Stop the Internal Bleeding How employees are the targets of - - PowerPoint PPT Presentation

SLIDE 1

Stop the Internal Bleeding

How employees are the targets of cybercriminals

James R. McQuiggan, CISSP
Security Awareness Advocate
KnowBe4, Inc.
SLIDE 2
  • Security Awareness – Siemens Energy
  • Product Security Officer – Siemens Gamesa
  • Professor, Valencia College
  • CISSP, (ISC)2 Central Florida Chapter President
  • Board of Trustees, Center for Cyber Safety & Education
  • Leadership Board, InfoSec World Conference & Expo

James R. McQuiggan, CISSP

Security Awareness Advocate

SLIDE 3
About Us

  • The world’s largest integrated Security Awareness Training and Simulated Phishing platform
  • Based in Tampa Bay, Florida, founded in 2010
  • CEO is a former antivirus entrepreneur / IT Security pro
  • Over 30,000 organizations supported to manage the ongoing problem of social engineering

KnowBe4 enables your employees to make smarter security decisions, every day.

SLIDE 4

Users Are The Last Line Of Defense

  • A staggering 91% of successful data breaches started with a spear phishing attack
  • CEO Fraud (aka Business Email Compromise) predicted to exceed $12.5 billion in damages in 2019
  • W-2 Scams social engineer Accounting/HR into sending tax forms to the bad guys
  • Ransomware damage costs predicted to reach $20 billion by 2021

SLIDE 5

Cybercriminals rely on phishing because it works…

According to Verizon's 2019 Data Breach Investigation Report, phishing was the #1 threat action used in successful breaches linked to social engineering and malware attacks.

2019 Phishing By Industry Benchmarking Report

INTRODUCTION

Every security leader faces the same conundrum: even as they increase their investment in sophisticated security orchestration, [...] between effective technology and clever attack methodologies. Yet there’s an overlooked layer that can radically reduce an organization’s vulnerability: [...]

According to Verizon’s 2019 Data Breach Investigation Report, phishing was the #1 threat action used in successful breaches linked to social engineering and malware attacks. These criminals successfully evade an organization’s security controls by using clever phishing and social engineering tactics that often rely on [...] methods are designed to persuade staff to take steps that provide [...]

Each organization’s employee susceptibility to these phishing attacks is known as their Phish-prone™ percentage (PPP). By translating their risk into measurable terms, leaders can quantify their breach likelihood and adopt training that reduces their human attack surface.

An organization’s PPP indicates how many of their employees are likely to fall for a social engineering or phishing scam. These are the employees who might be fooled into opening a file infected with malware or transferring company funds to a fraudulent offshore bank account. A high PPP indicates greater risk, as it points to a higher number of staff who typically fall for these scams. A low PPP is optimal, as it indicates the staff is security-savvy and understands how to recognize and shut down [...]

The overall Phish-prone percentage offers even more value when placed in context. After seeing their number, many leaders ask questions such as “How does my organization compare to others?” and “What can we do to reduce our Phish-prone percentage?”

KnowBe4, the world’s largest Security Awareness Training and Simulated Phishing platform, has helped organizations reduce their vulnerability by training their staff to recognize and respond appropriately to common scams. To help companies evaluate their PPP and understand the implications of their ranking, KnowBe4 conducts an annual study to provide definitive phish-prone benchmarking across industries. Categorized by industry vertical, organization size, and the amount or frequency of security awareness training, the study reveals patterns that can light the way to a stronger and safer future.
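The PPP definition above is a percentage, but computing it honestly from a simulated-phishing campaign log raises a few decisions the report does not spell out: which actions count as "falling for it", how to count a recipient who clicks three times, and how to treat addresses the mail never reached. The following is an added worked example, not code from the presentation or from KnowBe4's platform. The event log is constructed, the FAIL_ACTIONS set is an assumption about which logged actions count as a failure, and the campaign and group names are illustrative. It also produces the per-group breakdown and the baseline-to-follow-up change that the "Baseline Testing ... See the Results" cycle later in the deck is built around.

```python
"""Phish-prone percentage (PPP) from simulated-phishing campaign events.

Added worked example; not code from the presentation or from KnowBe4's platform.
The event log below is constructed, and which actions count as "falling for"
the phish is an assumption stated in FAIL_ACTIONS.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: any of these actions means the recipient fell for the simulated
# phish. Merely opening the mail does not count; reporting it is tracked as the
# positive behaviour the training is meant to produce.
FAIL_ACTIONS = frozenset({"clicked", "submitted", "attachment_opened", "macro_enabled"})


@dataclass(frozen=True)
class CampaignResult:
    delivered: int     # recipients the simulated phish actually reached
    phish_prone: int   # distinct recipients who did at least one FAIL_ACTION
    reported: int      # distinct recipients who reported the message

    @property
    def ppp(self) -> float:
        """Phish-prone percentage: share of delivered recipients who fell for it."""
        return 100.0 * self.phish_prone / self.delivered if self.delivered else 0.0

    @property
    def report_rate(self) -> float:
        """Share of delivered recipients who reported the phish."""
        return 100.0 * self.reported / self.delivered if self.delivered else 0.0


def summarize(events, by_group=False):
    """Compute a CampaignResult per campaign (or per (campaign, group)).

    events: iterable of (campaign, recipient, group, action) tuples, one per
    logged action. A recipient is counted once per campaign no matter how many
    times they clicked, and only if the message was delivered to them, so a
    bounced address never inflates or deflates the percentage.
    """
    delivered, failed, reported = defaultdict(set), defaultdict(set), defaultdict(set)
    for campaign, recipient, group, action in events:
        key = (campaign, group) if by_group else campaign
        if action == "delivered":
            delivered[key].add(recipient)
        elif action in FAIL_ACTIONS:
            failed[key].add(recipient)
        elif action == "reported":
            reported[key].add(recipient)
    return {
        key: CampaignResult(
            delivered=len(recips),
            phish_prone=len(failed[key] & recips),
            reported=len(reported[key] & recips),
        )
        for key, recips in delivered.items()
    }


def ppp_delta(results, before, after):
    """Change in PPP in percentage points between two campaigns (negative = improvement)."""
    return results[after].ppp - results[before].ppp


# Constructed sample log: a baseline simulated phish, then a follow-up campaign
# after training. Columns: campaign, recipient, group, action.
SAMPLE_EVENTS = [
    ("baseline", "alice", "finance", "delivered"),
    ("baseline", "alice", "finance", "clicked"),
    ("baseline", "alice", "finance", "clicked"),      # repeat click, still one person
    ("baseline", "alice", "finance", "submitted"),
    ("baseline", "bob", "finance", "delivered"),
    ("baseline", "bob", "finance", "opened"),         # opening alone is not a failure
    ("baseline", "carol", "eng", "delivered"),
    ("baseline", "carol", "eng", "clicked"),
    ("baseline", "dave", "eng", "delivered"),
    ("baseline", "dave", "eng", "reported"),
    ("baseline", "erin", "hr", "delivered"),
    ("baseline", "erin", "hr", "attachment_opened"),
    ("baseline", "frank", "hr", "delivered"),
    ("baseline", "frank", "hr", "clicked"),
    ("baseline", "frank", "hr", "reported"),          # reported after clicking: still phish-prone
    ("baseline", "grace", "hr", "bounced"),           # never delivered: excluded from the denominator
    ("followup", "alice", "finance", "delivered"),
    ("followup", "alice", "finance", "opened"),
    ("followup", "bob", "finance", "delivered"),
    ("followup", "bob", "finance", "reported"),
    ("followup", "carol", "eng", "delivered"),
    ("followup", "carol", "eng", "clicked"),
    ("followup", "dave", "eng", "delivered"),
    ("followup", "dave", "eng", "reported"),
    ("followup", "erin", "hr", "delivered"),
    ("followup", "erin", "hr", "reported"),
    ("followup", "frank", "hr", "delivered"),
    ("followup", "frank", "hr", "reported"),
]


if __name__ == "__main__":
    overall = summarize(SAMPLE_EVENTS)
    for name, r in overall.items():
        print(f"{name:9s} delivered={r.delivered} phish-prone={r.phish_prone} "
              f"PPP={r.ppp:.1f}% report rate={r.report_rate:.1f}%")
    print(f"PPP change baseline -> followup: {ppp_delta(overall, 'baseline', 'followup'):+.1f} points")
    for (name, group), r in sorted(summarize(SAMPLE_EVENTS, by_group=True).items()):
        print(f"  {name:9s} {group:8s} PPP={r.ppp:.1f}%")
```

Two design choices matter for comparability across campaigns: the denominator is delivered recipients, not addressed recipients, and a person who reports the mail after clicking still counts as phish-prone (the click already happened; the report is credited separately in the report rate). Tracking the report rate alongside the PPP is what distinguishes an awareness program that produces behaviour from one that only produces knowledge.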
SLIDE 6

SLIDE 7
Effective phishing lures

Greed Urgency Curiosity Fear Self Interest Helpfulness Money Hunger

SLIDE 8

The Effect Of Consistency

SLIDE 9

SLIDE 10

SLIDE 11

SLIDE 12

People are a critical layer within the fabric of our Security Programs

SLIDE 13

Cyber Hygiene

SLIDE 14
Train Everyone!

  • In order to create a security culture and change the behavior of your employees, you have to train everyone, from the board room to the lunchroom, and include the training in the onboarding of every new employee.
  • This should be on-demand, interactive, engaging and create a thorough understanding of how cybercriminals operate.
  • Employees need to understand the mechanisms of:
    • Spam
    • Phishing
    • Spear phishing
    • Malware
    • Ransomware
    • Social engineering

And be able to apply this in their day-to-day job.
SLIDE 15

A Security Awareness Training Program that Works!

  • Baseline Testing: We provide baseline testing to assess the Phish-prone™ percentage of your users through a free simulated phishing attack.
  • Train Your Users: On-demand, interactive, engaging training with common traps, live hacking demos and new scenario-based Danger Zone exercises, and educate with ongoing security hints and tips emails.
  • Phish Your Users: Fully automated simulated phishing attacks, hundreds of templates with unlimited usage, and community phishing templates.
  • See the Results: Enterprise-strength reporting, showing stats and graphs for both training and phishing, ready for management. Show the great ROI!

SLIDE 16

Security Awareness and Secure Behavior are NOT the Same Thing

Traditional awareness programs fail to account for the knowledge-intention-behavior gap…

SLIDE 17

There are Three Realities of Security Awareness

  • Just because I’m aware doesn’t mean that I care.
  • If you try to work against human nature, you will fail.
  • What your employees do is way more important than what they know.

SLIDE 18

Executive Takeaways

  • Adding Simulated Phishing Tests
  • Increasing Frequency
  • Hiring the Right People
  • Defining Objectives
  • Measuring Effectively
  • Motivating Employees
SLIDE 19

The Results are in: and they are dramatic

Security Awareness + Frequent simulated phishing training = Drastically improved phishing resiliency

SLIDE 20

James R. McQuiggan, CISSP
Security Awareness Advocate
Email: jmcquiggan@knowbe4.com
Twitter: @James_McQuiggan
LinkedIn: /in/jmcquiggan

Thank You

For more information visit blog.knowbe4.com

SLIDE 21

Resources » Learn More at www.KnowBe4.com/Resources «

  • 12+ Ways to Hack Two-Factor Authentication: All multi-factor authentication (MFA) mechanisms can be compromised, and in some cases, it's as simple as sending a traditional phishing email. Want to know how to defend against MFA hacks? This whitepaper covers over a dozen different ways to hack various types of MFA and how to defend against those attacks.
  • Ransomware Hostage Rescue Manual: Get the most complete Ransomware Manual packed with actionable info that you need to have to prevent infections, and what to do when you are hit with ransomware.
  • CEO Fraud Prevention Manual: CEO fraud is responsible for over $3 billion in losses. Don’t be next. The CEO Fraud Prevention Manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.