesses (SMBs) may have been able to
neglect network security with little consequence, but this is
not the case today.
In Symantec’s 2014 Internet Security Threat Report they
found SMBs (defined as having fewer than 250 employees)
accounted for more than half of all targeted attacks (61%) in
2013. This was an 11 percentage point increase from the
previous year.
A “Not So Positive Trend”
You Are At Risk!
• Cost to defend and/or settle:
– Regulatory investigations.
– Unauthorized access or unauthorized use.
– Allegations that malicious code (such as viruses) caused harm to
the data or computer systems of third parties.
– Allegations that an insured’s computer system denied a third party
the ability to conduct transactions.
– Litigation from customers or employees for identity theft.
Financial Impact of a Security/Privacy Breach?
• Cost to investigate and determine the cause of a security
or privacy breach, including computer forensics.
• Cost to hire a public relations or crisis management firm
to mitigate against reputational harm.
• Cost for legal counsel related to privacy and notification
laws.
Financial Impact of a Security/Privacy Breach?
Example: 2,500 records times $201 equals $502,500
just in notification costs!!
Key Coverage Components
The following are the essential coverages
when putting together a comprehensive
cyber liability policy…
• Provides liability coverage for damages and claim
expenses arising out of an actual or alleged act, error or
omission resulting in:
– The failure to prevent unauthorized access to or use of a system that
results in:
• The destruction, deletion or corruption of electronic data;
• Theft or loss of data; or
• Denial of service attacks against Internet sites or computers.
Network Security Liability
• The inability of a third party, who is authorized to do so, to
gain access to your system.
• The failure to prevent transmission of Malicious Code
from your system to third-party computers and systems.
Network Security Liability
• Provides liability coverage if an insured fails to protect
electronic or non-electronic private or confidential
information in their care, custody and control.
• Provides coverage for defense expenses, and in some
cases penalties/fines, incurred from a regulatory
proceeding resulting from a violation of a privacy law
caused by a covered security breach.
Privacy Liability and Privacy Regulatory Proceeding
• Covers crisis management, including credit monitoring
services and public relations expenses incurred resulting
from a security or privacy breach. Also pays costs of
notifying consumers as required by various state, federal
or international laws or regulations.
Breach Response Expenses
• Covers the insured for Intellectual Property (copyright
infringement, etc.) and Personal Injury (defamation, etc.)
perils that result from an error or omission in content on
their website. Multimedia coverage is also available.
• Provides coverage for expenses and/or losses incurred
as the result of an extortion threat made against an
insured.
• Provides coverage for business interruption loss and/or
business restoration expense incurred by the insured as
the direct result of a security breach that caused system
failure.
Media Liability/Cyber Extortion/Business Interruption
• Pays the reasonable costs incurred by the insured, in
excess of any normal operating costs, for the restoration
of any data stored.
• Technology E&O and/or certain Miscellaneous
Professional Liability exposures may be combined with
the cyber coverage in one policy.
Data Restoration and Professional Liability
Data Breach or cyber insurance policies are becoming a more
important part of a company’s preparedness plans.
In 2013, only 10% of respondents said their company purchases a
policy. In 2014 the percentage more than doubled to 26%.
Gaining Traction
Final Thoughts
• Anyone who collects, stores (either on their system, a third
party vendor or the cloud) and/or shares customer information
(PII or PHI) has an exposure regardless of industry class or
size.
• Size doesn’t matter!
– “Targets of opportunity” are based on “ease of access” &
likelihood of breach being detected.
• This coupled with the probability of human error or
unintended disclosure can result in significant costs.
QUESTIONS?
Contact Information
Raja Paranjothi
CBIZ Business and Technology
Risk Services
913.234.1869
rparanjothi@cbiz.com
Kyle Konopasek
CBIZ Business and Technology
Risk Services
913.234.1020
kkonopasek@cbiz.com
Damian Caracciolo
CBIZ Risk & Consulting
443.472.8096
dcaracciolo@cbiz.com
Inflation, Interest Rates & the Disruption to CREInflation, Interest Rates & the Disruption to CRE
Inflation, Interest Rates & the Disruption to CRE
 
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
CBIZ Quarterly Manufacturing and Distribution "Hot Topics" Newsletter (May-Ju...
 
Rethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top TalentRethinking Total Compensation to Retain Top Talent
Rethinking Total Compensation to Retain Top Talent
 
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your ExposuresCommon Labor Shortage Risks & Tips to Mitigate Your Exposures
Common Labor Shortage Risks & Tips to Mitigate Your Exposures
 
How the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax FunctionHow the Great Resignation Affects the Tax Function
How the Great Resignation Affects the Tax Function
 
Using Technology to Secure Talent
Using Technology to Secure TalentUsing Technology to Secure Talent
Using Technology to Secure Talent
 
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFOExperienced Consulting Approach Leads Engineering Firm to the Right CFO
Experienced Consulting Approach Leads Engineering Firm to the Right CFO
 
BIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special EditionBIZGrowth Strategies - The Great Resignation Special Edition
BIZGrowth Strategies - The Great Resignation Special Edition
 
Tax incentive alert KS
Tax incentive alert KSTax incentive alert KS
Tax incentive alert KS
 
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
CBIZ Quarterly Commercial Real Estate "Hot Topics" Newsletter (Jan-Feb 2022)
 

Recently uploaded

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 

Recently uploaded (20)

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 

Hacking the Human - How Secure Is Your Organization?

1. Hacking the Human: How Secure Is Your Organization?
April 23, 2015
CBIZ MHM, LLC – Kansas City

2. Agenda
• Social Engineering
– Targets, Costs, Frequency
– Real Life Examples
– Mitigating Risks
– Internal Programs
• Data Security & Privacy Liability
– Cyber Liability
– Cyber Insurance
– Financial Impact
– Key Coverage Components
– Checklist for Assessing your Level of Cyber Risk

3. Social Engineering: The Art of Hacking the Human

4. What Is Social Engineering?
1) The clever manipulation of the natural human tendency to trust.
2) Manipulating people into willingly doing something rather than by breaking in using technical or brute force means.
3) The act of manipulating a person to take an action that may or may not be in the target’s best interest. ~ Chris Hadnagy
4) The art of intentionally manipulating behavior using specially crafted communication techniques. ~ Gavin Watson

5. Motivations for Social Engineering Attacks
Financial gain: 51%
Access to proprietary information: 46%
Competitive advantage: 40%
Revenge or personal vendetta: 14%
Other: 4%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

6. Social Engineering Targets
• Sensitive Personally Identifiable Information
• System usernames and passwords
• High-value assets
• Trade secrets and proprietary information

7. Typical Cost Per Social Engineering Incident
Chart values by cost band, two series in the order extracted (legend: All companies; More than 5,000 employees):
Less than $10,000: 32% / 38%
$10,000 - $25,000: 12% / 14%
$25,000 - $50,000: 13% / 16%
$50,000 - $100,000: 13% / 13%
More than $100,000: 30% / 19%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

8. Frequency of Social Engineering Attacks Over 2-year Period
Chart values by frequency band, two series in the order extracted (legend: All companies; More than 5,000 employees):
Less than 5 times: 20% / 32%
5 - 24: 32% / 36%
25 - 50: 15% / 20%
More than 50 times: 33% / 12%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

9. An Attack In Action – Stories and Examples
• Dumpster diving
– Company directory and phone list with email addresses.
– Client sensitive personally identifiable information.
– Employee usernames and passwords to company systems.
– Company policies, procedures, systems, vendors.
– Vertical cut shred in trash bag in dumpster.
– Hand torn documents in trash in dumpster.

10. An Attack In Action – Stories and Examples
• Email phishing
– New paid time off policy and tracking system.
– Obtain false website address.
– Create a mirror image false website.
– Use employee directory from dumpster to email false link to website.
– Require Windows login to gain access.
– Ask employees to update paid time off balances and requests.
• Provide personal incentive to click the link.

12. An Attack In Action – Stories and Examples
• Pretexting, Baiting, and Piggy-backing
– Impersonate telecom, janitorial, security personnel, employees.
– Drop a CD or USB thumb drive with a creative label.
– Follow employees through secured doors.
– Develop rapport and level of comfort.

13. Social Engineering Threats To Organizations
Lack of Employee Awareness: 56%
Phishing: 21%
Criminals: 12%
Other: 6%
Vishing: 5%
Source: 2014 Poll: Employees Clueless About Social Engineering, InformationWeek-Dark Reading

14. Risk of Falling for Social Engineering Attack
New employees: 60%
Contractors: 44%
Executive assistants: 38%
Human resources: 33%
Business leaders: 32%
IT personnel: 23%
Source: The Risk of Social Engineering on Information Security, Copyright 2011 Dimensional Research

15. Mitigating A Social Engineering Attack
Social engineering attacks cannot be prevented—only mitigated and deterred.
• Policies
– Employees are not allowed to divulge information.
– Prevents employees from being socially pressured or tricked.
– Policies MUST be enforced to be effective.
• Training
– User awareness—user knows giving out information is bad.

16. Mitigating A Social Engineering Attack
• Password management
• Physical security
• Network defenses may only temporarily repel attacks.
– Virus protection
– Email attachment scanning
– Firewalls, etc.
– Intrusion detection system and intrusion protection system
– Encrypted data at rest
• Security must be tested and updated periodically.

17. Mitigating A Social Engineering Attack
• Social engineering testing
– IMPORTANT! This is strictly intended to be a learning tool for the organization—not a punishment for individual employees.
– Who should consider testing?
– Have the tester attempt to acquire information from employees using social engineering techniques.
• Attack strategically targeted areas of the organization.
– May include technical testing of malware and other abnormalities.
– What a tester legally cannot do.

18. Develop Internal Programs
Information Security Program: The written plan created and implemented by the organization to identify and control risks to information and information systems and to properly dispose of information.
Security Awareness Program: Security awareness reflects an organization’s attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets.

19. Summary
• When assessing the weakest link, the human factor is very critical when protecting sensitive information and valuable assets.
• Social engineering testing is an effective method commonly used to assess the condition of the overall security culture.
• Good habits drive security culture, and there are no technologies that will ever make up for poor security culture.
• Awareness programs, when properly executed, provide knowledge that instills behavior.
It is better to fail a test in a controlled environment than to be attacked without knowing how much information will be lost.

20. Data Security and Privacy Liability: Why Cyber Insurance is No Longer Optional!

21. Threat Matrix – Where Do We Start?
Threats to Cybersecurity are Decentralized and Diverse.
Threats to Cybersecurity: Spy and Malware; Spammers; Bot-net Operators; Nation; Phisher; Business competitors; Corporate Espionage; Terrorist; Hacker; Insider; Criminal Groups; Human Error.

23. Why Worry?
The most vigilant network security and most comprehensive privacy policies remain vulnerable to hackers, rogue employees, social engineering and human error!

24. “Dave” is Responsible for 31% of all Losses

25. Causes of Loss (2013-14)

26. Why Cyber Insurance?
• Frequency of privacy breaches is on the rise – 10% increase year over year.
• Threats and vulnerabilities are getting dramatically worse.
• More than 47 states, including U.S. territories, have enacted privacy laws in response to the increased frequency of privacy breaches.

27. Why Cyber Insurance?
• Corporate governance requires that organizations address information technology risks.
• The plaintiffs’ bar is becoming more active in pursuing class action litigation.
• Contracts may require cyber liability insurance.
• Cyber liability insurance can mitigate the financial impact on a company.

28. A “Not So Positive Trend”
In the past, small businesses (SMBs) may have been able to neglect network security with little consequence, but this is not the case today. In Symantec’s 2014 Internet Security Threat Report, SMBs (defined as having fewer than 250 employees) accounted for more than half of all targeted attacks (61%) in 2013. This was an 11 percentage point increase from the previous year.

29. You Are At Risk!

30. Financial Impact of a Security/Privacy Breach?
• Cost to defend and/or settle:
– Regulatory investigations.
– Unauthorized access or unauthorized use.
– Allegations that malicious code (such as viruses) caused harm to the data or computer systems of third parties.
– Allegations that an insured’s computer system denied a third party the ability to conduct transactions.
– Litigation from customers or employees for identity theft.

31. Financial Impact of a Security/Privacy Breach?
• Cost to investigate and determine the cause of a security or privacy breach, including computer forensics.
• Cost to hire a public relations or crisis management firm to mitigate against reputational harm.
• Cost for legal counsel related to privacy and notification laws.
Example: 2,500 records times $201 equals $502,500 just in notification costs!!

32. Key Coverage Components
The following are the essential coverages when putting together a comprehensive cyber liability policy…

33. Network Security Liability
• Provides liability coverage for damages and claim expenses arising out of an actual or alleged act, error or omission resulting in:
– The failure to prevent unauthorized access/use to a system that results in:
• The destruction, deletion or corruption of electronic data;
• Theft or loss of data; or
• Denial of service attacks against Internet sites or computers.

34. Network Security Liability
• The inability of a third party, who is authorized to do so, to gain access to your system.
• The failure to prevent transmission of Malicious Code from your system to third-party computers and systems.

35. Privacy Liability and Privacy Regulatory Proceeding
• Provides liability coverage if an insured fails to protect electronic or non-electronic private or confidential information in their care, custody and control.
• Provides coverage for defense expenses, and in some cases penalties/fines, incurred from a regulatory proceeding resulting from a violation of a privacy law caused by a covered security breach.

36. Breach Response Expenses
• Covers crisis management, including credit monitoring services and public relations expenses incurred resulting from a security or privacy breach. Also pays costs of notifying consumers as required by various state, federal or international laws or regulations.

37. Media Liability/Cyber Extortion/Business Interruption
• Covers the insured for Intellectual Property (copyright infringement, etc.) and Personal Injury (defamation, etc.) perils that result from an error or omission in content on their website. Multimedia coverage is also available.
• Provides coverage for expenses and/or losses incurred as the result of an extortion threat made against an insured.
• Provides coverage for business interruption loss and/or business restoration expense incurred by the insured as the direct result of a security breach that caused system failure.

38. Data Restoration and Professional Liability
• Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored.
• Technology E&O and/or certain Miscellaneous Professional Liability exposures may be combined with the cyber coverage in one policy.

39. Gaining Traction
Data breach or cyber insurance policies are becoming a more important part of a company’s preparedness plans. In 2013, only 10% of respondents said their company purchases a policy. In 2014 the percentage more than doubled to 26%.

40. Final Thoughts
• Anyone who collects, stores (either on their system, a third party vendor or the cloud) and/or shares customer information (PII or PHI) has an exposure regardless of industry class or size.
• Size doesn’t matter!
– “Targets of opportunity” are based on “ease of access” & likelihood of breach being detected.
• This, coupled with the probability of human error or unintended disclosure, can result in significant costs.

42. Contact Information
Raja Paranjothi, CBIZ Business and Technology Risk Services, 913.234.1869, rparanjothi@cbiz.com
Kyle Konopasek, CBIZ Business and Technology Risk Services, 913.234.1020, kkonopasek@cbiz.com
Damian Caracciolo, CBIZ Risk & Consulting, 443.472.8096, dcaracciolo@cbiz.com

Editor's Notes

  1. There are many words to define what social engineering is, and they are all satisfactory, but my favorite is simply stated: The clever manipulation of the natural human tendency to trust. It is important to point out that social engineering does not use force of any kind to gain access to the target and rarely uses any sort of technical advantage to reach a target. Social engineering is often the first method of attack chosen by hackers en route to a cybersecurity attack. That is the element that you almost never read about when you hear about the Target, Home Depot, and Blue Cross Anthem information security breaches—what role social engineering played to develop the attack. Why is that? Most likely because the social engineering phase of the attack went undetected.
  2. Why would anyone ever use social engineering to attack a company? What are the top motivators for doing so? It is probably no surprise that financial gain is the top motivator for an attack, but this Dimensional Research survey shows us that access to proprietary information and gaining a competitive advantage also rank very high. These top three motivators show why every organization that has anything to lose and/or protect needs to be cognizant of social engineering attacks.
  3. The cost of a social engineering attack can be significant. According to a 2011 survey by Dimensional Research of 853 companies across the globe, a single social engineering incident left a burden between $10,000 and $25,000 for 62% of all companies surveyed. 48% of those same companies said that an incident cost them between $25,000 and $50,000. Typically, the larger the organization, the more that is at stake, and that can increase the number of records that are available for compromise.
  4. And when you have more than a single social engineering incident, those costs to the organization begin to rise quickly. From the same survey of 853 companies, 68% had more than 5 incidents across a two-year period. Do the math and that is a range of $50,000 to more than $500,000 in total. That doesn’t even quantify the reputation damage that may have been done or account for possible future losses or reductions in revenue as a result. So as you can see, the numbers support how damaging social engineering attacks can be. While the frequency may not be high for all companies, one incident could be very damaging for a small organization.
  5. MICHAEL Much like a successful company, a successful attack usually depends on a strategic plan. Social engineering is really no different. While some attackers may elect only one type of social engineering attack, the more elaborate schemes begin with information gathering. Most of the time, information gathering begins with internet research and may then progress to dumpster diving to develop a more complete understanding of the target. When we talk about finding valuable information through the dumpster diving process, it typically begins with Social Security Numbers, bank account numbers, usernames and passwords, and other sensitive personally identifiable information. However, companies often understate the importance of printed emails, company phone and email lists, schedules, vendor documentation, and new hire information. All of this information is golden to a social engineer. Even if the material has been shredded, it may be possible for the attacker to tape the document back together and still have perfectly valuable information in hand. Multiple times, we have found a bag full of vertically shredded documents in the dumpster. What people don’t think about is that when a vertical cut shredder empties into the bin, all the shredded strips generally stay together in the same area of the bin. It then becomes a matter of having a little patience and time to reassemble those pieces at a remote location. The only type of shredder that anyone should ever own is a “level 4” high security shredder—at a minimum a “level 3” micro cut shredder. The same goes for hand torn documents. Just because you folded the document two or three times before you ripped it to pieces doesn’t make it any more secure. Actually, the fold lines make reassembly easier, as they aid in lining up the torn sides. EXAMPLES Over the years we have found many documents in trash dumpsters. When we first began, we were in utter shock at the kinds of documentation we would find. After a while, though, you begin to get numb when you find customer social security numbers, customer bank account numbers, system usernames and password listings, and other types of sensitive information.
  6. The items found through dumpster diving often lead directly to an email phishing campaign by a real attacker. Armed with a fairly recent employee phone/email listing found in the trash, the attacker has more than he needs to accomplish this task. While certain technical defenses implemented by the company may impede such an attack, just one email that slips through may be all the attacker needs to get one step closer to the target or possibly attain the targeted information. While email phishing is a commonly heard phrase today, spear phishing and vishing are two other methods used by attackers. A spear phishing attack will have the receiver’s name in the email to make it appear more personal—hoping it increases the odds of you clicking the link. Vishing is just phishing via the telephone. It requires a bit more practice and the ability to think quickly, but it enables the attacker to elicit certain responses and information that may be valuable for executing future attacks. EXAMPLES A successful email phishing attack we have used to test employee compliance with policy is the implementation of a new paid time off policy and tracking system. A false website address is obtained by us for a few dollars, and the actual URL will look very similar to the company’s real URL. The false URL directs the person who clicks the link to a false website we also set up, which takes key elements from the company’s real website to make it appear authentic. However, the real hook for the attack is the body of the email where the link to the website is placed. By asking the targeted employee(s) to click the link and read the updated paid time off policy and make sure their vacation accrual and current requests are correct, we have just used the employee(s) to help us install malware on their computer just by clicking the link. And, to access the tracking system, we required the employee(s) to enter their Windows username and password, so now we have valid login credentials to the company network.
  7. Here is an example of how minor changes in website addresses can confuse people and go completely unnoticed. One of these addresses is the actual website address for Principal Financial Group (the middle URL is real) and two are false. To most of us it may seem silly and incomprehensible not to know which one is real and not to easily spot the fakes; however, the attacker is hoping that when the font size is smaller you won’t be able to see it as easily, and that not everyone knows how to spell correctly. Sometimes the false URL is hidden behind the real URL, but you wouldn’t know that unless you carefully hovered the mouse pointer over the link to see where the link is going to send you when clicked.
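The two tricks described in items 6 and 7 (a registered domain that differs from the real one by a character or two, and a link whose visible text shows the real address while the href points elsewhere) can be checked mechanically before a message reaches an inbox. The following script is an added defensive example, not code from the presentation or from CBIZ; the trusted domain example-corp.com and the sample e-mail body are constructed placeholders (the Principal Financial Group addresses shown on the slide are not reproduced), and the "registrable domain" helper is a deliberate simplification that takes the last two labels of a host and ignores multi-part public suffixes such as co.uk.

```python
"""Flag lookalike domains and deceptive links in an e-mail body (defensive check)."""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder: the organisation's own registrable domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps that are hard to see at a small font size; folded before comparing.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Link text that itself looks like an address (the "real URL shown on top" trick).
_DOMAIN_LIKE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def canonical(name: str) -> str:
    """Fold a domain name to roughly what the eye sees: lowercase, no accents, homoglyphs undone."""
    folded = unicodedata.normalize("NFKD", name.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in _SUBSTITUTIONS:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted name is the typo-squatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes such as co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if t in host:  # brand name used as a sub-label of an unrelated registrable domain
            return "lookalike"
        # Threshold is a tuning knob: 2 suits long brand names, too loose for very short ones.
        if levenshtein(canonical(dom), canonical(t)) <= max_distance:
            return "lookalike"
    return "unrelated"


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html: str, trusted=TRUSTED_DOMAINS):
    """Classify every link; visible text naming a different domain than the href is a mismatch."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host, trusted)
        if _DOMAIN_LIKE.fullmatch(text):
            shown = urlparse(text if text.lower().startswith("http") else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                verdict = "text-href-mismatch"
        findings.append({"href": href, "text": text, "host": host, "verdict": verdict})
    return findings


# Constructed sample message in the style of the "new PTO policy" lure (not a real e-mail).
SAMPLE_EMAIL = """
<p>Please review the updated paid time off policy and confirm your accrual:</p>
<a href="https://hr.example-corp.com/pto">https://hr.example-corp.com/pto</a>
<a href="https://hr.exarnple-corp.com/pto">Updated PTO policy</a>
<a href="https://pto-tracking.net/login">https://hr.example-corp.com/pto</a>
<a href="https://example-corp.com.pto-portal.net/login">Sign in to the tracking system</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f"{f['verdict']:<20} {f['host']:<40} text={f['text']!r}")
```

Run against the constructed message, the first link is trusted, the "rn" for "m" swap and the brand-as-subdomain link are reported as lookalikes, and the third link is flagged because its visible text shows the real address while the href goes to an unrelated domain, which is exactly the hover-to-check case the slide describes.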
  8. KYLE With the information gathered through dumpster diving and phishing, the next logical step for an attacker is pretexting. Pretexting is where an invented scenario is used and an in-person attack is exercised. This is the stuff movies are made of—and it is real—and it works. Pretexting can be as simple as piggy-backing or following company employees through a secured door, but it always relies on the attacker’s ability to develop rapport, trick the minds of others, and successfully sell the role—be the person impersonated. This type of attack takes nerve and a calm demeanor—the ability to quickly think on your feet and adjust as needed to remain in the role. Piggy-backing: the cold day, arms full, or left-access-key-at-home routines are often successful and play on people’s emotions of sympathy. Baiting: place a USB thumb drive in an envelope with a creative label and leave it in a conspicuous location. It installs malware when found and inserted. EXAMPLES A highly successful pretext we have used at financial institutions is the roving telecom adapter scenario. We select a telecom vendor, typically the one used by the company, and capture that vendor’s logo from the internet. With the logo, we have created hats, polo shirts, business cards, ID badges, and automobile magnets. With all of those tools in tow, we would rent a white van from City Rent-A-Truck and put the magnet on each side displaying the vendor’s logo. When we arrive at a branch we walk in, not knowing the building layout at all, and find the first person who would seem like a logical choice to approach. Many times it is a teller, but sometimes there is another person sitting at a desk in the lobby. Regardless, our approach is the same: quickly present our fake business card and work order to the target and begin speaking the pretext by introducing who we are and what we need. The idea is to overwhelm the target with enough information so as to confuse them and get them to forget about what they should be doing. And by going into these businesses in pairs, it doubles that impact and makes us appear more legitimate. The pretext went like this: “Good morning, my name is Kyle Konopasek and I am with the XYZ Telecom Commercial Solutions Division. Our company owns the lines coming into the building up to the DEMARC and from there to the roving telecom adapter. We received a work order this morning from our supervisor for your company to check the roving telecom adapters. They were part of a recall last month and we just need to check the last four digits of the serial number to see if yours is part of the recall and put it on the list to be replaced in a couple weeks. We are not changing anything today, just need a couple minutes to look at the serial number and then we will be gone.” The key is to remain calm, speak slowly and clearly, and start developing a rapport with the target. In one instance, the person had a St. Louis Cardinals mini helmet on her desk and a photo of a young child. With that, I was able to start a calming conversation about the Cardinals and her grandson while we waited to see if we would be granted access. By developing this level of rapport, we increase our odds of being granted access. When we are granted access to the telecommunication closet/room, we are almost always granted access to the servers and other in-house technology as they typically share the same space. There was another instance where the bank employees just gave us access to anything we wanted and allowed us to roam all secured areas of the branch with no escort. In this instance, I walked up to an unattended teller drawer that I noticed was open. In that drawer were four large stacks of $20 bills which I could have easily grabbed. They would have eventually noticed, but I would have also been long gone by that time. Aside from the cash, we could have tampered with any of the computers, servers, and surveillance equipment, leading to a much larger attack and damaging results for that bank.
  9. A 2014 poll by InformationWeek’s Dark Reading found that lack of employee awareness is the single biggest social engineering threat to companies. Many organizations will spend millions of dollars on technical defenses against intrusions, but very few put significant dollars and effort behind strong employee awareness.
  10. MICHAEL The Dimensional Research survey cited earlier also provides insight into who in an organization is most vulnerable to a social engineering attack. New employees are the easiest, as they are just learning the internal policies, don’t know who all their co-workers are, and will be reluctant to push back against any request that sounds legitimate. Second most susceptible are vendors and contractors. Unless the company has performed thorough due diligence and has a robust vendor management program, vendors may be an easy way to access valuable information and/or assets from your company. Third highest are executive assistants, primarily because they have access to so much valuable information about the executives they support. It is not that they aren’t capable of protecting information. It is that they are targeted so frequently that for those who do give up information it can be extremely damaging to the company and helpful to the attacker.
  11. Social engineering attacks cannot be prevented—only mitigated and deterred. There are many effective methods to mitigate and reduce the likelihood of the risk of attack, but the best is awareness. Employee awareness is the key to defending against and minimizing the damage from social engineering attacks. Strong policies approved by the board of directors or executive management support the employee awareness approach and reduce pressure on employees because they know they are supported by such documents. But for the policies to have their greatest impact, management must not be afraid to enforce even the smallest policy violations.
  12. Some technical means may be used to help deter email phishing attacks, but as the Dark Reading poll shows, employee awareness is the biggest threat and is the last line of defense when these technical barriers fail. Organizations never truly know how well these defenses work unless they are tested on a regular basis. It is better to test them in a controlled environment than to risk having them fail in a real attack.
  13. KYLE Many times organizations will not have the means or ability to test with internal staff, so they will look outside the organization for assistance. That is when a third party can help out, but it is critical that management view all testing as a learning tool and not a punishment for individual employees who fail or contribute to a failed test. Tests that are failed show where the organization is weak and needs to be improved through employee awareness and possibly enhanced technical means. Testing the organization’s information security policies and procedures with social engineering techniques is a positive exercise that will bring attention to the subject and contribute to the employee awareness plan. Cannot be law enforcement, fire, paramedics, public safety personnel, military, or government officials.
  14. Even the best technical security efforts will fail if the organization has a weak security culture. What are the keys to having a successful security awareness program?
• Understand what security awareness really is.
• C-suite support.
• Partner with key departments.
• Be creative—only so many dollars may be allocated.
• Collect metrics: # people who fall victim to email phishing; # people who secure their desk at EOD; # people using strong passwords.
• Explanation and transparency: explain how employees can do things rather than telling them what not to do.
• 90-day plans.
• Multimodal awareness materials: blogs, newsletters, posters, internet articles—consider the demographic of the audience.
• Incentivized program: security cube with 10 violations—reward employees and “gamify” the program.
  15. No matter how robust an organization’s firewalls, intrusion detection systems, anti-virus/malware software, or other technological and physical safeguards—the human is always the weakest link.