Stop the Internal Bleeding How employees are the targets of - PowerPoint PPT Presentation

Stop the Internal Bleeding How employees are the targets of cybercriminals James R. McQuiggan, CISSP Security Awareness Advocate KnowBe4, Inc.

• Security Awareness – Siemens Energy • Product Security Officer – Siemens Gamesa • Professor, Valencia College • CISSP, (ISC) 2 Central Florida Chapter President • Board of Trustees, Center for Cyber Safety & Education • Leadership Board, InfoSec World Conference & Expo James R. McQuiggan, CISSP Security Awareness Advocate 3

About Us • The world’s largest integrated Security Awareness Training and Simulated Phishing platform • Based in Tampa Bay, Florida, founded in 2010 • CEO is a former antivirus entrepreneur / IT Security pro • Over 30,000 organizations supported to manage the ongoing problem of social engineering KnowBe4 enables your employees to make smarter security decisions, every day. 2

Users Are The Last Line Of Defense • 91% of successful data breaches started with a spear phishing attack A staggering 91% • CEO Fraud (aka Business Email Compromise) to exceed $12.5 billion in damages in 2019 • W-2 Scams social engineer Accounting/HR to send tax forms to the bad guys of successful data breaches started with a spear phishing attack • Ransomware damage costs predicted to reach $20 billion by 2021 4

Cybercriminals rely on phishing because it works… 2019 Phishing By Industry Benchmarking Report ACCORDING TO VERIZON'S 2019 DATA BREACH INVESTIGATION REPORT, PHISHING WAS THE #1 THREAT ACTION USED IN SUCCESSFUL BREACHES LINKED TO SOCIAL ENGINEERING AND MALWARE ATTACKS. I N T R O D U C T I O N E v e r y s e c u r i t y l e a d e r f a i n c e c r s e a t h s e e t h s a e m i r e i n c o v e n u s t n m d r e n u m t i : n e v s o e p h n a i s s t i c t h a t e y e d s e c b u e t r i t w e y o e r c A n n e h o ff e s r g e c t r a a n t i v t i i z e o n a t t e , i o c h n ’ s t h n P e o l P P r e o g i ’ s y l i k n d a n a n e l i c o d y t a t v e c l e o e s r l v f a h o o e r l l f o w k e a t o r m d t a a a o l a c k s o n r g y e m c y o a n r e i a l f i z t h t h t h e t h a t a t o d e n g e i r i o c a o l e m i n e n ’ s n o g p e e m v r a i e l o r i p l u l d i s . y e n g o y n e c a Y e e s o e e r a l l y t w r p s b r h h a r i l i t e d o i s h e y : u c m i n e w i g h g a n i t h t s c m b e a m a f . l w o o T h a l e e r e d s e o r i n t a t r o r e a n o p s e o f e n i ff s r r i n g h n g a o r c fi l e b o m e a p i n n k a f e c a n y t e c c f u d A c o u n c o n d s r d p t . t o i n o i A h a g n t i g f r t o s t h a u V o P P d e r a P u l i z o h i i n e n n g h d t ’ s e r i c a p h 2 0 n t e i s 1 9 u m s h i D s b g r n g a c a e r e a w t a m o t e a B r s . f s r r s t e a A t a i s h e c l o ff k , # h I w w a s 1 n v P P h o i t t h e s P t l i n r e t i i s y p k a t g a o i c e d a t i o s p t a l l t o c t i n e c i m y f s o n R u a l a l o c u e p r i t , a l f i a s e o r y - s o r l e d t , s a i t i t h n i n v v n d e s g i n s y a i c e e u c n a t s u e r c e d e s c i n s s u n t h c e g a f u d e s s n l b e r s t f u d m r e s t a a ff l l y a a c n i e l w h d s s v a a e s h d e r e o w a a t n t t a o c o r c k r e l e v g a s . c o e r n i T g n p z a h e i z h i t i o s e e s h n c a n i n ’ s r i m d g s e i s h a n c u n a u d r i l s t d s o t y o w c i c o n a l n e n t r o g l s T h i n e b e e y u o v r i n s e g i n g r a t a l l P c t h i c s i s h m t - p e h a r o t h t o n o d f t p e s e n l a c p e a r r e d r c e e l i e n d e y o n t a s i n c o g e g n n t o e e x ff d t t . e r o A f s e p e t e v r s q r s e n u u e e e m a d s t i n o e i o g r e s t a n s t h v a ff s e i l u t o u c r n e t h u w a k a s m h e e “ H b e n s t o r , e p a w m s n d d o a n t h “ e y a t W s m l e p r h a y a d o v t c o e r i d a r g s e n w a n a s e i z k E a d a t c h o i o o t o n r g r e c o a n d m i z u c p a a t e r e i o o u t n ’ s r o o e P h t h m i s e a t p l h - r s t a o y p r ? ” c k e e K o n s i s n e s k u s o w p e n c e B r c o w p e 4 e n n t i b , t t a a i l i h e g s t t y w e ? h e t o o ” t r i r t r l d a n P h e ’ s s l h i s s e S l a a t h p i m r g i n g - p h i u e s t r o s h l a t h e n e i n t e S e i r ™ g d c u r i p P h r i s k e r i s t y i n c e h i A w t h t o n t n g a e m a g p r e i r e e l a n e b r a s ( P t h t f o s e a u r P P e i r r m s T c h a b ) . v , r a l i l e B y u l h a i n k e t e n e s i n l i h r m r a h e g o s b i l p a n o d , l i t e d h a l e y b d o u m n d a d y r g a a e r t r a n d s a p a i n n i a t o p c a p i n z a t a t t n r o g t i o c k r a q u p r t h n s i n a n i a e i s r u r i n t i t e l r s e d f a g t f y y t a u c e h a t o ff c e . t c o t o r e m r d u m e c c e t h o n o g s e i s n i t h r P c a z e e i P m a r P s . n d a n T r d o h e s u n e p o d l p n e r c o d s t a m K n p n o d a n w t h i e B e e i s e 4 m v c o p l a l u n i c a a d u t i t e c t o n s a s n o f p a t h h i n n e i s h u a r r - p l a n r o s t u k n e d i n b y g , e n t o c p r h m o v a i d i n r k e d i n d e u s g fi t r a c n i y v r o t i v e s s e r t i i n c a d u l , o s r t r i g a e s o n i . C f z a a s e t i o t e c u n g o r i t s i r i z y z e e d a w , a b a n d y r e t n e h e s s a l t r m i g h a i o u t n i n t h n g t o e , t r w a h e f r e y s q t o t u u e a d y n s t r c y r o e v n e a g e l s r a p n a t d s t e r a n f e s t r f h a u t t u r c a e . n

-- effective phishing lures -- Greed Curiosity Self Interest Money Urgency Fear Helpfulness Hunger 7

The Effect Of Consistency 8

9

People are a critical layer within the fabric of our Security Programs 12

Cyber Hygiene

Train Everyone! • In order to create a security culture and change the behavior of your employees, you have to train everyone , from the board room to the lunchroom, and include the training in the onboarding of every new employee. • This should be on-demand, interactive, engaging and create a thorough understanding of how cybercriminals operate. • Employees need to understand the mechanisms of: • Spam • Phishing • Spear phishing • Malware • Ransomware • Social engineering And be able to apply this in their day-to-day job. 17

A Security Awareness Training Program that Works! Baseline Testing We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack. Train Your Users On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises and educate with ongoing security hints and tips emails. Phish Your Users Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates. See the Results Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI! 15

Security Awareness and Secure Behavior are NOT the Same Thing Traditional awareness programs fail to account for the knowledge-intention- behavior gap …

Th There re are re Th Thre ree Realiti ties of of Se Securit ity A Awareness What your Just because I’m If you try to work employees do is way aware doesn’t mean against human more important than that I care . nature, you will fail . what they know .

Executive Takeaways • Adding Simulated Phishing Tests • Increasing Frequency • Hiring the Right People • Defining Objectives • Measuring Effectively • Motivate Employees