Modern-day Cyber Threats and the Best Way to Protect

Today’s Cyber Threats and the Best Way to Stop End Users Causing Security Incidents
Mark Payne, Infosec Cloud
About us
• Infosec Cloud is a specialist IT security provider established in 2005.
• I personally have over 10 years’ experience helping organisations of all sizes and all sectors improve their IT security.
• We specialise in combating the risk that all end users pose to organisations’ cyber security.
Why am I here today?
• Currently we are helping hundreds of organisations combat cyber security risks caused by end users.
• We do this with our flagship “Security Awareness Training and Testing” (SATT) managed service.
Key benefits
• SATT takes up none of your time or resources.
• SATT is very affordable.
• SATT is proven within all business sectors to stop end users from causing security incidents.
Common Objectives?
Threat Landscape
From malicious hackers to employee errors, cyber attacks and data breaches: no one is safe…
Recent Cyber Attacks
The Numbers
Sources:
www.infosec-cloud.com/security-awareness-training-the-numbers/
Technology alone is not enough!
“The most popular technology solutions were designed to catch a wide variety of attacks and have not proven effective in detecting and deflecting spear phishing, since respondents report that 28 percent of attacks are getting through their defences on average.”*
* Vanson Bourne Research: http://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/
Which would your End Users Click On?
Example Test Email
Example Attack – cheap, quick and easy
THE FACTS
• Can be completed in under 20 minutes at a cost of only £4.99
• Skill level: LOW
• Cost of attack: LOW
• The firm’s IT team is unlikely to be aware that an attack has occurred
• Results in a likely data loss
We are using Mimecast as a simple example. The following attack could be created against a whole host of different services and solutions that you have in place.
Step 1 – Buy your Fake Domain.
Step 2 – Create your Spoof Page
Step 3 – Send the targeted email
URL looks fine… but is the URL correct?
Step 4 – Capture login details… and then redirect them to the correct Mimecast Admin Page
The administrator remains unaware that the attack has taken place.
Step 5 – The criminal can then log in to the actual Mimecast Portal using the captured credentials – accessing your data!
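The “URL looks fine… but is the URL correct?” step above is exactly the check a user (or a mail gateway) has to make: does the link go where its text says it goes, and is the host really the service’s own domain? The following Python example is added here and is not code from the presentation or from Infosec Cloud. It parses the anchors out of an HTML email body and reports three defensive findings per link: displayed URL text whose host differs from the real href host, hosts that contain a trusted brand name without being that brand’s registered domain (the generalised lookalike check), and plain-HTTP links. The trusted-domain list (only `mimecast.com`, the legitimate service named above) and the sample email, whose fake hosts all use the reserved `.test` TLD, are constructed for the example; the registered-domain helper is deliberately naive (last two labels) and would need a public-suffix list for domains such as `co.uk`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's only trusted portal domain.
TRUSTED_DOMAINS = {"mimecast.com"}

# Constructed sample email body: one link whose text hides a lookalike host,
# one genuine link, and one lookalike that buries the brand in a subdomain.
SAMPLE_EMAIL = """<p>Your Mimecast admin password expires today.</p>
<a href="https://mimecast-admin.test/login">https://login.mimecast.com</a>
<a href="https://login.mimecast.com/">Go to the portal</a>
<a href="http://www.mimecast.com.evil.test/">Click here</a>
"""

# Visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare text such as 'www.x.com' is accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registered_domain(host):
    """Naive registered domain: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(href, text):
    """Return the list of findings for one link (empty list = nothing suspicious)."""
    findings = []
    href_host = host_of(href)
    if not href_host:
        return ["unparseable-href"]
    href_reg = registered_domain(href_host)

    # 1) The visible text is a URL, but it points at a different registered domain.
    if URL_LIKE.fullmatch(text):
        if registered_domain(host_of(text)) != href_reg:
            findings.append("display-mismatch")

    # 2) A trusted brand name appears in the host, but the host is not that brand's domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in href_host and href_reg != trusted:
            findings.append("lookalike:" + trusted)

    # 3) Credentials should never travel over plain HTTP.
    if not href.lower().startswith("https://"):
        findings.append("not-https")
    return findings


def scan_email(html):
    """Map every href in the email body to its findings."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: classify_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "ok")
```

Run as a script it flags the first and third links and passes the genuine portal link; in an awareness programme the same comparison is what the “hover over the link” habit teaches users to do by eye.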
The Only Way to Stop These Attacks
• Is with Security Awareness Training and Testing
• A 12-month programme that’s not just a ‘compliance’ tick in the box, but actually changes end user behaviour
• Other training programmes leave a security gap
• Our ongoing, targeted phishing simulations ensure cyber security remains top of mind
• Your end users will STOP, LOOK and THINK before they CLICK
Security Awareness Training and Testing Process
• 1) Baseline: company-wide baseline phish test
• 2) Training: company-wide 15-minute online training
• 3) Monthly phishing: regular, targeted phishing emails – 1 per user per month, randomised, with an “Oops Page” for anyone who clicks
• Additional 40-minute training for vulnerable end users
PLUS:
• Fully managed service: you provide a list of email addresses and the Infosec SATT team do the rest
• Full reporting
• Multiple videos, including the 15-minute and 40-minute security awareness modules
• Very low cost per user per month
Example Monthly Phishing Landing Page
Best Available Security Training covering:
Email: Phishing, Spear Phishing, CEO Fraud, Whaling
Mobile: SMS, Vishing, Apps, Secure passwords
Physical: Removable Media, Social Engineering, Clear Desk, ID Badges, Confidential Data
Best practices: Passwords, Clear desk, AV, Updates, Info sharing
Web: Social, Pop-ups, Ads, Websites (fake, spoof, malicious content, hostnames)
Wi-Fi: Trusted, Rogue, Laptop, Mobile
All training modules follow the same structure:
1. Overview and introduction to the module.
2. Risks posed and associated impacts.
3. Example of the risk.
4. Training on the risk.
5. B.A.I.T. (Beware, Analyse, Identify, Terminate.)
6. Recap with key points.
Plan B – Sign off as you go!
When the IT team doesn’t have the authority to instruct staff to watch security training:
• 12 months of targeted phishing tests: regular, targeted phishing emails – 1 per user per month, randomised.
• Instant “key point training” for anyone who clicks: “Oops, you’ve clicked on a phishing email; here’s what to look out for so you don’t make this mistake again.”
• Regular reports so you can prove to management that all staff need training.
• Training can be deployed to any or all staff at any time within the 12-month service.
How & Why
• This is an IT security spend, purchased out of IT funds.
• The above, even without training, will go a long way to making users vigilant, which in turn stops security incidents.
• You will have indisputable proof that all staff need to watch the 15-minute training.
Sample Report
Example Cases
Legal Firm
Manufacturing
Financial Services
Regulatory Advisors
• Baseline result: 66.7%
• Training deployed straight after the baseline
• All users trained within 3 months
• Phishing Month 1: 4.8%
• Training issued to clickers: Yes
• Phishing Month 2: 1.2%
• Training issued to clickers: Yes
• Phishing Month 3: 0%
• Phishing Month 4: 0%
Packaging Solutions
Investment Management
• Baseline result: 45.6%
• Training deployed straight after the baseline
• All users trained within 2 months
• Phishing Month 1: 3.1%
• Training issued to clickers: Yes
• Phishing Month 2: 0%
• Phishing Month 3: 0%
• Phishing Month 4: 0%
• Baseline result: 57%
• Training deployed straight after the baseline
• All users trained within 2 months
• Phishing Month 1: 8%
• Training issued to clickers: Yes
• Phishing Month 2: 0%
• Phishing Month 3: 2%
• Training issued to clickers: Yes
• Phishing Month 4: 0%
Case Study: Education
All organisations. All sizes. All sectors…
Our Customers…
“Excellent thanks, very interesting results indeed, better than I thought.”
“That is much better, 62% clicked down to 3%.”
“That’s brilliant news! What a result, let’s hope we can sustain this.”
“We’re a business full of highly educated people, who often think that they won’t be caught out by phishing emails. Running the initial baseline test confirmed the need for the training and I’m pleased to say that Infosec Cloud’s SATT service has already made us all more aware and vigilant.”
“I’m obviously pleased that the majority of users have taken the training and from users I have spoken to today, they have definitely taken this seriously and learnt a great deal, which is exactly what we wanted to achieve.”
“Our Partners particularly liked the convenience of the online training videos, which they could watch as and when they had time – and could pause and replay as necessary.”
Guaranteed Reduction in Employee Risk
The Infosec Cloud SATT Guarantee:
If we do not reduce your employees’ susceptibility to phishing attacks within 60 days, then we will refund 100% of your investment.
Key Recap Points
• Bespoke – the whole service is created for each individual customer. All emails are created from scratch.
• All of our targeted emails (both baseline and monthly phishing) contain errors (e.g. the domain or link is incorrect when hovered) for the users to spot.
• The service is a lot more than phishing – phishing is how we test staff, but the training covers all areas of cyber security.
• Training alone makes no difference – if you train staff but don’t have a way of monitoring and reporting, then the old bad habits sink back in after a week or two. Our service is different because the regular targeted emails mean staff actually apply the training on a day-to-day basis. You don’t get this with training alone.
• Fully managed – we do everything for you, as we are the experts and do this with hundreds of companies.
Common Questions
• Staff turnover? (Jim replacing Bob)
• Adding staff? (co-termed cost)
• Why baseline before training? We baseline first because it raises awareness (users know emails are there to catch them out), and staff also take much more notice of the training when they see results such as “60% of staff” compromised the company’s security.
Thank you
Next Steps:
Contact Mark Payne:
[email protected]
T: 01256 379970, opt 1
And request your no obligation quote.
Don’t let your end users be the weakest link in your IT security.