Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
And I think we will maybe wait one or two more minutes to let the people join in from the other rooms, but Stefan, you can already join us here on stage. Hello, welcome. Thank you. Maybe you can just introduce yourself a little bit before we start. I do the presentation.
Yes, I can. I'm Stephan van GSK.
I think one of the longest names on the list, but I will go over my function. So I'm the C of the Christian health insurance fund. It's a company in Belgium.
Okay. So your presentation is up. Here's the pointer. You can go back and forth from here.
Okay. Thank you very much. Good evening. Good moment. Thank you for sharing with me 20 minutes of your time after such a long but interesting day. As security professionals, as I am, we tend to focus on tools and automated security controls, but we all know those security controls, those tools, are imperfect.
The suppliers don't fulfill their promises. So we are left with a security gap. We can bridge that gap through security governance and awareness, preferably spicy awareness. I will show you some of the examples we executed in my company. So as I said, I'm the CEO of the Christian health insurance fund in Belgium. We provide compulsory health insurance. It means that, like in Germany and other countries, most citizens are insured; they have an insurance.
If they go to the doctor or the hospital, they get a partial refund of the bills they paid. With a market share of 50% we are the biggest health insurance fund in Belgium. Before I go on, I have a giveaway. If a manager makes a mistake, a wrong decision, we call it a career limiting move, a CLM. Do you know what it's called if he makes a bad decision, a stupid decision? It's a career terminating move, a CTM. Keep that in mind. We will run through the risk profile of my organization, and also how we mitigate these risks.
We will see the importance of governance and, for sure, security awareness. Risk profile, huh? Organized in three domains. We have a central hub with shared services, such as finance and security, but with 19 independent headquarters, each having their own organizations, in total 400 related organizations. They use the shared infrastructure; they exchange information with each other. So broadly connected. We get help from more than 1000 suppliers. Most of them desire remote access to our applications and to our service people.
We are 6,000 employees; they come, they go, some get promoted, some get demoted. More and more of them belong to the so-called X and Y generation. They need their Twitter account, their Facebook account to get their work done. They like their iPhone and their Samsung to get connected with the world. And even a few of them have more than one job. The final point about services: it's good to know that we don't have clients, we have members. You need to get affiliated to our organization to be a member.
We have four and a half million members, and also four and a half million member files with a lot of privacy and medical information. If someone goes to the cancer institution, if he follows rehab or he goes to the psychiatrist, it's all in there. 40 million euro a day we treat in financial transactions. So it means that confidentiality, integrity and availability are key to us. That's about the key risk domains. To treat risks, whatever you do in an organization, governance is important, huh? So whatever you do in security, security governance is important.
So you need to have the right decision structures in place. You need to get the support of the board if you do something. That counts also for security awareness: if you want to make it a success, you need the support. So enterprise security governance: we have organized it based on ISO 27000. Our security policy is linked with our corporate strategy. I need to show you with my laser beam. I don't know if it goes so far, but somewhere here we identify risks. We define the risk appetite. We apply security controls, preferably automated controls. We measure them.
We tune them to get our risk aligned so that the company meets its targets. It's a perfect circle, you would say, but it isn't. I said before, tools aren't perfect. And we are working with humans. So security awareness is important. Indeed, humans, as most employees are, they are the weakest link, but they're a strong asset for the company. So very important for a company. It means you have to take yourself and put yourself in their chair, in their hat. So try to imagine the role the employee takes on. They have a hard job. They need to identify risks.
They need to quantify the risk, but be honest: how do you recognize a spear phishing? It's not easy. Someone will say, oh, we have a procedure for that. But we know who reads procedures, huh? Who applies them? Who remembers them? Not many. The bad guys also know this. They attack the employee. It's the weak human interface. They don't go for the hardware firewall. They go for the human, the weak human firewall. Those are three reasons why security awareness is important, but there is more. If you're responsible for a security team and you have, or you get, the image of Mr.
No, huh? Then it's the right opportunity to get a better reputation. Let's move over to the first campaign we did. I will be honest: we don't have a good protection for our USB sticks. Too expensive, too difficult to use. We have a simple rule saying that only corporate USB sticks can be put on corporate devices. We sent out mails to our employees with the dos and the don'ts, but it didn't help. We kept on getting infections coming through our USB sticks. So we brought together the security team and we got an idea. Let's make those risks real, huh?
Let's make the end user feel how it is to be attacked. So we set aside our white hat and we put on the black hat. We act as an attacker, huh? We act as a hacker. I saw some sparks in the eyes of my team.
They liked it very much. So they went to the design board and they developed a malware, a backdoor. If activated, it contacted an external web server that we controlled. And be sure, we ran the malware through the antivirus system of the company, and it didn't detect the backdoor. By the way, it was the Scottish-named anti-malware. We announced to our employees that a playful action would be executed in the coming weeks, with again the dos and the don'ts. We also said that if you find a USB stick, return it to us. Important one: inform your board members and trade unions.
You remember the CTM, the career terminating move? This is one. If you forget them, it could cost you your job. And then you are acting a little bit as a black hat. Be careful; ethical rules must stay in place. So the action: it was 10 years after 9/11. It was a Monday. Our villain KMO, a security consultant of my team, prepared 20 USB sticks. He threw them a little bit everywhere: on the parking lot, the reception hall, also on the medical executive wing, where a lot of medical information can be found. So people should be aware of the sensitivity of information.
What was on that USB stick? Some photos, an HR evaluation, a PDF. And then the last one again, the tower game, be loud game. If you clicked on the PDF, the HR function: we probably have a problem with our infection, please contact the security officer. The game, the tower game: you got that nice picture, tenth anniversary, rebuild your own twin towers. Nice. Let's try.
Oh, hacked site, nice woman, casino play. And some words about InfoSec security awareness, but let's go on. My data could have been erased. The computer was locked. What were the results of that action? The 20 USB sticks were all gone. We verified at the parking, the reception hall: nowhere to be found. Of those, 27 were inserted. Even one was inserted in multiple systems; I don't know why. And three of them played the game. Only one person handled it as expected: he returned the USB stick. It's a bit scary as a result. I thought of another action about phishing. We have a spam/phishing filter in place, but it's imperfect.
So we applied the same approach: we put on the black hat, we act as an attacker. We used an SP toolkit; it was open source at that time, on an internal server. So we created phishing mails; we could send phishing mails with that system. We had eight phishing scenarios: four coming from an internal mail address, four from an external mail address; four Dutch, four French. We're living in Belgium, so we need to take this into account. Weeks before, we made this campaign with the fish and the phishing, with three easy things to remember to look for.
First of all, look at the sender; it must be a normal email address. The content of the mail triggers: does it trigger ancient? Does it trigger curiosity, or does it trigger glory? Be careful with those three things. And then last, most important, it's with the link in the email, the underlying link: most of the time you can find an untrustworthy link in it. We had some play on words: this is fish, this is smelly.
So, and then another one: ananas, pineapple in English. Who can find the pineapple? Be careful. I will show you four of the mails we used. The typical service desk with a strange email asking for user ID and password, huh? So that it can get you help. Another one was a hospital asking to pay an outstanding invoice; if you don't do this within 14 days, you will have to pay more. A little weird one, coming also from the support, asking to install Windows 8; at that time Windows 8 didn't exist. And then my favorite was the CFO, huh? He was ready to go on retirement.
And I asked him if he could participate in our action, and he agreed. So we designed a farewell drink invitation to send out to all other board members. But knowing that that person doesn't like parties, there was an error in his name, the Gmail dot doesn't exist, and the underlying link to the dual was an internal server. They all got this message. So what were the final results? We sent out more than 1000 mails. 33% clicked on the mail. 10% of them gave extra information, like user ID, password. They tried to install Windows 8. Yes, really. Yeah. And they entered dual information again.
Very scary. What are the lessons we learned? First of all, people liked it.
They laughed with it. They liked it. The board members gave me a thumbs up: very good action, they said. Only a few employees were negative: don't you have other things to do than this kind of actions? But as a positive reaction for the team, that is good. There was one guy coming to me and he said, Stefan, I cannot sleep anymore. Yesterday I clicked on that link. Are there some repercussions to expect? Good to know that some people are anxious of losing their job. We sent out Dutch and French mails, but we forgot that we had an English outsourcing company.
They don't understand French and Dutch. And also with images, it depends on the culture: a cat has a different meaning in different cultures, for example. And then we trained the users. If you train the users, expect more registration of incidents. You must be happy with them. It means that they are becoming risk aware, risk aware without using any procedure. So it's a win. And then the last point: watch out for revenge.
One day they will try to get also a moment of revenge on me. Okay, that was it. Just one final giveaway. You remember that one person returned the USB stick? I have it on me. Is somebody interested?
Thank you very much indeed. Yeah, thank you very much. One question for you. Did you notice any difference afterwards? Michael, turn the mic on? I've turned it on. Sorry. So the one question is, did you notice any difference? Did you reduce the incidence of attacks on the company succeeding as a result of this?
Not on that level, huh? But you see that people are more aware. Even after three years, they still send me mails and say, Stephan, I think there's something wrong. So the awareness is much stronger.
And for sure, if you can reach a more risk-aware attitude of the employees, you reduce the risk of the company. Yes.
So it's a positive way of approaching the security protection of your organization, your company.
Well, thank you very much for your insights, because we certainly believe that the human factors in this area are really quite important and that information stewardship, which is what this is about, is a key thing. Thank you very much. Okay. Thank you. Yeah. Thank you. Okay. Thank you.