
How to Create a Cyber Security Culture

BSides Vancouver · 2022 · 56:51 · 111 views · Published 2022-07

Category: Community
Difficulty: Intro
Style: Talk
About this talk
Anthony Green and Penny Longman present a framework for building organizational security awareness programs from the ground up. The talk covers formal program requirements, executive engagement, phishing campaigns as educational tools, learning-style diversity, and long-term maturation strategies including security champions and content calendars.
Original YouTube description:
In this talk I will talk about how users can create a strong cyber security culture in their organizations. It will start at a high level with top-down security and the importance of a strong cyber security culture. It will then transition to a deep dive into how to actually create a cyber security awareness program.

Transcript [en]:

all right welcome everyone to cyber security awareness programs just because they're aware doesn't mean they care by myself anthony green and penny with me and before we get started with the presentation we do want to introduce ourselves here so i'll start with quickly introducing myself and i'll hand it off to penny so my name is anthony now i have a few different hats right now i'm currently full-time the manager of security operations and compliance at cpa bc i'm also the incoming president at the asaca vancouver chapter and i'm also a part-time instructor at ubc teaching their micro uh sorry their cyber security micro credential and i'm teaching at vcc the cyber security fundamentals penny to you

yes so hi everyone um i'm penny longman i'm the director of information security and data stewardship at fraser health so um i'm just finishing up my first year and i don't know in two or three more years i'll have got a handle on all the medical acronyms that are the same as security acronyms um i'm new to public sector as well but i have a lot of experience in the private sector mostly in mining and geoscience i moved into security via it which was already a second career so i bring a really broad background having been on the outside as a customer of i.t and uh security as well as kind of you know being here in the thick of it so

all right and so i'll get i'll introduce our agenda a little bit today and then i'll get started right get right to the meat of it so today we're going to talk about what is the security awareness program to start then we'll talk about why you should care and then why your employees should care we're also going to talk about different types of learners we're going to talk about how you can start creating a program yourself and lastly penny's going to talk in detail about how you can mature your program and your culture so once you've created that security awareness program where do you go next with that all right and to get it started what is

a security awareness program well everyone a lot of people have different definitions this definition is taken from the provincial government and the definition says that the security awareness program consists of a formalized program with the goal of training users of potential threats to their organization and how to avoid situations that might put the organizational data at risk so according to our own government here in order to satisfy the this uh a security awareness program you need to have the following you need to have a documented program that is followed and updated regularly through policies we need an annual information security for employees and part of this annual information security we need to ensure that we

educate users on common threats and impacted businesses such as not sharing credentials not clicking on suspicious links and attachments reporting security incidents maintaining your clean desk and locking any inactive systems they should also be tailored for employee roles and there should also be annual sign off on the plan meaning that all your employees should not only be doing it going through the plan regularly on an annual basis but also signing off to ensure that you that they actually have completed that training so this is the more formal definition of a security awareness program now i want to talk to you about what a security awareness program means to me and penny so i believe that a security and firm

awareness a successful security awareness program should be pushed from the top down meaning from the board level from the executive level meaning that it shouldn't be your i.t team begging the rest of the organization to take cyber security seriously but it should be your organization leading your it team to implement security technologies right this is important because it's gonna speed up your um speed up your awareness program speed up your entire security maturity very quickly if you get your executives on board now staff actually need to understand that they are doing cyber security awareness training right how many times do you have you done a some kind of awareness training with some staff maybe not even cyber security maybe hr

policy and the staff are just clicking next trying to get through it and at the end of the day they just um they see it as they could see it as just a hindrance in their job oh there's another hour that i have to spend doing some kind of training right sometimes staff will just skip to that training and say they've done it so we've noticed a lot of times when we ask staff not within other organizations we say hey did you do any cyber security awareness training and they say um i don't think so and then you talk to their manager and you say well here's uh the document they signed saying that they did the annual training this year

right so make sure that they know that they're doing security awareness training and not just a regular kind of policy reminder you also need to ensure you have tangible results based on your fishing simulations and we'll talk about that in more detail phishing simulators but essentially you need to create you need to uh figure out a way to have tangible results when it comes to your security awareness how do you know whether your organization's getting better or worse this can be done with phishing simulations or even surveys staff should not be afraid of the security team and we'll get to some stats about that later as well but you do not want your staff to be afraid of

reporting any security incidents to you you would actually rather have your staff over share than undershare because you don't want staff to feel like if they accidentally got breached even if it was by accident you don't want them to be scared of you and therefore not reporting and lastly privacy and security have a lot of overlap so this is a great time to do privacy awareness training at the same time as the security awareness training there's a lot of things that you can just simply talk about the data more uh and why and why you're doing what with the data you know what are the regulations that your organization might need to follow when it comes to that data and now you're

also uh increasing you're sorry you're also at privacy to the security awareness program um and the you know in a in larger sort of more mature organizations you'd actually have a formal security awareness and training program policy um which would give high-level guidance on when and how the training would be provided as an onboarding and then ongoing how often the training is reviewed who approves it and the actual uh enforcement mechanism and that policy would be endorsed and approved at sort of at an executive level can be less formal in in other words but in bigger orders it does tend to be really formal like that thank you penny um now i do want to talk about why

you should care so there's a few stats that even when i myself was reading them i got quite surprised and we're going to go over a lot of them today and hopefully this will help you understand why there's such a lack of security or how we know that there's such a lack of security awareness training in the average organization well 20 of staff are unsure if they could describe the security risks with storing work information and personal cloud applications so one in five staff can't tell you what's wrong with storing sensitive security uh sorry sensitive work documents on their personal google cloud google drive in a dropbox 43 of employees are not aware that clicking a suspicious link or opening an

unknown attachment in an email is likely to lead to malware inspections so four out of ten of your employees don't actually think twice when clicking on suspicious links or up opening unknown attachments a lot of them might think that if they somebody has their email then they obviously know this person and we know that this is not the case 55 are not convinced that connecting their laptop smartphone or tablet or public public wi-fi network such as a coffee shop or an airport in the airport can lead to a malware inspection and as we know that public wi-fi especially joining a random public wi-fi can be a dangerous way uh can be dangerous because it can lead to

malware infections man in the middle of attack uh things along those nature as once you're on someone else's wi-fi they can they have a lot more access to you know leads to trick you in different uh phishing attacks some employees are misinformed about cyber security rights so 14 actually believe that if their computer or mobile device is kept close to a device that is already infected with malware their device can also become infected with that same malware so yes this might be right when it comes to network there's devices on the same network but just because you have one iphone sitting beside another iphone doesn't mean that the virus will be able to transfer that's actually very

unlikely and but about 14 of employees actually believe that is the case 50 percent of employees said that they are very likely to report a security incident now that is a very small number of people that are gonna report a security incident you would like to have that number above 90 um the reason being is that if there is a security incident like i said earlier you'd rather have your employees over share than undershare right if somebody clicked on a malware if they're comfortable letting the security team know you the security team could get you know a head start on remediating that malware or essentially isolating the you know the user's computer from the network right

the more data that your team has about the security incidents that are happening or even potential security incidents that are happening in your organization the better prepared your team will be to fight back or to remediate and privacy best practices seem to be even less well understood than cyber security best practices so 66 percent of staff did not know if their organization needs to be complying with pci dss and for those of you that don't know any organization that takes any credit card information needs to be compliant with pci dss in some way or another so two-thirds of all staff does don't even know what compliancies that their organization uh falls under 69 and the last stat here is 69 of

employees don't believe that storing their personal data on their desktop and laptop computers such as their mobile devices can create a policy violation so again just like the previous slide here most staff don't know why data needs to stay within your organization they don't understand the risks of taking data outside of your organization so you need to care that the staff um you need to this is why you need to care that staff should be learning about cyber security awareness so that you don't have as many gaps like that within your organization and so why should they care right um something to keep in mind there's there's three three fundamentals to uh creating a cyber safe culture so first we have to

make people aware that's the core of the program right but you also you have to make them care because people don't act without motivation now that motivation can be extrinsic we can like make them do it but our long-term goal is to make that intrinsic because they will care we need to make them aware of the issues but we also need to make them aware of the role that they can play which leads to them you know investing and and caring but there's a last step which i'm just getting you to think about here in sort of the beginning i'll talk about it later that we actually have to also make sure that they can easily do the right

thing right because they can be aware and they can care but if it's a lot of friction for them to do the right thing they're still not going to do it because they have a job to do right you can't make them fear doors but still expect them to you know turn up inside the building yeah user experience can be sometimes just as important as the actual security tool themselves you know users are a lot smarter than they even know let's just say when it comes to getting around security loopholes the other thing i want to mention is why you should care under the compliance section so security awareness or security program management security awareness program management is actually

a requirement for many if not most compliance cyber security compliance frameworks i've listed a few here there's a few that i haven't listed but essentially if you look through all of them cyber security canada pci dss sock 2 socks hipaa iso cobit these are all really big uh com sorry these are the most well-known compliance frameworks and if you actually look through the requirements they're all very similar when it comes to employee awareness training if you create a security awareness program that fits all the requirements that we talked about on the first or second slide by the bc government and we'll come back to that later if you create a program that fits those requirements you will actually be able

to hit most of these compliances most of these compliancy requirements right so pci dss for example um needs you to educate employees but also require employees to acknowledge in writing right again this is the formalized annual and onboarding trainings and then the um the annual sign off right if you if you go to the sock 2 you need to communicate information to improve security knowledge and awareness again same thing can be used for sock too the same program can be used for sock 2 and pci dss the main things that they all have in common here is they educate employees they need some kind of formal acknowledgement so you need a sign off and the last thing is that it a lot of

it if possible needs to be role based meaning that you might want to do more intense security awareness training for i t your it team versus the your you know communications team because your it team might have much more access to critical assets while your communication team might only have access to the minimum amount of user information that they need for their job right so creating a security awareness program isn't going to only make your organization more secure and potentially stop some of these uh stats that we were mentioning or at least lower them but it's also going to make sure that you hit the compliances that you're most likely required to in some form or or another either way

now your goal for security awareness shouldn't be to just trick your staff um or sorry well your goal when you're doing phishing training training or security awareness isn't to um throw as much information at them as possible right you can send them papers you can send them white papers you can send them a lot you can even send them on a course but the most important thing is to change their mindset about cyber security right cyber security as the manager of security cyber security isn't actually my job i'm just curating the cyber security of the organization cyber security is every single staff's job right every single staff should have that in mind and that's what you want to

train your staff with the security awareness training you're essentially chaining changing your staff's mindset to um we can do whatever we want you know we got a security team that's gonna you know if we get hacked they've got these antivirus in this firewall they'll figure it out two we are the first line of defense right you the staff is the first person that's going to be able to stop this phishing attack and for those of you that may not know these days i believe over 98 of attacks start with fishing so you don't need to let the fish get all the way to the antivirus or all the way to your firewall you can get the fish to stop

right from your email service right from when your staff notices it they can fish it what does that mean well you can fish you can um we'll talk about this in more detail about the stuff you can actually implement but you can actually implement a fish alarm so every time there's a phishing email you can get your staff to report it and have it sent to your security team once and once your security team is able to monitor those phishing emails they can then make decisions for example if we get this very sneaky phishing email from one of our ceos or an impersonation uh email from a ceo we can take a look at that say oh yeah this is

definitely a fish and then we can run a script to actually get rid of that from everybody else's inbox in our organization so that first person that fished it essentially got rid of that malicious email for the entire organization right didn't even need to get get past our you know maybe sandbox or antivirus you name it additionally if staff understand have this mindset where cyber security is their job they with this informed mindset they can actually help spot unsecure processes and hopefully work with your team to fix it right so if they're not scared of the security operations team they'll work with the security operations team to fix their insecure processes right um meaning that

let's take two organizations for example one that isn't security aware one that is one that isn't security aware maybe they're sending out emails with personally identifiable information right without that's not encrypted but if they find out that um that's not secure there a non-security aware organization will just try to hide that under the rug they'll say okay well don't tell the security guys they're going to make our lives a lot harder right versus a security aware organization they're going to come to me and say hey this is how we're currently doing the emails is this secure if not how can we make this process more secure and hopefully if you're doing your annual cyber security awareness training

around shortly after the training is when most staff will come to you and say hey these are the processes that we have can you help us secure them we talked about reporting phishing emails um and yeah last thing that i want to mention staff are not afraid of reporting security events so meaning a little bit of customer service goes a long way if somebody sends you an email hey is this a fish hey i think i clicked a malicious link as the security team you want to be very supportive you want to thank them for letting you know you want to get them to the point where they almost feel like well you don't want them to almost feel like you want

them to feel like you and them are partnering up to fix an issue it's not security isn't coming in to fix fix their mess but you they maybe made a mistake and security is coming in to help them mitigate the risk of their mistake you want them to feel comfortable asking your security team you want your staff to feel safe reaching out to your security analyst or manager rather than feel stressed out worried that there's going to be consequences and stuff like that to their job so a little bit again a little bit of customer service goes a long way uh to make sure that staff are not afraid of reporting any security events yeah and and you know

you know as i said this can this can be a bit of a change for your security team's mindset you know i i like to joke that you know we used to be but we're not the department of no now we're the department of police no you know and so it's going to be a change in the mindset it's hard sometimes for more hardcore security teams um to step back from the stern parent kind of mindset you know your team has to view themselves as part of the solution and not the arbiter of good and bad and right or wrong and that that can that can be you know a bit of their own sort of security culture shift as

well exactly you do not want to be known as the office of no

so now let's talk now we talked about security awareness the importance of security awareness let's talk about how we can implement security awareness within our organizations now excuse me before we get into that into details of that we need to talk about how we can make it successful and before we do that we need to understand the type of learning that most i guess the type of learners that most people are most users and obviously there's different methodologies that you can use i personally like to use this one because it keeps it simple uh the rule of three visual so we've got uh staff that use visual objects like infographics charts pictures network diagrams process flows that help

people understand then we have auditory uh retain information through hearing and speaking we have staff that this would be stuff like podcasts videos um stuff along those lines and lastly we have kinesthetic and kinesthetic essentially likes to use the hands-on approach to learn new material we have a lot of those especially in the it department in the it area but again security awareness isn't just for it it's for everyone so it's important to understand the types of learners that you have visual auditory and kinesthetic in order to be able to reach them in the most efficient way right with um and i want to talk just a little bit more about this before we move on with a visual learner it's

really um a lot of the things that you can get and we'll talk else there will be i think some links later on but um this would be stuff like security awareness graphics uh maybe a psa maybe a quick update about what's going on in the industry right if uh for example when life lobs or the cra got hacked you can send a little picture information a little infographic about how it got hacked why it got hacked and that would do that would do a lot more for these visual learners than the same information in email format right podcast you can turn that you can turn you can read out that entire infographic and turn it into a two-minute podcast or

two-minute listening piece and now you've hit the visual and auditory learners and kinesthetic we'll talk about that later but there's a few ways that you can actually test your user's security awareness with the kinesthetic so how do we start doing it now and ideally for free well i have a whole bunch of tools that you can just to get at least the base started the first tool is the fishing awareness tool a fishing reporting tool so this tool will allow you to monitor fishes from the that the organization receives so you can look at the picture see at the in your email box you would have a little uh phishing alert button where if you clicked it it would go to a special

inbox that hopefully your security team monitors next you want to find a baseline so you want to send a fishing simulated fishing test to see how your organization does this baseline is going to be now it's okay if you get a lot of clicks this baseline is meant to see your improvement not your not where you're at right now going forward you'll be doing different baseline tests to ensure that you've improved but even if your first one has a really high click rate don't feel discouraged then you want to run monthly bi-monthly quarterly whatever your organization size whatever works but you want to create fishing campaigns so fishing campaigns essentially is a fake fish that you send out on your organization's

behalf to actually see how well your staff would have caught it or fell for it now going back one step for a phishing reporting tool there's a free one called know before they have a free add-on you can install that sends that to a phishing inbox for the baseline and running bi-monthly phishing campaigns i suggest using trend micro so trend micro fish insights i believe uh i believe that's the full name it'll allow you to actually do free security awareness training for up to 200 users so when i started when i say free training i mean free uh phishing training so you will be able to fish up to 200 users on a monthly basis

and they actually have some great templates you can use that's a great place to start then you can move on to spear fishing so pretend you are your department head right if you're fishing the it team you take the it director's email and pretend to be the i.t director and see the difference between the fishing the clicks there and the general fishes and then ideally you're looking for patterns you're validating your results and you're creating harder fishes as you go because what you want is your goal isn't to trick your staff your goal is to educate them and what's the difference well the difference is when you're tricking your staff there's a whole bunch of sneaky things you can

you can throw in right you know there's a once in a million once in a lifetime fish that you'll get that's probably undetectable to most people but 99 99.9 of fishes all have very common um indicators and what you need to do is you want to get your staff to be as comfortable with those indicators as possible so that they don't get phished by that 99.99 of phishing emails right such as hover over the hyperlink check who it's from right what's the tone of the message right stuff like that excuse me and the last thing i want to talk about here under awareness is your cyber security and awareness presentation this should be a yearly thing on

onboardings as well as something on multiple fails and phishing tests so if you have someone that failed three tests in one year maybe you want to send them to some training and here's a little example program that you can take a look at that's a great way to start as you know for an smb it's a great way to get your feet wet when it comes to a security program you start wounds with uh the seminars and you're doing quarterly fit with your test i forgot to mention this testing so the fishing campaign testing that best way for kinesthetic learners to learn and i have a slide about that and just actually it's the next one but

finishing with this slide you start with the greens once you're happy with that you move and add yellow to it so now you're fishing on a bi-monthly as well as you've added a lunch and learn and in october cyber security awareness month and then once you get to red now you're doing monthly fishing campaigns you're also adding in quarterly infographics you're doing spear phishing and you're doing cyber security month in october so this is a great way to build out your smb to at least start doing start creating a security awareness program so phishing tests i did mention we're not trying to trick we're trying to educate so it's very important to have a oops page

once you've clicked the link where does it take the staff and how are you going to inform the staff of how not to click the link going forward so in this case this is a template from know before however you can also just do this in microsoft paint with some little text boxes if you need to that's what i used to do before but essentially what you want to do is you want to highlight all the different areas that the user could have looked at in order to have not gotten phished so they can learn that next time and it always it's nice to have a little tagline ours is when in doubt fish it

out easy to remember and we keep repeating it so let's bring it all together how does a security awareness program look well it has yearly and awareness training where we educate users on policies and why and this usually is our auditory and visual training then we've got our monthly phishing campaigns and our goal is to educate not to trick this can be done this is a kinesthetic learning type and we can do this for free from fish trend micro then we also want to be adding supplementary supplementary contact content infographics webinars psa whenever you have a great idea or you think your organization maybe even lunch and learns right um if you have any other content ideas just remember

about the auditory visual and kinesthetic right you want to have a mix of all three if you're doing a whole bunch of infographics maybe you want to go for a podcast or a lunch and learn right uh and the last thing is cyber security month and cyber security month is a well-known month for the entire industry this is usually more common for smbs not necessarily larger organizations and i'll let penny explain why afterwards um but essentially with a cyber security month um you are aiming to actually do a little bit of everything and try to get staff to almost it's essentially a campaign it's a marketing campaign so this is your thinking like marketing here where this

is a full month dedicated to cyber security maybe you download a theme from a security awareness provider like infosec institute these can be online for free you can find these online for free you also want to have a lunch and learn where you can present a trending security topic and provide some information in october it's a great month to prevent a topic around the lines of uh when how to stay safe shopping online you can also run a contest so that way you get more people fishing your fishes yeah using your fish report on your phishing email you know if there's a chance they can win some money make it personal don't only repeat your

policy for lunch uh that it's about um make sure that it's about keeping yourself safe online other than just the corporate organization because if people are thinking of their cyber security at home probably take well and lastly you want to inform them the progress you want to let staff know of the collective improvement and then penny can you just give us a second why this might not scale well in a larger organization specifically the public security um yeah so it's because you know i mean i work at fraser health and as you might know there's there's a month for everything right there's a month but cancer and and and they're all equally well they're all very important um so

it's you know it's just a situation where that kind of theme doesn't doesn't work and sometimes in large orgs again there's there's a whole lot of competing priorities but in many situations it's a great thing that you know isn't there's often a lot of material out there already for you to use but but yeah sometimes in larger words you just have to get a little a little more creative because um you know just because of the size of the organ the formality of the processes thank you um and the last thing that i want to bring it up for creating the security awareness program before i hand it off to penny here is remember that first um

slide that we looked at about what the government of bc considers a security awareness program well if we create that docu if we document it formalize that policy and make sure that it's updated regularly we got that annual information security for employees we do that annual awareness training we hit the second point we make sure our annual awareness training has all the things that the government wants or other potential compliancy standards we're good there too we tailor the employee tailored for the employees roles such as more in-depth training for it admins now we get a check mark there and at the end of their session at the end of the yearly awareness training we get their

signature to get the annual sign-off, and now we've essentially created a security awareness program that fits the goals of our own government as well as most security compliance programs that are out there. Now, once you've done this, what are the next steps? And that's where Penny will take over here. Yeah, so thanks, Anthony. Anthony has given a great, comprehensive overview of all the parts of a program and sort of what you need to do to be in compliance with most of those frameworks. Now I'm going to present some thoughts on how you can take that up a level or two. It

could be because you've already got the basics and you want to take the next step, or because you're maybe in a really big org and you kind of really need to scale it up. Excuse me, I'm getting over a bit of a respiratory thing, so I'm drinking and coughing a lot, my apologies. Either way, a fully mature program has four parts: formal customizable training, ongoing dynamic phish training, various and varied outreach, and a formal, managed and up-to-date themed calendar of events. All of those are things that Anthony sort of already talked about. So, next slide. Let's start with formal training. Sorry, all right,

here we go, we're a team here. So when you say security awareness and training, this is what most people think of, right? It's the meat of the meat and potatoes. But this is actually the scaffolding of the whole program; it's not the whole meal deal. There's a couple of parts to it. Everyone needs some sort of introduction to your organization's security during onboarding, right? Honestly, a mature program would have that actually quite basic, because you're also going to have ongoing training where you can flesh things out, where it's going to be more relevant. But we'll talk about that in a minute. Two key things to think about in your onboarding:

can you pre-test the person to determine what training they need to meet your onboarding requirements? Can they just challenge the quiz? Why should a brand new security analyst have to answer all six modules of the basic cyber-safe training, right? Some platforms do have that, and I will tell you, in a mature program it's a really good idea to build goodwill: onboarding training can be really long and boring, so reductions wherever possible can help. And secondly, and this is similar to what Anthony's talked about for a program in general, an intern doing internet research needs really different onboarding than a volunteer greeter, right, than the developer, than the CFO. And

your tool should allow you to create groups, and this is often done through AD integration in more mature platforms, so that you can choose the relevant modules for the specific job roles. And again, I can't emphasize enough how important this is in generating goodwill. That way people don't feel like they're standing there wasting their time reading a clean desk policy when their job doesn't actually have a desk, right? For your ongoing training: in its functional form, that's yearly training, a presentation, a course or a program. When you're getting to a mature system for your ongoing training, most people assume, okay, every year they'll

just do the same modules. Well, that can be really boring, and it can actually be kind of pointless because, as Anthony said, people will find a way to invest as little as possible, and that'll defeat the purpose of it. You'll get your checkbox for your compliance, but compliance checkboxes are only part of what keeps security professionals up at night, right? It's the actual fact that they need the training, as Anthony said. So far better is what I call drip training. Now, I don't know if that's an industry term; I don't think I made it up, but I'm running with it anyway. What it means

is that employees, on an ongoing basis after they do their onboarding, will get an email or some prompt (it could totally be through Slack or whatever other asynchronous communications) that directs them to this month's training, which should be a three to seven minute chunk of training. If you're using a more formal platform, most of them will have modules that are about that size, and that'll be this month's module. It should tie into a theme or some other activities you're doing in your program; we'll talk about that in the calendar ideas. That's their task for the month, and then next month, or whatever cadence you

choose, look at the next installment. And so throughout the period of the year they'll have covered all of the required training. If they have outstanding modules that they haven't done, then those have to be finished up for their compliance. So this keeps it interesting; they can do the courses at their leisure or all at once. It just gives people a lot of flexibility, and gives your org flexibility if you have people in really different job roles. Also, in more mature organizations, how do you enforce this? Well, as I said, you've got your executive-approved security awareness and training policy, which says some

training will be done on onboarding. You'll have exec buy-in, specifically buy-in that the completion be tracked and reported, and again most platforms will allow you, especially if you have AD integration, to track and report back. But it also needs to be tied back into your year-end performance reviews, right? I have to have my fire safety training done; I also have to have my security training done before the end of my review year. That's one of the most common approaches: so many other training things are tied into that, so let's use the same thing for our security training. Lastly, you have a plan for the training, but if you

just have an event where somebody goes and plugs in a USB stick and your security team spends three days cleaning up malware, your program needs to be able to respond to that. You need to be able to pull that in; you need to have some stuff in reserve about USB so you can put it out there with that month's batch of training, because everything's context dependent. And as Anthony said, there's different kinds of learners, that sort of experiential learner of "oh my goodness, I remember so-and-so, that happened", right? That makes it a lot more current, and you do need to be able to respond to that, because that's going to

just make it all that much more real for everyone and make them see a little bit more value. Okay, so you've got your formal training set up; now you're going to look into maturing your phish training. So, next slide. One of the elements of a fully mature program, and Anthony alluded to this even sort of in the initial part, is that it's potentially asynchronous, especially if you're a larger, diverse organization, right? You need to be able to send potentially different phishes to different groups, but also your platform needs to be able to create dynamic groups based on responses to phishing. So if a group fails a phish test,

you need to be able to resend a phish test to that group. In larger orgs you can't do that manually; you have to be able to say, okay, everyone who failed this, make a group, and we're going to resend a phish to them. Then, if you can, with that dynamic grouping, for those of that group that pass, you can generate a lot of goodwill by sending them an email saying, hey, did you know we sent you another phish and you caught it, so congratulations. That can generate a lot of goodwill, because people often have a lot of baggage when they fail,

and then again, it will also allow you, especially if your phish training and your security training are tied in, to create a group from that of the people who failed the second time and direct them specifically towards some training as well. But these groups need to be able to be created dynamically. At Fraser, with forty thousand people, my team can't be manually managing these things. And then your decisions need to be data driven. You need to see if your training is working; you need to know if maybe certain groups are more vulnerable to certain kinds of phishes, on the night shifts, right? That's really

relevant when you have a large org; you have to start focusing in on those kinds of things. And it means your reporting will change over time as well. Some platforms have robust reporting, but sometimes you also have to export it, depending on what other attributes you want. That is going to have to change over time, because your executives are going to get more mature in the detail that they want to see as well. Okay, so you've got phishing and training maturing as we go. What are some other tools that we can use? There's lots of options, but the

keys are to make sure, first of all, that they're custom. You need to hack whatever you see and make sure it works in your org, so anything that you see in a book or on slides, you need to use that as a placeholder for what you're going to develop, right? You can't just parrot stuff across. And in the same vein, it has to be authentic. If it looks like you're just replaying stuff from Microsoft's website, or re-running it, or running a canned webinar, your staff aren't going to be impressed and they're not going to be engaged, right? All of this has to provide them some value. Phishing training they're obliged to do;

but attending your programs, participating in your contests, and all that has to provide them with something tangible, or they simply won't engage, right? Really useful, actionable information, like "hey, here's something about password managers", that's the sort of thing. Swag is also something that you can provide them; we're human, right? At Fraser we have these cool mugs that say "passwords are like coffee: not for sharing". We also have socks that say "socks are like passwords: you always need more than one". Yeah, we're just totally going with the sort of cheesy nerd line. And to give away, I have a little stack of tiny notepads that say "don't write

your password here". To which my adult children... I always forget the password for our wi-fi, and then when guests come I have to ask them, so they actually took one of these, wrote our wi-fi password on it, and then laminated it, and that's what I have to hand to staff. So I don't know why other people take me seriously, because my children evidently don't. But anyway, that's an aside. Security champions: this is one of my favorites. It's great, but you have to have a formal program for this; you can't wing it, right? Because it's complicated. They have to get something from you: more training, swag, kudos. And

we have to get something from them: they have to get our messages out to the teams. But there's another element of the two-way street that we need: they have to bring information back to us so that we better understand what their segment of the organization needs. So, "wow, those mugs are great, but they're really heavy for kids", if that's relevant; or "wow, everyone really appreciated that email last night, but the night shift kind of didn't understand it because it's really not relevant to their work"; or "hey, that article on password managers was great for most of us, but a

lot of our ESL people struggled to understand it, so we might just want to rephrase that a little bit". We need our ambassadors, champions, whatever you call them, to help us change security culture, but they also need to bring things back to help us change our security program. There's lots of resources out there on security champions programs; most of mine is anecdotal, so I won't go into too much detail here. But remember, it can be a really fun and rewarding part, so don't leave it out. But it can't be your first step, because

it's not as simple as it seems. One of the other things: content, right? If you have a website that has constantly changing content that's relevant, that's another thing that you can use to drive engagement. If you have an internal comms or intranet team, you actually want to use all the tricks from your intranet group, because you want to make sure it's new content. From a security perspective, you have to make sure that there's no stale content, and there cannot be incorrect or out-of-date content, or you'll lose all credibility. But that's another one; one day I'll have to do a whole session

on different outreach options. But for now, there's often a lot of talks about this sort of thing at a lot of conferences. One suggestion I can make is, if you're large enough to have a marketing department, and Anthony alluded to this, talk to your marketing department, because they're used to marketing outside; ask them to work with you to market inside, right? And they actually find it quite interesting. One of the things they will probably tell you to create, as will your intranet team, is a calendar. So, for the next slide, this is where you set a theme for each cadence,

right? You match up your articles, your blogs, your training, and then you're planning ahead. So what I've done is, here's all the different things we have: our overall theme, and then we have our blog, and we have our webinar, and we have our email tagline, and we have what outreach we're doing, what training we're giving to specific groups. That way, for each month, you can just figure out everything that's relevant for that month and base it back on the theme. It just allows you to plan ahead, and it gives you a structure. I also have categories for my

articles, like "definitions", "real life" (which is what's it like in our org) and "in general". Every now and then I just make up a bunch of topics, fit them into those categories, and then in my calendar I alternate between the three categories. So all I have to do is find a definitions topic that's about frontline workers and boom, I have my topic for the time. It's just kind of a way to hack what can be a really large issue. And when you have all this, it doesn't look like it's done by frantically understaffed security

analysts. So, next slide. The elephant in the room is that a lot of this can actually be leading horses to water, like we talked about, right? All this effort can make them aware, and we talked about awareness of the issues, but also awareness of the power that your users have to protect against the issues. But it's not actually going to make them care unless you have that as a central tenet of your program, right? I'm aware that jaywalking is a crime, right? But if I think the road looks clear, I don't care, I'll do it, because there's really no consequence unless I get caught, and I don't see any cops. But

if I see a little kid, right, I'm often not going to jaywalk, because there's a real reason not to: that kid could copy me and run out. So suddenly I care about that, because there's a relevance to me, and so I'm going to make better choices, right? So: what can I do to protect my organization, which is everyone around me as well as myself? But then the next step is, can they actually do that? Just because they are aware, and then they care, are they in a position to always make the right choice? This means embedding security in the way we approach a lot of things. For instance,

your DLP stops them from sending certain files by email. Great, but at that point you also have to make sure that they're then informed how to send those files safely, right? Because when was the last time, if ever, that that information was presented to them? Maybe at their onboarding a year ago; it's not going to pop into mind. So can we have that info be part of the message that tells them they're not allowed to do that? Right: the organization does not allow this to happen; here's how you can send files. It has to be presented in context. And yeah, that's a very specific ask to your IT department, right?

And that is the key to the cultural shift; that's the key to a real cyber-safe security culture. It's that second-order effect, right? Your IT department has to be invested in security like the average user, but also in the implementation of their work, so they're not just worried about not clicking on USBs, but they're also going to hear your requests and go, "oh wow, yeah, that makes total sense, we need to do that", because that's going to make everything that much more secure. And that's what I mean by that second-order effect: everyone has to care, everyone has to be making

the right choices, but the whole organization also has to be working to make sure that people can make the right choice when they are, because as we know at the coalface, it's all about friction, so people will take the easiest path. Next slide. People will be doing their job; they're going to do it. They need to do their job, right, and to do their job faster and better. And that statement is benign, not critical in any way, because I jaywalk. But it's critical to creating that cyber-safe culture. It's not just those first-order things like people using safe file transfer methods, but also needing to

permeate the culture, so we don't do things like this. We can't just have security not allowing people to do things; we need to be creating an environment where making the right choice is the easier choice to make, so that we don't end up with things like this picture on the screen. So that's it. Awesome, thanks Penny. All right, so now I know we do have some questions. Let me just get out of the screen here and we'll see what we can answer. Okay, yeah, just looking at the... well, apparently we should give a lot of food as well; apparently food's a good choice.

Yes it is. So just one question I wanted to answer quickly, because I know that one will be easy to answer: would it be possible to get a copy of these slides to refer back to later? Feel free to reach out to me on LinkedIn if you want an actual copy of them; however, this event is recorded and will be posted on YouTube, so you will be able to reference this whenever you'd like. Anthony, can I answer one question here, or one comment? I see a couple of times people have said, you know, "security is not everyone's job". Unfortunately I didn't get a chance to watch that, but

yes, and then more sort of the next level of some of the conversations I was having is that you as a security team, but not even as a security team, as an organization, if you can do the thing so that the user never has to be given the choice, absolutely, that's the next step to take, right? So if we can make it so that if they try to put the stuff in their email, it routes it securely and then it's not an issue, absolutely we want to get there. But we're not there yet, and not everything can be done that way. So I totally agree, and I will go back

and watch that presentation. But that's in many cases a level of maturity that I think a lot of organizations aren't necessarily at yet. So, agreed. Yeah, we haven't had a chance to look at all the questions as we were speaking. Another question we have, and this one's probably closer for Penny: in a security awareness program, say for two to three years we developed and gave training on various topics like phishing, malware, passwords, especially for existing non-technical people. How do we make it more interesting after two to three years, because existing staff would have gained information about common awareness topics? Yeah, you know what, if you don't have a champions

program, I would say that's definitely an opportunity to get some of your security champions to design some training that's really focused on sort of what they've learned as they've gone along. That, I think, just ties back into needing to be constantly updating it as well. And again, I don't know what your budget is, but develop some contests or treasure hunts, whatever, where all of the things that they need to learn about passwords they have to actually put into practice in certain environments. So there's lots of things, but it all just ties

back to that thing of having to just be changing it up every year, and maybe having one stream for the newer people and another stream for the people who have been there longer, maybe where they can even just challenge the quiz and not necessarily have to do the training. So I think we might be at our time. Yeah, I think we are. Are we moving to another session to answer more questions? Ashley, I just want to confirm, because I know another speaker is coming on in just a minute here.

All right, I think in that case we'll just have the next speaker hop on. If you have any questions, absolutely feel free to reach out to either of us on LinkedIn; probably an easier way to get in touch with us. And from there I guess we'll pass it on to your next presenter here.