How to Cut Phishing Exposure by 85% - TechBytes Thursday, October 22 - Superior Support ...
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
TechBytes
Thursday, October 22
How to Cut Phishing
Exposure by 85%
Thank you for joining us today! Press play!
Thank you for joining us today! Experiencing Technical Issues? • Try to RECONNECT; • Refresh or restart your browser; or • Chat the admin group if possible
Thank you for joining us today!
Chat with us!
Submit questions and comment in
the lower right of your view.
Thank you for joining us today!
Participate!
Answer the polling question
SSR: a trusted technology partner
1996 50+
EST
SSR TEAM IN
BROOKFIELD
24/7
ACTIVE CLIENTS
200 20+ SUPPORT FOR
YOUR TEAM
x2
SOC-1 CERTIFIED
DATA CENTERS
SSR TEAM IN
CHENNAI, INDIA
Security is
everyone’s
responsibility
“In the six months from
January to June,
• COVID-19 forced OverWatch observed
and financed digital more hands-on-
transformation – remote work, keyboard intrusions
ecommerce, automation, and data than were seen
• Crisis will always be exploited throughout all of 2019,”
says CrowdStrike in
• Infrastructure (e.g., antivirus and their 2020 Threat
firewalls) is not enough Hunting Report
Joanna Huisman KnowBe4 SVP Strategic Insights & Research • 20 years of experience in strategic, internal and customer-facing engagements • Financial services/tech industries • Previously senior research director at Gartner in the areas of security awareness, education, behavior management, culture, crisis communications, security and risk program management
Security is Everyone’s
Business
Joanna Huisman
SVP – Strategic Insights &
Research
KnowBe4, Inc.
Image Credit: Universal Studios, 2019
Joanna Huisman
SVP – Strategic Insights
& ResearchAbout KnowBe4
• Founded in 2010, the world’s most popular integrated
new-school Security Awareness Training and Simulated
Phishing platform, over 35,000 customers worldwide
• Recognized as a Leader in the Gartner Magic Quadrant for
Computer-Based Training (CBT) with the highest and
furthest overall position for ability to execute and
completeness of vision and the Forrester Wave.
• Our mission is to train your employees to make smarter
security decisions so you can create a human firewall as an
effective last line of defense when all security software
fails…
Which it will!
121. The Threat Landscape
Agenda 2. Phishing benchmark data by industry
3. Your Security Culture & “Human
Firewall”
131. The Threat Landscape
Agenda 2. Phishing benchmark data by industry
3. Your Security Culture & “Human
Firewall”
14If you discovered burglaries were occurring
in your neighborhood,
what would you do to protect your home?If you discovered cybercriminals were stealing
data from other organizations, what would you
do to protect your organization?The Threat Landscape is
All of Us
All the Time
Everywhere
In All Contexts of LifeCybercriminals rely on phishing because it works…
1891%
of cyber espionage begins with phishing
Source: Trend Micro
95%
of all security incidents involve human error
Source: Security Intelligence
19 19People influence security far more than any technology
or policy. Security leaders must invest in tools that
increase security awareness and influence behavior to
support critical security business objectives through
computer-based training.Traditional awareness efforts are based
on the belief (or hope) that information leads to action.
In other words …
the problem with awareness is that "awareness" does not
automatically result in secure behavior.If You Are Not Preparing For an attack…
You Are Heading Down A Very Ugly Road, Fast
221. The Threat Landscape
Agenda 2. Phishing benchmark data by industry
3. Your Security Culture & “Human
Firewall”
23Social Engineering
25
26
27
28
29
What techniques do hackers use most of the time?
According to our research, around 90% of the emails that are reported to us use social engineering
schemes that have been around for many years.
Bogus online
account
“verifications” or
“updates”What are the bad guys up to this year?
Most • Coronavirus-related attacks – up by 6,000%!
• Google Calendar invites
Interesting • Fake attachments
Phishing •
•
Fake “Trusted Sender” email headers
Online file sharing services…Microsoft Sway,
Techniques Dropbox
31Most Interesting Phishing Techniques: Coronavirus-Related Attacks
• Attacks related to COVID-19
have been increasing
exponentially
• Sophistication has increased
• Target-rich environment
• If you put a pause on training
and phishing your users,
rethink that ASAP!
Copyright KnowBe4 2020
32Phishing templates to use to get ahead
of Coronavirus-related attacks:
• Zoom, GoToMeeting, and other meeting
Phish Better invites…“Your meeting attendees are waiting!”
• Instacart and other grocery delivery
Than the Bad • Teladoc and telemedicine
• Document sharing and digital
Guys signatures…AdobeSign
• Shipping notices…Amazon, FedEx, UPS
331. The phishing problem
Agenda 2. Phishing benchmark data by industry
3. Your Security Culture & “Human
Firewall”
34A security culture lives and breathes within
every organization.
The question is how strong, intentional
and sustainable is your security culture.
And what do you need to do about it?
35Know Your Place and Scope of Influence!
Culture is led from the
very top of the
organization; it doesn't
originate from you or
your group.
36Organizational culture is not the sum of
roles, processes and measurements; it is the
sum of subconscious human behaviors that
people repeat based on prior successes and
collectively held beliefs.
Defining Similarly:
“Culture” Security culture is not (just) related to
"awareness" and "training"; it is the sum of
subconscious human behaviors that people
repeat based on prior experiences and
collectively held beliefs.
37Culture is:
• Shared
• Learned
• Adaptive
• Integrative
• Prescriptive:
• Rules
• Patterns
• Assumptions
• Beliefs
38We need to condition people to have the right reflexive behaviors
“Everybody has a plan
until they get punched
in the mouth.”
- Mike Tyson
"People were asking me (before a fight),
'What's going to happen?'" Tyson said. "They
were talking about his style. 'He's going to
give you a lot of lateral movement. He's going
to move, he's going to dance. He's going to do
this, do that.' I said, "Everybody has a plan
until they get hit. Then, like a rat, they stop in
fear and freeze.'"
http://articles.sun-sentinel.com/2012-11-09/sports/sfl-mike-tyson-
explains-one-of-his-most-famous-quotes-20121109_1_mike-tyson-
undisputed-truth-famous-quotes
39There are Three Realities
of Security Awareness
What your
Just because I’m If you try to work
employees do is way
aware doesn’t mean against human
more important than
that I care. nature, you will fail.
what they know.Driving Security Awareness – Comprehensive and Continuous
Baseline Testing
We provide baseline testing to assess the Phish-prone™
percentage of your users through a free simulated phishing attack.
Train Your Users
On-demand, interactive, engaging training with common traps,
live hacking demos and new scenario-based Danger Zone
exercises and educate with ongoing security hints and tips emails.
Phish Your Users
Fully automated simulated phishing attacks, hundreds of
templates with unlimited usage, and community phishing
templates.
See the Results
Enterprise-strength reporting, showing stats and graphs for both
training and phishing, ready for management. Show the great ROI!
41What you can do now… Increase the frequency in how often you train your
employees, while you decrease the time they spend in
educate the right way! training.
Go from this… to this.What you can do
now…Condition
Use immersive simulated attack
scenarios (phishing) to help condition
employee response
Go from this… to this.Five Practical Ways to Grow Security Culture
• It’s crucial for everyone from the front Include
desk to the boardroom
Everyone
• Ditch the jargon, make it easily
understood Make
Rewards & security
• Security Awareness & Training should Encourage relatable &
be monthly – it’s not all CBTs
accessible
Security
• “If work against human nature, you Culture
will fail” – accept and work with the
Shadow IT
• Build a healthy culture with examples
Offer
continuous
Embrace
of ideal behavior Shadow IT
security
awareness &
training
44What’s next?
• Increasing Frequency
• Assess & Educate
• Define Behavioral Objectives
• Phishing, Vishing, patching
• Measuring Effectively
• Employee Responsibilities
• Organization Phish Prone %
• Motivate Employees
• Carrot – Everyone loves swag!
• Make it everyday - meetingsMotivation is a fundamental driver of
employee behavior that ensures an
organization’s security.
Security and risk management leaders can
use positive and negative motivation
— rewards and consequences —
to urge staff to complete training and
adhere to policies.How to Do It
Rewards and consequences need to be balanced. Bad behavior cannot become
normalized; there needs to be an appropriate amount of consequences to drive behavior.
Rewards for good behavior include: Consequences include:
✓ Certificates ✓ Eliminate entry to entertainment
✓ Recognition or praise in front of or social sites
peers ✓ Scale back access to systems
✓ Distinguished or classified as ✓ Mark on performance reviews
security master ✓ Possible termination based on the
✓ Awards: increments of time off, risk associated with their role
points in company store to buy
things, gift cards, etc.48 48
Securing investment dollars
from executives for a security
awareness program depends on
persuasive communication and
negotiation skills.
Package your approach to
ensure executive understanding
and support.
49Level of Concern with Executive Issues
IT
Execs
50So what do you do?
• Express security requirements to non-IT executives in the context of "what's
in it for me" scenarios that illustrate how security appropriations and resources
can support specific business objectives.
• Make clear connections between security requirements and business
objectives when discussing security awareness programming with executives
and stakeholders by aiming to shape your program as a cornerstone of any
effort intended to achieve business objectives.
• Utilize measurable data to present security as management of risks, rather
than as confrontation of threats, by identifying the most appropriate metrics to
contextualize and punctuate the need for a security awareness program.
51• Humans are the de-facto top choice for
cybercriminals seeking to gain access into an
organization.
Final • Security Awareness and frequent simulated
social engineering testing is a proven method
Thoughts to dramatically slash your organization’s phish
prone percentage.
• Effectively managing this problem requires
ongoing due diligence, but it can be done and
it isn’t difficult. We’re here to help.
52Thank You
Rob Neijenhuis
SSR Systems Engineer - Cybersecurity
262-901-1879
rneijenhuis@SSRTotalIT.com
Joanna Huisman
SVP Strategic Insights & Research
KnowBe4
Questions
joannah@knowbe4.com
and Conversation
Register for upcoming events and
find more resources at: SSRTotalIT.com/news 54You can also read
