1 Introduction
1.1 Overview
1.1.1 Background
1.1.2 Continuous Approach to Security Education
2.0 Proposed Deployment Plan
2.1 Phased Approach
2.2 Step 1: Assess Susceptibility to Attack
2.3 Step 2: Educate with Interactive Training Modules
2.4 Step 3: Reinforce with PhishAlarm and Security Awareness Materials
2.4.1 PhishAlarm
2.4.2 Security Awareness Materials: Remind, Reinforce, Retain, Respond
2.5 Step 4: Measure Results
2.6 Plan Summary
2.6.1 Step 1: Assess Knowledge
2.6.2 Step 2: Educate via In-Depth Training Modules
2.6.3 Step 3: Reinforce with PhishAlarm and Security Awareness Materials
2.6.4 Step 4: Analyze Results
2.7 Suggested Security Awareness and Training Timelines
1 Introduction
1.1 Overview
The IT Professional Security (ITPROSEC) has acquired a subscription to Wombat, a Software-as-a-Service platform that supports the deployment of a robust information security awareness programme.
The Wombat platform offers a series of online e-learning modules covering a wide range of information security topics, as well as a phishing simulation module that can be used to send employees simulated phishing campaigns.
The purpose of this document is to outline a proposed approach to deploying the security awareness and training program at the ITPROSEC. This document will outline the proposed approach, timing and materials the ITPROSEC’s Information Security team would like to deploy over the course of the upcoming fiscal year (FY2017/2018). The intended audience for this document is stakeholders within the ITPROSEC, the Chief Information Officer, communications, and executive management.
1.1.1 Background
Currently, when new employees join the ITPROSEC they are asked to review the ITPROSEC’s acceptable use policy and are provided a relatively short, high-level PowerPoint presentation covering security awareness. At the time of joining, new employees are asked to attest to the ITPROSEC’s Code of Conduct, and all employees are required to do so on an annual basis thereafter.
Security awareness was identified as an area of deficiency during the ITPROSEC’s last information security assessment. To mitigate this deficiency, an RFP was issued for the creation of a security awareness training module and supporting handbook. A vendor was selected through this process; however, work had not formally commenced. During a cybersecurity meeting with many of the other Canadian Securities Commissions in November 2016, the ITPROSEC learned that many peer organizations are currently using, or looking to use, Software-as-a-Service platforms to support ongoing security awareness activities. We re-assessed the proposed approach, decided to change course, and selected Wombat Security Technologies, a SaaS platform, to deliver an ongoing security awareness program to the ITPROSEC.
1.1.2 Continuous Approach to Security Education
In order to understand the proposed deployment plan for the information security awareness program at the ITPROSEC it is important to understand the “Continuous Training Methodology” upon which the Wombat platform is based.
Wombat’s Continuous Training Methodology includes four key steps: Assess, Educate, Reinforce, and Measure. Wombat’s SaaS platform is purpose-built to support the execution of an organization’s awareness program:
1. Assess – Use predefined or custom knowledge assessments and/or simulated attacks to identify areas of vulnerability, establish baseline measurements, and improve awareness.
2. Educate – Assign interactive training modules to teach staff how to apply best practices. These brief, focused modules are available on demand, which gives administrators and end users more flexibility.
3. Reinforce – Wombat’s PhishAlarm email button can be installed to allow end users to report suspicious messages. Additionally, security awareness materials can be used to highlight best practices (e.g. posters, articles, and images).
4. Measure – The reporting and analysis features of Wombat’s platform can help drive the security education strategy and guide current and future efforts.
2.0 Proposed Deployment Plan
2.1 Phased Approach
The deployment of the training will follow an approach that aligns with Wombat’s Continuous Training Methodology. The major phases covered in the deployment plan include:
Step 1: Assess Susceptibility to Attack
Step 2: Educate with Interactive Training Modules
Step 3: Reinforce with PhishAlarm and Security Awareness Materials
Step 4: Measure Results
2.2 Step 1: Assess Susceptibility to Attack
The first step involves developing a baseline understanding of ITPROSEC employees’ level of security knowledge. To achieve this objective we would arrange an organization-wide simulated phishing campaign using Wombat’s ThreatSim module. This would provide a sense of how ITPROSEC employees respond to phishing and spear-phishing emails without exposing our network to an actual attack. It would also help gauge how vulnerable the ITPROSEC could be to these dangerous and pervasive threats.
Wombat’s phishing simulation pairs mock attacks with “Teachable Moments” which are “just-in-time teaching” messages that are displayed at the time a user engages with the simulated attack. These “in-the-moment” alerts explain the purpose of the exercise and offer brief, actionable tips that users can immediately apply in their day-to-day routines.
Wombat recommends the initial mock phishing attack should be a “blind” send, meaning that as few people as possible should be aware that it’s being sent. As well, Wombat recommends disabling triggered messages (i.e., Teachable Moments and Auto-Enrollment of e-learning modules) for the initial blind campaign. Disabling this will eliminate the possibility of staff members alerting others not to click, which helps preserve the integrity of the measurement.
Following the baseline assessment, Wombat recommends that organizations continue to send simulated phishing attacks on a monthly or bi-monthly basis (every 4 to 6 weeks). To start with the platform, we’d look to send simulated phishing emails to all users once per quarter. The “Teachable Moments” function would be enabled for all messages subsequent to the baseline assessment. Additionally, after the initial baseline (blind) assessment the auto-enrollment feature would be enabled on the first two or three simulated attacks to automatically assign email security related modules to any staff members who fall for the mock phish.
2.3 Step 2: Educate with Interactive Training Modules
Wombat’s training modules offer 10 to 15 minutes of interactive training about a specific security topic, which allows for ITPROSEC employees to be efficiently educated at regular intervals with minimal disruption to the business.
Modules generally include three to four separate lessons, which make content more “digestible” for users. Each lesson concludes with a brief quiz; users must exhibit a baseline level of understanding before proceeding to the next lesson. With each question, users receive immediate feedback, giving them a clear understanding of why an answer is correct or incorrect. Users who do not pass on the first attempt can review the lesson again or go directly to retaking a quiz.
The Wombat platform also allows some customization using “training jackets”. These “wrappers” allow organizations to add customized messages to the start and close of each module, including things such as policy acknowledgements and completion certificates. The training jackets could be used to communicate a message to users, explaining why the training has been selected and how it applies to the ITPROSEC’s security posture.
From a training schedule perspective, we’d like to deploy one 10-15 minute training module per quarter in addition to the email security related module that would be issued should a user click on a link in a simulated phishing message.
2.4 Step 3: Reinforce with PhishAlarm and Security Awareness Materials
2.4.1 PhishAlarm
As part of the overall security awareness approach we’d like to deploy PhishAlarm on all end-user systems. PhishAlarm is a small piece of software that is included in our current agreement with Wombat. It is essentially a button (plugin) added to Microsoft Outlook that allows users to report suspected phishing emails to the Information Security and Service Desk teams with a single mouse click.
This simple but effective tool can decrease the window of risk associated with active phishing attacks within the ITPROSEC. It can also reduce or eliminate help desk calls associated with suspicious messages, because it allows ITPROSEC employees to submit suspected phishing email directly to a monitored inbox.
2.4.2 Security Awareness Materials: Remind, Reinforce, Retain, Respond
Wombat’s portfolio of Security Awareness Materials includes more than 50 posters, images, articles, and other visual cues that remind employees about the security principles they learned during in-depth training. The posters, images, and articles directly correspond to the topics covered in Wombat’s training modules, reinforcing learned concepts.
The following materials would be used to keep cyber security top-of-mind throughout the year:
• Posters – Available in two sizes (11 in. x 17 in. and 24 in. x 36 in.). The posters have the same look and feel as the training and would be placed around the offices in common areas to offer a visual reminder of best practices. Different awareness posters could be deployed each quarter.
• Articles – Wombat offers purpose written articles that explore relevant security topics in greater detail. A selected article could be posted on the ITPROSEC’s intranet site on a monthly basis to assist with a continuous education approach.
2.5 Step 4: Measure Results
The Wombat platform provides the ability to monitor results as users complete training assignments. It provides access to detailed information about who completed which assignments, who fell for specific simulated attacks, which concepts employees understood well, topic areas of weakness, and improvements over time.
At any point in a learning cycle, reports can be generated to provide a summary of results to managers, executives, and any other interested parties. After each quarter, detailed reports related to both training and phishing campaigns will be provided to management within the ITPROSEC.
2.6 Plan Summary
2.6.1 Step 1: Assess Knowledge
a. Break users into functional groups by branch.
b. Issue a blind ThreatSim simulated phishing attack to develop a baseline measurement of vulnerability.
c. Deliver ongoing simulated phishing attacks every quarter.
d. Review results in order to provide education that targets areas of risk.
2.6.2 Step 2: Educate via In-Depth Training Modules
a. Select training modules that will strengthen employee knowledge in key areas. One 10-15 minute training module is to be assigned to all users every quarter.
b. Ensure that victims of simulated attacks are assigned mandatory “email security” training modules through the platform’s auto-enrollment capability.
c. Schedule ITPROSEC-wide training assignments to ensure all end users have equal access to education about best practices, in order to improve the ITPROSEC’s overall security posture.
2.6.3 Step 3: Reinforce with PhishAlarm and Security Awareness Materials
a. Deploy the PhishAlarm email reporting button to take advantage of employees’ knowledge about phishing and enable them to report suspicious email.
b. Display posters, share articles, and reinforce security best practices throughout common areas in the ITPROSEC.
2.6.4 Step 4: Analyze Results
a. Review Security Education Platform reports to determine potential areas of weakness.
b. Use this data and analysis to determine the next phase of assessment and training.
Repeat the Cycle
2.7 Suggested Security Awareness and Training Timelines
Q2 – F2017/2018
  Months:    July 2017        August 2017      September 2017
  Year 1:    Month 4          Month 5          Month 6
  Training:  Non-Clicker – Email Security

Q3 – F2017/2018
  Months:    October 2017     November 2017    December 2017
  Year 1:    Month 7          Month 8          Month 9
  Training:  Non-Clicker – URL

Q4 – F2017/2018
  Months:    January 2018     February 2018    March 2018
  Year 1:    Month 7          Month 8          Month 9
  Training:  (none listed)

Q1 – F2018/2019
  Months:    April 2018       May 2018         June 2018
  Year 1:    Month 1          Month 2          Month 3
  Training:  Social Engineering