5 Steps to a Cyber-Safe Culture Jennifer Erena Integrity IT
Welcome to 5 Steps to a Cyber-Safe Culture. I am Jennifer Erena from Integrity IT; we are a Managed IT Services Company from Lexington, KY, specializing in Cybersecurity. My background is in healthcare as a nurse at a local hospital. I worked with the IT department on clinical technology projects, which led me to working as a clinical analyst with Integrity IT. My desire to learn and teach led me to the sales and marketing team, where I join you today.
For many years, IT security was managed by the IT department. “Our IT Guys handle that.” We hear it all the time. Many employees, especially the previous generations, are generally afraid of technology and try hard to avoid even talking about it. Many executives simply don’t have the time for it. Gone are those days. The IT departments are more like superheroes than ever before when it comes to staying ahead of the troubles. They can implement all kinds of cool technology to monitor and block malicious activity, but the weakest link is your human employees. Employees are involved in more than 90% of successful breaches! Hackers prey upon the vulnerabilities of human beings because it works. Hackers steal your data because it’s valuable. Data has become an industry of its own – a very profitable and growing industry.
Hacking is a Prosperous Business!
Social Security Number – $1
Online Pay Service – $20-200
Drivers License – $20
Passport – $1000-2000
Medical Record – $1-1000
Diploma – $100-400
Credit or Debit Card – With CVV $5; With Bank Info $15; Fullz Info $30
With these Dark Web prices, hacking is not going away. As long as there is money to be made, hackers will thrive. Even “old data” is valuable. The amount of fraud committed based on breached data that is 2-6 years old has increased by nearly 400% over the last 4 years, to $3.7B in 2016 (according to a 2017 Javelin Strategy & Research presentation). From Experian: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ Fullz info contains a “full package” for fraudsters – SSN, BD, account numbers, other.
Breaches are Costly to Businesses! Average Cost of EACH lost or stolen record containing PII/PHI
Profitable for the hackers, VERY costly to the business. The company cost burden for each record stolen continues to rise. The average cost of EACH lost or stolen record containing Personally Identifiable Information / Protected Health Information is up to an average of $148. Do a quick calculation for your number of records. For those in the healthcare industry, the cost is even higher at an average of $408! Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record (IBM Study): https://www.hipaajournal.com/healthcare-data-breach-costs-highest-of-any-industry-at-408-per-record/
What Can Increase The Cost?
Being in the United States
Third Party Involvement in the Breach
Extensive Cloud Migration at the Time of the Breach
Here are a few factors that increase the cost of a data breach: being in the US; third party involvement, which happens more than half of the time (vendors and business associates with ties to your network must be asked to prove how they protect your data); and extensive cloud migration at the time of the breach, which adds another level of complexity and cost. The Stolen Data Industry is devastating to ALL businesses. The statistics are shocking.
This one is worrisome – 60% of small/medium businesses hit by a data breach close within 6 months. So, is it your “IT Guy”, IT department or managed IT services provider not doing a good job? Perhaps. Cybersecurity has become a specialty for advanced security engineers. Even if your technology is confirmed and validated regularly through Security Audits, you still have a problem. What can be done?
What Can Lower The Cost?
Prompt Identification and Containment
Incident Response Plans and Teams
Extensive Use of Encryption
Employee Training
Reducing the cost is not unlike any other threat or natural disaster. Except, currently it takes an average of 3 months to LEARN of a breach. The faster you can identify the breach and contain it, the less it can impact your system. This is best done with a solid plan and a response team. Every Windows 10 device can be encrypted – you need to turn it on. Apple has encryption on its iOS devices. Companies that train their employees in information security best practices spend 76% less on security incidents than their non-training counterparts.
Information Security is involved in every aspect of your business, so everyone associated with your business has a role in protecting it.
Security Is All About People – people who hack and people who protect. People require knowledge and training. I mentioned that employees are involved in more than 90% of successful breaches. Usually it’s due to lack of training or negligence. But over a quarter (28%) of attacks involved insider threats. The insider threat can be particularly difficult to guard against – it can be hard to spot the signs if someone is using their legitimate access to your data for nefarious purposes. Research by the Ponemon Institute found that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever. — Dr. Larry Ponemon, Chairman, Ponemon Institute, at SecureWorld Boston
Employee Role in Breaches
Causing: Email Compromise; Clicking Malicious Links; Opening Malicious Attachments; Entering Credentials on a Fake Website; Downloading Malicious Software; Allowing Access; Theft of Data for Personal Gain
Preventing: Learning about Risks; Identifying Suspicious Emails, Links and Websites; Questioning Unexpected Requests; Verifying Unusual Requests; Protecting the Environment
Humans are our weakest link and the cyber criminals know this – when they prey on human weaknesses it’s called social engineering. We have some technology that helps humans avoid mistakes, but best security practices rely on training, workflow and policies. Email is the leading method used by hackers, from tempting the user to click a link in a phishing email to stealing credentials in order to learn about the company’s processes, approvers and workflow and pull off a more lucrative hack.
No technology can prevent human nature. One of our engineers arrived at our client’s office to obtain a backup of all their data. He forgot his badge and his keys to their server room. He had never met the client’s employees. Do you think he was able to download their data? Why yes, they led him to the server room, unlocked the door and he spent 2 hours downloading all their Protected Health Information onto a portable drive. As he was leaving, he used the opportunity to train them on data security. Your employees guard the front lines – they need to identify risks, question unusual requests and protect the physical environment.
Boost Your Defense We want to boost your defense. EVERYONE needs to have a basic understanding of cyberthreats and actions to protect self and employer.
CREATE A CYBER-SAFE CULTURE
A Cyber-Safe Culture is for humans, not technology. Culture defines the proper way to behave within an organization. Here are 5 steps to building a Cyber-Safe Culture.
Core Values
STEP 1
Step 1: Include it in the highest level where people get their direction – your business values, vision and mission. Link cyber safety to these shared beliefs and values.
EXECUTIVES MUST LEAD
STEP 2
ASK YOURSELF – RESPOND HONESTLY Are the executives exempt from following best practice policies because they “get in the way”? Do you “practice what you preach”?
Step 2: A Cyber-Safe Culture Must Flow from the TOP. Cybersecurity is NOT a grassroots campaign. Cyber-Safe Best Practices must be demanded by leadership and practiced by leadership. ASK YOURSELF – Are the executives exempt from following best practice policies because they “get in the way”? Do you “practice what you preach”? We’ve seen many organizations that have policies for employees and either different policies for the executive team, or an ongoing “free pass”. This is asking for trouble.
Creating a Cyber-Safe Culture
Establish your cyber safety plan with your Leadership team. Empower your leaders to engage their teams and build enduring cyber-safe habits.
COMMUNICATE TO ALL
STEP 3
Build into your routine communications: Daily Huddle; Internal Newsletters; Town Hall Meetings; Posters. Remember to Include Contract Employees and Services.
Step 3: Communicate Cyber-Safety To ALL. Include cyber-safety in routine communication methods – daily huddles, emails, newsletters. Review outcomes – successes and failures – at quarterly town hall meetings. Posters are good, but must be changed out for fresh messaging and placed in a location that will capture attention – like the bathroom stalls. One company called them “potty posters”. Don’t forget contract employees and services that are not always present during the typical workday. Bottom line is an employee must be aware before they can be held accountable. Tailoring communication and training to each role improves the ability of people to transfer their knowledge to their job. Leaders and employees must see exactly how they impact the overall safety of the company.
REINFORCED TRAINING
STEP 4
Ongoing Training
o Repetition is the mother of learning
o Weekly Tips
Positive – Face Challenges with Optimism, Not Fear-Driven or Punitive
o Use incidents as learning tools
o De-identify
Personal – YOU are our number 1 defense
Step 4 – REINFORCED TRAINING. Annual training just won’t cut it when it comes to cybersecurity. Visual cues and weekly tips are needed to keep the content on the mind. Reinforcing the content leads to incorporation into habits. Adult learning research consistently shows that videos help provide an enjoyable learning experience, boost engagement, and improve the transfer of knowledge. Employees must be aware before they can be held accountable, but you don’t want to create a fear-driven or punitive environment. A healthy paranoia around cyber threats is good; a feeling of failure is not. Look first at workflow, policies and training. De-identify reports and incidents and use them as a training tool. In policies and written information, avoid using “the employee” and “the company”; use personal language – YOU are our number 1 defense.
What I hear, I forget. What I see, I remember. What I do, I understand.
We’ve heard the saying – What I hear, I forget. What I see, I remember. What I do, I understand. The learning curve also has a forgetting curve. Research shows that within one hour, people will have forgotten an average of 50 percent of the information presented. Within 24 hours, they have forgotten an average of 70 percent of new information, and within a week, forgetting claims an average of 90 percent of it. This study shows that visual, verbal and participatory learning methods work better in the long run.
People Remember What They…
Here is another way to view the impact of training methods. Email is a convenient form of mass communication, but as this study shows, it is the least effective. Once again, this reinforces the use of simulations and interactive training tools. https://www.learningsolutionsmag.com/articles/1379/brain-science-the-forgetting-curvethe-dirty-secret-ofcorporate-training
How Much Cost Savings?
Training on information security best practices saves you…
Just a reinforcement of the ROI on Training mentioned earlier… 76%! Prevention; Quickly identifying and reporting; Reduced number of records involved; Fewer people to notify; Possibly not even reportable.
HOW to ENGAGE in TRAINING Online Platforms are Cost Effective Videos Posters – simple, change regularly Games
Utilizing an established online cyber security training platform is cost effective. It is too hard to create content and gather staff for ongoing in-person trainings. It is valuable to create those in-person training opportunities to build teamwork, but make them special events a few times a year. Many online training programs use practice and scenarios instead of just providing information. They utilize proven methods – instant feedback, prompting behavioral change, enjoyable learning experiences. Some provide the user with a score like a credit score. Their score rises with each training completed and by keeping their credentials out of the dark web! They also can include Phishing Campaigns, which are a useful tool for practice, reinforcement and further training. Just make sure you are up-front with your employees that it will happen, and that it’s not meant to be punitive or sneaky.
STEP 5: REWARD
STEP 5
Reward for time and effort Reward for doing the right thing Ways to advance their role for being Cyber-Safe Champions
Step 5: Reward folks for keeping your business secure. Perhaps a gift card for scoring 100% on the annual training module. Points for completing weekly modules on time, with ways to use the points to get special privileges or prizes. Prizes or recognition for achieving the highest safety score or preventing a breach. For those who champion security, establish ways to advance their role: Security Team Lead, Security Mentor, Member of Security Team, etc. We hope you boost your cyber security program using these 5 steps. To help businesses start building their employee cyber-defense team, we can set up your business with a FREE online training platform. I will tell you more about that in a bit. First, we have a suggestion for the first topic to address – it is the most difficult daily thing for individuals and companies – Passwords.
Password Strength The Changing Landscape of Password Management Password Expiration
https://www.integrityky.com/nistguidelines/ We hear a lot about Password Strength, but some ideas are changing. The National Institute of Standards and Technology (which is a division of the US Dept. of Commerce) revised the 14-year-old guidelines in 2017. Bill Burr, the now retired 72-year-old author of the original 2003 NIST guidelines, was quoted in The Wall Street Journal as saying “Much of what I did I now regret.”
Password Expiration
Password expiration was leading to weaker passwords and to people recording them in an insecure manner to help them remember. Research discovered that when a password is compromised, it is used within a week, so frequent password expiration really offers no protection. The new recommendations are that system administrators monitor failed password attempts as an indication of possible compromise, and that systems notify the end-user when their password is used in an unexpected manner. Google does this, for example, when your login is detected from a new device. These alerts may be indications that you need to change your password. This is a hard concept to tackle – many companies with highly sensitive data perform 30-45 day password changes. If you feel more comfortable with this, you MUST have a password management system so users can always create a strong password.
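The two monitoring signals recommended above (a burst of failed attempts on one account, and a successful login from a device the account has never used), run over a few constructed login events. This is an added example, not code from the presentation or from Integrity IT; the event fields, the 5-failure threshold and the 10-minute window are assumptions.

```python
"""Added example (not from the presentation): two of the monitoring
signals recommended above, run over constructed login events. Field
names, thresholds and the window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # assumed: 5 failures...
FAIL_WINDOW = timedelta(minutes=10)    # ...within 10 minutes on one account

# Constructed sample events: (ISO timestamp, account, device id, result).
EVENTS = [
    ("2019-10-01T08:00:00", "jdoe",   "laptop-1",  "ok"),
    ("2019-10-01T08:01:10", "jdoe",   "laptop-1",  "fail"),  # a single typo
    ("2019-10-01T08:01:30", "jdoe",   "laptop-1",  "ok"),
    ("2019-10-01T12:00:00", "asmith", "unknown-9", "fail"),
    ("2019-10-01T12:00:05", "asmith", "unknown-9", "fail"),
    ("2019-10-01T12:00:10", "asmith", "unknown-9", "fail"),
    ("2019-10-01T12:00:15", "asmith", "unknown-9", "fail"),
    ("2019-10-01T12:00:20", "asmith", "unknown-9", "fail"),  # 5th failure
    ("2019-10-01T12:00:25", "asmith", "unknown-9", "fail"),
    ("2019-10-01T12:00:40", "asmith", "unknown-9", "ok"),    # guessing succeeded?
    ("2019-10-01T13:00:00", "jdoe",   "phone-7",   "ok"),    # first login from this device
]


def analyze(events):
    """Return a list of (alert_type, account, timestamp) tuples."""
    recent_fails = defaultdict(deque)   # account -> timestamps of recent failures
    known_devices = defaultdict(set)    # account -> devices with a prior successful login
    alerts = []
    for ts_str, account, device, result in events:
        ts = datetime.fromisoformat(ts_str)
        fails = recent_fails[account]
        # Drop failures that fell outside the sliding window.
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()
        if result == "fail":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:    # fire once, when the burst starts
                alerts.append(("failed-login-burst", account, ts_str))
            continue
        # Successful login: is it from a device this account has never used?
        if account in known_devices and device not in known_devices[account]:
            alerts.append(("new-device-login", account, ts_str))
        # A success right after a burst of failures is the strongest signal.
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success-after-failed-burst", account, ts_str))
        known_devices[account].add(device)
    return alerts


if __name__ == "__main__":
    for alert in analyze(EVENTS):
        print(alert)
```

The "new-device-login" alert is the one to turn into the user notification the talk describes; the other two go to whoever watches authentication logs.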
Password Complexity
https://www.integrityky.com/nistguidelines/ We thought we were being clever by using number and special character substitutions to increase password complexity. What has been uncovered is that we were being lulled into a false sense of security: hackers use sophisticated password cracking software that accounts for common letter substitutions. For example, my password might be H1gh3r$3cur1ty, with a lot of substitutions, but password cracking tools look for common substitutions like 1 for i and 3 for e.
Password Length / Pass-phrase
https://www.integrityky.com/nistguidelines/ Password length is key to password security. But LENGTH along with required COMPLEXITY creates a less memorable password. The new recommendations relax the complexity rules but promote password length in the form of more memorable “passphrases”. The goal is for users to remember passphrases without recording them in an insecure manner (writing them down; adding them to an electronic note). The longer the password, the more difficult it is, and the longer it takes, for automated password cracking tools to guess it. The 8-character minimum is being expanded, and recently 12 to 16 characters have been suggested as new standards for minimum length.
Password Length / Pass-phrase
eagleflagstormjupiter
I really like kraut and dogs
What is a good “passphrase”? Creating a passphrase of a few disconnected words that you can remember is the best practice, so an example might be “eagleflagstormjupiter”, but a sentence also provides length. Character complexity is relaxed, so a passphrase can use only lowercase letters. Some common sense must still apply: avoid using your name, address or other easily discovered personal details in your passphrase. Also, the use of “common” passwords in your passphrase is discouraged, and there are recommendations that system administrators blacklist these. For example, never use the word “password” or “12345”.
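A password acceptance check that follows the guidance in the substitution, length and passphrase sections above: length instead of complexity rules, a blocklist of common passwords and personal details, and matching that undoes the letter substitutions cracking tools already account for (so H1gh3r$3cur1ty is compared as highersecurity). This is an added example, not code from the presentation, Integrity IT or NIST; the 12-character minimum, the substitution map and the tiny blocklist are assumptions.

```python
"""Added example (not from the presentation or NIST): a password
acceptance check: length instead of complexity rules, a blocklist,
and matching that undoes common letter substitutions."""
import re

# Assumed policy values, chosen inside the 12-16 range mentioned in the talk.
MIN_LENGTH = 12
MAX_LENGTH = 64

# Constructed mini-blocklist; a real deployment would load a large list
# of breached and common passwords here.
BLOCKLIST = {"password", "12345", "123456", "qwerty", "letmein",
             "highersecurity", "welcome1"}

# Common leetspeak substitutions: substitute character -> plain letter.
SUBSTITUTIONS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                 "7": "t", "@": "a", "$": "s", "!": "i"}


def normalize(password: str) -> str:
    """Lowercase and undo common substitutions, so H1gh3r$3cur1ty
    becomes highersecurity, the same form a cracking wordlist would try."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def check_password(password: str, user_details=()) -> list:
    """Return a list of policy problems; an empty list means accepted.
    user_details are strings such as the user's name that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH} characters)")
    if len(password) > MAX_LENGTH:
        problems.append(f"too long (maximum {MAX_LENGTH} characters)")

    # Compare both the raw lowercase form and the de-substituted form,
    # so neither "12345" nor "H1gh3r$3cur1ty" slips past the blocklist.
    forms = {password.lower(), normalize(password)}
    if forms & BLOCKLIST:
        problems.append("is a blocklisted password (after undoing common substitutions)")
    else:
        # Longer blocklist words embedded inside a passphrase are also rejected.
        for word in sorted(BLOCKLIST):
            if len(word) >= 5 and any(word in form for form in forms):
                problems.append(f"contains blocklisted word {word!r}")

    # Names, addresses and other easily discovered details must not appear.
    for detail in user_details:
        if len(detail) >= 3 and any(detail.lower() in form for form in forms):
            problems.append(f"contains personal detail {detail!r}")

    # Reject lazy padding such as "aaaa" used to reach the length minimum.
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4 or more identical characters")
    return problems


if __name__ == "__main__":
    for candidate in ("H1gh3r$3cur1ty", "eagleflagstormjupiter", "P@ssw0rd!23"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

Spaces are deliberately allowed, so the sentence-style passphrase from the slide passes on length alone.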
Check Password Strength https://howsecureismypassword.net/
Dashlane, a password management tool, has a website that estimates how long it would take an automated system to crack your password. Do not use your real passwords, but use similar styles of passwords. It is easy to see that a shorter password with complexity requirements is cracked much more easily than a longer, less complex password. Here I tested “I love kraut and dogs”.
Password Management
Don’t do this
LastPass
1Password
Enterprise Password Management
There are many password management tools available at a very low cost to individuals. Many of us use and recommend LastPass. Employees, on average, have 191 passwords to remember. Most employees write down passwords and post them at their desk or enter them in a spreadsheet. We need to stop expecting ourselves to remember and learn to use an app. There are also enterprise versions for multiple departments or clients that track access and report on strength.
Passwords are Not Enough
2 Factor Authentication (2FA)
Something You Know – Passwords
Something You Have – a device with a temporary code
You can add a third layer: Something You Are – biometrics
https://twofactorauth.org/
Strong passwords are a must – but credentials are stolen all the time. We need a second layer. https://www.integrityky.com/2fa/ Two-factor authentication is that second layer of security for your application and online access. Take advantage of this option and set it up wherever it is offered. The website above lists websites and whether they support 2FA.
RESOURCES We have a few resources to offer to help build your cyber-defense.
FREE Online Security Training Platform
We are offering YOUR BUSINESS a FREE online breach security training platform.
Effortless to set up
Easy to administer
Easy to track
Annual Training Module
Weekly Micro Training
Monthly Newsletters
Policies
As mentioned earlier, we are giving away a free breach security training platform to help slow the epidemic of breaches and protect our local businesses.
This is not a joke. Give online training a test run to decrease your vulnerability to attacks. Call, email or complete an online form.
We are giving away the training platform to champion National Cyber Security Awareness Month. You can be a champion too. A great way to Start Building Your Cyber-Safe Culture! Go to www.StaySafeOnline.org to learn more.
We also invite your execs and technical staff to join us at the 2nd Annual Cybersecurity and Technology Conference on September 20th. Go to www.CyberSafeKY.com to learn more.
On Two Factor Authentication
https://www.integrityky.com/2fa/
On Good Passwords
http://www.integrityky.com/may-the-4th/
On Password Management
https://www.integrityky.com/password-management/
On the Verizon Breach Report
https://www.integrityky.com/11th-annual-data-breach-investigation-report/
On Phishing Emails
https://www.integrityky.com/4-e-mails-you-should-never-open/
On Destroying Your Business
https://www.integrityky.com/natural-disasters-can-destroy-your-businessbut-the-chance-is-higher-with-a-data-breach/
We have more information about topics mentioned in this presentation on our blog. You can use search words to find more topics - https://www.integrityky.com/blog
Free Dark Web Scan
https://www.integrityky.com/free-dark-web-scan/
Free Backup Consult
https://www.integrityky.com/free-backup-consult/
Free vCIO Consult
https://www.integrityky.com/free-vcio-consult/
Free Cyber Security Tips
https://www.integrityky.com/my-security-tips/
Free SRA Consult
https://www.integrityky.com/security-risk-assessment-and-analysis/
Free Hacker Report
https://www.integrityky.com/top-10-ways-hackers/
If you need specific assistance, check out some of our other free offers.
Stronger Security. Trusted Technology. Better Business. Thank you for your time. The slides and notes from this presentation are available for download at: www.integrityky.com/cybersafeculture