Security Awareness for ISACA

Atlanta ISACA Chapter Meeting
June 20, 2014
The Most Critical Risk Control: Human Behavior
Lynn Goodendorf
Director, Information Security
AGENDA FOR THIS SESSION
Why technical defenses are not enough
Formal policy vs. training and awareness
What does an effective security awareness program look like?
LESSONS FROM DATA BREACHES
Epsilon – spear phishing attack
AOL – not understanding data classification
Google, Yahoo and 18 others: users needed to update browsers
Gawker Media – used weak passwords for multiple applications
Target – began with phishing attack on 3rd party
FORMAL POLICY
Provides management guidance and intention
Protects company liability
Must be “translated” into key concepts and messages
Requires partnership with Human Resources
What does an effective security awareness program look like?
KNOW YOUR AUDIENCE
Language
Work environment
Types of computing devices
Job roles
KEEP IT SIMPLE
REPEAT…REPEAT…REPEAT
Screensavers
Newsletters
Posters
Online training
Webinars
EXPLAIN WHY
MAKE IT FUN!
ASK FOR FEEDBACK
TRACK AND MEASURE
RECOGNITION AND REWARDS
AWARENESS TOPICS
How to spot Key logging devices
Is Email Spam Harmful?
Watering hole attacks
Storing paper records
Visitors who may be imposters
Are cookies bad for you?
All about malware
MORE AWARENESS TOPICS
Create and remember strong passwords
Get Going with Mobile Security
What is a mobile botnet?
Found any free USB drives?
What did you capture on camera?
Erase those whiteboards!
We love to share email chain letters
AND MORE AWARENESS TOPICS
Dialing for Dollars: Phone Scams
Cell phone ringtone scams
Dangers of Counterfeit Software
Wi-Fi Security Tips at Home
Email Etiquette for Your Career
Has your Facebook account been hacked?
STANDARDS
NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program”
ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs
Australian Government: Protective Security Governance Guidelines – Security Awareness Training
COST OF SECURITY AWARENESS
Budgetary Planning: $5 - $10 per person per year
Online courses
Posters, Screen savers
Newsletters
Pens, Buttons, Etc.
WRAP UP AND QUESTIONS
Is an annual awareness session adequate?
Are acknowledgments of policy enough?
Are there better ways to audit that will help to drive improvement?