Cybersecurity Awareness
www.kaspersky.com
Who will benefit
These courses will be of particular benefit to:
• Business Managers,
• Regional IT Security officers,
• All those working online with sensitive data and/or with external contact.
Online interactive training modules and on-site CyberSafety Games training programs are designed for all employees who use computers or mobile devices at work, and for those who manage them.
Approach to learning
Around 80% of all cyber incidents are caused by human error. Companies are spending millions on cybersecurity awareness programs, but few CISOs are really satisfied with the results. What’s wrong?
Most cybersecurity awareness training is too long, too technical and essentially negative. This does not play to people’s core strengths (their decision-making principles and learning abilities) and as a result can render training ineffective.
So organizations are seeking more sophisticated behavioral support approaches (such as corporate culture development) that deliver a quantifiable and worthwhile return on their investment in security awareness.
Kaspersky Lab Cybersecurity Awareness courses work by:
• Changing behavior – stimulating the individual’s commitment to working securely, building a corporate environment where “Everybody else cares about cybersafety, so I do, too”.
• Combining a motivational approach, gamification learning techniques, simulated attacks and in-depth interactive cybersecurity skills training.
Comprehensive but simple and straightforward
Training covers a wide range of security issues – from how data leaks occur to internet based malware attacks and safe social networking, through a series of simple exercises, in a language suitable for non-IT people. We use learning techniques – group dynamics, interactive modules, cartoons and gamification – to make the learning process engaging.
Continuous motivation
We create teachable moments by gamification and competition, and then reinforce these moments throughout the year via online simulated attacks, assessment and training campaigns.
Changing beliefs
We teach people that it is human beings, not machines, who are the primary targets of cybercriminals. We show how, through working in a more safety-conscious manner, individuals can avoid becoming victims and exposing themselves and their workplace to attack.
Building a corporate cybersafety culture
We train management to become security advocates; a culture where cybersecurity becomes second nature is best achieved through management commitment and example, and cannot simply be imposed by IT.
Positive and collaborative
We demonstrate how security practices make a positive contribution to business efficiency, and promote more effective cooperation with other internal departments, including the IT Security team.
Measurable
We provide tools to measure employee skills, along with corporate-level assessments analyzing staff attitudes to cybersecurity in their daily work.
Program benefits
Kaspersky Cybersecurity Awareness Training changes minds, promoting security-minded behavior in real-world situations and reinforcing the principles of cybersecurity best practice in the workplace.
A recent study¹ concluded that:
• Companies with security awareness programs spend 76% less on security incidents than their non-training counterparts (average annual financial losses of just $162,000 versus $683,000).
• Organizations with a security awareness program were 50% less likely to have staff-related security breaches.
An effective Cybersecurity Awareness Program can:
- Decrease the number of incidents by up to 90%.
- Reduce the cyber risk in monetary terms by 50-60%.
- Translate cybersecurity from IT jargon to business language, and generate business management ‘buy-in’.
- Generate measurable results in terms of cybersecurity awareness.
¹ Aberdeen Group. The Last Mile in IT Security: Changing User Behaviors, Aberdeen Group, October 2014.
Course components
Cybersecurity Awareness Training from Kaspersky Lab comprises elements which intermesh, but which are also fully effective if used separately:
[Figure: Kaspersky CyberSafety Awareness Trainings structure. Audiences: Senior Managers, Line Managers, Security Officers, All Employees. Components: KIPS, CyberSafety Games, Online training platform, CyberSafety Culture Assessment, Leading to the Light Side. Labels: Short business simulation game; Face to face motivational training; Computer-based on-access trainings; Reports and trainings.]
Online skills training platform
It is important to build on skills and knowledge, so access to an online skills platform is essential, allowing the student to work through typical scenarios and situations, gaining greater knowledge and understanding of potential threats and how to deal with them. Key aspects of the Online element of Kaspersky Cybersecurity Awareness Training are:
• Skills Assessment: To determine the in-depth skills and training needs of the user. Covers various security domains, includes predefined or random assessments, customer-defined questions, and customizable length.
• Training Modules: Anti-Phishing, Data Protection and Destruction, Safe Social Networks, Physical Security, Smartphone Security, Safer Web Browsing, Security Beyond the Office, Social Engineering, URL Training, Email Security, Passwords.
• Simulated attacks: Ready-to-go customizable templates of phishing emails presenting various levels of challenge. If the employee receiving the email clicks on the dangerous phishing link, he or she experiences a teachable moment, and can be auto-assigned to the relevant training module.
• Analytics & Reporting: Results by Campaign, Group, Device Type, Repeat Offender, Location. Plus supporting security posters, email templates, screensaver images.
Online learning allows candidates to practice and learn through an interactive learning portal.
By using this portal, in conjunction with the Kaspersky Best Practice Guide, the Training Manager can establish and implement a powerful, continuous and measurable cybersecurity education plan, taking employees right through from simple to complicated concepts, varying the training elements according to the threat landscape and individual skill sets.
CyberSafety Games training
This highly interactive workshop is instructor led by one of Kaspersky Lab’s qualified instructors and provides the candidates with a foundation level of knowledge around actual cyber threats within a scenario based approach.
The delivery allows candidates to explore everyday events through an interactive hands-on experience into the latest attacks and malware that no other provider can offer. The program has been specifically developed for enterprises that view security as a strategic requirement to raise employee awareness of the cyber threats during everyday business activities.
By the training, line managers are motivated:
• to understand “why they should care about security”;
• to distinguish between safe and unsafe behaviour (technical and vigilance skills).
The program provides positive examples (“How to do”), not only “Don’ts”, and allows candidates to understand how they look from the perspective of the cybercriminals.
Value: 93% – the likelihood of applying the knowledge gained in the training in the daily job¹.
Delivery form:
• Training by Kaspersky trainer
• Train-the-trainer (license plus teaching to run the trainings internally in the enterprise)
Formats available:
• Series of 2-hour sessions
• Full-day session
[Illustration: sample CyberSafety Games scenario cards, including an e-mail with an attached salary spreadsheet, a parcel-return notice with a .zip attachment, an unknown-publisher prompt for a downloaded executable, a bank “Account locked!” message with a log-on link, a social-network message with a link from an unknown contact, and copying data from CRM to Dropbox.]
¹ Data from case studies and evaluation of Kaspersky Lab customers running CyberSafety Games trainings.
Changing beliefs
Change misbeliefs | Into adequate perception | And positive role model
Smart hacker will send the virus and it will break my PC | Beware bad people, not broken computers | I understand which criminals can get value from my digital assets, so I am motivated to protect them
I am too small target | Small targets are easier and often more attractive to criminals | I want to be a harder target than the others
I don’t have time for security | Security is a part of long-term efficiency | I will choose the safest way to achieve the business goal and cooperate with security team
CyberSafety Culture Assessment
CyberSafety Culture Assessment analyzes actual everyday behavior and attitudes at all levels of the enterprise, revealing how employees in your organization perceive different aspects of cybersecurity.
The resulting report can be used to understand imbalances and areas for greater focus, helping to justify and align priorities in the internal and external activities of the Security Department, including awareness and training, internal PR and information sharing, and other collaboration principles while working in the business.
Leading to the Light Side training
Skills gained and instruments learned:
• How to influence users with security awareness messages;
• How to overcome resistance and ignorance;
• How to achieve up to 90% policy acceptance and compliance.
The training helps you find the way to the users’ hearts and minds. The shift to safer behavior becomes their conscious choice.
The training uses group work to give you an opportunity to see typical “unsafe” situations from different perspectives. You are then able to structure your message in such a way that stimulates correct choices and shifts the user attitudes.
The training is a part of Kaspersky Security Awareness portfolio, based on CyberSafety Culture methodology.
Delivery form:
• Training by Kaspersky trainer, 4 hours
Kaspersky Interactive Protection Simulation (KIPS)
One of the biggest security challenges is that different senior management roles view cybersecurity from different perspectives, and have different priorities. This can result in a sort of decision-making “Security Bermuda Triangle”:
• Business Managers may see security measures as a complication/contradiction to their business goals (cheaper/faster/more/better);
• IT Security Managers may feel that cybersecurity as an infrastructure and investment issue moves outside their remit;
• Managers tasked with cost control may not see how cybersecurity spending relates to revenues and saves rather than generates cost.
Mutual understanding and partnership between these 3 are crucial to successful cybersecurity. However, traditional awareness formats, like lectures and red/blue exercises, are flawed: lengthy, over-technical, and unsuited to busy managers, and they fail to build “common language” at the “common sense” level.
KIPS as the solution
The aim of KIPS is to bring these senior professionals from different areas of decision-making together, understanding one another’s remits, objectives and concerns as they work towards the greater good of the organization as a whole.
For IT, Business and Security – strategy simulation for cybersecurity decision-makers.
• Fun, engaging and fast (2 hours)
• Team-work builds cross-divisional co-operation
• Competition fosters initiative & analysis skills
• Gameplay develops an understanding of cybersecurity measures and strategy
Teams compete at running a simulated enterprise and earning money.
As the enterprise experiences a cyberattack, the players experience the impact on production and revenues, and learn to adopt different business and IT strategies and solutions in order to minimize the impact of the attack and to earn more money. Scenarios available include:
Industrial: Water Plant, Financial, Government
[Figure: KIPS game boards and action cards. Board labels include E-Government Agency Portal, Web Portal, E-Services Area, Helpdesk, E-Complaints Portal, Old Portal; and a Corporation network with HQ, Regional offices, Back-office, DMZ, SIEM, VPN, B2B Ordering website, SAP/ERP Inventory and Datacenter Backup Server. Action cards include Install Patches, Patch Monitoring, Log Analysis, Web Application Firewall, Incident Investigation, Black Box Security Audit, White Box Security Audit, Pen-testing, Security Training, Restore Server from Backup, Vulnerability Bug Fix, Personal Information Regulation Compliance, Overtime Work and Turn Server ON/OFF.]
Having played the KIPS Game, players should have come to important, actionable conclusions regarding their everyday business activities:
• Cyber-attacks damage revenues, and need to be addressed from top-management level,
• Cooperation between IT Security and Business Divisions is essential to successful cybersecurity,
• The costs of security need not run into millions, and are much less than the revenue you risk losing,
• Security tools are not difficult to use, and their use is important.
Attendees not only realize the cost of cyber-attacks, but more significantly, the importance of investing wisely in cybersecurity.
© 2015 Kaspersky Lab. All rights reserved. Registered trademarks and service marks are the property of their respective owners.