How the NIST Cybersecurity Framework Improves Security Awareness


79,790 security incidents were reported in (source), and 90% of all data breaches in 2014 were the result of human error (source). That's a substantial amount of sensitive data put into the wrong hands, published to public web servers, incorrectly disposed of, or otherwise lost at the hands of the people you pay to grow your business; you can't risk that. With security breaches making mainstream headlines and the average breach costing $3.79 million (source), internal errors and a lack of concern for security are no longer acceptable. In recent high-profile incidents, investigations found that the experience and knowledge needed to judge the severity of a cyberattack were missing. Now more than ever, it's imperative that security awareness programs are implemented at every tier of an organization, from executive to entry-level, to help mitigate potential threats.

72% of companies where the security policy was poorly understood had staff-related breaches. (The policies were in place, but the people didn't understand them.) (source: PwC 2015 Information Security Breaches Survey)

If you're reading this, you probably already know that in 2014 the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework in response to Executive Order 13636, which called for a set of industry standards and best practices to help organizations manage cybersecurity risks (source). Since then, the Framework has become one of the most cited guidelines used by enterprise auditors to standardize cybersecurity expectations. With that evolution, security awareness and security awareness training programs are no longer considered recommendations but rather unofficial requirements for businesses of every size. That's good news! Research shows that investing in security awareness training not only decreases the likelihood that your organization will face a breach, but lowers the cost if you are hit. To protect your organization, you must do a better job educating employees on how to identify risk and react appropriately. Do it by developing a security awareness training program that aligns with the NIST Framework.

Elements of a Security Awareness Program

We know that humans continue to be the weakest link in the data security chain (source). To fix this, we need security awareness programs designed to educate, raise awareness, and change the behavior of our staff, from entry-level to executive to information security officer. The NIST Framework devotes a category to exactly this: Awareness and Training (PR.AT), under the Protect function, covers personnel understanding their roles and responsibilities and being trained on the relevant policies and procedures. The Center for Internet Security notes that "No cyber defense approach can begin to address cyber risk without a means to address this fundamental [human] vulnerability. Conversely, empowering people with good cyber defense habits can significantly increase readiness." (source)

With a more knowledgeable staff, fewer phishing emails will be opened, more care will be taken to save data in secure locations, and team members won't be given unauthorized access to protected information. When an organization avoids errors like these, its cybersecurity training can result in a 76% decrease in the cost of security incidents (source). Developing good security awareness means adopting a program that is predictive, adaptive, can be continuously improved, and becomes part of the organizational culture through constant reinforcement. Historically, developing such a program has been difficult for security professionals, but today there's finally a solution...

Meet the Adaptive Awareness Framework

The Adaptive Awareness Framework, designed by MediaPro and tightly aligned to the NIST Cybersecurity Framework, offers businesses an actionable and measurable way to introduce better security awareness into their organizations. It organizes and integrates a variety of well-known and widely dispersed standards into a single overarching framework that is easy to implement, manage, and adapt. Below, we've broken out each step of the Adaptive Awareness Framework to see how it can be leveraged in your own business. The outlined process (analyze, plan, train, and reinforce) has been adapted from the NIST Framework's core recommendations to help an organization express its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities (source).

1. ANALYZE

Why would you ever deploy an awareness program without really understanding the severity of your risks, or without a way of measuring whether or not it's successful? You wouldn't (or at least we hope you wouldn't). To understand the risks you face and then measure how well your security awareness program addresses them, you need data. You want to be able to quantify the baseline knowledge and behavior of your employees at the start of your program, and you want to know whether the education you provide has made an impact. Most importantly, you should prepare from the start to ask yourself: has this program led to behavior change? But how do you do that? What tools are available to help you understand what your employees know and do, and how that changes over time? Below are some measurement tools to consider.

Knowledge assessments/surveys: Knowledge assessments are a great way to measure what your employees know before training and what they retain after it. Once you've identified where staff need additional training, you can build your program around those areas. With that baseline recorded, you can deliver follow-up surveys every six months to measure how your environment is changing over time and to help gauge effectiveness.

Phishing/social engineering: Since phishing is one of the most common social engineering tactics in use today, it makes sense to run simulated phishing and social engineering attacks. These simulations can employ a wide variety of techniques to obtain passwords, gain access to sensitive information, or gain physical access, through tactics as simple as an email or a phone call, tailgating, or dropping a USB device. Data accumulated from these simulations can be used to improve your overall security awareness program, because they show you how users actually respond to various types of attack and which types of message carry the most risk.

Incident reporting: Another way to measure the success of your security program is to look at the number of incidents being reported. If people are more aware of potential threats, it stands to reason that you'll see a spike in incident reporting. Arguably a noisy channel, but one to watch nonetheless.

Completions of training/reinforcement: If security awareness training is required at your organization, then completion isn't a great measure of success. However, if it's not required, completion rates may be a good measure of how well people are engaging with your message. You could also measure traffic to reinforcement material to see how many people have viewed it and whether your message is getting out there.
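The measurement described above, scoring simulated-phishing results against a plan's targets, is straightforward to do in code. The following is an added example written for this edit; it is not code from MediaPro, NIST, or any product this page describes. It takes per-recipient results from a baseline campaign and a follow-up campaign, computes click and report rates, checks whether a planned reduction target was met, ranks lure templates by how often they were clicked (which types of message carry the most risk), and lists repeat clickers who would be candidates for more in-depth training. The campaign names, template names, recipients and outcomes are constructed sample data, and the 50% reduction target is an illustrative assumption.

```python
"""Score simulated-phishing campaigns against an awareness plan's targets.

Added example for this edit; every value below is constructed, not a real result.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    campaign: str    # campaign name, e.g. "baseline" or "q3" (hypothetical)
    template: str    # lure type sent to this recipient (hypothetical)
    user: str
    clicked: bool    # followed the link or submitted data
    reported: bool   # reported the message to the security team


# Constructed sample data: hypothetical users, campaigns and templates.
SAMPLE = [
    PhishResult("baseline", "invoice", "alice", True, False),
    PhishResult("baseline", "invoice", "bob", True, False),
    PhishResult("baseline", "invoice", "carol", False, True),
    PhishResult("baseline", "password-reset", "dave", True, True),  # clicked, then reported
    PhishResult("baseline", "password-reset", "erin", False, False),
    PhishResult("q3", "shipping", "alice", True, False),
    PhishResult("q3", "shipping", "bob", False, True),
    PhishResult("q3", "password-reset", "carol", False, True),
    PhishResult("q3", "password-reset", "dave", False, True),
    PhishResult("q3", "password-reset", "erin", False, False),
]


def campaign_rates(results, campaign):
    """Return (click_rate, report_rate) for one campaign, or None if it had no recipients."""
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        return None
    n = len(rows)
    return (sum(r.clicked for r in rows) / n, sum(r.reported for r in rows) / n)


def reduction(baseline, current):
    """Fractional reduction from baseline; a zero baseline means there was nothing to reduce."""
    if baseline == 0:
        return 0.0
    return (baseline - current) / baseline


def evaluate(results, baseline="baseline", followup="q3", target=0.5):
    """Compare a follow-up campaign with the baseline and check the click-reduction target."""
    base = campaign_rates(results, baseline)
    cur = campaign_rates(results, followup)
    if base is None or cur is None:
        raise ValueError("both campaigns need at least one recipient")
    red = reduction(base[0], cur[0])
    return {
        "baseline_click_rate": base[0],
        "followup_click_rate": cur[0],
        "baseline_report_rate": base[1],
        "followup_report_rate": cur[1],
        "click_reduction": red,
        "target_met": red >= target,
    }


def click_rate_by_template(results):
    """Rank lure templates by click rate, highest first: which message types carry the most risk."""
    sent, clicked = Counter(), Counter()
    for r in results:
        sent[r.template] += 1
        clicked[r.template] += int(r.clicked)
    return sorted(((t, clicked[t] / sent[t]) for t in sent), key=lambda x: x[1], reverse=True)


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted training."""
    counts = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, c in counts.items() if c >= min_clicks)


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
    print("riskiest templates:", click_rate_by_template(SAMPLE))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Two details matter in practice: the report rate is tracked alongside the click rate, because a rising report rate is the "noisy channel" signal the incident-reporting paragraph describes, and a recipient who clicked and then reported (dave in the baseline) counts in both, which is the behavior you want to see improve first. The zero-baseline guard in reduction() avoids a division error when a campaign had no clicks at all.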

2. PLAN

You can't implement a successful security awareness program without first understanding the key risks and the specific business and security goals you're looking to achieve. To create the right training model, assess your baseline risk profile and then map out the plan that makes the most sense for the business. During this process, it's important to identify the most important risks facing the organization and the behaviors you want to change relative to those risks. Ask yourself:

What is your overall goal?
What are your key risks associated with human behavior? (If you've done a survey, you've got valuable data.)
What behaviors do you want to change?
What tools will you use to bring about change?
How will you measure knowledge and behavior change?

In NIST Cybersecurity Framework terms, the planning process aligns with the Identify function. The Framework recommends that an organization inventory the data and programs necessary for business functions, the company's overall mission, potential risks against its assets and staff, and more. Use this inventory to complete a Security Awareness Risk and Intervention matrix in which each identified risk is mapped to desired behaviors, training solutions, and reinforcement solutions.

RISK: Employees are not consistently following data protection and reporting policies, standards and guidelines.

DESIRED BEHAVIOR: All employees will:
Electronically certify that they have read the policies.
Validate that they understand the key policy points.
Identify common policy mistakes and missteps.
Correctly identify how to report a security incident or whom to contact if they have any questions.
Describe the possible consequences of inaction.
Result: 50% reduction in policy violations; 10% increase in calls to the help line.

TRAINING SOLUTIONS: Interactions within the training will allow students to practice identifying data security threats, view ways to prevent threats, see common examples of mistakes, identify contacts, and discuss consequences.

REINFORCEMENT SOLUTIONS:
Make the policy certification (pledge page) part of the annual training.
Place posters on all breakroom walls and rotate them every 2 months.
Host an open round-table lunch each quarter where employees can share their ideas on preventing data security incidents (prizes awarded).
Include 2 brief articles in the company newsletter and on the InfoSec website about recognizing and reporting incidents.

RISK: Employees not identifying threats properly, or not classifying personally identifiable or company-sensitive information correctly.

DESIRED BEHAVIOR: All employees will:
Be able to identify what information needs to be protected and classify information correctly.
Apply the correct protections and procedures on a consistent basis.
Be able to identify and respond to phishing and social engineering threats.
Result: 40% reduction in misclassification and misuse of data; 50% reduction in phishing response rates and 75% reduction in social engineering responses.

TRAINING SOLUTIONS: Interactions within the training will allow students to: a) practice identifying PII and company-sensitive information; b) practice classifying that information into the correct categories; and c) practice identifying phishing emails and view common social engineering threats.

REINFORCEMENT SOLUTIONS:
Provide job aids to all employees that handle PII and sensitive company information.
Host a Security Awareness Day in October (Cybersecurity Awareness Month).
Email a reminder (with links to a game or animation) to all departments with employees that handle PII and/or sensitive data 3 times during the year.
Use an outside company to apply social engineering tests to at-risk employees and senior
Deliver a simulated phishing test to all employees 2 times a year and to senior management 3 times a year.

By creating a plan that aligns each risk to a specific behavior and to training and reinforcement deliverables, you ensure the desired level of protection and diligence for the organization. Such a plan also allows you to identify cybersecurity roles and responsibilities for your team, including staff, third-party stakeholders and others, and ensures the right levels of education and protection for the right people within your organization. The NIST Framework notes that with the right plan, organizations will be capable of making strategic decisions regarding cybersecurity implementations and will be better able to determine the scope of systems and assets that support the selected business line or process.

3. TRAIN

Training is the single most influential way to deliver your security awareness message to staff. During training, all eyes are on your organizational security program, and it's your chance to clearly communicate to employees the risks they face and the policies and best practices the company recommends to avoid them. So make this time count! Assemble security training that addresses not only security concerns but also regulatory needs (like the ability to prove training was delivered). Training should also engage staff, so that it is remembered and acted upon. Of course, that's no easy task. There are many options available for security awareness training, and many of the choices to be made fall outside the IT professional's expertise. While they don't cover everything, use the following key questions when you're in the market for a security training solution.

Should I go with web-based or in-person training? This can be a difficult decision. The right answer for your company will depend on both its size and the size of the program you're looking to deliver. Smaller companies running smaller security awareness programs may find in-person training more cost-effective. Larger companies (especially those with employees dispersed across locations), or companies investing in larger training programs, will likely favor web-based training, as it's easier to deploy, manage, and measure.

Should I build an in-house training solution or buy one? Each choice comes with its own pros and cons. Building your own solution may allow you to customize it directly to the needs of your business, but anyone who has attempted the task knows it can quickly become painful, difficult, and time-consuming. Buying a solution comes with the built-in cost of paying for the program, as well as the risk that you may not like what you bought or that it may not be as easy to work with as you hoped; however, it will likely save you the internal investment of creating it on your own, and gives you a variety of training solutions to choose from. Ultimately, you'll have to balance your decision against your budget and the time you have available.

Will this be easy to refresh and/or customize? This is a big one, especially for organizations looking to build an adaptive program (the NIST Cybersecurity Framework's Implementation Tier 4, "Adaptive"). You'll want to assess whether the training will be easy to refresh as new risks come to light. Will it be easy to customize, or are you locked into what you bought, with no ability to swap topics or modify content to fit your organization?

Will training be required? If you require training, you're likely to get a 100% participation rate. If you're not going to require it, you'll have to ask yourself how you make sure that people take it, or are interested in it. Again, look for a solution that is easily customizable and designed to engage the end user.

Is it trackable? If you are in an audited environment, or if measurement is important to you, you probably want a training solution that is both trackable and measurable. This may mean going with computer-based training, which is the easiest to track and measure. Thankfully, there are lots of options out there, including many cloud-based solutions that provide an easy way to deliver and track your training.

Do I believe this will change behavior? This is really the heart of it. When evaluating training solutions, ask yourself: Is this going to work? Does it bring about behavior change? Let this be your mantra, and consider what it takes to get people to really engage with content and commit to what they've learned. Is this training directly relevant to the work people perform? If yes, does it provide opportunities within the training itself for people to practice the behaviors you want to target? The answer should be yes to both questions.

4. REINFORCE

As you've probably noticed, we're big believers in training. However, we're also big believers that training alone is not enough to create new habits. A habit is something you practice, and it must be constantly reinforced. Security-aware behaviors must be fostered the same way. Otherwise it's too easy for a staff member to attend training once, only to never use (or think about) that information again. Creating a reinforcement program around your security awareness training increases the effectiveness of that training, which not only produces a bigger impact but also furthers staff engagement. When building a reinforcement program, here are some factors to consider:

COST. You don't have to spend a lot of money to create, or even to source, really good security reinforcement material. You can start by downloading free posters or worksheets available from various government websites. You can even find free security reinforcement materials from your friends at MediaPro. It's not important that you spend a lot of money on these items; what is important is that you make reinforcement part of your awareness program and keep the training content accessible and relevant to your organization's everyday experience.

CULTURAL FIT. When deciding which reinforcement materials are right for you, consider how well they will fit your culture and your business. For example, humor can help people retain information. However, humor is also tricky. Anyone who has tried to build funny approaches to security awareness (or anything else, for that matter) knows that while you may get some chuckles, you're also likely to get some eye rolls, or worse, someone who is offended by the material. The trick is to know your company culture and what will work for you and grab your staff's attention.

LOGISTICS. Something else to consider is the logistics and hidden costs of creating and delivering reinforcement materials. Sure, creating 5,000 fortune cookies with security awareness messages inside sounds like a great idea, until you have to ship those cookies to 40 locations spread across a 5-state region. It would have been cheaper to hire a chef to cater your training! We're not saying don't be creative, but run the numbers first. Also, remember that creative online content works just as well. There's no need to break the bank.

WE HOPE IT GOES WITHOUT SAYING, BUT LET'S SAY IT ANYWAY: the four components of Analysis, Planning, Training, and Reinforcement should work together in a continuous feedback loop. These elements are not meant to stand alone or proceed in linear fashion. Rather, in a truly adaptive program, you gather the data from all of the above activities and use it to refresh your annual training and reinforcement materials.

Creating Your Security Awareness Program

Okay. You're ready to go. You've been versed in the steps and the elements necessary to put together an integrated security awareness program; all that's left is to build it. GULP! Don't worry, we wouldn't send you out there without a plan. Following the plan laid out below (though not necessarily in the order it is laid out) will help your organization move toward Tier 4 ("Adaptive"), the highest of the NIST Framework's four Implementation Tiers, which describe how rigorous and adaptive an organization's cybersecurity risk management practices are. While this isn't a requirement, it is something we believe businesses should aspire to. Aiming higher will put you in a better position to comply with future cybersecurity and privacy regulations, and can only serve you well down the road. With that said, here's how to pull it all together into an adaptive program.

1. Survey employees to assess their existing knowledge. A great way to launch your security awareness program is with a knowledge assessment that helps you understand exactly what your employees know and what they don't. This baseline assessment helps you build a plan, and if you run follow-up assessments months later, it also gives you a good measure of whether you are improving over time. It is a sure way to demonstrate the ROI on your awareness investment.

2. Plan your overall effort with an eye to suspected risks. With your assessment in hand, and your own knowledge of the risks facing your organization, you're ready to create an adaptive program plan. You need to know where you're going and what your objectives are, but you also need to be open to the idea that things will come up. Maybe you have five key risks you want to tackle, so you plot them out over the year, and then something comes up and changes that plan. That's okay. Leave gaps in your plan for the surprises you're sure to discover along the way.

3. Announce the overall awareness program to all employees. Announcing your program will help you get internal buy-in, increasing the number of employees who participate in your surveys and who are open to the training. This helps employees understand not only what you're doing, but why you're doing it, why it's important, and how it relates to their everyday job functions. And announcements always work better when delivered by people with real credibility, like CISOs or CEOs.

4. Phish your employees and provide minimal correction. Again, it's all about collecting the data you need to create and implement your plan. By running a simulated phishing attack you'll be able to identify where your team is weak and how you can help them improve their phishing prevention skills.

5. Train all employees. Whether it's training you've built from scratch or training you've purchased, find the program you believe best meets your needs and deploy it to your staff.

6. Reinforce the top risks identified in your initial survey. Strengthen your training by reinforcing the messages related to the highest risks. Reinforce with materials like animated videos, posters, tent cards, games, and other material designed to gain attention and convert training into memory.

7. Survey and phish again at appropriate intervals. Run a follow-up simulation of social engineering and phishing attacks to see how many employees take the bait, and whether the number of bites has decreased (a positive sign), stayed the same, or gotten worse.

8. Analyze and adapt. With your security awareness program live and running, you can analyze its success by measuring training completions, survey results, and phishing scores. You may need to target frequent phishing victims with more in-depth phishing training, begin using role-based training in areas that show functional deficiencies, or use personal follow-up messages to reinforce pressure points.

Get Started!

Let's recap. We know that the number of breaches affecting businesses every year continues to rise. We know that the costs associated with those breaches also continue to rise year over year. We know that implementing an adaptive security awareness program, one that aligns with NIST's Cybersecurity Framework, decreases the likelihood that you'll be breached, and the costs you'll face should it happen. The only question today is: will you adopt the Adaptive Awareness Framework now, moving your company toward the Adaptive tier immediately, or will you wait until you suffer a breach? If you'd like to discuss how MediaPro's Adaptive Awareness Framework can put your business ahead of the curve, WE'D LOVE TO SPEAK WITH YOU.

Sources

2015 Data Breach Investigations Report, Verizon
Verizon Data Breach Investigation Report: What You NEED To Know, MediaPro
Cost of Data Breaches Rising Globally, Says 2015 Cost of a Data Breach Study: Global Analysis, Security Intelligence
2015 Global State of Information Security Study, PwC
Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology
2015 Attendee Survey, Black Hat
The Critical Security Controls for Effective Cyber Defense, SANS Institute
US Cybercrime: Rising Risks, Reduced Readiness, PwC