Strategies for cyber resilience - Everyone has a Role


Page 1

Everyone has a Role

National & Organisational Strategies for Resilience to Cyber Attack

www.CyberRescue.co.uk

Page 2

Agenda

www.CyberRescue.co.uk

1. UK National Cyber Security Strategy to 2021

2. Building Resilience – everyone has a role (Nick Wilding, General Manager, Cyber Resilience, Axelos)

3. Recovery – what should CEOs do?

These presentations were given at a meeting organised by Cyber Rescue on 29/6/16. Participants included senior representatives from the Cabinet Office (UK Government), Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, and others.

For similar material, follow Cyber Rescue on LinkedIn here.

Page 3

Strategies for Resilience to Cyber Attack

BUILDING RESILIENCE: EVERYBODY HAS A ROLE TO PLAY, 29 June 2016

AXELOS.COM

Page 4

It’s not just about bits and bytes... it’s about behaviours

We all have a role to play

90%... need to influence and enable positive change in user behaviours

Page 5

Stats and facts

“253 days is the median number of days it takes an organisation to realise that they have been successfully attacked.”

(Verizon 2015 Data Breach Investigations Report)

“Only 29% of companies rate their cyber resilience as high. Nearly 33% said collaboration was poor/non-existent.”

(Ponemon Institute research with 450 IT and security professionals)

(PWC UK Data breach report, Feb 2015)

“90% of all successful cyber-attacks rely on human vulnerability to succeed.” (Verizon 2015 Data Breach Investigations Report)

“65% of large firms detected a cyber security breach or attack in the last year.”

(UK Cyber security breaches survey May 2016)

“17% of UK businesses have had their staff attend some form of cyber training in the last 12 months”

(UK Cyber security breaches survey May 2016)

1 person can enable an attacker to compromise your systems and access your most valuable information.

Page 6

Who are we?

Page 7

Cyber Resilience best practice

Cyber Resilience is the ability for an organisation to resist, respond and recover from attacks that will impact the critical information they require to do business.

Page 8

Why do security awareness programmes typically fail?

• Reliance on checking the box

• Lack of engaging and appropriate materials

• Reliance on a single training exercise

• Metrics are not collected

• Unreasonable expectations

• Failure to acknowledge that awareness is a unique discipline

Page 9

Attitudes to awareness training

“How important is information security awareness training to minimising the risk of cyber security breaches at your organisation?” 99% fairly or very important

“How important is minimising human error in managing the risk of cyber security breaches at your organisation?” 98% fairly or very important

And yet when asked how many people within their organisation completed awareness training, only 52% said it was between 75%-100% of staff.

Page 10

How effective is awareness learning?

When asked “How effective is your InfoSec awareness programme?”

42% very effective, 49% fairly effective, 7% not at all effective

When asked “How effective is your InfoSec Awareness programme in changing behaviours?”

28% very effective, 55% fairly effective, 13% not at all effective

Page 11

Is your learning relevant?

When asked: “Overall, how confident are you that the information security awareness training your organisation provided to all staff is relevant to their day to day work?”

32% very confident, 62% fairly confident, 6% not at all confident

When asked: “How effective is your awareness learning in ensuring compliance with required regulatory requirements only?”

37% said it was very effective

Page 12

Awareness learning – delivery methods

E-learning 80%, Face to face 61%, Posters 43%, Animations 26%, Games 14%

• Clear that the majority of respondents still rely on traditional E-learning.

• Is this an engaging, fun way to learn?

• ...Face to face and posters

• An effective and efficient control?

• Face to face in small organisations may be, but in both cases it can be challenging to measure the ongoing progress of the learner.

• Animations & Games

• 79% of respondents to a TalentLMS survey said that they would be more productive and motivated if their learning involved gamification.

• “Games have the power to teach, train and educate and are effective means for learning skills and attitudes that are not so easy to learn by rote memorization” (Michael & Chen, 2006)

Page 13

…in summary - some principles

Principle: On-going, regular learning

• Regular learning
• Short and concise
• Supporting updates and refreshers

Principle: Adaptive & personalised

• Suit individual learning preferences
• Content tailored to different skill levels
• Focus on the priority security issues

Principle: Measurable benefit

• Tracking changing behaviours over time
• Qualitative and quantitative metrics
• Demonstrate value of investment

Principle: Engaging, competitive and fun

• Different learning styles and formats
• Ability to learn inside and outside work
• Play to the competitive element of games

Summary and benefits

Page 14

Page 15

Questions and observations?

Nick Wilding, General Manager, Cyber Resilience. E: [email protected], tel: 07860 950108

Page 16

www.CyberRescue.co.uk

Who should own the human element of cyber defence?

Vote

Board, CEO, CFO, CIO, COO, HR Director

There was a strong consensus at the meeting that the CEO must own the human element of cyber defence, including prevention & response. All roles listed above share some responsibility, but the CEO has to define the “Command & Control” as well as the Culture that is key to Cyber Resilience.

Page 17

Thank you

National & Organisational Strategies for Resilience to Cyber Attack

www.CyberRescue.co.uk

Kevin Duffey, Managing Director, 29th June 2016