My Lessons Learned in Security Awareness
Pedro Serrano, CISSP
Security Architect, Cimarex Energy
Phishing: how ransomware and malware get delivered!
- 215.3 billion emails were sent and received per day in 2016 [1]. The trend is upward, and we know why: email is how we do business.
- 85% of organizations have suffered phishing attacks. I call this the new normal (expected behavior).
- 90% of all malware starts via email. The key ingredients:
  1. Receive an email with a link or malicious payload; an unsuspecting user clicks.
  2. Get Internet access, download the malicious data, start the damage.
- 65% of mail users worldwide access their email via a mobile device. The phone is personal and I carry it in my pocket; the PC stays behind, disconnected. When this access gets exploited, I predict a change in how we access email.
But I have a new firewall!
- You can add all the technical controls you want, but if your employees click and enable the wrong link, it's game over!
- I am not against technical controls, but technical controls were my excuse (scapegoat). Many organizations hide behind this excuse so that they do not have to do security awareness.
- The human element needs to be considered a security risk. What is your company culture's tolerance?
Why is security awareness the new hot topic?
- Because what you do at home you will tend to do at work.
- Because web, email, and social media are now accepted behavior; after all, this is how we do business.
- Because of the overwhelming realization that my users will not pay attention to emails and will click on the links. After all, this is what we do when we get an email: you have to read it. In many companies, receiving an email requires action.
- Because the cost is less than that of physical controls. This is huge in companies that work in a balanced-budget environment.
We emphasized changing behavior. How?
- Monthly newsletters (enhanced with images): one page, no attachments.
Made it easy to report suspicious email
- Implemented a new one-click button in the Outlook email client where users could report suspicious email for the security team to review.
- The premise: make it so easy that my CEO would use it! And it worked, once I made reporting one click away.
Bribe with food!
- Created Lunch and Learns to talk about security awareness, with lunch provided. We called this the honey effect.
- We did not enforce a mandatory meeting where employees attended because they were required; instead, I wanted them to want to be there! It is all about the expectation.
- Convinced upper management to budget $10.00 per meal per employee. This was the most difficult step. Actually, our first meeting was a pilot (test), and it was so successful that after the meeting we had a commitment to continue. The executive team understood the dynamic and the importance of cyber education.
Create competition: phishing campaign
- After the first round of test phishing emails, send an email congratulating the winning groups. Let me tell you, my engineers like to win!
- Got high fives and dirty looks in the elevators. Created buzz about Pedro's tricked emails.
- Many folks actually were impressed and wanted to know why they had failed the phishing email. This opened the door to discuss how to review emails and the 7 different places in an email where I could trick you.
Made the training fun, animated, easy-going
- This created acceptance: this was not the security guys trying to get me!
- Trust: I actually received calls from employees telling me that they had failed and that they would never have looked at the From in the email because everything else looked legit.
- Elevator talks: I got daily questions on web, email, or out-of-office etiquette.
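Added example, not part of the presentation or its tooling: a small Python script showing the kind of email review the previous two slides refer to, the From display name versus the real sender address, the Reply-To header, and link text that does not match the link target. The organization domain corp.example, both sample messages and the particular checks are assumptions made for this example; they are not the presenter's seven tricks.

```python
"""Header and link review for a suspicious email (added example).

Checks three places a phishing email is commonly tampered with:
the From display name versus the real address, the Reply-To header,
and anchor text that does not match the link target. The org domain
and the two sample messages below are constructed for this example.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _host(text):
    """Hostname of a URL-looking string, or None if it is not one."""
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host and "." in host else None


def phishing_indicators(raw_message, org_domain):
    """Return human-readable indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Who really sent it? Display name is free text; the address is not.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    org_label = org_domain.split(".")[0]
    if from_dom != org_domain:
        findings.append(f"sender is external: {from_addr}")
        if org_label in from_dom or org_label in from_name.lower():
            findings.append(
                f"sender impersonates {org_domain}: {from_name!r} <{from_addr}>")

    # 2. Replies silently redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To goes elsewhere: {reply_to}")

    # 3. Link text that shows one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, real = _host(text), _host(href)
            if shown and real and shown != real:
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample messages (assumed domains, not real mail).
PHISH = """\
From: "IT Helpdesk" <helpdesk@corp-support.example>
Reply-To: recover@mail-reset.example
To: user@corp.example
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Sign in at
<a href="http://mail-reset.example/login">https://portal.corp.example</a>.</p>
"""

LEGIT = """\
From: "Jane Doe" <jane@corp.example>
To: user@corp.example
Subject: Lunch and Learn slides
Content-Type: text/html; charset=utf-8

<p>Slides are on <a href="https://portal.corp.example/awareness">the portal</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(raw, "corp.example") or ["no indicators"])
```

Run as-is, the constructed phish produces four indicators (external and lookalike sender, a foreign Reply-To, and a link whose visible text and target disagree) while the legitimate message produces none; the point for a user is the same one the slide makes, that the From address and the link target are where to look when everything else looks legit.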
Summary: what we learned
- Email is the delivery method; let's learn how to stop it.
- Technical controls work, but people are going to be people.
- Security awareness is the single most effective control for the least money.
- Behavior modification is key, so relate to what matters to users (home).
- Make it easy to report bad email.
- Bribe with food: the honey effect.
- Make security awareness fun (acceptance factor).
- Above all, create trust and acceptance; you are not the enemy!
Pedro Serrano, CISSP
President, ISSA Oklahoma
Speak Train Motivate
pedro@stmtalk.com
@InfoSecPedro
https://www.linkedin.com/in/infosecpedro
References
1. US Email Statistics Report, 2016-2020, http://www.radicati.com
2. Phishing Statistics 2016, https://blog.barkly.com/phishing-statistics-2016
3. New Report: State of Phishing Attacks, https://www.wombatsecurity.com/pressreleases/new-report-state-of-phishing-attacks