Security education, training and awareness. We'll look at who is responsible for security within an organization, the difference between education, training and awareness, the use of incentives as opposed to disincentives, and then we'll think about social engineering very briefly. Again, we've talked about phishing and spear phishing before, but we'll just recap, because it's such an important topic given that it's still one of the principal vectors for malware entering organizations.

Who is responsible for security? Well, there's accountability. We said the data controller is accountable. The board, typically, we consider to be accountable for security. However, everybody is responsible for security. Just think of the role of a user here. Some of our users are not very competent or capable with technology; maybe they can be a vulnerability. Some people are very good with technology; they're already strong. What we're trying to do is to help the users move from being a vulnerability to becoming neutral or even a benefit, and to take our people that are already competent and capable and make them even stronger, making them an ally, an advocate. We're trying to move people on a continuum from weak through to strong.

Why? Well, because many of the vulnerabilities we see being exploited at the moment rely on end users clicking on the wrong thing, making mistakes. All it takes in an organization is one person to be the entry point for malware to create an organization-wide issue. They can be an extra layer of defense or they can be a vulnerability, and really we want to be helping them move from one extreme to the other, to becoming better, to becoming part of our protections. Our users are one of the few controls we have that can help us spot zero-day threats. They can help report potential problems: "I've seen this email. It looks like a threat. Can you maybe block it?"
That would stop not just that user getting that phishing message, but potentially the rest of the organization as well. This investment in users is not expensive; it is relatively inexpensive. If you think about the cost of some of the technical controls, SIEM systems, firewalls, that can be very high cost. Training is typically low cost. If we're doing training, should we train other people associated with our organization? This is becoming increasingly common. You're seeing people offering training, or even requiring training, as part of a contracted arrangement. Why? Because those individuals, those third parties, can affect your company's security.

Let's just look at some of the options that we have. We have education. Typically we think of this as being a more formal environment. It can cover almost anything: physical or logical security. We see technical requirements for some of our technical experts, security requirements, and so on. Again, in order to make sure you have the correctly educated workforce, you need to understand what your requirements are. Pretty obvious.

Training is subject-specific, much more vocational in nature. Subject matter experts usually deliver it, and again, it's commonly associated with logical security: technical experts, security professionals. Good advice here is not to miss some of the low-visibility groups. Who is responsible for security? Everybody. Well, if everybody is responsible, then perhaps everybody would benefit from training. Just think of the maintenance staff, or the custodians, or the janitors within the organization. Why do they need training? They deal with sensitive waste, our confidential waste. They help maintain the clear desk policy. Our physical security, our security guards, are part of our support. Again, very low-visibility groups, but very high impact. How much of a problem could a cleaner or a security guard make for us if they were non-compliant? Huge potential issues; again, huge potential benefits.
Really good areas to address during training. Everybody is responsible, so typically we want to make sure everybody is trained in some way. But that is also saying, tacitly, that if we're training everybody, not everybody does the same job. Do we need to differentiate our training, to look at different training types for different disciplines? It makes sense: training with a more physical focus for some of the physical security staff, the cleaners and so on, very different to the training we might provide to somebody managing a set of firewalls.

Awareness. Awareness is about reinforcing a message. Good examples here include things like clear desk policies, confidential waste disposal, password use or misuse: things that people have been told they should do in a policy or procedure. What we're doing is using various channels to try and reinforce that message. We might send out emails, a message from the chief executive: don't forget to keep your desk clear. We can use internal display screens, intranets or extranets, posters or flyers. You may have seen different mouse mats or similar messages telling you to behave in a particular way. Don't forget to clear your desk. Don't forget to change your password. Don't write your password down, and so on. These are used to reinforce and remind.

If we're training everybody, a good act of due diligence is to measure the training, and to make sure that it's repeated. As threats change and as people forget, repeating training is important. We have some examples there: at induction, when somebody starts, and as part of annual development reviews. Maybe a generic training package for everybody once a year, supplemented or added to with some more tailored training, something more specific. We measure that people have attended, so we can prove to any regulator that we have done this, but also that they have understood.
Typically an easy way to do this is with a generic security training course that everybody sits, delivered online, and then to have some multiple-choice questions and to record the outcome. How often? It varies. Again, it's heavily influenced by your approach to risk and potentially by regulation. As a minimum, commonly what you'll see is every organization having at least one minimum security training course that people sit annually, and re-sit annually.

Just a very quick reminder about social engineering then. Lots of information is available on social media and on corporate websites about people. This can be used to generate a targeted attack: spear phishing, targeting an individual; whaling, targeting a high-value individual. Phishing is much more generic. Phishing might be targeting 100,000 people with a single email. With phishing, you're relying on the law of large numbers: all you're looking for, maybe, is one or two people to respond from an email to a large group. All three are a reminder that we need users to be behaving in a way that helps to protect from these attacks. Sending through messages saying you have, for example, a parcel, or click here for your receipt, or here's an invoice that needs paying: all of these are examples of social engineering. We need our users to be able to help protect against those attacks. Some of them may just be manipulating behavior. With invoicing attacks, where people are trying to defraud you, an endpoint detection solution is unlikely to detect a problem. That's because there is no malware here. This is trying to trick people into paying an invoice. We need our users to be aware of these risks: how to spot them, how to avoid them, and how to report them as well. Where there is malware, some of it is zero-day. Again, our user behavior or user training really helps to protect against some of these attacks.
This is important at the moment, because this email vector is commonly how malware is entering organizations. Things like ransomware are being delivered by social engineering.
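One way to implement the measurement the lecture describes (record attendance and the quiz outcome, require an annual re-sit, add induction for new starters, and differentiate modules by role), as an added example that is not part of the original lecture; the staff roster, course names, pass mark and dates are constructed assumptions:

```python
from datetime import date, timedelta

# Constructed sample data (not from the lecture): one row per completed course sitting,
# as (employee, course, date_completed, quiz_score_percent).
COMPLETIONS = [
    ("alice", "security-basics", date(2024, 2, 10), 90),
    ("bob",   "security-basics", date(2022, 11, 3), 85),   # passed, but more than a year ago
    ("carol", "security-basics", date(2024, 3, 1), 55),    # attended but did not pass the quiz
    ("dave",  "security-basics", date(2024, 1, 15), 95),   # generic course only, role module missing
    ("alice", "firewall-admin",  date(2024, 2, 12), 80),
]

# Everybody sits the generic annual course; each discipline also sits a tailored module.
STAFF_ROLES = {"alice": "network-admin", "bob": "cleaner", "carol": "finance",
               "dave": "network-admin", "erin": "security-guard"}  # erin: new starter, no records
ROLE_MODULES = {"network-admin": ["firewall-admin"], "cleaner": ["physical-security"],
                "security-guard": ["physical-security"], "finance": ["invoice-fraud"]}
GENERIC_COURSE = "security-basics"
PASS_MARK = 70                    # assumed pass threshold for the multiple-choice quiz
VALIDITY = timedelta(days=365)    # annual re-sit

def required_courses(role):
    return [GENERIC_COURSE] + ROLE_MODULES.get(role, [])

def course_status(employee, course, today):
    """Return 'ok', 'failed', 'lapsed' or 'missing' for one employee and course."""
    sittings = [c for c in COMPLETIONS if c[0] == employee and c[1] == course]
    if not sittings:
        return "missing"          # never attended, e.g. a new starter needing induction
    latest = max(sittings, key=lambda c: c[2])
    if latest[3] < PASS_MARK:
        return "failed"           # attended, but the quiz shows they did not understand
    if today - latest[2] > VALIDITY:
        return "lapsed"           # passed once, but due for the annual re-sit
    return "ok"

def compliance_report(today):
    """Map each employee to the required courses that are not currently in good standing."""
    report = {}
    for employee, role in STAFF_ROLES.items():
        statuses = {c: course_status(employee, c, today) for c in required_courses(role)}
        report[employee] = {c: s for c, s in statuses.items() if s != "ok"}
    return report

if __name__ == "__main__":
    # The per-employee gaps are the evidence you would show a regulator or act on internally.
    for emp, gaps in compliance_report(date(2024, 6, 1)).items():
        print(emp, gaps or "compliant")
```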