70 Million Responses Can’t be Wrong - ISSA …pittsburgh.issa.org/Archives/Wombat-Beyond the...

70 Million Responses Can’t be WrongAmy BakerVP of MarketingWombat Security Technologies

Assess, train and gather intelligence about end user cyber security knowledge & behavior

Leading Behavior Change Company

Global customer base including many Fortune 500 companies

Wombat sells cyber security software solutions that change

end user behavior

More than

millionquestions asked and answered

Beyond the Phish

NEW! Highlights from our 2017 User Risk Report, which compiled results from a third-party survey of 2,000 working adults.

10% increase in correct answers (7 million)

How Are End Users Doing?Average Percentage of Questions Answered Incorrectly

OVERALL

22%QUESTIONSINCORRECT

Further Focus on Industry DataAverage Percentage of Questions Answered Incorrectly by Industry

24 24 24

23 23 23 23

22 22 22

21 21 21 21

20 20 20

Look Beyond The Phish to Root Cause

Failing to identify phishing threats

Failing to protect confidential

information

Unsafe mobile device practices

Disposing of data improperly

Social media oversharing

How Are End Users Doing?

Protecting confidential information

Protecting and disposing of data securely

Identifying phishing threats

Protecting mobile devices and information

Using social media safely

Average Percentage of Questions Answered INCORRECTLY

Protecting Confidential Information

QUESTION

One of the questions users struggled with the most was around the use of shared login credentials.———

To minimize this practice, employees should be made aware of the personal implications of allowing coworkers to access sensitive retail and healthcare systems using their credentials.

Protecting Confidential Information

Industries Struggling the Most:

Education

29%Energy

Transportation

Healthcare

Professional Services

Insurance

Defense Industrial Base

27%Other

Knowledge of End-User Cybersecurity Best Practices forPCI DSS and Healthcare Data Protection

Protecting and Disposing of Data Securely

QUESTION

Protecting and Disposing of Data Securely

Transportation

28%Consumer Goods

Healthcare

27%Technology

Retail

Energy

Topics addressed include destruction of electronic and paper documents, use of USB devices, and classification of sensitive data.

Entertainment

Hospitality

Identifying Phishing Threats

QUESTION

Identifying Phishing Threats———

This topic was the most popular with our customers. More than half of the assessment and training questions delivered to end users during our reporting period were related to phishing threats, and there was an even bigger emphasis on this topic than last year.

This category focuses on the different indicators and ramifications of phishing attacks

Identifying Phishing Threats

Click rate data is from our 2017 State of the Phish Report.

Healthcare

26%Click Rate*

On Simulated Phishing Attacks

Questions IncorrectIn KnowledgeAssessments

14% 24%Click Rate*

On Simulated Phishing Attacks

Questions IncorrectIn KnowledgeAssessments

Check out our State of the Phish™ Report for more data about phishing attacks.

Government

Protecting MobileDevices and Information

QUESTION

According to Pew research, as of January 2017:

Protecting Mobile Devices and Information

of Americansaged 18-29 have a smartphone

92%of Americansaged 30-49 have a smartphone

Protecting Mobile Devices and Information

Energy

27%Hospitality

Healthcare

27%Manufacturing

Retail

Questions pertain to the implications and ramificationsof unsafe mobile applications and invasive permissions

Insurance

Using Social Media Safely

QUESTION

Keep These End-User Risks in Mind ———

71% regularly use corporate devices outside the office

54% view or post to social media on those devices

43% allow friends or family members to view or post to social media on those devices

Using Social Media Safely

Hospitality

Retail

Social Media concepts include recognizing imposters and oversharing on social media networks

Transportation

29%Consumer Goods

Defense Industrial Base

33%Telecommunications

How Are End Users Doing?

Working safely outside the office

Using the internet safely

Protecting against physical risks

Protecting yourself against scams

Building safe passwords

Average Percentage of Questions Answered CORRECTLY

What is my password?

Effective Approaches to Improving End User Knowledge

Application of Learning Science Principles

• Present concepts and procedures together

• Bite-sized lessons• Story-based environment• Learn by doing• Use conversational tone• Create teachable moments• Provide immediate feedback• Collect valuable data

Continuous Training Methodology

Analyze and

Repeat

Simulated attacks and knowledge assessments

Interactive training modules and games

Attack reporting, videos, posters, and articles

Detailed reports show progress

o Assess knowledge and vulnerabilityo Gather baseline resultso Intelligence for planningo Motivate users

Knowledge Assessments & Mock Attacks

Leveraging Teachable Momentso Intervention messageo Less than 30 secondso Immediate feedbacko Provides context

In-Depth Education• Bite-sized education• Learn by doing• Stories & scenarios• Provide immediate

feedback• Collect valuable data

Reinforce and Repeato Remind employees of security principleso Encourage them to report attackso Reinforce training moduleso Retain knowledgeo Respond appropriately

#StateofthePhish

o More than 89% reduction in phishing susceptibilityo 90% reduction in successful phishing attackso More than 67% reduction in click rateso 42% reduction in malware infections

Achieving Measurable Results

Methodology• Regular phishing simulations and knowledge

assessments with Auto-Enrollment to address vulnerable users

• Quarterly organization-wide training

• Use of customized Training Jackets on all modules to emphasize policies

• Consistent measurement and reporting

Results• Average click rates went from 19.8% to 2.1%

Problem• IT team was tasked with developing and

delivering an organization-wide security program

• Complete executive- and board-level buy-in from the beginning

Case Study: Employee Benefits Organization

More than 89% reduction in click rates

“Without Wombat, it would be very hard to do as comprehensive a program as we do. We absolutely feel there’s a big benefit to partnering with an expert to quickly incorporate assessment and education tools.”

• End Users need to be more knowledgeable– Protecting Confidential Information– Protecting and Disposing of Data Securely– Identify Phishing Threats– Protecting Mobile Devices and Information– Using Social Media Safely

• It’s time to focus on the root cause • How would your end users’ knowledge

compare in these areas?

70 Million Responses Can’t be Wrong

Clear Leader for Four Years

Free Resources for You – wombatsecurity.com

• Wombat Cybersecurity Blog

• Wombat Ransomware Resource Center

• Wombat Webinar Library

• Wombat Case Studies and POCs

• Wombat Research Papers

• Cybersecurity Communications Calendar

• Security Awareness Infographics

70 Million Responses Can’t be Wrong - ISSA …pittsburgh.issa.org/Archives/Wombat-Beyond the...

Documents

2009 Golden Wombat

Wombat Security’s 2016 Beyond the Phish and Documents_49201… · most, missing 31% of the questions we asked them around what they should and shouldn’t do to keep themselves

Teaching Johnny Not to Fall for Phish, for ISSA 2010 on May 2010

Fame's Wombat Adaptation

Wombat Voting

Reading Eggs - Turtle, Wombat poems

Teaching Johnny Not to Fall for Phish, for ISSA 2011 in Pittsburgh on Feb2011

As The Phish Turns

Shooting phish in a barrel

2018 - Wombat Security State of... · The 2018 State of the Phish Report is a study in four parts: Business Intelligence In this section, we explore the simulated phishing data generated

Phish market protocol

Newsletter - Wombat State Forest

The Northern Hairy Nosed Wombat

Phish, flop, or fine

Catch Phish Outlook Plug-In

Phish - Mike's Corner

Wombat Security’s 2017...Wombat Security’s 2017 Report #BeyondthePhish 2017 / 1 wombatsecurity.com Beyond the Phish It is standard knowledge for infosec professionals worldwide

PHISH OR NO PHISH? Masquerades, Deception, and Thievery On the web…

Wombat Mitigation Program · Wombat Mitigation Program is a free service offered to farmers in exchange for wombat protection. ... (Sarcoptes scabiei); and vehicular accidents this

Jeremy Bednarsh's Great Phish Songs