Security awareness planning and education key to dealing with complex threats says Spitzner
UK – 2nd November 2015 – Ahead of SANS London 2015, the largest and most important security training event across the region, SANS will be running the recently updated MGT433 Building a High-Impact Awareness Campaign class on 14th and 15th November.
The course which has grown in popularity in the last few years will be taught by course author Lance Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. Over a 15 year career, Spitzner has worked with the NSA, FIRST, the Pentagon, the FBI Academy, the President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College, the British CESG, the Department of Justice, and the Monetary Authority of Singapore and invented and developed the concept of honeynets as well as authoring several books and over thirty security whitepapers.
In his view, based on the available evidence, it is extremely likely that every large organisation will experience an information security breach at some point in time. “People are often an organisation’s greatest weakness. However this is not their fault, but the failure of the organisation. Through a high-impact awareness program, organisations can radically change that,” says Spitzner.
The threat is increasing with the rise of more interconnected networks and new trends such as cloud, teleworking and mobile devices distributing sensitive digital data to more locations. According to the influential Data Breach Investigation Report (DBIR) which has examined over 100,000 security breaches over the last decade, 81% of the incidents can be described by just 4 root causes namely miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%).
According to Spitzner, “The biggest factor of ‘miscellaneous errors’ are simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, lack of security awareness also has a part to play in insider misuse, physical theft and lost incidents.”
In his view, in the past organisations have had security awareness programs, but these were compliance driven programs designed by auditors to ensure their organisation could ‘check the box’. “These programs consisted of nothing more than a once year Power Point presentation or some very basic Computer Based Training (CBT). While this approach ensured compliance, they were not effective at changing behaviours.”
Yet he believes that the past several years have witnessed a fundamental shift in how organisations have begun approaching awareness and training. “They are building mature security awareness programs that identify and change high-risk human behaviours. After working with and helping literally hundreds of organisations around the world build security awareness programs, we wanted to share with others what we have seen work and what does not work.”
This intense two-day course teaches the key concepts and skills needed to build, maintain and measure just such a program. All course content is based on lessons learned from hundreds of security awareness programs from around the world and includes extensive interaction with peers’ during the course.
Spitzner also points out that the course is structured to meet the soft skills needed for effective program development and delivery, “Often security awareness programs are run by highly technical people such as security analysts or IT administrators. While these individuals understand security, they lack the skills or training to effectively communicate to a large group of people. They also tend to view security problems from only a technical perspective. Security awareness programs instead should be run by people with communications, marketing or learning backgrounds. We need people that can effectively reach and engage others.”
SANS London 2015 takes place at London’s Grand Connaught Rooms in the heart of the West End from the 14th of November and includes 14 courses spanning 4 core disciplines. For more information, please visit https://www.sans.org/event/london-2015/
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 27 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)