Hello, everyone. My name is Polish from Lucy security. Before, just before we start, I have two, three questions to the physical audience. How many of you guys are running security awareness trainings or no? Who does not run? Okay. Okay. 20%. And who of you guys is not running fishing simulations as awareness training, more or less the same amount. And who of you guys has a fish reporting button? A fish button in place in the company have. So we have about among the physical audience, we have about 20% of, of the attendees who have not formalized awareness training. Surely they do something against or training the people. And about the half has not fishing reporting button. Yes. Welcome from my side, the three major reasons why your employees get hacked. Did you know that 97% of all attacks go against the employee? And did you know that 85% of all successful attacks start with the negligent employee? This is an incredible amount, even if it became better. Because last year I had 91% of all successful attacks started with the users. So at the end, as long criminals are humans and creative humans, there will be attacks who will succeed. And that's why firewall and anti-virus is not enough anymore.
And why does it happen? I already mentioned it a little bit because, because we let the criminals in it's us. And, and why does this happen? You know, and because of these three reasons, a either there are technical flaw or misconfigurations of the computer or the lack of, of it knowledge among the employees, or then a human behavior, let's, let's start with, with the easiest and one, yeah. Outside easiest. When a workplace computer has its antivirus and firewall activated, latest updates are applied and, and backups are made and under InfoSec gear is in place. Of course, then at least the foundation for a secure job is, is done. So do misconfigurations play a BELE role at all of, of course. Sure. Because such a situation can, can be how you say exploited by the cyber criminals. Sure. So, so of course we need to fix that. And what you see here, this is a report of ELL wellness simulation, who really tries to exploit the, the workplace computer in a good way so that you can access this kind of, of vulnerabilities. Then let's go to the next reason, lack of InfoSec knowledge among employees. I think we all agree that in the past years, the requirements on the, on the cybersecurity knowledge really tremendously increased among the employees at we at Lucy security, we identified close to 20 of cybersecurity knowledge, regular employee needs to have and needs to master. You know, and this is a long run because you're not going to train stuff like that in just one training in three weeks. Yeah. So this is already a challenge. And then the third reason
Behavior patterns
From a cyber crime prevention point of view, behaviors like gullibility ignorance, false sense of duty overcome are the biggest risks that can be successfully exploited by the criminals. There's a reason why 90% of all successful hacks start with the employee, right? And this becomes really a challenge because it's not about awareness. It's about innovation among the workforce so that the people are not aware, but they behave in a safe manner. And this is an innovation project and it needs the whole company to get there. Not only it, not only CISO management, HR, communication, marketing, everything. So changing behaviors in a company, that's really a challenge. So when you ask yourself how to master that challenge, I was gonna skip that.
How to master such a challenge. Of course you train your employees, you drill your employees. Drill is also an important part. Not only doing trainings, you know, I see it in Germany. Lot of company want to train the people in the us. They don't care about training. They drill the people with fishing simulations. I personally, as a Swiss, I'm convinced you need to do both. So, so you do that with an awareness program using the right tool because the right tool helps you a lot in this ongoing process, which lasts at least tell me one year, two year forever, I would say probably forever. So when you look at the building blocks of an effective awareness program, then certainly the awareness campaigns where you train the people and then you also test or drill the people using realistic fishing simulations is the core of the program.
Then we also already covered, you know, the infrastructure audits. You also need to assess the workplace computer because that belongs to the employee, right? And then also you want to have engaged people and you want to know those males who go through and still arrive in the inbox of your users. And that's why you need to provide a phishing reporting button so that the user itself can contribute to the safety of the company. You create engagement, you en and then also you get the dangerous emails much quicker than through a ordinary process with mail or with JIRA or a ticketing system. And then the fourth building block extremely important is also reporting because, you know, you need to provide results, numbers, trends, benchmarks to the team, to the management and to the employees itself, because they're also curious how do they score against the others?
It's also motivate on motivating feature. So, so these are the four building blocks you should set up and maintain during the awareness program. And when it comes to the tool selection, I just, you know, collected two, three things. You should, you should have a look for it's. It's not just about fancy features and the goi. It's also about the price because an awareness program should last forever and that price and the affordability is really an important topics. Sorry. And then we have the challenge of customizable training content. Why is it so important? Why is it highlighted? Yeah. You know, because from the experience of over hundred awareness projects, I can personally say, tell myself that there are four points that make up effective training courses must be fun. There really needs to be entertaining. They needs to be varied. You know, so please, you know, don't create courses with the marketing department who tries that everything looks the same way.
They need to be measurable because what you can't measure, you cannot manage. And then they need to be integrated into the context of, of the learner or of the company, you know, because identification and engagement is only done when you really at your local context. And then often especially bigger companies, you know, have their own compulsory trainings. So in integrate in them as well, or take an existing training and modify it for your personal needs, that's why customizable training content is important. Of course the solution should be, should be safe. Consider also on-prem installation. You know, so Lu Tanza or Bosch or Heidelberg cement, they have on-prem installations because they don't want that these males leave their, their systems. They stay in their Petter. And, and then also when it's a long lasting program, you want to have full control over the solution so that you can, that you also can protect your investments. So that's it.
I just mentioned abortion, Berg, cement. So if you want to take a picture, these are the case studies from these companies. And just to finalize, you know, with the help of an awareness program, your employees will become smarter and your company much safer. And basically, I don't know how I'm in the time, 10 minutes. So I was quite fast, but nevertheless, I'm looking also forward to the next speaker because body voice from Aon will share his own experience. How to build up such an awareness program at Aon site. That's it for me? Are there any questions.
