#RSAC
Emily Heath
How To Improve Phishing Awareness by 300% in 18 Months
HUM-T11
Global CISO, AECOM
@CISOEmilyHeath
Setting the stage

Projects
One World Trade Center, NYC
Etihad Towers, Abu Dhabi
International Terminal, LAX
Millennium Park, Chicago
2016 Rio Olympics
NY Subway
Barclays Center, NYC
Taizhou Bridge, Yangtze River, China
Port Washington Generating Station
Fillmore Water Recycling Plant
Halley VI Research Station, Antarctica
Woodrow Wilson Bridge, DC
Ferrari World, Abu Dhabi
Hurricane Katrina Recovery & Reconstruction
Abu Dhabi International Airport
Sentinel Data Centers

AECOM Scope: Fortune 500 (#156), $20 Billion Revenue, 100,000 Employees, 150 Countries Globally
Introduction
Evidence shows that a staggering number of incidents begin with phishing emails
We decided to focus our education predominantly on phishing
Using multiple channels and methods of awareness
We reduced our “click rate” over 300% in 18 months
Today I will share some of the ways we found that worked for us
Who We Partnered With
Executives
Corporate Communications
Marketing
Graphics and Design
Human Resources
Your IT Colleagues
Facilities / Office Management
Other People of Influence
Our Education Program
• Important to note that our phishing awareness campaign was augmented with other awareness activities
• Don’t just phish and expect changes
• Use the data to the best of your ability
• Find ways to keep the conversation going regularly and engage with the workforce in multiple ways
• Look for positive reinforcement – i.e. when people report phishing emails, etc.
Monthly
• Simulated phishing exercise to all employees
  • Even though we send to 150 countries, we send in English, Russian and French
  • Work with corporate communications on policies for your org
  • When employees click the simulated phish – immediately takes them to an educational site
• CISO communication with “Clickers”
  • Everyone who clicked goes into an email group
  • Email explains why phishing awareness is important, and asks them to take phishing training
  • BCC them.. No naming and shaming
  • CISO mailbox account that can be managed by your team if needed
• “Clickers” take phishing training
• Chatter ‘theme’ each month with weekly CISO posts
• Article in enterprise newsletter to augment the theme
• Manager notes & security moments to augment the theme
Quarterly
• Quarterly phishing results distributed to Executives in regions
  • Executives had been briefed by CISO before receiving these – important to set context and ask for help
• Distribution includes “Top 10” office locations by region to make it more meaningful locally
• Phishing results at region/country level shared on Chatter
• Local campaigns based on phishing results – train the trainer
  • Local IT staff used to help with local campaigns – cyber briefings, postcards, local awareness etc.
• Security QBR with IT leaders
  • Not phishing related – but important to keep IT engaged
  • Include key partners like ERM, Internal Audit, etc.
• Security awareness poster to all offices placed in common areas
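One way to roll up simulated-phishing results for the monthly clicker follow-up and the quarterly per-region “Top 10” distribution described in the two slides above. This is an added example, not AECOM's code or tooling; the records, region codes and office names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: one row per simulated phish sent (not real campaign data).
RESULTS = [
    {"user": "a.lee@example.com",   "region": "AMER", "office": "Chicago",   "clicked": True,  "reported": False},
    {"user": "b.ortiz@example.com", "region": "AMER", "office": "Chicago",   "clicked": False, "reported": True},
    {"user": "c.khan@example.com",  "region": "AMER", "office": "LAX",       "clicked": False, "reported": False},
    {"user": "d.wu@example.com",    "region": "APAC", "office": "Taizhou",   "clicked": True,  "reported": True},
    {"user": "e.roy@example.com",   "region": "APAC", "office": "Sydney",    "clicked": False, "reported": True},
    {"user": "f.ali@example.com",   "region": "MEA",  "office": "Abu Dhabi", "clicked": True,  "reported": False},
    # Same person clicked a second lure: must appear only once on the BCC list.
    {"user": "a.lee@example.com",   "region": "AMER", "office": "Chicago",   "clicked": True,  "reported": False},
]

def rates(rows):
    """Click rate and report rate as fractions of lures sent; safe on an empty group."""
    sent = len(rows)
    if sent == 0:
        return {"sent": 0, "click_rate": 0.0, "report_rate": 0.0}
    clicked = sum(r["clicked"] for r in rows)
    reported = sum(r["reported"] for r in rows)
    return {"sent": sent, "click_rate": clicked / sent, "report_rate": reported / sent}

def rates_by(rows, key):
    """Break the rates down by a column such as 'region' or 'office'."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[key]].append(r)
    return {k: rates(v) for k, v in groups.items()}

def top_offices(rows, region, n=10):
    """Quarterly 'Top 10' for one region: offices ranked by click rate, highest first."""
    by_office = rates_by([r for r in rows if r["region"] == region], "office")
    ranked = sorted(by_office.items(), key=lambda kv: (-kv[1]["click_rate"], kv[0]))
    return [(office, stats["click_rate"]) for office, stats in ranked[:n]]

def clicker_bcc_list(rows):
    """Everyone who clicked, once each, for the BCC'd CISO email (no naming and shaming)."""
    return sorted({r["user"] for r in rows if r["clicked"]})

if __name__ == "__main__":
    print(rates(RESULTS))
    print(rates_by(RESULTS, "region"))
    print(top_offices(RESULTS, "AMER"))
    print(clicker_bcc_list(RESULTS))
```

Tracking the report rate next to the click rate gives the positive-reinforcement number the program slide asks for, not only the failure count.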
Annually
• Security awareness training annual program
  • All employees, try and make it mandatory
  • Work with HR, communications and training teams to help you with the delivery
• Training for all IT staff
  • Take responsibility to train the IT team.. Not everyone is a security expert, help them understand why it matters, share real incidents, ask for their help
• Yearly look back on phishing campaign
  • Annual results shared with regional executives and summaries posted on Chatter as well as featured in corporate newsletters etc.
Ad Hoc
• CISO in-person Cyber Briefings
  • Try and meet face to face with employees wherever possible
• Executive briefings
  • You need executive support – help them understand why this is a business driver
• Tailored trainings/briefings
• Swag!
• Featured speaker in other people’s staff meetings
  • Offer yourself and your team to present at staff meetings, etc.
• Onboarding materials – set the tone for your organization
• Security moments – before every meeting
• Outlook Phishing Reporter Button – the best thing we ever did!!
Observations & Geographical Differences
• At first we received mixed responses from employees
  • Some Quotes….
• Soon became the normal, and became competitive
  • Some Examples….
• What we found in regions
  • Some Examples…
• Very important to consider cultural differences
  • Local materials in local languages really help
  • Make sure it’s not too US centric - Asia is different to Australia, different to UK, Middle East, India, etc..
  • Leverage local expertise to learn how people best respond
  • Examples
• Make it safe for people to run toward you, not away from you
• There is no shame in clicking a phish.. The shame is in not telling anyone about it!
Summary
• Talk about security to anyone who will listen – needed for cultural change
• Find your partners, you cannot do it alone
• Know your available channels
• Take ownership of training and educating everyone
• Not everyone is a cyber expert – make training relevant to them
• Use the click data to the best of your ability - people love statistics and competition!
• Have fun with it!
Things You Can Do to Apply It
Next Week
• Understand your statistics
• Talk Talk Talk about security
• Make it easy for people to contact your team with questions
• Make it easy for people to report phishing
3 Months
• Establish regular IT briefings
• Establish which channels are open to you to communicate with your employees
• Begin engaging with the employee population – Chatter, articles, posters, etc.
6 Months
• Look at ways to do simulated phish
• Educate your company on their phishing statistics and turn it into education
• Look to implement the reporter button