Cybersecurity in the Workplace is Everyone's Business
•Download as PPTX, PDF•
0 likes•255 views
Building a culture of cybersecurity is critical to every organization no matter the size. Join Aaron Cohen, Director of Cyber Security Services, to learn more about how to strengthen your organization’s cyber resiliency.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Cybersecurity in the Workplace is Everyone's Business
Similar to Cybersecurity in the Workplace is Everyone's Business (20)
More from Symantec
More from Symantec (20)
Recently uploaded
Recently uploaded (20)
Cybersecurity in the Workplace is Everyone's Business
- 1. Title Presenter Cybersecurity in the Workplace is Everyone’s Business Aaron Cohen Director of Cyber Security Services, Symantec
- 2. 2Copyright © 2017 Symantec Corporation Attacks are Growing 34% Globally 64% US % of victims that pay ransom Number of people potentially impacted by Equifax breach Reportedly the mistake of one employee In the last 8 years more than 7.1 Billion Identities have been exposed in breaches 145.5 Million Business Email Compromise (BEC) Scams have led to losses of $3 Billion over past 3 years Using carefully crafted spearphishing emails Businesses increasingly impacted by ransomware Malicious Emails are Weapon of Choice 1 in 131 emails are malicious Highest rate in 5 years 30% 2015- 2016 42% 2017 (to date)
- 3. 3Copyright © 2017 Symantec Corporation Eras of the Threat Landscape 1986-1991 Era of Mass Cyber Crime Era of Transition Era of Fame & Glory Era of Discovery 1992-1998 1999-2005 2006-2012 2013-2016 Present Era of Intelligence Era of Cyber Collaboration
- 4. 4Copyright © 2017 Symantec Corporation Today’s Advanced Adversary CYBER CRIME CYBER ESPIONAGE HACKING CYBER WARFARE
- 5. 5Copyright © 2017 Symantec Corporation MONEY POWER INFORMATION Adversary Motivation
- 6. 6Copyright © 2017 Symantec Corporation Most Breaches Involve People Cyber Skills Training and Simulation People are poorly trained People are not motivated People are malicious
- 7. 7Copyright © 2017 Symantec Corporation IDENTIFICATION EDUCATION • Concentrate on the areas that present the biggest threat to any given role • Target risks with focused content specific to the user, their position, and to the organization’s overall goal • All training incorporates learning techniques that ensure maximum comprehension • Role-based training methodology ensures active participation and engagement MEANINGFUL BEHAVIOR CHANGE
- 8. 8Copyright © 2017 Symantec Corporation Prepare All Employees Aaron Cohen Director, Cyber Security Services Symantec Corporation Phone: (555) 123-4567 aaron_cohen@symantec.com Identify External Emails Add Internal Identifiers
- 9. 9Copyright © 2017 Symantec Corporation Provide Interesting Content Non-technical people are your first line of defense Strongest Ally? Weakest Link?
- 10. 10Copyright © 2017 Symantec Corporation Prepare Technical Employees
- 11. 11Copyright © 2017 Symantec Corporation 11 • Annual company- wide event • 7,000+ registrants • Security Innovation, Education, Passion • 30+ countries over five years • Cyber skills development to address the gap • Delivered as SaaS and on-site • One or multi-day Cyber Security Exercise Symantec CyberWar Games
- 12. 12Copyright © 2017 Symantec Corporation Addressing the Skills Gap
- 13. 13Copyright © 2017 Symantec Corporation Supporting the Evolution Advisory • Long-term • Strategic Facilitation • Mid-term • Operational • Selective Managed Services Implementation • Short-term • Tactical SecurityCapabilities Vendor Involvement Build/Operate Vendor Involvement Extend Internal Capabilities Ad-hoc Reactive Proactive Managed Optimising
- 14. 14Copyright © 2017 Symantec Corporation Attacks of Tomorrow Autonomous Vehicles Healthcare Oil & Gas Agriculture Power grids Financial Institutions Global Economies Critical Infrastructure Medical devices Pharma systems Patient records/EMR Trading platforms Monetary transactions Physical access Supply chain Manufacturing Distribution IoT Transportation systems Civilians, military & businesses
- 15. 15Copyright © 2017 Symantec Corporation o Know the Threats o Employ Cyber Hygiene o Partner to Extend Your Team Summary
- 16. 16Copyright © 2017 Symantec Corporation 16Copyright © 2017 Symantec Corporation Questions? Aaron Cohen Aaron_Cohen@Symantec.com
- 17. 17Copyright © 2017 Symantec Corporation o Contact: CyberSkillsDevelopmentSales@symantec.com o Register: Higher Ed Cyber Security Challenge (Oct. 19-20, 2017) o Free Assessment Tool: How Mature are Your Security Operations? o Webinar Recording: “Five Key Habits for Effective Incident Response” o Cyber Guide: “Questions Every CISO Must Answer” o White Paper: 2017 Internet Security Threat Report Resources
Editor's Notes
- Notes: Here’s what’s happened – this is why we are having the conversation today Needs to be updated LINDA Remove GDPR – put Equifax stuff in – change slant from Consequences of attacks over the last 18 months are different than we saw just a few years ago. Seeing attacks at a pace that are truly amazing Marai botnet – weaponization of IoT devices The level of sophistication of threat actor is significant And in world where user is making choices and attacks are more sophisticated than ever – data and analytics matter This is a big buzz word but analytics can truly deliver Analytics can make Security Predictive Most security is forensic and looking to the pass – but in the future with analytics we can learn if something will happen From a SOC perspective it dramatically reduces what they need to do as reduces false positives Analytics allows us to ask only when need to so employee does not get overwhelmed With Mirai could have scanned internet and learned of the incident prior to it being summoned to botnet Ransomware by Destination – Top 5 for Asia, Pacific, and Japan Source: Symantec ISTR Regional Global Country Global Detections 1 2 Japan 9.2% 2 5 India 3.8% 3 9 Australia 2.8% 4 14 Indonesia 1.3% 5 16 China 1.0% Regional Rank: 3 Global Rank: 9 Country: Australia Percentage of all Global Detections: 2.8%
- Here’s the threat landscape – taking a quick step back, here’s where we were – walk people through this slide Have to learn from the past – a lot of these build on each other – what’s old always comes back as new again (ex: Kevin Mitnick and his social engineering from 25 years ago) Cyber Collaboration? Adversaries are professionalized – have teams Nation states are collaborating Underground marketplaces – Need to collaborate as an industry
- Collaboration > Today’s Adversaries (transition from previous slide) This is the WHO slide – who are they? WHY? Adversaries are motivated by different things/reasons WHAT DOES OUR EXPERIENCE TELL US - BATTLE FIELD HAS SHIFTED AND THE MOTIVATIONS HAVE EVOLVED. Adversary motivated by: Money, Power, Information We are focused on the what, when, where and how in addition to the who and why
- Motivations (from previous slides) Money (Hacking/Crime) Lucrative Industry for Hackers Attackers Follow the Money Power (cyber espionage and cyber warfare) Control or Leverage Safety of Citizens and Nations Information > leads you in lots of different directions Trade Secrets & Intellectual Property Digital Value of Assets
- It isn’t that our users are stupid. Here are some common reasons we say our users are stupid: Poor training Not motivated Malicious Number 1 and 2 are most common. Give the story of the USCG. People are inherently good and don’t want bad things to happen to the organization. After all that’s how they get paid. Examples: How do we
- Since most successful attacks involve people > Security training isn’t a one-size-fits-all concept. C-level executives don’t need to have the same things on their radars as IT managers. You need to offer content specifically tailored for different roles in your organization. By approaching security awareness this way, you can move past minimum requirements and into meaningful change. Identify key roles within your organization, and provide those roles with the training courses they need. By doing this, you can concentrate on the areas that present the biggest threat to any given role, allowing you to target risks with focused content. When you mix these specialized modules with basic best practices modules such a building a strong password, you promote meaningful behavior change and increase your organization’s overall security. . You assess major roles within your organization, determined what they need to know, and provide training they can begin to use immediately. My example could be anything from the c-level executives to the HR department. Since time is short today, I am going to talk about the technical users, Developers, Administrators, Security Professionals. Remember them? They need awareness as well, just a different type of awareness. They don’t need literacy training, they need real world training, using the latest threats and vulnerabilities…
- Make it easy for people to not compromise the organization Adding EXT to outside emails Free drop down in O365 for enterprises Ex: Healthcare company Adding special colors/fonts to signature Password expiration (90-days) Password strength enforcement (Alphanumeric, mixed case, 9+ characters, etc) And how do you do this? Provide interesting content.
- Transition > Great that we can put technical controls in place, but we need better content Thinking outside of the box and using better techniques to get users do what we want them to do. Gamification and Making it personal. Security is not an exciting topic unless you’re in the field. This means that training should be more personal, so employees understand the implications and understand the impact they have on data protection. Instead of talking to users about protecting corporate data, try talking about how to protect their financial data – what 2 factor authentication looks like, how it should be done, how do you know what your kids are talking about on SnapChat … while doing the personal stuff, the transition of behavior will come into the corporate side. Ex: Executive Briefing on how to keep families safe at home – changing PW, not clicking on links, recognizing phishing emails > This makes it personal to executives Ex: Teach them how to protect own financial data at home
- Everyone needs basic training – technical employees need that basic training plus more – a whole other layer of training Technical staff need more to make sure they are protecting information and systems Ex: Next slide
- Example of how Symantec prepares our technical audience Talk them through this – we We eat our own dog food: Here is a really good example. Before my company was acquired by Symantec they ran an internal Wargames event- FOR EVERYONE! One attractive reason we joined Symantec. So why do this- In theory Simulation based training can: Enhance technical and functional skills Problem solving and decision making skills Interpersonal and communication skills- team based competencies Find hidden talent Retention In this case not only engage employees with something interesting and different- you keep and identify good talent. This leads to addressing the ever looming skills gap.
- Notes to 3- letter agency example Are you capable of defending your network? Have you thought about ways to find the right people? Do you need outside help? (go to next slide – evolution)
- Key Message: As security operations mature, the need for MSSP or third party doesn’t go away – internal capabilities may shift – leave things that are hard to do internally (like Incident Response) to third party It’s okay to offload things to third parties – focus on the things your team/org is best at – and offload those other things to outside parties
- You may not have resources, etc. Everything I’ve talked about is for one reason – so you are more prepared for attacks of tomorrow that are getting more sophisticate Learn from past – can be leveraged in attacks of tomorrow – we are always looking for next attack horizon – we train our people on these types of attacks in CyberWar Games We need to collaborate with each other – like the adversaries do – internally and externally with third parties If we educate people, we are prepared for what’s next
- Seeded Questions: I don’t have budget – what can I do? We don’t have enough people to do all the work – how do we find the right people to fill the gaps? If it’s everyone’s responsibility … Who’s most important? Where would you start?