awareness

now browsing by tag

 
 

Rethinking #Cybersecurity: #Shifting From #Awareness to #Behavior #Training

In recent years, many good things have happened in the cybersecurity world. In particular, organizations in all industries and all parts of the world have come to realize that getting serious about cybersecurity is no longer optional.

Despite this, the number of serious breaches reported each year has not fallen. In fact, quite the opposite is true.

Why? I could give you dozens of answers.

I could talk about the constant evolution of malware and other attack vectors. I could write about the difficulties faced by law enforcement agencies when attempting to apprehend known criminal groups across international borders.

I could explain why, no matter how technically sound your network, you’ll never be prepared for the latest zero-day threats.

In reality, though, none of these adequately explain the real issue.

Why Common Wisdom Will Hurt Your Organization

Before we continue, it’s important to keep one thing firmly in mind: nearly all cyber-attacks are motivated by profit. Equally, if there is money to be made from attacking your organization, you can be sure someone will.

Common wisdom suggests that the best way to defend your organization against these attacks is to implement a series of technical controls designed to prevent unauthorized access, block malicious activity and identify incoming attacks.

But there’s a problem.

If you look closely at every reported breach in the past decade, you’ll notice something interesting. Almost every single one made use of phishing or another social engineering technique at some point during the attack.

Why? Because, on the whole, fooling people is much easier than fooling machines.

If an attacker can trick a human into compromising your network, it won’t matter how good your technical controls are. Once an attacker is inside your network using legitimate credentials, the hard part is already done.

Now, you might be thinking that there are plenty of technical controls designed to mitigate the impact of a malicious email. And that’s true, but no matter how good your spam filters and content scanners might be, they will never prevent 100% of malicious emails from reaching your users’ inboxes.

The only way forward, then, is to accept one simple truth – technology isn’t enough.

The End of “Awareness” Training

I’m going to hazard a guess and say that the last time you attended a security awareness training session, it was less than helpful.

Let’s be honest, the general standard of security awareness training across all industries is pretty poor.

But here’s the thing. The problem isn’t just with the standard of training, it’s with the whole concept. Improving security awareness among an organization’s users might seem like a sensible target, but it consistently fails to reduce real-world cyber risk.

Think about it like this.

We all know we should eat more vegetables and stop frequenting McDonald’s drive-throughs. But how often does that knowledge cause us to make the right dietary choices?

Judging by the obesity epidemic, not very often.

Now, if we want to see a marked reduction in cyber risk as a result of our security training, we’ll need to choose an entirely different focus: Not security awareness but security behaviors.

And since it turns out phishing is the single greatest threat facing organizations of the world, one security behavior, in particular stands out.

Changing Email Behaviors

In basic terms, phishing emails are designed to do one thing: trick unsuspecting users into taking an action that will in some way benefits the attacker.

To combat phishing, we’ll need to change the way users interact with their email inbox.

Now, you have to realize the average business user receives dozens of emails every day. As a result, most people aim to process their unread emails in the most efficient manner possible and naturally assume that any email finding its way into their inbox is legitimate. Each individual user will have their own set of unconscious processes for managing their email inbox, which over the course of tens of thousands of repetitions have become enshrined as unconscious habits.

Naturally, conditioning your users to change these habits is not going to be possible using the standard annual security awareness training format. Instead, you’ll need to incorporate your training into your users’ standard working day.

Operation: Phish

How, then, should you go about reconditioning your users’ email habits? Simple: Develop your own realistic phishing simulations, and send them to your users on a regular basis.

Yes, to be clear, I recommend phishing your own users.

Now before you start wantonly flooding your users’ inboxes with complex phishing lures, there are a few important considerations. For starters, this is not something you can rush into and expect to see results.

If you want to see genuine, long-term improvements in your users’ email security behaviors, you’re going to need to adhere to a few core principles.

1) Executive Sign-Off Isn’t A “Nice to Have”

Realizing dramatic improvements to employee security behaviors isn’t going to happen overnight. Quite the opposite, in fact, to be consistent and maintain your efforts over the long-term. Yes, of course, you can expect to see substantial improvements within the first few months, but they will quickly disappear if you fail to stay consistent.

And how do you stay consistent? You make sure you have support from above, specifically in the form of agreed long-term funding. To be sure of this, you’ll need to develop a strong business case, accurately track ROI of the program and routinely provide senior management with clear performance reports.

2) Success Must Be Easy

If you think the goal here is simply to persuade users to delete suspicious emails, you are seriously missing a trick. In reality what you really want is for your users to report suspicious emails whenever they arise, enabling you to identify and quarantine similar emails, tighten your technical security controls to catch similar phishing lures in the future nand build up a pool of real-world source material to aid in the production of future phishing simulations.

But here’s the thing. In order to achieve this, you’re going to need to make the reporting process as easy as it can possibly be. To that end, it would be wise to add a simple “report phishing email” button to your users’ email client.

3) Point-Of-Failure Training

When you initially launch your program, you’ll notice that your users improve very rapidly. At the same time, though, they’ll fail a lot in the beginning.

But failure isn’t a bad thing. All the time your users are correctly identifying phishing simulations, they aren’t really learning anything, they’re just showing you what they can do.

Each time one of your users fails a phishing simulation, they should immediately be sent to a relevant, multimedia training web page, which will educate them about the type of phishing email they have just been tricked by and help them to identify similar lures in future.

To really embed these lessons, you should also retest users within a week or so of their failed simulation. If certain users consistently fail both simulations, it may be worth following up with them personally.

Persistence: The Number One Factor in Success

As you have no doubt already surmised, the phishing awareness training program I just described is about as far from the standard annual security awareness training program that you can possibly get. Instead of pulling users into a stuffy classroom once per year, you’ll be providing a much higher standard of training, regular real-world testing, and an opportunity for users to take an active role in the security of your organization.

At the same time though, this process never really ends. If you suddenly decide to shelve the program, you’ll find that within a few months your users are back to their old wicked ways.

And here’s another thing to consider. No matter how good your users get at identifying phishing emails, mistakes will always happen. People are not machines, and while you can certainly expect to reach a 98 or 99% success rate, you can never assume that 100% of phishing emails will be correctly identified and reported.

Naturally, then, I would never dream of suggesting that the program like this could replace the need for high-quality technical security controls and a professional, well-trained incident response team.

No, this has never been a case of “either-or”. Quite the opposite, if you are genuinely committed to securing your organization against the threat of phishing, you will need to combine a well-trained workforce with a powerful, well-provisioned security resource.

View full post on National Cyber Security Ventures

GDPR #Raising #Cybersecurity #Awareness Among #EU Business #Leaders

Source: National Cyber Security – Produced By Gregory Evans

As if the daily beating of data breach news wasn’t enough reason to bring the stark reality of cyber risks to the attention of corporate leaders, here comes the European Union’s General Data Protection Regulation (GDPR). Taking effect in May 2018, GDPR is managing to elevate cyber risks to the top of the corporate agenda for organizations that store data in citizens of the European Union.

According to a survey of more than 1,300 senior executives, conducted by insurance and risk management firm Marsh, 65 percent of respondents from organizations that operate in the EU say that they consider “cyber” to be a top risk. That’s a doubling from a similar survey conducted last year that found 32 percent citing “cyber” as a top five risk. Further, the survey finds that 23 percent of those organizations that fall under GDPR have endured a successful cyber attack in the past year.

The heightened cybersecurity concerns and looming GDPR deadline have EU organizations upping their security and risk management spending. “Of those respondents whose organizations have plans for GDPR implementation, 78% said they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance. Notably, 52% of those who do not have a plan for GDPR indicated that their investment in cyber risk management would increase,” Marsh writes in this news release.

Surprisingly, with about seven months left, only 8 percent of survey respondents claim that their organizations are currently GDPR compliant and a startling 57 percent say that their enterprises are currently developing compliance plans. And another 11 percent of respondents are in for a very rude awakening, as they’ve reported that they have no compliance plans at all. “Smaller organizations were more likely not to have a plan for GDPR with 19% of respondents from businesses with less than $50m annual revenue replying that no plan was in place,” Marsh wrote.

For those not familiar, GDPR mandates:

  • EU citizens’ personally identifiable information (PII) must be adequately protected, managed, and controlled.
  • Data breaches must be reported within 72 hours.
  • Non-compliant organizations risk significant fines, from 4 percent of annual revenue down to €20 million.

Forty-nine percent have fully developed a data breach incident response plan. Another 10 percent, however, have no plans to do so. It’s shocking that any organization today doesn’t have an incident response plan should sensitive data be exposed.

It is not pragmatic for an organization to assume it will never have to disclose a breach as required by GDPR – that’s just hope. It’s much more sensible to expect to be breached at some point and consider how to make a public disclosure. Because when it comes down to it, the difference between the winners and losers here is how well the breach is mitigated and managed, and the effectiveness of the public response.

 

The post GDPR #Raising #Cybersecurity #Awareness Among #EU Business #Leaders appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Five cool things happening for National Cyber Security Awareness Month

Source: National Cyber Security – Produced By Gregory Evans

National Cyber Security Awareness Month (NCSAM) is in full swing. The month and its events have become top of mind for people and businesses in recent years, given the staggering number of recent data breaches and global ransomware attacks. The Equifax data breach, WannaCry ransomware and Petya/NotPetya attacks have dominated the news headlines. So, where…

The post Five cool things happening for National Cyber Security Awareness Month appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

During Cybersecurity Awareness Month, Experts Say Too Many Remain Unaware of Threats

Source: National Cyber Security – Produced By Gregory Evans

After an onslaught of hacking, breaches and malware this year, and the resultant waves of publicity, National Cybersecurity Awareness Month should be a bit anticlimactic. But for some people, the message never gets old. One of the organizations most aware of cyberthreats and most active in countering them is CIS,…

The post During Cybersecurity Awareness Month, Experts Say Too Many Remain Unaware of Threats appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Department of Homeland Security Cyber security Awareness Newsletter – May 2017

Source: National Cyber Security – Produced By Gregory Evans

Department of Homeland Security Cyber security Awareness Newsletter – May 2017

Help Older Americans Protect Against Online Scams
Americans young and old are using the Internet and mobile devices on a daily basis. Specifically, older Americans are increasingly utilizing mobile phones, tablets, and wearables to stay connected, informed, and involved with family and friends. This increased connectivity has many advantages, but it also presents a unique set of risks for people over 65.
May is Older Americans Month, a month that celebrates the vitality of older adults and their contributions and achievements. This offers a unique opportunity to talk with the people over 65 in your life about the importance of cybersecurity.
Cyber criminals often target older Americans, believing they are more likely to fall for online scams like phishing, online fraud, and identity theft. For example, a cyber criminal may email an older adult claiming to be a real financial or government organization, like their bank or the Internal Revenue Service (IRS), asking for money or for them to share their sensitive personal information.
Learning how to protect your identity and personal information online – and how to spot an online scam – is just as important as understanding how to use the latest technology.
Since cyber criminals are more likely to attack aging Americans, it is critical to equip them with the knowledge to protect themselves online. The Department of Homeland Security encourages older Americans, and all citizens, to follow these three tips to be safe online:
AARP’s Fraud Action Network
Con artists are constantly coming up with new ways to scam you on the Internet. To protect you from cyber criminals, the AARP offers the Fraud Action Network.
By joining this service, you’ll receive email alerts about the latest frauds and scams, access to resources, and tips about avoiding threats.
The AARP Fraud Action Network is free and available to people of all ages, including non-members. Visit the Fraud Action Network to sign up.
Beware of “free” gifts or prizes. If something is too good to be true, then it probably is.
Most businesses or organizations don’t ask for your personal information over email. Beware of any requests to update or confirm your personal information.
It is important to add only people you know on social media sites and programs like Facebook and Skype; adding strangers could expose you and your personal information to scammers.

The Administration for Community Living (ACL), a Stop.Think.Connect. Campaign partner, leads the national celebration of Older Americans Month (OAM) each year. The theme for OAM 2017 is “Age Out Loud,” which gives aging a new voice—one that reflects what today’s older adults have to say. For more information on OCM and how to get involved,
For more tips on how to stay safe online, please visit the Department of Homeland Security’s Stop.Think.Connect. Campaign at www.dhs.gov/stopthinkconnect.
Teacher Appreciation Week
The first week of May marks Teacher Appreciation Week. Teachers lead the way for students to exciting careers in a variety of fields. Some of the fastest growing and in-demand careers fall under the Science, Technology, Education, and Mathematics (STEM) fields. Skilled cybersecurity professionals are especially needed to help meet the workforce needs of an increasing digital world. Careers in cyber offer students a wide variety of opportunities. It’s important to stimulate interest in these careers at a young age. This is where teachers play a critical role.
The Department of Homeland Security (DHS) is committed to supporting teachers in this effort and providing them with the resources they need to accomplish this goal. Through grant funding from DHS, the curriculum developed by the Cyber Innovation Center (CIC) offers professional development opportunities for middle and high school teachers. Workshops and professional development trainings are available to teachers to help them bring new STEM and cybersecurity projects, technology, and curriculum into their classrooms.
Teachers touch almost all of our lives – whether you are a parent with children in school, in school yourself, or have a friend or neighbor that is a teacher. DHS encourages you to share the news of the CIC curriculum with the teachers in your life. For more information, please visit />
Partner Spotlight: The International Public Safety Association
The International Public Safety Associate (IPSA) is a 501(c)3 nonprofit dedicated to building a stronger, more integrated public safety community capable of an effective joint response to all public safety incidents. Their mission includes breaking down the cultural barriers and fostering the relationships among all first and allied emergency responders.
As a Stop.Think.Connect. Campaign partner, the IPSA continues to demonstrate itscommitment to raising cybersecurity awareness.
In the past year, they have shared cybersecurity tips and resources on social media, hosted cybersecurity related webinars for public safety, and they participated in National Cybersecurity Awareness Month.
final-logo-ipsa-email-small_crop.jpg
If you are part of the public safety community, the IPSA encourages you to become a member. Their membership represents law enforcement, fire service, EMS, telecommunicators, emergency management and allied emergency responders. For more information about why and how to join, visit their article in their Public Safety Column “Three Reasons to Become an IPSA Member” or their website at www.joinipsa.org.
If you would like to join IPSA and 360+ non-profit, academic, or government organizations and become a partner of the Stop.Think.Connect. Campaign, visit www.dhs.gov/stopthinkconnect-join-campaign or email at stopthinkconnect@dhs.gov.
Cyber Quiz
Test your cyber IQ with the quiz question below. You can find the correct answer at the bottom of the Newsletter.
Question: True or false— Some cyber criminals specifically target older Americans in many of their online scams and frauds.
Ready to Use Social Media Posts
Here are suggested posts that you can share on social media to bring attention to cybersecurity and online safety resources from the Stop.Think.Connect. Campaign: • Older Americans are prime targets for cyber criminals. Stay #CyberAware with tips from @DHSgov www.dhs/gov/stopthinkconnect
Learn how to protect your older loved ones from online scammers with resources from @DHSgov www.dhs.gov/stopthinkconnect
Follow the DHS @cyber Twitter handle for more cybersecurity news and tips.
June is Internet Safety Month
Internet Safety Month, celebrated annually each June, is less than a month away! The month is a great opportunity to talk about online security with your family, community, or stakeholders. The Stop.Think.Connect. Campaign Toolkit provides a variety of resources, including presentations and tip cards, to help you start the online safety conversation. You can find the toolkit at www.dhs.gov/stopthinkconnect-toolkit.
Cyber Quiz Answer
The answer to this week’s Cyber Quiz above:
Answer: True! Many scams and frauds are directed at older Americans, who are at increased risk of being victimized online. Older Americans are thought to be less cyber savvy and often have more established finances, which make them prime targets for online criminals. Check out our website for tips and resources to stay safe online created specifically for older Americans:

Source:

The post Department of Homeland Security Cyber security Awareness Newsletter – May 2017 appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

The cruel irony of Autism Awareness Month: There’s still much to learn about autistic people

To Purchase This Product/Services, Go To The Store Link Above Or Go To http://www.become007.com/store/ There is a cruel irony to John Benjamin Haygood’s being arrested during Autism Awareness Month. Video has gone viral of Haygood, a 10-year-old boy who is on the autism spectrum, being …

The post The cruel irony of Autism Awareness Month: There’s still much to learn about autistic people appeared first on Become007.com.

View full post on Become007.com

13-year-old Allen Park student battles bullying with autism awareness club

A 13-year-old boy with a big heart is working to help kids who are struggling with autism.

Braden Albright started an autism awareness club at his school and is hoping for a big turnout for an event he’s organizing.

“I have a couple friends with autism,” he said. “School is hard enough but it is even worse if you are being made fun of, for the way you look or the way you act when you can’t help it.”

Albright is an Allen Park Middle School 8th grader and is using the courage of his convictions he decided to start the club. They even hold weekly meetings.

Read More

The post 13-year-old Allen Park student battles bullying with autism awareness club appeared first on Parent Security Online.

View full post on Parent Security Online

Mum raises awareness of bullying after seven-year-old son is hospitalised with head wounds

The mum of a seven-year-old boy who was continuously bullied at school has taken to Facebook to raise awareness after he was hospitalised with head wounds.

Seven-year-old Jak had complained of bullies at his school in Telford to his mum, but despite talking to the school she had been unable to stop the latest attack happening.

On a Facebook page called ‘Justice for Jak’, his mum has posted an upsetting account of what she has already been through to get help for her son, who was left with a serious head injury after ‘the bully was hitting my son in school and pushed him so hard he hit his head on a metal pole’.

Read More

The post Mum raises awareness of bullying after seven-year-old son is hospitalised with head wounds appeared first on Parent Security Online.

View full post on Parent Security Online

We all have roles to play in child abuse awareness, prevention

As you are getting ready to begin your day, pick out something blue to wear. Not to support your favorite University of Kentucky Wildcats team, but to show your commitment to giving all of Kentucky’s children the opportunity for a great childhood.

Today is “Wear Blue Day,” one of the many designated days throughout April that encourages action to support Child Abuse Prevention Month. The overall goals during April are to raise awareness and the understanding of child abuse, and find ways in our local communities to strengthen and support families while educating children on their right to be safe.

The number of Kentucky children who died from abuse, as well as overall cases of abuse, continues to be on the rise.

Read More

The post We all have roles to play in child abuse awareness, prevention appeared first on Parent Security Online.

View full post on Parent Security Online

Bikers ride across western Wisconsin to raise awareness for child abuse

Bikers jumped on their Harleys and rode across western Wisconsin to raise awareness about a serious topic.

The Great Rivers Chapter of Bikers Against Child Abuse rode through seven counties, including stops in Eau Claire and Dunn Counties, bringing attention to child abuse.

The group of bikers started their journey Monday morning in Pierce County, stopping at county court houses along the way.

“Everyone was very receptive, the sheriff’s, CPS officers, victim witness, they all came out said hi to us, it’s been really, really good,” said Lionheart.

The Drug Endangered Child Committee, in partnership with the Child Advocacy Center, has created a positive activities calendar and bingo cards for families to fill-out this month.

Read More

The post Bikers ride across western Wisconsin to raise awareness for child abuse appeared first on Parent Security Online.

View full post on Parent Security Online