
Implementing Effective CyberSecurity Awareness

BSides Calgary · 2020 · 22:22 · 106 views · Published 2020-12
Transcript [en]

Okay, so, jumping right into it: it's about 3:55 pm and I think we have about 50 minutes to take this presentation and also take questions. So the topic I'll be discussing is implementing an effective cybersecurity awareness program, and from my slides you definitely see the reason why this is such an important topic. My name is Sherifah, basically just the way it looks, Sherifah, so no problems, I'm sure everyone can pronounce it, it's quite simple, but for short you can also call me Sherry if you feel more comfortable with that.

Okay, so, great. I'll start off with a little about me. This is me: I'm a cybersecurity specialist at UFA. I started pretty recently and joined a wonderful team. I have CISSP, I am an ISO 27001 Lead Implementer and Lead Auditor, and also a Certified Information Security Manager. I'm a mother and wife, I have three children, all 10 years and under, so you can imagine my life right now. And then I love to travel, I love to cook. The picture on the left is me at a place back home in Nigeria; I'm originally from Nigeria, and it's a place called Olumo Rock, part of my traveling experience. I had to go there to have some fun, and I attempted to take a jump, and this is the best I could do. Well, good for today. So I just thought I'd give a brief introduction about me so you get to know me better.

So what's the agenda, really? This is a reminder. I'm sure we are all security peeps here; there's nothing I'm going to talk about that you probably haven't heard before, but it's just a reminder of why we need a good cybersecurity awareness program. So that will be the first topic I'll cover, and then I'll actually describe what an effective cybersecurity awareness program is, and then we take questions. Just three points, nothing too complicated. So just a quick disclaimer: all thoughts are definitely mine and may not necessarily be those of my employer, but of course I don't think I'm saying anything that's totally wrong. So, just to say this as a disclaimer, and we go right into it.

So let's start with why. Why do we need a good cybersecurity awareness program? Basically, first of all, if you look in the news there's a lot of information out there, different reports: phishing remains one of the predominant attack vectors that attackers use to perpetrate their attacks. Phishing is one of the most active vectors used. By 2021, global cybercrime damages would cost about six trillion dollars annually, 20 billion of those due to ransomware, which phishing can also be used to deliver, and that is up from three million in 2015, just about five years ago. This was gotten from the annual cybercrime report. And then a bit of the information I was able to get during my research for this talk: more than 27,000 attacks in the first quarter of 2020 were as a result of phishing; similarly, in Q2, over 20,000 attacks as well. For the fifth quarter in a row, Canada has been by far the most frequently targeted country in terms of phishing attacks, and you see why in the next slide, not necessarily why, but more information around that. In Q1, of all the targeted phishing attacks, 66 percent came to Canada. I really don't know why they're focusing on Canada for 66 percent. This is from the RSA Quarterly Fraud Report. As well, in Q2, 59 percent of phishing attacks came to Canada. Now imagine if your colleagues, your employees, are not aware. Imagine the state if we keep falling for this, if as a country we keep getting targeted and our employees are not aware; imagine what the situation would be. So this is me trying to shape the reason why this topic is so important.

And I'm also going to further buttress that with this scenario; I'm going to share two scenarios. So this is scenario one. In a normal situation it may not be this straightforward, but this scenario is a possibility. So I have my guy there, the bad guy, who has gone to investigate and really research this company, to understand what payroll system they have. He's looked at their logo and he has designed a fake page, a fake payroll page, and has hosted it somewhere. Then he also designs this spear phishing email, puts the link to the payroll page in the spear phishing email, and sends it to the organization. Of course, he's looked up their email addresses on LinkedIn and seen a couple of people, and then sends that email to them, and they fall for it. A couple of people, because of a lack of proper awareness, fall for it. The email basically says, "Oh, this email is from HR and we need you to update your bank account details," for some reason, "so that you don't miss your salary payment for this month or for this week." And nobody wants to lose money; I don't want to lose money. So definitely some people quickly update it, and then they send off their credentials to the fake page. The bad guy captures these and uses them to log into the real payroll account and then updates it, puts in his own bank account. HR credits the wrong account, employees are going without their salary, and the salary has gone to the bad guy. Of course it may not be that straightforward, but this is the possibility of what can happen when your employees are not really cyber aware.

Scenario two is very similar, not quite like the first example, but very similar to it. This time around he's sending a phishing email containing a payload. Of course he sends it to the admin, who obviously has admin rights on his machine and can execute files. He receives that and, without due diligence, runs it. It encrypts the disk, and because he has real-time online synchronization to their cloud storage, that also gets synced to their cloud. So he's lost his laptop, there are lots of files on his laptop, there are lots of files on the cloud as well. Then the bad guy is happy, and they happily demand the ransom, or, worst case scenario, beyond the ransom, they could even blackmail them, threatening to publish the information on the internet and affecting their reputation. So all of these are really things that should give us concern as an organization, and even beyond that, in our personal lives. I had a colleague some time ago, and his wife is a photographer; she had taken wedding pictures for some of her clients, and unfortunately she was a victim of ransomware, where all the lovely photos she took were all gone. What is she going to say to the bride and groom? They cannot replace the wedding. So it was a lot of issues.

So beyond just that organization, these are real scenarios where phishing, where your employees not being cyber aware, could actually cause a lot of issues for your organization. So we move to the second agenda item, which is: what should you do? What should you do to actually limit or minimize the risk? First things first: your security controls, your technical and your management controls, must be watertight. So I'm not here to preach, to say cybersecurity awareness, awareness of your employees, solves everything, a one-size-fits-all. Definitely not. Your security controls must be watertight; they must be top notch. You have to implement your security controls like your users are not aware, and also create awareness like you don't have controls at all. So we've had a lot of talks about defense in depth today, about things to do to ensure that your security is up to par. We had very fantastic speakers all through today; I've actually learned a lot. So having your cybersecurity awareness program supporting all of those efforts that you've put into your security controls is actually the way to go. To have a balanced cybersecurity program is like a three-legged stool: you need the technology to be tight, your people really need to be aware, and then your processes have to support all of that as well. So, which is why I wanted to put this first as the first thing you have to do: you cannot overly rely on the awareness of the users, because we are people, and humans tend to make mistakes. So your security must be designed in a way that it is proof against those mistakes when they happen.

Okay, so, getting that sorted, then when we come to the actual awareness program, what are the things you have to do? You have to make sure your awareness program is institutionalized, which means that it has to be part of the DNA of the company. And the best time to capture this for your employees is when they are just new on board, when they are coming on board as new employees. As part of their induction or their onboarding program, it's good to put in some cybersecurity awareness for them, because, trust me, the best time to capture any employee, before they get busy with their work and get into the system, is when they are new. At that time they are eager to learn; they are eager to learn about the company, they are eager to learn about what matters to the company, they want to learn all the things that the company takes as very important, and at that time it's good to put in cybersecurity awareness so that they capture it right there and it forms part of their culture and their mindset as they go along with their work.

Use the same language. The second point I want to talk about is using the same language. If you look to the right, this was a survey I got from a report from Proofpoint about what employees even know. We tend to use some language that the employee would struggle with. About 15 percent didn't know what the meaning of phishing was; in a particular company, about 15 percent of the employees did not even know the meaning, then some 24 percent didn't answer correctly, and then 61 percent knew the meaning of phishing. So what exactly do you do? Do your employees know? When you carry out those phishing awareness programs and you put in words like "phishing," do they actually know what it means? Have you checked to even know? Okay, what kind of language? Rather than say "phishing," should I just say "malicious email," which they'd better connect with, depending on, as you build on, the cybersecurity maturity of the organization? So check the language; make sure that your language with your users is in sync with the level of your colleagues and your employees.

Then, personalize your awareness. If there's nothing else you're going to take away from what I'm saying, this is a very important aspect: personalize your awareness. Every time when we create awareness and we make it seem like it's just about the organization, we tend to lose our colleagues, because they have a lot to do. Trust me, a lot of people have the work they're doing, and if you make your awareness seem like another chore, another piece of work for them, they sometimes will just disconnect from the whole program. But when you personalize it, when you make them see that this is for you, not only for the company, this is for you: how you yourself can lose your personal money, how you yourself can lose your information,

how you could suffer an identity theft attack, a clone of you could be out there somewhere because you're not doing your due diligence to make sure that you are taking care of your personal information. That way they tend to connect to it. Don't make it seem as if it's all about your organization; make your awareness program connect with your employees on a personal level. Let them see it as being for them, let them see it as if you're creating this awareness for them, and then they can connect with it more, and that way they imbibe it and it becomes part of them. And when it becomes part of them, guess what? They bring it to work, and the same thing is going to happen in what they do every day as they do their work.

Cybersecurity maturity level matters a lot. So when you're doing your awareness program you cannot do one size fits all, which means that you cannot dish out the same program for everybody. If you've been doing your cybersecurity awareness every time and on a consistent basis, you will be able to gauge the security awareness level of your employees. You know, okay, maybe a particular department or unit tends to fall for this kind of simulated phishing attack; should we focus more on this department, on this topic area, should we do this? So you should be able to have that cybersecurity maturity level, to have an idea where your organization is, and then be able to program your awareness accordingly, with the level in consideration.

You need continuous awareness. It shouldn't be an October thing, like, you know, Cybersecurity Awareness Month is October, and every year that's the only time you get to talk about cybersecurity awareness in your company. You need to have a plan for your cybersecurity awareness program. You need to know, okay, what are we going to do this month or this week, what do we do to make sure that it's continuous? Because of employee turnover, employees come and leave; you have new employees joining and you have some leaving. It's important that your awareness is continuous; it's not just once a year and then on to the following year.

And also, sharing similar stories, similar stories from within the organization. Yeah, some people may not agree, maybe for fear of being stigmatized, or of appearing like a failure; they don't want to talk about it. But part of what I encourage is that if someone has fallen victim, or actually even failed the phishing test, it's good to talk about it so that people know that yes, anybody can fall for this. And then

sharing that experience actually shows that yes, if this person has learned from this experience, I can also do that. So sharing your personal experience, similar stories, actually helps, and helps other people to connect with it. Or from the industry: if a similar organization has been in the news that this happened, it's been breached because of a phishing attack or something similar, it's good to share such information with your colleagues so they actually know that these things are happening, and it's not just the security team saying that this happens.

Then test, test, test: simulated phishing attacks. There are a lot of tools, automated solutions, that you can use to test your employees, because if you don't test you are unable to determine the level of awareness of your colleagues, where they are, and you won't be able to plan your security awareness program properly. So I recommend that you test and use the results of the test accordingly.

Then consequence management. I know this is a big control; there's a bit of controversy around this. A lot of people may say, "Oh, why should I get punished for a mistake?" But it really depends on what you call punishment. So I know a lot of organizations try to monitor a colleague or an employee over time. So if you fail the simulated phishing test the first time, your consequence may be to go take a training; it could be an online training that you take for an hour or a few minutes, just to help you do better next time. By the second time, if you're failing, they take a bigger step, so it could be a one-on-one discussion with the manager, or with the departmental head, or with the CISO, or someone, just to get to know why. A lot of people don't want to be in that category, having to sit down to talk about, okay, why are you failing phishing tests, what's the problem, and things like that. And then in some organizations, after the third time, I've seen some organizations even taking it as far as termination, where they ask the employee to leave, because such organizations believe that they're only as strong as their weakest link. And in some cases, in a practical case we have seen, they've actually put it as a missed performance objective for such a colleague, so even if the person had met all the performance objectives for the year, the fact that he consistently failed the phishing test for the third time in a row could actually be considered a missed performance. So if employees see that there's consequence management at work, they tend to sit up. But like I said, it's very controversial; it depends on your company's policies and what governs the operations of the company.

And of course, a phishing awareness solution. Like I mentioned before, there are a lot of phishing awareness solutions on the market; I'm not going to market for any company, but I know there are many phishing awareness solutions that you can use to automate your testing, to automate your training, to make your reporting easy, and to help you make insightful decisions from it. That makes your life easier: you don't need to develop awareness materials from scratch or do your reports manually, and things like that. That really helps.

Make reporting of your security incidents very easy. This also ties to the phishing solution: a lot of phishing solutions do have add-ons that they deploy with their solution, a plug-in on Outlook that people can easily use to report phishing emails. But even if you're not buying a solution, you should really make it easy. Your employees should know where to report their security incidents; they shouldn't have to think hard about it, it should be in their faces. If I have a suspicious email, or if I suspect that something is going wrong and I don't seem to understand it, or if I've accidentally clicked on a link I shouldn't have, I should know who to go talk to immediately without having to overthink it.

And then measure your program. You want to know how good it is. Your investment in the phishing solution, your investment in creating the awareness program, is it even working at all? You want to know, in this quarter or in this month, what was the performance from the simulated phishing attacks that you've had, what were the areas, what kind of emails did people fall victim to, and what else can you do to improve on it? You want to know the number of reported cases, the performance of simulated attacks, so that this can help going forward.

So as I'm rounding up, I want you also to take the commitment that you will do better. And what I'm saying is, wherever you are, you could raise your hand and say it. I'm going to say mine, and I'm going to mention the name of the organization where I work, and I'm committing: "I, Sherifah, commit to building a culture of security at UFA, because I know that anyone can be a target and I want to keep UFA secure." So that's it, folks, about my presentation. If you've got any questions, I'm happy to take them,

and then that's my Twitter handle. Basically nothing much happens there, but I'm mostly on LinkedIn, just my name on LinkedIn, and you can find me there for this discussion. I hope this has really been insightful. Like I said, it's just a reminder; it's basically nothing you haven't heard before, but it's just a reminder of the importance of a cybersecurity awareness program in our organization. Thank you so much for spending time and coming to hear me. Thank you, bye.
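The talk's advice to test, to use the results to gauge maturity per department, to escalate repeat failures in steps, and to measure the program, worked through as an added example (not part of the talk and not UFA's own tooling): a Python script over a constructed phishing-simulation export that computes per-campaign click, credential-submission and report rates, per-department click rates, and each user's trailing run of failed simulations mapped onto the three-step ladder the speaker described (refresher training, one-on-one, missed performance objective). The field names, campaign identifiers, the three-step ladder's wording and the sample rows are all assumptions about what a simulation tool would export and what a given policy would say.

```python
"""Phishing-simulation metrics and escalation tiers (added example, constructed data)."""
from collections import defaultdict

# Assumed export columns; real tools name these differently.
FIELDS = ("campaign", "user", "department", "clicked", "submitted", "reported")

# Constructed sample export: one row per recipient per campaign.
# "clicked" = followed the link, "submitted" = entered credentials on the
# landing page, "reported" = used the report-phishing button.
SAMPLE_RESULTS = [
    ("2020-Q1", "alice", "finance",     True,  True,  False),
    ("2020-Q1", "bob",   "finance",     False, False, True),
    ("2020-Q1", "carol", "engineering", False, False, False),
    ("2020-Q1", "dave",  "engineering", True,  False, False),
    ("2020-Q2", "alice", "finance",     True,  False, False),
    ("2020-Q2", "bob",   "finance",     False, False, True),
    ("2020-Q2", "carol", "engineering", False, False, True),
    ("2020-Q2", "dave",  "engineering", False, False, False),
    ("2020-Q3", "alice", "finance",     True,  True,  False),
    ("2020-Q3", "bob",   "finance",     False, False, True),
    ("2020-Q3", "carol", "engineering", True,  False, True),   # clicked, then reported it
    ("2020-Q3", "dave",  "engineering", False, False, True),
]

# Assumed three-step ladder, following the talk's description of consequence management.
ESCALATION_LADDER = {
    1: "assign refresher training",
    2: "one-on-one with manager or CISO",
    3: "record as missed performance objective",
}


def parse_results(rows):
    """Turn raw export tuples into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in rows]


def campaign_rates(records):
    """Per campaign: fraction of recipients who clicked, submitted credentials, reported."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rec in records:
        c = counts[rec["campaign"]]
        c["sent"] += 1
        for key in ("clicked", "submitted", "reported"):
            c[key] += int(rec[key])
    return {
        campaign: {key: round(c[key] / c["sent"], 3) for key in ("clicked", "submitted", "reported")}
        for campaign, c in sorted(counts.items())
    }


def department_click_rates(records):
    """Click rate per department across all campaigns: where to focus the next round."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for rec in records:
        sent[rec["department"]] += 1
        clicked[rec["department"]] += int(rec["clicked"])
    return {dept: round(clicked[dept] / sent[dept], 3) for dept in sent}


def consecutive_failures(records):
    """Length of each user's trailing run of campaigns in which they clicked.

    Campaign ids are assumed to sort chronologically (e.g. 2020-Q1 < 2020-Q2);
    a click counts as a failure even if the user reported the email afterwards.
    """
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["campaign"]):
        by_user[rec["user"]].append(rec["clicked"])
    streaks = {}
    for user, outcomes in by_user.items():
        run = 0
        for clicked in reversed(outcomes):
            if not clicked:
                break
            run += 1
        streaks[user] = run
    return streaks


def escalation_actions(records):
    """Map each user's current failure streak to the ladder step (capped at the top step)."""
    top = max(ESCALATION_LADDER)
    return {
        user: ESCALATION_LADDER[min(run, top)]
        for user, run in consecutive_failures(records).items()
        if run > 0
    }


def summarize(rows=SAMPLE_RESULTS):
    """The quarterly numbers the talk says to track, in one structure."""
    records = parse_results(rows)
    return {
        "campaigns": campaign_rates(records),
        "departments": department_click_rates(records),
        "escalation": escalation_actions(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

On the constructed data the report rate climbs from 25 to 75 percent over three campaigns while the click rate stays flat, which is the kind of trend the "measure your program" point is asking for; the per-department view shows finance clicking twice as often as engineering, and only the users with a live streak appear in the escalation output.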
