It’s a vicious circle that becomes costly, wastes time and frustrates everyone.
So how can you balance the competing requirements of effective and user-friendly security? How do you communicate the 'why' of these measures to your colleagues, and encourage happy compliance?
In this session, we found out how the National Bank of Belgium, Seris and Port of Antwerp are meeting the challenges, and learned how Artificial Intelligence (AI) and Machine Learning can support security efforts.
The presentations and a link to the recording of the event are available after log in:
Protecting your workforce with Artificial Intelligence and Machine Learning
Erik Westhovens, Technical Architect & Evangelist Connected Workforce at Insight, has found his mission in helping companies leverage AI and Machine Learning to prevent end users from being ‘reeled in’ by phishing and/or ransomware. With the current increase in homeworking, that risk has only become bigger.
99% of all breaches are related to the end user, Erik started. So working on the identity and protection of end users is increasingly important.
The journey to the digital transformation began a few years ago, and most companies have started along that road. But who leads that transformation in the organisation: the CEO, the CTO or (as in the current situation) unforeseen challenges?
Offering new tools to end users who are not adequately familiar with them (for instance collaboration tools like Slack, Teams or Zoom), can lead to a rise in successful ransomware attacks and data leaks. End users need guidance in working with these new tools efficiently and securely. At times, it is difficult even for experts to tell whether a mail is legitimate or fraudulent (slide 5). This makes it even harder to make users cyber aware.
Threat protection tools, enriched with Machine Learning and AI, can offer this support and protection for users (slides 6 and 7). Comprehensive dashboards can show the current status of services (user protection, file protection, etc.), while risks, breaches and unprotected devices are shown immediately. This gives the CISO complete control of the data (slide 10). Keep in mind that the number of email accounts at risk in this example can be the result of people using professional mail addresses for private purposes, such as creating an account on a commercial website. This can generate more spam, putting the mailbox on the 'at risk' list.
Erik shared some eye-opening numbers on the massive amount of data, email and malware threats (slide 11).
Microsoft’s threat protection program protects these 5 components, Eric explained:
Case: OBI at the National Bank of Belgium
Next Wim Barthier, Security Officer at the National Bank of Belgium (NBB), described how the OBI mascot (slide 2) is a key element in how the bank implemented user awareness, within a diverse landscape of users and business services.
NBB’s campaigns, which run four times a year, all follow some key requirements
The diverse formats can include movies, quizzes, escape rooms, gadgets, etc. (slides 5). It’s an approach that does require a sizable investment in time and effort.
The NBB campaigns cover the entire user population, but also targets specific ICT and business profiles, in the Helpdesk, accounting, HR, Payments, etc. Wim also shared the various elements of the NBB campaign: the online platform, the gamification, the phishing campaigns, the escape room, and more. (slides 7-12).
To wrap up, Wim shared some lessons learned:
Case: Port of Antwerp’s journey into user awareness: creating a smarter workforce
Jan Meuris, Security analyst at Port of Antwerp (PoA), shared their vision on, and journey to, user awareness. Jan explained the Port’s many roles: from landlord, to operator, regulator and - very important - community builder, all at the same time.
Social engineering is a big topic today (slide 10). Back in 2017, an IT security audit showed that 37% of employees had clicked through on faulty emails, and 30% of staff had shared their password. For the PoA, this led to the creation of a dedicated security team, headed by Yannick Herrebaut (still the CISO of PoA today).
Like the NBB, PoA chose to have a highly recognisable program, with repetitive icons and visuals. PoA also applied the idea of the escape room, followed by an ethical hacker who explained to staff about security and breaches. However, PoA’s elaborate program (slide 17) turned out to be too much for staff, who were not ready for such an intensive track. Jan emphasises how important it is to maintain employee engagement.
At the end of December 2019, the PoA chose to first focus on phishing (slide 19), keeping in mind the high diversity in white collar and blue-collar employees at the Port, with their varying knowledge of cybersecurity and risks. The current CyberSecurity Month is also an excellent backdrop for further campaigns.
Figures show (slide 20) that it is hard work to keep employees engaged in security campaigns – team leaders need to make the effort to be encouraging.
From the recurring phishing tests (over 2 years), Jan has concluded that the awareness programme is working:
When employees report phishing mails using the button, PoA sees:
To wrap up, Jan shared his tips for a successful user awareness programme:
Case: End user security
Our final speaker was Stijn Verheyden, Project Manager at Seris, a company specialised in guarding and security solutions. Stijn went over a few insights and statistics on cyber crime:
At Seris, all employees are required to follow cyber security training. Usually, that training starts by confronting people with the potential consequences of treating passwords carelessly.
Best practice is long passwords, all unique and with a mix of characters, numbers and symbols. As it becomes impossible to remember all those passwords, Seris recommends that its staff use password managers.
Spam mails and phishing are easy and low cost for cyber criminals. It only costs about €150 to send 20 million spam mails; the worldwide trade in mail addresses only facilitates the effort.
Seris uses the F-Secure platform for detection. A key element in detection is the protection of end points - behavioural analysis helps. For identity protection, Seris uses the Microsoft Azure Security and Governance platform.
Stijn also shared how Seris handles response. A 360° approach is key:
Gamification and escape rooms as part of the #UserAwareness campaigns at the National Bank of Belgium. Wim Barthier explains.#CyberSecurity #Phishing #ITSecurity #KnowledgeSharing #DataProtection #InformationSecurity @NBB_BNB_FR pic.twitter.com/SpH0DmpdFh— @beltug (@Beltug) October 8, 2020
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).
Beltug gathers a lot of information. Here you find the advantages of Beltug membership
The Beltug Team
Click here to login