Page 57 - Cyber Defense eMagazine - September 2017

great discussion at the end and this adds to the learning experience for everyone. It also shows me that people are interested and engaged.

We keep our presentation to about 15 to 20 minutes and try to use everyday language that everyone can understand. It is important to keep the presentation fun and entertaining, but most of all to explain why this information is important to each individual and to the entire organization. The point is to give some ownership to the end user. Companies need to empower employees, get them to take some pride in the organization and give them some responsibility for keeping it safe.

In this short presentation I am able to cover a brief overview of the history of cybersecurity threats to show how they have evolved over time. We cover social engineering tricks such as phishing, spear phishing, whaling, baiting and pretexting. We also cover non-technical social engineering and security issues such as shoulder surfing, tailgating and phone scams. These are all explained in non-technical terms so that the end users can understand the concepts. We explain why password complexity is important and the recent recommended changes in password policies provided by NIST. The staff are also given some examples of each to help them recognize the threat, along with instructions on what to do if they suspect they are being tricked or think they have already fallen for a social engineering scam. We show examples of threats that target certain departments. Some of the threats target HR, Accounting, Billing and other departments with email and websites designed specifically to fool them. Some of these scams are very well done and may go unnoticed without proper training.

How do we know that this is working? We have been getting great feedback and we have also seen an increase in reported incidents. People are now reporting what they find, and this helps those of us in Information Technology know what is out there. Instead of relying only on our IT staff to look for, categorize and block threats, we are getting the assistance of people outside IT. Having our end users trained to spot these threats helps us keep our information safe and out of the wrong hands.



About the Author

Lawrence King is an IT professional with 22 years of experience in healthcare environments and as a general IT consultant. He currently works as an Applications Analyst for Northwestern Medical Center in St Albans, Vermont. He has a BS in Information Technology, an MS in Executive Leadership, an undergraduate certificate in Human Resource Management and a professional certificate in Cybersecurity: Technology, Application and Policy.

Lawrence can be reached by email at [email protected] or online at https://www.linkedin.com/in/lawrence-h-larry-king-172b19a/





Copyright © Cyber Defense Magazine, All rights reserved worldwide.