Information Security award entry from Ivanti

Phishing is the biggest cause of data breaches, according to multiple sources including Verizon’s 2017 Data Breach Investigations Report (DBIR). These attacks target users rather than network infrastructure, so technology can only go so far to defend an organisation from being breached. To put this into context, 46,000 phishing sites are created daily, with the majority only being online and active for 4 to 8 hours – these sites are created this way specifically to avoid detection, so blacklists are largely ineffective in this scenario. Attacks that target users are evolving daily, with the development of spear phishing attacks being particularly troubling – these attacks gather personal details about a victim so as to better target them and trick them into giving away sensitive information such as account credentials or personal data. Ultimately, if technology isn’t able to stop an attack and it gets through to a user, it is down to the user to identify the attack and not fall for the phish, thus saving the organisation from a potential breach.

Ivanti developed its security team, headed up by Phil Richards, the organisation’s CISO (Chief Information Security Officer), four years ago. Phil is a highly acclaimed CISO, having worked in security and IT roles for over twenty years and having recently been awarded Computing Security’s Contribution to Cyber Security Award. His team is made up of highly skilled security engineers who handle all aspects of security, from updates and patching, to discovering vulnerabilities, to securing endpoints, to educating users on good cyber security behaviour. The latter is particularly important in protecting the company against inbound attacks that target users. The team are based at Ivanti’s HQ in Salt Lake City, Utah, as well as in numerous locations around the EMEA region.

Ivanti's Security Education Platform - powered by Wombat

Ivanti’s cyber security and awareness programme is continuous: employees are made aware of the importance of their behaviour and educated on any gaps in their knowledge throughout the course of their career at the company, from onboarding to offboarding. When joining the company, cyber security training is part of the HR onboarding process. End users are tested to identify their initial knowledge, and then receive some critical baseline training via a PowerPoint presentation which covers the organisation’s cyber security code of conduct (e.g. users aren’t allowed to use BitTorrent on company devices due to the security risks and possible illegality of doing so). Users are also taught what legitimate company emails look like. Then, throughout their time at the company, employees take part in mandatory cyber security training and awareness modules which educate them on the latest elements of staying safe online: from doing everything they can to protect Personally Identifiable Information (PII) to learning how to use VPNs, and why this is important. Users who achieve 100% on a training module receive a certificate which goes into their permanent records. This training is available and mandatory for everyone: from part-timers to the C-Suite. Users are also allowed to share the training modules with their families, so that people working from home are less likely to compromise company data due to risky behaviour on the part of a family member – as well as this, the sharing of this knowledge means that the next generation (at least those with Ivanti employees as parents) will grow up with a higher degree of cyber security knowledge and awareness.

Training Example: protecting against ransomware

As well as training employees, the Security team also assesses the awareness of employees with so-called mock phishing attacks. The platform allows the Security team to send out almost fully customisable fake phishing emails. Emails with relevance tend to work the best – for example DHL emails (spoofed as FHL) around Christmas time. If users report the mock phish to the Security team, they are entered into a draw for a prize (usually something like a cash reward of $100 or equivalent) – if they fall for the mock phish by clicking on a link or opening a file in the email, they receive a ‘teachable moment’. This means that their incorrect behaviour is pointed out to them and they are automatically enrolled in some relevant training. Ivanti favours the “carrot” over the “stick”, meaning that they prefer to reward end users for good behaviour rather than punish users for bad behaviour – the Security team argues that this is because they don’t want employees to be so worried about being punished that they delete all of their emails. Rather, they have created a culture of trust and security where users aren’t afraid to report if they think they’ve made a mistake.

Training Example: avoiding dangerous links

The first time the Security team mock phished their end users, around 30% of people fell for the fake email – around 2000 people work at Ivanti, so this was quite a large number. This further highlighted the need for internal cyber security training and awareness. Since introducing training, click rates have dropped to an impressive 6-7%, which is particularly positive seeing as the Security team have been increasing the difficulty of the emails over time. They follow a process whereby they identify problem areas and then emphasise these in the mock phish that is sent out the following month, to determine whether training has been successful or whether any users require additional training on a topic. As well as this, different departments require different types or levels of mock phishes and education: for example, the highly technical developer team are sent more advanced fake emails, and the C-Suite are sent highly targeted spear phishing attacks. Having bespoke training and testing in place means that the company is very well prepared for any attacks that may get through – both in terms of the technology in place (developed by Ivanti) and end users acting as a last line of defence against attacks.
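As an added illustration (not Ivanti's or Wombat's code), the following Python models the feedback loop described in the two paragraphs above over constructed campaign results: per-department click and report rates, draw entries for reporters, training enrolment for clickers, departments to re-test harder the following month, and users who clicked in consecutive campaigns. The user names, departments, months and the 25% threshold are assumptions.

```python
from collections import defaultdict

# Constructed results from two monthly mock-phish campaigns (not real data).
# Each record is (user, department, action); action is "clicked", "reported" or "ignored".
CAMPAIGNS = {
    "2017-11": [
        ("alice", "sales", "clicked"), ("bob", "sales", "ignored"),
        ("carol", "dev", "reported"), ("dave", "dev", "clicked"),
        ("erin", "exec", "reported"), ("frank", "sales", "clicked"),
    ],
    "2017-12": [
        ("alice", "sales", "reported"), ("bob", "sales", "ignored"),
        ("carol", "dev", "reported"), ("dave", "dev", "reported"),
        ("erin", "exec", "reported"), ("frank", "sales", "clicked"),
    ],
}


def rates(results):
    """Per-department click rate and report rate for one campaign."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _, dept, action in results:
        counts[dept]["sent"] += 1
        if action in ("clicked", "reported"):
            counts[dept][action] += 1
    return {d: {"click_rate": c["clicked"] / c["sent"],
                "report_rate": c["reported"] / c["sent"]} for d, c in counts.items()}


def outcomes(results):
    """Carrot and stick: reporters enter the prize draw, clickers are enrolled in training."""
    return {"draw_entries": sorted(u for u, _, a in results if a == "reported"),
            "training_queue": sorted(u for u, _, a in results if a == "clicked")}


def problem_departments(results, threshold=0.25):
    """Departments whose click rate exceeds the threshold; these get a harder phish next month."""
    return sorted(d for d, r in rates(results).items() if r["click_rate"] > threshold)


def repeat_clickers(campaigns):
    """Users who clicked in two consecutive campaigns and so need additional training."""
    months = sorted(campaigns)
    repeats = set()
    for prev, cur in zip(months, months[1:]):
        clicked_prev = {u for u, _, a in campaigns[prev] if a == "clicked"}
        clicked_cur = {u for u, _, a in campaigns[cur] if a == "clicked"}
        repeats |= clicked_prev & clicked_cur
    return sorted(repeats)


def overall_click_rate(results):
    """Click rate across all departments, the headline figure the programme tracks month to month."""
    return sum(1 for _, _, a in results if a == "clicked") / len(results)
```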

Ivanti have also extended this culture of security beyond their internal community, out to their customers and the public. They’ve done this by setting up a yearly customer event (Interchange) which takes place all over the world to educate customers and potential customers about what’s new and important in cyber security and IT. This includes large keynote presentations, smaller seminars and even one-on-one training sessions. Phil, the CISO, also regularly writes blog posts on cyber security for the Ivanti website – these are then promoted on social media, and anyone can access them for up-to-date cyber security knowledge. The team also attend a host of industry events such as RSA and InfoSecurity to spread their knowledge to the wider cyber security community.

At this stage, the team have been running the training scheme for around a year and a half, and aside from the impressive statistics highlighted above, they’ve also been receiving very positive feedback. The education process fits in well with Ivanti’s wider outlook on security, which promotes a layered approach: automated patching, application whitelisting, limiting admin privileges and, of course, educating employees.
