Effecting Behavioural & Organisational Change
in Cyber Security
Philip Hall
28th July 2017
Page 2 | Effecting Behavioural & Organisational Change in Cyber Security : Phil Hall
Agenda
1. The perfect storm & cyber awareness relevance
2. Cyber attacks - the human / people element
3. Insights from our cyber security awareness & culture journey
• Planning, behaviours & metrics
• Phishing simulations, reconnaissance & targeted phishing attacks
• Cultivating “Cyber Heroes” and a positive culture change
• “Gamification”
• Walking in the shoes of the cyber attacker
4. Summary & catalysts for success
The perfect storm & cyber awareness relevance
Means: cybercrime industrialisation, the digital underground, government hacking tools, “anything as a service”, cryptocurrencies
Motive: 2016: cyber crime a $450 billion industry; 2019: predicted to reach $2 trillion
Opportunity: digital growth, “everything” online / connected, mobile, IoT, hackable buildings, smart meters, smart TVs, locks, cars…
Cyber attacks – the human / people element
• Attackers are increasingly focusing on people in order to circumvent controls & processes
• When technology capabilities are strong, attackers move on to the next weak point
• The quickest way to attack is to bypass the technology altogether by going through people
Planning, behaviours & metrics – “Engineering” View
Planning, behaviours & metrics – “Markitecture” View
Phishing simulations, reconnaissance & targeted phishing attacks
• 5507 AMP staff targeted
• Very low sophistication, generic click-only scenario
Cyber intel, reconnaissance and targeted simulated attacks
• We utilise intel from real phishing attacks for AMP-wide phishing simulations
• We perform reconnaissance using publicly available information from public social media
• We create and send customised phishing emails to AMP threat communities and teams
If an AMP staff member does fall for a phishing email, they are instantly presented with information to help them learn how to spot and report the phishing email.
We only promote and highlight the skills required to successfully spot & report a phishing email, rather than victimising those who do fall for one.
• There are no losers – only “AMP Cyber Heroes”
• We congratulate & reward those who demonstrate the correct response & behaviours
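The simulation mechanics above, and the outcomes reported later in the deck (reporting up, click-throughs down), rest on a small set of behavioural metrics. The following is an added worked example, not code from the slides or from AMP: it aggregates a constructed phishing-simulation event log (the event kinds, field layout and sample records are hypothetical, modelled on what simulation platforms typically export) into per-campaign click rate, report rate, the number of staff who reported before or instead of clicking, and the minutes from launch to the first report.

```python
"""Phishing-simulation behaviour metrics over a constructed event log.

Added worked example; not code from the original slides. The event format
and the records below are hypothetical, modelled on a simulation export.
"""
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

Event = Tuple[str, str, str, str]  # (campaign, user, kind, ISO-8601 timestamp)

# Constructed sample data (hypothetical): two campaigns, a handful of staff.
EVENTS: List[Event] = [
    ("sim-01", "u01", "sent", "2017-07-03T09:00:00"),
    ("sim-01", "u02", "sent", "2017-07-03T09:00:00"),
    ("sim-01", "u03", "sent", "2017-07-03T09:00:00"),
    ("sim-01", "u04", "sent", "2017-07-03T09:00:00"),
    ("sim-01", "u05", "sent", "2017-07-03T09:00:00"),
    ("sim-01", "u02", "reported", "2017-07-03T09:02:00"),  # reported, never clicked
    ("sim-01", "u01", "clicked", "2017-07-03T09:05:00"),
    ("sim-01", "u01", "reported", "2017-07-03T09:06:00"),  # reported, but after clicking
    ("sim-01", "u03", "clicked", "2017-07-03T09:10:00"),
    ("sim-01", "u05", "reported", "2017-07-03T09:20:00"),
    ("sim-02", "u01", "sent", "2017-07-17T10:00:00"),
    ("sim-02", "u02", "sent", "2017-07-17T10:00:00"),
    ("sim-02", "u03", "sent", "2017-07-17T10:00:00"),
    ("sim-02", "u04", "sent", "2017-07-17T10:00:00"),
    ("sim-02", "u04", "reported", "2017-07-17T10:01:00"),
    ("sim-02", "u01", "clicked", "2017-07-17T10:03:00"),
    ("sim-02", "u02", "clicked", "2017-07-17T10:04:00"),
    ("sim-02", "u02", "reported", "2017-07-17T10:30:00"),
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def campaign_metrics(events: Iterable[Event], campaign: str) -> Dict[str, Optional[float]]:
    """Aggregate one campaign. Per-user timestamps are kept only long enough to
    decide whether a report preceded a click; the returned figures are aggregate,
    which keeps the metric from turning into a list of individuals to blame."""
    sent_at: Dict[str, datetime] = {}
    first_click: Dict[str, datetime] = {}
    first_report: Dict[str, datetime] = {}
    for camp, user, kind, when in events:
        if camp != campaign:
            continue
        t = _ts(when)
        if kind == "sent":
            sent_at[user] = min(t, sent_at.get(user, t))
        elif kind == "clicked":
            first_click[user] = min(t, first_click.get(user, t))
        elif kind == "reported":
            first_report[user] = min(t, first_report.get(user, t))

    sent, clicked, reported = len(sent_at), len(first_click), len(first_report)
    # The behaviour the programme rewards: reporting before, or instead of, clicking.
    reported_before_click = sum(
        1 for u, r in first_report.items() if u not in first_click or r < first_click[u]
    )
    launch = min(sent_at.values()) if sent_at else None
    first_rep = min(first_report.values()) if first_report else None
    return {
        "sent": sent,
        "clicked": clicked,
        "reported": reported,
        "reported_before_click": reported_before_click,
        "click_rate": clicked / sent if sent else None,
        "report_rate": reported / sent if sent else None,
        # Minutes between launch and the first report: the window during which a
        # real campaign would have run with no one in the SOC knowing about it.
        "minutes_to_first_report": (
            (first_rep - launch).total_seconds() / 60 if launch and first_rep else None
        ),
        # Reports per click; above 1 means more people reported it than fell for it.
        "report_to_click_ratio": reported / clicked if clicked else None,
    }


def summarise(events: Iterable[Event]) -> Dict[str, Dict[str, Optional[float]]]:
    """Metrics for every campaign in the log, in launch order, so the trend
    (click rate down, report rate up) can be read straight off the output."""
    events = list(events)
    launch: Dict[str, datetime] = {}
    for camp, _user, kind, when in events:
        if kind == "sent":
            t = _ts(when)
            launch[camp] = min(t, launch.get(camp, t))
    return {c: campaign_metrics(events, c) for c in sorted(launch, key=launch.get)}


if __name__ == "__main__":
    for name, metrics in summarise(EVENTS).items():
        print(name, metrics)
```

Two design points worth keeping when adapting this to a real export: the "reported before click" count is the figure to celebrate and trend, because report rate alone is inflated by people who report after they have already clicked; and minutes-to-first-report is the operational number, since the first report is what lets the security team pull a real phish from everyone else's inbox.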
Building a culture of “Cyber Heroes”
“Gamification” – Top down, bottom up
Competitiveness drives engagement
PwC “Game of Threats” with the Board, C-level, and key AMP staff & threat communities
Bringing Cyber To Life – Cyber lunch & learns, workshops & presentations
Relevant & topical
Walking in the shoes of the cyber attacker
AMP Cyber Security Awareness & Culture Outcomes - Artefacts
AMP Cyber Security Awareness & Culture Outcomes
• Suspicious email reporting has increased dramatically, and click-throughs have decreased
• High participation & engagement in the cyber events we run across all of AMP
• We’ve extended our influence across the entire business
• We’ve grown our cyber team (without any additional FTE!) and now have active security ‘ambassadors’ across the business and IT
• Dollar for dollar, the awareness and culture program has been the most cost-effective control we have ever implemented
Summary & Catalysts For Success
1. The commitment of all your staff to protect your organisation is an essential component of strong cyber defence and response
2. A critical part of your cyber strategy must be to keep all your staff “cyber savvy”
3. Think outside your immediate business / organisation – make it personal
4. Integrate gamification whenever possible
5. Develop a positive security culture – reward your staff for the right attitudes & behaviours
6. Keep it topical, reward and repeat!
Thank you
For additional information, contact:
Philip Hall
Cyber Awareness & Cyber Intelligence
https://www.philiphall.com