Here are some examples of how we train employees: I try and spend some time with each new employee to reinforce our security culture from the beginning. Think about it. What has been most impactful is showing people real phishing emails that have been received by our employees, as opposed to boilerplate examples. The most efficient way to educate your employees on how to fortify the human element of your company's security is through cybersecurity awareness training. Role-Based: Security is a shared organizational responsibility, and there are many stakeholders, including general staff, infrastructure, cloud, and development teams, and managers that need to write policy and ensure adherence to compliance and other mandates. Last year, 28% of attacks involved insiders. My style is to lighten the mood and tell them from my perspective, which makes it more cinematic in their mind. To stay ahead of security risks, here are the top three practices to put in place: Mike Meikle is a Partner at secureHIM, a security consulting and education company that provides cybersecurity training for clients on topics such as data privacy and how to minimize the risk of data breaches. Hackers are always evolving their approaches and technologies, and so your company must always be upgrading its defense training to keep vulnerabilities low. Instead of clicking on the link to find out what it resolves to, hover your mouse or right-click to see what the whole string looks like. According to Verizon’s 2018 Data Breach Investigations Report, internal actors still account for an alarming number of data breaches.
Rather than cyber security awareness training for employees that packs loads of instruction into hours of content in a one-off session, we package learning in 3- to 5-minute modules that employees interact with once a month on a continual basis. It only takes one employee to cause a data breach or cyber-attack. A project to crowdsource a security awareness training checklist. The same is true of malicious URLs. Mindfulness with safeguarding your identity. James Goepel, Vice President, General Counsel, and Chief Technology Officer at ClearArmor Corporation. Cybercriminals are staying on top of this change too, evolving their capabilities at a similar pace. The human element. This keeps them much more attentive than just a boring statement of policy and procedures. Contents: Cyber Security Awareness Training (CSAT) • Applicability • General computer and information use • Responsibility and Accountability • Using a WAPA Computer – Limited Personal Use • Telework and Travel – Employee Access and Protection • Password Management • Using Email • Local Administrator Accounts • Portable and Removable Media. Delivering these cyber security awareness topics should be prioritized to identify the biggest risks. Jeff Towle is an industry veteran in the Information Security, Governance, Risk and Compliance industries. Gamify the security awareness training program, so there are points amassed, a leaderboard or prizes. While standard role-playing is good, testing and cybersecurity certification are required. BeenVerified is a leading source of online background checks and contact information. [I hope you don't mind … Pay attention to irregular content that’s posted, the amount of time it takes to process information on systems or any strange errors reported in a business process flow. It should have dedicated time and location even if it requires them to use their own laptop.
Secondly, and most importantly, organizations must realize that humans alone – no matter how much training – can never be relied upon as an actual security safeguard. If you click on this link, if you open this email, if you share your password, etc. In fact, Verizon estimates that only 17 percent of phishing attacks get reported. These changes in behavior can really make a difference beyond just updating antivirus, OS patching, and firewall security controls. Also, the Information Security group can send out regular email blasts on threats and create a monthly newsletter or blog to keep security in the forefront of employees’ minds. If you are implementing new cybersecurity rules, create consequences for following or not following them. ), top hacker targets (Facebook, Twitter, LinkedIn), defense techniques, an overview of the hacking ecosystem, and the cost of lost data to the organization. As the Chief Scientist of the Static Code Analysis division at WhiteHat Security, Eric oversees all research and development for Sentinel Source and related products, defining and driving the underlying technology. I explain that if we can make ourselves safe, it is better for our employer, our family, and society in general. In many businesses today, it might be just a matter of days or hours. But to be clear, I am not claiming any personal credit for such a trend – there are many dedicated infosec professionals doing far more than I to advance the worthy cause of security training and awareness. Capitalize on just-in-time training by educating at the moment a mistake is realized. Simplify messaging to its bare essentials and do not cover more than one topic in a single security awareness program. We keep formal, recurrent security training to a minimum to avoid cyber safety burnout from employees.
President, PlanetMagpie IT Consulting. A good rule of thumb is to treat all the files, folders, documents, social media, and corporate websites you have been granted access to as you would your own bank account. After presenting information about security awareness, come up with a scheme to set up a situation where employees are given the opportunity to open a very alluring link in their email. Companies should include information on general security threats, how hackers compromise systems (social engineering, malware, etc. And it is the right way for new hires from the get-go to understand the robust security and data protection culture we have at Anonyome, and thus what will be expected of them. Especially on the ones that know they were tricked. According to the Verizon Data Breach Investigations Report, 30 percent of phishing messages were opened, and around 12 percent then actually clicked the malicious link or attachment. This is called a “phishing simulation.” This link will actually take the worker to a safe page, but you must make the page have a message, such as “You Fell For It.” You should also make sure that these emails look like a phishing email, such as adding a misspelling. If it included the public details from Uber, Equifax, Ashley Madison, Delta, etc. In late summer 2015, after Bullseye Breach was published, he accepted a job offer with a large, open source software company. Takes an hour or less, and have someone come prepared with some best practices and stories of how people have made poor security decisions (we play this part for our clients). I use colorful stories from my past exploits to make the lessons more enjoyable. If the email is from someone you know, call them to double-check. Greg Scott is a veteran of the tumultuous IT industry. This can be achieved, for example, through gamification, with employees who do comply receiving positive rewards, such as Starbucks or Panera gift cards if they achieve and maintain certain scores.
Want to connect with other people working on cybersecurity? No other organization boasts a similar depth or range of cybersecurity expertise. Do NOT send attachments if you do not know who requested them. Neil Readshaw is a seasoned security and compliance executive, who spent over 20 years at IBM overseeing technical direction for security architecture, leading the security workstream for the IBM Cloud Computing Reference Architecture, and programming new global data security products. Researcher and writer in the fields of cloud computing, hosting, and data center technology. Even boring training is better than no training. I try and share these examples through our intranet platforms as they happen, to try and capitalize when other employees may be receiving similar phishes. Utilize games, trends, gifs, memes, etc. Similar activities can target mobile devices or laptops by asking employees to download unauthorized software. I don’t make it just about the company. Founder and CEO of Fluid IT Services, has more than twenty years of experience including leadership and operational responsibility for functions related to both business and information technology. Make it real-world. Phishing test exercises are a valuable tool to demonstrate vulnerabilities. Whether it’s a reward or special monthly recognition, or if it’s some kind of punishment for not following your new security rules, give your employees a reason to get engaged. Robert has worked in the IT industry for 30+ years, consulting on everything from network infrastructure to cybersecurity. ISSA: this is the Information Systems Security Association and it offers you “a network of 10,000 colleagues worldwide to support you in managing technology risk.” There are many chapters around the world. – For whom the message matters most, i.e., vary the training content or its delivery by job role, as much as is practical. whatever you need to convey your cybersecurity message.
Sharing your corporate ID is never a good idea, even under temporary circumstances. Lauren’s company partners with document shredders across the nation and aims to make it easy to keep private business and personal information safe. These world-leading authorities have identified the most critical threats and developed a quality curriculum to teach an end user the appropriate behaviors to take when faced with security risks. This page at the National Council of ISACs will lead you to them all. For starters, if they are going to invest in phishing training, then they should adopt tools that are gamified and tailored to each user’s specific level of awareness. Joshua Feinberg is a digital strategist and revenue growth consultant, specializing in the data center, mission-critical, and cloud services industries. Create cybersecurity scenarios that employees can easily understand. – Whether we are educating our clients or. Role-playing phishing scenarios, talking through real-world attacks, and watching the Pwn videos from Rapid7 that detail some of the ways they have successfully breached clients’ security are all fun ways to engage the audience. Training needs to be engaging to build internal expertise and competency. Over 35 years in IT. This goes way beyond just making sure you update your password with strong alphanumeric characters regularly per corporate password reset policy. Dean Coclin has more than 30 years of business development and product management experience in cybersecurity, software, and telecommunications. Rewards can be simple gift cards or a more complex points program which can be redeemed for prizes. In reality, a huge proportion of breaches are initiated using very low-tech attack vectors like phis… Here are the must-have topics for your security awareness training.
This 35-slide PowerPoint (PPT) presentation provides an overview of security awareness training basics and best practices to educate and prepare your organization for a comprehensive training program. There is no reason that security teams should stop there. End-user support and dealing with security issues occupied most of my working career. Liven it up, don’t speak in a monotone voice, and don’t just read bullet points. Phishing Training: People rely on emails and websites to function on a day-to-day basis, and phishing continues to be an effective means of victimizing users. People like to talk about themselves. Hands-on simulations, real-world training, and tabletop exercises are influential in building offensive and defensive cybersecurity skills and help assess an organization’s situational preparedness. Sessions are often boring wastes of time, both for employees and the IT teams responsible for them. I give out candy when someone answers a question posed to the group. If you do not have the resources in-house, seek outside sources. is the owner and Principal Cybersecurity Consultant of Shades of Gray Security. Security Awareness - Introduction Welcome! It is amazingly powerful seeing one employee explain how they got a phishing email and how they fell for it, and say how they will avoid it in the future, and then hearing weeks later that someone else in the room saw the same thing but was not a victim because they listened to that story. Often we will have 2-3 hacker stories in a briefing to introduce better security practices or ideas. For those who tried to do so but failed, and for those who are not sure how to start, we asked top cybersecurity experts for their best advice. Include role-playing and testing. Use these security awareness training topics as a guide to help build a strategy for your own security awareness program. President, Data Center Sales & Marketing Institute.
Watching videos, hours of PowerPoint, or even mindless cartoons does not work. Start a Cyber Security Awareness Training Program Your Staff Can’t Ignore. Whether the training is online or in a classroom, it must be interactive and engaging. It’s a sad fact, but SAT programs are often dreaded by end users. Motivate with incentives: From simple recognition to formal awards, incentive programs like belts, certificates, spot bonuses, gift cards, etc. – When the message is relevant to the employees. After the recorded session there should be a quiz to measure how effective the presentation was with the target employees. I am Mihai Corbuleac, Senior IT Consultant at ComputerSupport.com – an IT support company providing professional IT support, cloud and information security services. We presented the material dozens of times all over the central United States, both publicly and behind closed doors. Social engineering attacks are the most insidious. With security threats evolving every day, it’s important to not only train your employees on thwarting cyber attacks but also to convey the importance of security awareness training. Not only will an attacker need to compromise your username and password, but they will also need to compromise a device as well. Keep it actionable. Like a good suspense thriller. Identity Theft Expert with HotSpot Shield, Marketing Associate, Hummingbird Networks. People enjoy videos these days. Hi, does anyone know of a generic (non-branded) cyber-security slideshow (updated for 2019) that can be used to train employees? Cloud Solution Security Architect, Intel Corporation. By way of example, Software Engineers need to have an understanding of the security implications of clicking an untrusted link, and they must also have an understanding of the security implications of building SQL queries at runtime using user data.
A few years ago I joined something called Peerlyst, which describes itself as a “place where security experts share their knowledge, learn from each other, and build their reputation.” Although it is not a non-profit, a lot of free resources have been posted on its wiki-style website. It can also reward those who do. If you have an admin handling your mail, make sure they ASK directly, or by phone or text, before they take any action. The reality is that dealing with security is a business issue (not an IT issue) and it involves hundreds of little things (usually not expensive or time-consuming) and not just the several big things you think you need to be doing (which can be costly and time-consuming). Information Security and Cyber Crimes. About Presenter: Kandarp Shah has worked in a managerial position for a leading info security consulting organization and has been engaged to provide advisory and auditing services to customers across verticals for … Here are some that I think may be useful in the current context: A project to crowdsource a security awareness training checklist, The 9 Security Awareness Training Topics Your Employees Need for 2019! Make this happen by relating every concept you. In other situations, the company is about to go through, or ... Why Your Team Needs Cyber Security Education, January 2, 2019. You can apply here. Bring the information down to their level so that it is at the very least relevant. This is an awareness technique that’s easy to adopt once you start to just ask the question. Initially, training should be done in person with a presenter. Despite this, there are at least two fantastic reasons to maintain a strong SAT program: 1. Cyber security awareness for your staff: Help your staff stay aware of the cyber security risks your business faces, and how they can play a part in keeping your business information secure. Call it a lunch and learn, or do it in the afternoon and call it a snack and learn. Sr.
Complacency is the biggest threat to security, no matter if it is physical security or computer security. A great place to start is the National Cyber Security Alliance or NCSA. ISACA: previously known as the Information Systems Audit and Control Association, it serves 140,000 professionals in 180 countries, so there is probably a chapter near you. Additionally, Tom serves as the company’s internal auditor on security-related matters. Yahoo, Blue Cross Blue Shield, Equifax and other large organizations have experienced devastating data breaches. Product Marketing Manager at phoenixNAP. She enjoys researching and writing about all things cybersecurity. Joining requires vetting, but the benefits are well worth the effort. As an example, 1 in 3 workers in the utility industry in Michigan recently opened a fake phishing email even though those people are mandated to go through security training. Take a look at what they said and start implementing their tips today. Eastwind Networks is a cloud-based breach analytics solution that aims to protect government agencies and enterprise organizations from cyber threats that bypass traditional security measures. A big part of thwarting attacks is to keep the team trained. For remote workers in particular, phishing, social engineering, compromised passwords and weak network security can expose your business to attackers. In this scenario, each time there is an attack, both the human firewall and the machine get a little smarter, further reducing the risk of future phishing emails being successful.