Before launching into the content of her talk, Enterprise Security Awareness Programs That Work, at the 2018 (ISC)2 Security Congress, Theresa Frommel, acting deputy CISO for the state of Missouri, confronted the elephant in the room, asking the audience, “How many of you are nonbelievers?”
When asked whether their programs were delivered only annually, many in the room mumbled yes. Frommel also received affirmation from the audience when she asked, “Most of you are not doing repetitive monthly trainings?”
Many organizations still don’t understand why security awareness training programs matter, because they don’t see significant improvements in end-user behavior. Frommel said behavior can change.
Missouri has 600 municipalities in 114 counties, and its state government is organized into 30 agencies spanning the legislative and judicial branches. Of the state’s 40,000 employees, 950 are IT staff, 20 of whom work in the Office of Cybersecurity.
Why do companies need effective security awareness programs? Primarily because, Frommel said, 90% of breaches are the result of phishing attacks.
“In the first quarter of 2018, phishing activity trends were up 46%. More than a third of phishing sites were hosted on sites with HTTPS and SSL certificates, and the number of sites hosting phishing pages rose from 60,000 at the beginning of 2018 to 113,000 in March,” Frommel said, adding a reminder that many of the high-profile breaches of the past several years began with someone opening a phishing message.
That’s why an effective awareness program needs to understand human behavior, Frommel said. Phishing campaigns succeed because attackers play on fear and uncertainty.
“Sometimes it’s hard to blame the user, because they are thinking and asking, ‘Am I expecting an attachment? Do I know this user?’ and the answer is yes,” Frommel said.
Advising the audience on how to mitigate the human risk, Frommel assured them, “Human behavior can be changed. Make users another security control, not a security problem. Phishing is no different than any other swindle, but technology can only mitigate email risk to a point. Training should be frequent, brief, targeted and able to change people’s thought processes, which over time changes the culture.”
Because technology only goes so far, it is incumbent upon security practitioners to keep encouraging change in how users think. Missouri deploys 40,000 interactive lessons a month, each 10 to 15 minutes long and focused on a different topic. Agencies also compete against each other through gamification.
A successful program requires that you track results and ensure employee participation, but it is also critical to recognize when the content has become stale and to adapt by finding more engaging material, Frommel said.