Pwning the hapless or How to Make Your Security Program Not Suck presented at BsidesLasVegas 2014

by Casey Dunham, Emily Pience

Summary: Pwning the hapless or How to Make Your Security Program Not Suck
Customer data is our business. Whether within the financial or healthcare industries, the root of our business is to safely house and transmit information to and from trusted parties.
With the growing demand for increased access (in healthcare, from providers, employees, visitors and patients, on a variety of devices) and increased federal enforcement of privacy and security requirements under the new HIPAA Omnibus Rule, there is an ongoing challenge of ensuring that patient and customer information is adequately protected.
Numerous breaches within both the healthcare and financial fields have involved lost or stolen unencrypted devices, but mistakes by employees continue to be the biggest security threats to all businesses. Even tech-based companies are shown to be at risk for various social engineering attempts.
Why do these breaches keep happening? How can you, as an IT professional, or merely an employee with the safety of your customers’ data a concern, help your business create useful prevention strategies that employees will pay attention to? How do you train your non-tech employees to not be susceptible to social engineering attacks?
Emily, an insurance professional with ten years' experience working for 3 of the 5 biggest US disability insurance companies, and Casey, a Security Engineer with a history of working for commercial financial firms, will explore how unaware non-tech employees are of the consequences of their actions, and discuss useful training and the organization and allocation of resources. We will walk through a few scenarios (the successful and the unsuccessful) and discuss what we have learned from human behavior and how it can apply to enforcing security policies or creating a culture of care.
Technical solutions will not be discussed specifically, as the focus will be on employee awareness, education and how we can do better.
By working through a few scenarios that we have personally encountered, we will address the topics of:
- “Why To Care” – Problems with people caring about security
- Testing your people
- Getting the peons out of the loop
- Rewarding Security Efforts