
Well, there are a few problems, to say the least, but I think the biggest problem is that we're focused as an organization too much on technology and not so much on the people that use it, and we really need to look at how we tie together the human element of security along with the technical parts. We're still getting attacked. We're still doing all kinds of new technology, next-gen firewall, red blinky box, you know, lights, whatever, but we're still getting attacked and they're still getting in, and they're getting in most of the time through the human elements. So we need to kind of change the way that we look at the human element of security.

It's really all about education. So it's not so much about, you know, "this is the way that you need to use technology"; it's more of an awareness of: there are bad people out there, and these are some of the ways that they use to attack you.

So one of the most successful things that I've done recently with this is I had a client that asked me to come in and do a presentation for security day, and, you know, that's no problem. And, um, I looked at last year's schedule. They said, "Well, you know, we really don't have that good of a turnout." So I looked at last year's schedule and it was full of very official-sounding briefings. I thought, um, I know how to fix this. So I put together a quick little presentation that's meant for everybody, and I called it, uh, "How Hackers and Scammers Are Stealing Your Personal Data," and I filled it full of just security basics. You know, this is how you identify phishing emails, this is what, you know, something suspicious looks like, um, this is what a card skimmer looks like. So I really tied everything around the people and how technology relates to them and their personal lives. And what happened was that the room was so full that they had standing room only around the edge, and then they finally had to shut the room.

So when I was finished, the organizer came to me. He said, "How did you do it?" I said, "Well, how did I do what?" He said, "Nobody comes to these things. How did you get them to show up?" I said, "Well, I made it important to them. I didn't use the word 'required.' I didn't use the words, you know, 'annual awareness training.'" You know, none of those official phrases were involved in this at all. So I've really taken that approach and just run with it. It's more about connecting with folks on a personal level instead of dictating policy.

Definitely the first takeaway that I'd like to point out is, you know, this is a people industry. This industry revolves around people, and it's not about technology; it's about how we pair them together.

Point number two (I feel so list-oriented now), um, it's really that to defend against social engineering attacks, we really need to explain to folks how they work. So until you understand it well enough to explain it, you're not going to do a very good job with educating folks on how not to fall prey to these attacks.

And third... oh, there's so many. Um, keep it simple. You know, when it comes to educating people, it's not about a very splashy, very complicated training method. You need to do something that grabs their attention, conveys the message you want, and that's it. It's very much like advertising. So for folks that want to develop good awareness training programs, I recommend that they start to look into advertising and talk to their marketing people, because it's all about just short and sweet.