This webinar covered the importance of security awareness education for employees. It discussed how human error is the primary security risk for most companies and how training employees can help reduce that risk. The webinar provided an overview of the key elements of a security awareness program, including content, delivery methods, and reinforcement strategies. It also reviewed the benefits of implementing a program, such as a potential seven-fold return on investment, and the typical costs involved, which range from $10-14 per user per year. The presentation recommended that security awareness education be one part of a company's overall security strategy.
Information Security Awareness
1. Welcome! Live Webinar
Webinar Audio: you can dial the telephone numbers located on your webinar panel, or listen in using your headphones or computer speakers.
2. Webinar Details
• The presentation is roughly 30-45 minutes
• All phone lines are muted
• If you have any questions during this webinar, please type them in the Questions Box located at the bottom of your webinar panel
4. 180+ Business Technology Architects and Consultants. Practice areas (from the slide diagram):
• IT Road Mapping & Strategic Planning
• Business Process Review
• Ecosystem
• BI, Analytics & Reporting
• Cloud & IT Managed Services
• ERP/Accounting
• Web Development & e-Commerce (Sister Company)
• Payment Processing: SWYPE (Sister Company)
• CRM & Marketing Automation
• HRMS/Employer Solutions
• Document Management
• Compliance Solutions: Sales Tax | Fixed Assets
• Managed Print Services (Sister Company)
• Net@Work Partner Alliance Program
5. Our Previous Webinar Topics
All recorded webinars are available to watch on-demand on our website: netatwork.com/resource
✓ Managed IT Services: What It Is and Why It Matters
✓ The Myths & Realities of Managed IT Services
✓ Uncovering the Business Value of Managed IT Services
✓ Data Recovery Best Practices - Survival of the Fittest
6. “A company that includes 1,000 employees with poor online hygiene has 1,000 insecure endpoints.”
Anuj Goel, co-founder of Cyware Labs
7. Overview: The Essential Elements
• Perimeter – e.g. the firewall, inspecting data coming in and out of your corporate network
• Email Defense – filtering, inspection and protection of email boundaries
• End Point Protection – zero-day threat protection, anti-virus definitions
• Backup Solutions – full recovery of critical systems
• Training for End Users – regular education sessions and testing of knowledge of the company’s standard security posture
8. Polling Questions
Do you have a defense strategy for staff accessing personal email accounts on corporate devices?
• Yes / No / Don’t think we need one / Don’t know
Does your company have a mobile device or Bring Your Own Device strategy defined?
• Yes / No / Don’t think we need one / Don’t know
9. Agenda
Why Security Awareness Education?
• What risks does it address?
Who needs Security Awareness Education?
• Different companies & roles benefit from different messaging
Security Awareness Education vs. a Program
• The common ways to effectively educate employees
Benefits and Costs (both in time and money)
• What you can expect from your investment
10. Why Security Awareness Education? By The Numbers…
Human error, not technology, is your primary risk factor:
• 95% of successful cyberattacks are the result of a phishing scam
These social engineering scams are hitting our businesses hard:
• Over 400 businesses are targeted by spear-phishing scams every day
Phishing is the primary vector for ransomware, which is also on the rise:
• 4,000 ransomware attacks occurred every day in 2016, and Symantec logged a 36% increase in infections
These attacks are costing us trillions of dollars:
• The cost of cybercrime is expected to hit $6 trillion in 2021 (up from $3 trillion in 2015)
Awareness training is perhaps your most powerful defense:
• Investing in training can reduce the risk of a breach by as much as 70%
11. Who Needs Security Awareness Education?
Management
• Senior management is often not aware of the extent of the risk.
• “Tone at the Top” is essential to success … if management isn’t focused, employees aren’t.
Information Technology (IT) & Information Security (IS)
• IT and/or IS are often the first places people turn with ‘real life’ questions about phishing, vishing, and potential security incidents.
End Users
• Quality education and good direction from management move end users from your greatest threat surface to your greatest threat detection mechanism.
12. Polling Questions
What measures has your company taken to provide security awareness education to its employees?
• Program in place / Being discussed / Not on radar but want to pursue / Not interested at this time
13. Primary Options to Educate Your Employees
Content
• Roll your own
• Use a Security Awareness Education (SAE) vendor
• Customize an SAE vendor’s content
Delivery Options
• Learning Management System
• Digital – video, PowerPoint, etc.
• Human delivered
It is not unusual to blend content & delivery options in a program.
14. Education Should Include
The Basics:
• Social Engineering
• Phishing
• Vishing
• Ransomware
Supportive Topics:
• Security Fundamentals (password mgmt., mobile device mgmt., etc.)
• Compliance Fundamentals (PCI, HIPAA, GDPR, DFS-500, 800-171, etc.)
• Security Frameworks (ISO 27001, NIST CSF, SOC 2, HITRUST, etc.)
***Social Engineering & Phishing Assessments to ensure training is working***
Key Considerations:
• Simple lessons – this is a case where less is more
• Engaging content
15. Effective Education Needs Reinforcement
7X Rule – if people haven’t absorbed your message 7 times, they haven’t fully grasped it.
Reinforcement is essential for successful education and behavioral change; it is the difference between one-off SAE and a “Program”.
Options include:
• Newsletters
• Memes
• Lunch & Learns
• Posters
• Webinars
• Mention in corporate presentations
17. Benefits & Costs: ROI
“Ponemon recently calculated the effectiveness of anti-phishing training programs. The least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being trained. And the average-performing program resulted in a 37-fold return on investment.”
Maria Korolov, Contributing Writer, CSO (csoonline.com)
18. Benefits & Costs: Your People
• This is an investment in your company but, more importantly, in your people.
• Educated employees take their knowledge home with them to their families and friends.
• The implications of successful education are better lives for your people and their communities.
19. Benefits & Costs: $$$
SAE provider costs range from ~$8 to $25 per user per year based on:
• Total number of users
• Company you hire or resources you purchase
• Depth of content licensed
• Complete set of services you include in the package (e.g., phishing, posters, etc.)
Typical costs for a program focused on Social Engineering & Security Fundamentals: $10 - $14 per user per year (the 80/20 point)
20. Benefits & Costs: Time
Expected time commitment ranges based on the quantity of content:
• Basic Social Engineering is typically an hour.
• Basic Security Fundamentals is usually an hour.
• Online training provides greater flexibility to break this up and to ensure that the content is absorbed via quizzes.
• In-person training provides less flexibility but greater interactivity.
21. Polling Questions
Do you believe company ownership/management will embrace a program of this type?
• Absolutely / Possibly / Unlikely / Not At All Likely
How valuable do you believe this training program will be?
• Extremely valuable / Moderate value / Fair value / Not valuable
22. Summary & Recommendations
Security Awareness Education is an Important Part of Your Security “Stack”:
• Security Awareness Education minimizes the likelihood someone will make a mistake
• But when a mistake happens…
• Vulnerability & Configuration Management minimizes the impact of a mistake
• But when there is an impact…
• Network Segregation can contain the impact of a mistake
• But when an impact cannot be contained…
• Incident Response planning will let you respond quickly and efficiently
• Disaster Recovery planning allows you to recover quickly and efficiently
• Test to verify your stack is working as planned
23. Polling Questions
Has your company had a security review (penetration test/vulnerability assessment) in the last two years?
• Yes / No / I have no clue / Don’t believe we need one
25. Thank You For Attending!
Connect with Net@Work: 646-293-1735 | www.netatwork.com | netatwork.com/blog | Net@Work YouTube | Twitter: @netatwork_corp | LinkedIn | Google+ | Facebook
Contact your Net@Work Account Manager for any questions or concerns, or reach out to us via the information below.
Steve Moisoff | Net@Work
Senior Solutions Executive
Phone: 212.997.5200 Ext. 1735
Direct: 646.293.1735
smoisoff@netatwork.com
www.netatwork.com