Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity communication channels to the key stakeholders, the employees. My name is Cicerochi Banda and I am your instructor for this course. Cybersecurity communication channels to the key stakeholders, the employees: we will be discussing how to design the proper communication channels that are developed and executed toward the employees to ensure security. In this course, we will discuss the following topics. We will look at an overview of communications to the employees. We will then talk about the importance of having that communication within senior leadership and management. Then we will subsequently talk about the importance of user awareness, and how to convey the importance of cybersecurity communications to the employees. Lastly, we will talk about communication channels within the cybersecurity task force. Let us begin.

Cyber communication channels to the employees: an overview. Cyber communication, as we have talked about in previous courses, really starts with the top-down model. It is important for the assigned cybersecurity leader to have sponsorship and to be understood as the conduit that protects the organization's vision, understanding the vision, understanding the mission, and protects the strategy and the goals, to make sure that there is no liability and no risk associated with the delivery of these four components. But again, the bottom-up communication that must be done from the cybersecurity leadership is to convey: what are the key performance indices within the cybersecurity risk framework? What are the key risk indices within the delivery of the cybersecurity program? Ultimately, that STS is what we want to deliver: the security, meaning that the data, the information, is secure; the trust, that the regulatory obligations are being met.
There is integrity of the data; and stability, that there is availability of data and operational excellence within your cybersecurity program. Let's look at some of the principles of communication. These are our project management organization principles for communication: there are five Ws and one H. Not in any particular order in terms of the Ws and the H, but we will go down the left column, top-down, and then move over to the right. The first one is why, which is the intent. Why is the communication information essential? Basically, understanding the level of importance. Then who: who is the source and who are the recipients? The audience must be defined, based on the communication formula that needs to be determined. Where: where should the meeting take place? If it's a lot of people, for example, it might be a physical meeting in a boardroom. If it's an individual, maybe a phone call, or walking up to the individual's desk, or perhaps an email. Then how, which is the H, which is the channel, the communication channel. Will this be done virtually, through a video conference? Will it be an email, or will there be a physical meeting, as we stated before? Then what: what is the message? This is important, being able to construct the message in a way that makes sense to your audience. Then lastly, when: what is the timeline? When does the communication need to be distributed? Again, these are the five principles, or six principles, of communication.

We're going to talk about the communication channels within senior management. As we stated before, security and confidentiality are of the utmost importance when there is that communication within the leadership. There must be a demonstration that we will protect the confidentiality of the data and that we will have security of the infrastructure, and this is done through several mechanisms: obviously, understanding the organization's strategy, and having what's called an executive dashboard.
This is what most senior management or board meetings are used to receiving on information security. This is an example of a dashboard that might convey the information security posture within the organization, broken down by business unit, usually using RAG, the red, amber, and green mechanism, which makes it simple for an executive board to understand where the maturity of that cybersecurity strategy is. Then bringing in trust and integrity: that must be communicated within senior management. Again, this will be done through collaboration with the legal department; we will talk more about that. But what is conveyed is that the integrity of the data is preserved, and that there is a trust element to all the regulatory obligations that need to be adhered to. Based on the industry, obviously, there will be different types of regulatory obligations. But these are some of the deliverables within this particular element delivered to senior management. There must be an understanding by senior management of what the legal, regulatory, and compliance reports are. There must be an annual or semi-annual risk assessment and a third-party vendor risk assessment. These are important to be delivered to senior management. If there is any particular event or action that has been taken between the scheduled meetings, if there are any legal holds, or if there are any forensic investigation reports, that too needs to be communicated. This is a dashboard of compliance and control. Again, the collaboration of compliance or legal is important for the Chief Information Security Officer. Lastly, within this particular slide, stability. Again, in order to have a seat at the table, there needs to be a demonstration of stability and of the availability of the resources. This is the operational excellence that must be conveyed. An infrastructure report will be provided: for example, audit risk issues, patching, and antivirus coverage; again, these are just some samples.
We will look into this in more detail later on in other courses. But this is an example of a dashboard of the information security audit, again showing graphs, bar graphs, or pie charts to senior management for them to see the maturity, or lack thereof, of your cybersecurity program.

Cybersecurity communication channels: user awareness. As we talked about in previous courses, 40 percent of breaches within the last two to three years have always been from internal actors, the insider threat, as it's called. Anywhere from 30 to 40 percent of the breaches, depending on the industry, depending on the year. This highlights the importance of user awareness training: training those employees that already have privileged access, some with escalated privileges, others with role-based privileges, but nevertheless, these individuals have access to your jewels, to your data. Therefore, user awareness is very important: training your employees. Let's look at some elements of user awareness training. This is from an article taken from the InfoSec Institute talking about the top 10 security awareness training topics. Email scams. Yes, this is the number one vehicle of threat, spread within emails. Training employees on, for example, phishing attacks, which are the most common method cybercriminals use to gain access into the organization's networks; the solution is to train users to not trust unsolicited mails, to not send any information or funds to people through email, and to check, especially not before checking with leadership. Always filter spam; the organization needs to provide those tools. Configure your email client properly. Again, install antivirus and firewall programs and keep them updated. Do not click on unknown links or email messages. Lastly, beware of email attachments. These are some tips that organization users need to understand. Malware, the problem of malware: malicious software that cybercriminals use to steal sensitive data.
Typically they use financial information; they harvest credentials. These can cause damage to organization systems. Ransomware and wiper malware are some examples of malware. The solution is to be suspicious: training the employees to be suspicious of files, emails, websites, and other places. Don't install unauthorized software. Keep the antivirus running and up to date, and obviously contact the IT security team urgently if there is any malware infection. Password security is important. Passwords are the most common and easiest way to authenticate into systems. Employees typically need to have a dozen online accounts with usernames and passwords. It's important that the employees have the awareness to always use a unique password for each online account. Passwords should be randomly generated. Passwords should contain a mix of letters, numbers, and symbols, that complexity. Password managers: technology has the ability to offer and generate strong passwords and is highly recommended, and then use multi-factor authentication when available to reduce the impact of compromised passwords. Removable media. Training on this useful tool of cybercriminals. Usually, they like to deliver malware by bypassing the network and introducing media, where victims would be impacted by autorun when plugging in this media, with an enticing file name to trick the employees into clicking. The solution is to never plug untrusted removable media into a computer. Obviously, the technology department needs to remove, to disable, those features, but also train employees not to do that, especially if they are within the exception of the policy. Bring all untrusted removable media to IT security for scanning: if they receive proposals or vendor material or documents or white papers at a show or a conference on media, provide that to IT security for scanning. Obviously, disable autorun on all computers. Safe Internet habits.
Again, training the employees, because every worker, especially in technology, has access to the Internet now; every single individual, for research. Secure usage of the Internet is important for the company: the ability to recognize suspicious and spoofed domains, like yahooo.com having a triple o instead of yahoo.com. Having the employees be vigilant. The differences between HTTP and HTTPS, the security of connections versus insecure connections, and being aware of that. The dangers of downloading untrusted, suspicious software off the Internet; the risks of entering credentials and login information, including on spoofed and phishing pages. Understanding watering holes or drive-by downloads, and other threats from browsing suspicious sites. Again, these are important for user awareness training. Lastly on this slide, social network dangers. Social networking is a powerful tool. Companies use it for the brand; it generates online sales. Unfortunately, cybercriminals use social media for attacks, and it is a reputation risk. Some solutions are to train your employees in awareness of phishing attacks that can occur on social media. Cybercriminals like to impersonate trusted brands; they like to steal data and push malware. Then lastly, the information published on social media can be used for spear-phishing emails.

In this second slide continuing on user awareness, we can look at physical security and environmental controls: just training your employees to be aware of potential security risks in the physical aspects of the workplace. For example, visitors or new hires like to watch employees typing their passwords, known as shoulder surfing. Or, for example, letting in visitors, exterminators, or guests who impersonate employees, and so on, or allowing someone to follow you through the door, which is known as tailgating.
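The safe Internet habits above ask employees to spot a triple-o yahooo.com and to notice HTTP versus HTTPS by eye. The same two checks can be automated on the defender's side, for example in a mail gateway or a browser extension, so that the awareness message is backed by a control. The script below is an added example written for this page; it is not code from the lecture or from the InfoSec Institute article. The allowlist of trusted domains, the homoglyph table, and the sample URLs are all constructed, and the "registered domain" logic is a deliberately naive last-two-labels rule that does not handle multi-part suffixes such as co.uk.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of brands employees are expected to reach (sample values, not from the lecture).
TRUSTED_DOMAINS = ("yahoo.com", "example-bank.com", "mycompany.com")

# Small constructed table of characters commonly swapped for visually similar ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def registered_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (assumes no multi-part suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(label: str) -> str:
    """Undo digit-for-letter swaps (yah00 -> yahoo) and collapse repeats (yahooo -> yaho)."""
    label = label.translate(HOMOGLYPHS)
    label = label.replace("rn", "m").replace("vv", "w")
    return re.sub(r"(.)\1+", r"\1", label)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typo-squats such as yahho."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike(host: str):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    sld = dom.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_sld = trusted.split(".")[0]
        if normalize(sld) == normalize(t_sld):  # yahooo.com, yah00.com, yahoo.net
            return trusted
        if edit_distance(sld, t_sld) == 1:  # yahho.com
            return trusted
        if t_sld in host:  # brand used as a subdomain: example-bank.com.evil.test
            return trusted
    return None


def triage_url(url: str) -> dict:
    """Classify a URL the way the awareness checklist does: lookalike host first, then scheme."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    secure = parts.scheme == "https"
    imitates = find_lookalike(host)
    if imitates:
        verdict = "lookalike"
    elif not secure:
        verdict = "insecure-scheme"
    elif registered_domain(host) in TRUSTED_DOMAINS:
        verdict = "trusted"
    else:
        verdict = "unknown"
    return {"host": host, "https": secure, "imitates": imitates, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links of the kind an employee might receive in email.
    for sample in ("http://yahooo.com/login", "https://yahoo.com/mail", "https://yah00.com",
                   "https://example-bank.com.evil.test/login", "http://github.com"):
        print(sample, "->", triage_url(sample))
```

The order of checks matters: a lookalike host is reported even when the page is served over HTTPS, because a valid certificate on yahooo.com says nothing about who owns it, which is exactly the point the HTTP-versus-HTTPS training tends to blur.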
Leaving passwords on pieces of paper on the desk, or leaving one's computer not password protected, or leaving the office-issued phone or devices in plain sight: these are some things that employees need to be aware of. The clean desk policy: making sure that employees' sensitive information is not left on sticky notes or printouts on a desk. Thieves, or individuals who clean the desks, can steal some of these. So have a clean desk policy that states that visible or limited information should not be left out; the employee should clean up or put away sensitive and confidential information so it is securely stored. Data management and privacy policies. Organizations need to have a great deal of policies around customer data, employee records, business strategies, and PII. There must be a business data classification strategy that is communicated to and understood by the employees. Employees, depending on their role, depending on their function, need to understand the regulatory requirements that impact their day-to-day operations. There must be approved storage locations for sensitive data, using strong passwords and multi-factor authentication for accounts with privileged access or access to sensitive data. Lastly, BYOD, Bring Your Own Device, policies. Again, this is not limited to the things that I'm sharing here. These are some examples, a top 10 listed for 2020, last year, focused on user awareness. But Bring Your Own Device policies, which enable employees to use devices that they bring, but they must be locked down by the organization. Now, employees may want to have more of the features that are there on their mobile, so they're willing to pay for their own device and have corporate data placed on it. So all devices used in the workplace should be secured with strong password protection and full disk encryption enabled, using a VPN on devices, especially if they're working on untrusted Wi-Fi.
Approved devices should be running antivirus, and downloading of apps from non-approved or non-manufacturer websites should be disabled. Again, these are some of the components of user awareness.

Now, we're going to transition to the task force. This slide is a little bit of a review. We have talked about constructing a cybersecurity task force, and the same elements are important for that communication. So this is a reinforcement of something we've talked about before. It starts with the CISO; it starts with the top. It starts with the person who is creating, or is responsible for the creation of, the cybersecurity program, which is the Chief Information Security Officer. He constructs the leadership task force, and does so by creating relationships within the design, execution, and evaluation of that program. The relationships: you have the Chief Compliance Officer, who usually brings trust to the table. You have the Chief Information Officer, which is IT, who might be responsible for that stability. You have other elements: the back office, and the business units. This is what constructs that cybersecurity task force, and that communication, the link, that relationship among these individuals, is so important. Understanding and respecting each other's functions; seek to understand and then to be understood within that life cycle. For example, during phase 1, which is the design, having the definition and developing information: this is where the task force and the committee really understand the security, the trust, the stability. Then during the execution phase comes the implementation and delivery, making sure there's accountability and recognition. These are some of the deliverables: information, accountability, recognition. Then phase 3 is the evaluation and feedback, the assessment and review. That's important as well. That communication is so important, having that life cycle of communication within the cybersecurity task force.
Again, we will look at different elements of building that security, trust, and stability within the cybersecurity leadership task force. But this concludes this particular course on cybersecurity communication channels.