Download - 2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

Discover

Podcast Features
Your all-in-one podcasting solution.

Blog to Podcast
Turn your blog into an engaging podcast.
Livestream
High-performing audio live, without limits.

Podcast Studio
Easy-to-use audio recorder app.
Podbean AI
AI-Enhanced Audio Quality and Content Generation.

Podcast App
The best podcast player & podcast app.

Ads Marketplace
Join Ads Marketplace to earn money
through sponsorship on your podcast.

PodAds
Manage your ads with dynamic ad insertion capability.
Apple Podcasts Subscriptions Integration
Effortlessly publish and manage exclusive episodes for your
Apple Podcasts subscribers directly from Podbean.
Live Streaming
Receive livestream rewards from your audience and earn
recurring income from your Fan Club membership.

All Arts Business Comedy Education
Fiction Government Health & Fitness History Kids & Family
Leisure Music News Religion & Spirituality Science
Society & Culture Sports Technology True Crime TV & Film
Live

How to Start a Podcast
How to Start a Live Podcast
How to Monetize a podcast
How to Promote Your Podcast
How to Use Group Recording

Log in
Start your podcast for free

Podcasting
Monetization
Advertisers
Enterprise
Pricing
Discover

BrakeSec Education Podcast

News:Tech News

2017-019-Ms. Jessy Irwin, Effective Training in Small/Medium Businesses

2017-06-06

Download Right click and do "save link as"

This week, we invited Ms. Jessy Irwin (@jessysaurusrex) on to discuss the issues Small and medium businesses and startups have with getting good training, training that is effective and what can be done to address these issues.

We also go through several ideas for training subjects that should be addressed by training, and what maybe would be addressed by policy.

-------

Upcoming BrakeSec Podcast training:

Ms. Sunny Wear - Web App Security/OWASP

14 June - 21 June - 28 June at 1900 Eastern (1600 Pacific, 2300 UTC)

$20 USD on Patreon to attend the class

$9 USD for just the videos to follow along in class

Patreon: https://www.patreon.com/bds_podcast

If you want the videos and don’t care about the class, they will be released a week after class is over for free.

--------

Jay Beale’s Class “aikido on the command line: hardening and containment”

JULY 22-23 & JULY 24-25 AT BlackHat 2017

https://www.blackhat.com/us-17/training/aikido-on-the-command-line-linux-hardening-and-containment.html

---------

Join our #Slack Channel! Sign up at https://brakesec.signup.team

#iHeartRadio App: https://www.iheart.com/show/263-Brakeing-Down-Securi/

#SoundCloud: https://www.soundcloud.com/bryan-brake

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast on #Patreon: https://www.patreon.com/bds_podcast

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://player.fm/series/brakeing-down-security-podcast

#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr

#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/

Show Notes:

http://www.darkreading.com/endpoint/cybersecurity-training-nonexistent-at-one-third-of-smbs-/d/d-id/1328766

I don’t trust articles written with a survey created by a company that is touting their new education track at the bottom of the article. -- brbr

https://twitter.com/jessysaurusrex/status/859123589123121152

“So sick of the tired narrative that sec awareness is just about phishing when there are ~10 basic skills we need to be educating people on”

What are the ~10 things?

First off, most corporate security training misses the incentive mark by a mile. If training were refocused in a way that showed the incentives to improving personal safety, we might get somewhere. Teaching people how to take care of themselves first works-- those habits carry over into their work life, not usually the other way around.

Passwords
Multifactor authentication
Device encryption
1. Ad blocking
2. Browser hardening via extension/plugin
Safe browsing (this breaks into a few different topics)
1. Phishing doesn't just happen via email anymore: social media inboxes, text message inboxes, messaging apps, etc.
2. Most users won't come to social engineering defenses on their own-- important to educate and give alternatives that encourage them to confirm information out of band or navigate to a site in their browser
Social engineering (this breaks into a few different topics)
Segmentation/compartmentalizing data + communications
Secure storage(local vs cloud data)
Media storage safety (thumbdrives! Charge-only cables for mobile devices!)
1. Google Apps + Slack allow for OAuth; most people set it and forget it, don't review what apps can act on their behalf until it's too late
Regularly reviewing permissions granted to apps through oAuth
Backups

http://www.zdnet.com/article/sans-security-awareness-study-reveals-technical-communication-skills-and-proper-resourcing-critical/

“The report goes onto say that security awareness professionals with more technical backgrounds are more keen to recognizing behaviors that might bring risk, however, at times communications training is critical given that human interaction soft skills make changing risky employee behavior. They know what behaviors are the most effective in managing those risks. Often however, the challenge is that these same individuals often lack the skills or training to effectively communicate those risks and engage employees in a manner that effectively changes behavior.” summed up our entire industry in this paragraph --brbr

https://securingthehuman.sans.org/resources/security-awareness-report-2017

^^^^ saw this on Twitter yesterday -brbr

Key takeaways:

The study recommends the following for addressing communications:

Communicate to leadership monthly about your security awareness program -- in a way that business leaders will value.

Find a strong champion within leadership, and ask them to help relay the program value to other leaders, or assist with message crafting.

Partner with those in the org that you've found to appreciate and adhere to security awareness inputs, especially those who can help partner on better communications.

Take communications training; they can be easily developed with the right focus.

Align with human resources to ensure an awareness program is tied into company culture.

Keep an eye on your audience, as it grows and shift, and recognize that the same message that works for developers may not be effective for marketing, and vice versa. A one-size-fits-all communications approach can be limiting.

You writing a book?

I've been working on a book about security that's focused on education and communication. We do such a horrible job at this-- we don't do very much that helps the average person or our non-technical, non-expert colleagues have a chance at being successful online. Our terms are too technical, our framing is unbelievably negative and toxic, and the lack of empathy for the people at the other end of the computer is absolutely astounding. It is entirely fixable, but we all have to stop contradicting one another and really start working together. :)

You make it sound so bleak and self-destructive :|

I would like to hope that we can get better.

Oh yea, the echo chamber, “who has the right answer?” no one, we all just have pieces...

Yes! And sometimes the right answer changes very, very quickly! It's less about the silver bullet answer and more about what we’re defending from and hoping to accomplish.

Are SMBs the issue?

Are they more insecure than bigger companies?

Or do bigger companies get more media coverage?

Are bigger companies any better at training employees?

Or are they better at ‘checking’ the box?

If we take the statement ‘paid for security training sucks’ as a given, what do we do about it?

What trainings should we be giving?

And what training should actually be policy driven? (make it a requirement to follow)

Clean desk

Password manager

Coding practices

Acceptable use