

#nationalcybersecuritymonth | Cyber Risks Cloud Census With Resources, Congress Seats at Stake

Source: National Cyber Security – Produced By Gregory Evans

The U.S. Census Bureau’s decennial count is raising concerns that its new digital systems are vulnerable to attacks or malfunctions that could unfairly rejigger congressional seats or shuffle federal resources. The 2020 headcount, for the first time conducted primarily online, kicked off in remote parts of […]

#cybersecurity | #hackerspace | 3 HR Risks and How to Avoid Them

Source: National Cyber Security – Produced By Gregory Evans

HR professionals may handle everything from recruiting, interviewing, and training to payroll and benefits. That means they are the keepers of a lot of important information. And not only do they have information about their organization, but also personal information about employees too. If the wrong hands get ahold of the right information, it can be a disaster for your company and your employees. According to a survey by the National Cyber Security Alliance, after small or medium-sized businesses experienced a data breach, 37 percent suffered a financial loss, 25 percent filed for bankruptcy, and 10 percent went out of business. 

Proactively protecting yourself from HR risks can give you peace of mind and let you focus on how you use your data, not how you store it. Here are some common HR risks and how to avoid them. 

Risk #1: Keeping Your Data in Spreadsheets

While using spreadsheets to keep track of data may seem like a convenient and cheap solution, spreadsheets are not an incredibly secure way to store data and can leave you vulnerable to a security breach or hackers. And if your data is stored across multiple spreadsheets, it can be easy to lose track of the information you need to access. 

Solution: Store your HR data in an HRIS. With a single, secure database you can store your confidential data safely. An HR software solution like BambooHR can protect your data with web application firewalls, frequent vulnerability scans, continuous security management and monitoring, and more.

Risk #2: Forgetting Security Issues When Offboarding Employees

Onboarding employees is the fun part: introducing them to new coworkers, sharing your organization’s incredible culture with them, and getting them set up to start doing great work. But employees have to be offboarded too. And when they leave, their access to all types of secure information, passwords, and applications needs to be removed. In an Intermedia Risk Report, 13 percent of people reported that they have accessed systems belonging to their previous employers after they left the job.

Solution: Automated account licensing and management. With an automated account manager, you can instantly revoke access on the day an employee leaves using a single app directory. Instead of having to individually track down which applications they had access to and nudging IT to revoke access, HR can manage accounts on their own in one convenient place.

Risk #3: Having Weak, Insecure Passwords

We all know that coworker who keeps their passwords on a Post-it note on their desk, visible to anyone who walks by. Or how about the team member whose passwords are all the same easy-to-remember pet’s name? Not surprisingly, these aren’t the safest ways to store or set your passwords, and once again leave your sensitive HR data at risk. But once you convince everyone on your team to use secure passwords stored in a secure place, your troubles aren’t necessarily over. There’s a good chance it will just mean more work for IT, constantly recovering passwords (which is still better than having your data stolen!).

Solution: Single sign-on. With single sign-on, your HR team gets one-click access to all their apps and improves security by having to memorize only one very secure password. (You can remember just one, right?)

An HRIS like BambooHR and secure access software like Idaptive can be the difference between keeping your employee and company information safe and confidential and having a costly data breach. Don’t let your HR risks be the reason your employee’s identity gets stolen! 




The post #cybersecurity | #hackerspace | 3 HR Risks and How to Avoid Them appeared first on National Cyber Security.


#cybersecurity | #hackerspace | 4 Steps to Managing EdTech Security Risks

Source: National Cyber Security – Produced By Gregory Evans

EdTech security risks create ransomware, account takeover, and data security risks for school districts

New EdTech supports innovation in teaching and enriches learning. However, that same technology can leave you vulnerable to cyberattacks. It poses risks to student privacy and safety, and increases the risks you […]

#nationalcybersecuritymonth | Don’t let these scary cyber safety risks creep up on you | Features/Entertainment

Source: National Cyber Security – Produced By Gregory Evans

THE CONCERN: October is National Cybersecurity Awareness Month, and the Better Business Bureau is scaring up the latest on cyber security risks and ways to avoid them. Watch out for these spooky dangers lurking in the corners of our everyday digital lives.

HOW THE SCAM WORKS: […]

SEC #Issues New #Guidelines for #Disclosing #Cybersecurity #Risks

Source: National Cyber Security News

The U.S. Securities and Exchange Commission issued new guidance calling on public companies to be more forthcoming when disclosing cyber security risks within their organization, even before a breach or cyber-attack occurs.

The commission’s five members voted unanimously to approve the guidance; however, both Democratic commissioners feel there needs to be more action taken by companies. These two members hope that this is just the first step towards defeating actors who use technology to threaten the United States.

In the guidance, the commission urged companies to create policies that allow them to quickly assess cyber security risks and decide when to tell the public, and that also prevent executives, board members, and other corporate insiders from trading shares when they have important information that hasn’t been released to the public yet.

“Given the frequency, magnitude and cost of cybersecurity incidents, the commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cyber security risks but may not yet have been the target of a cyber-attack,” the SEC said.

The SEC added that while companies are not required to disclose sensitive information that could compromise the company’s cyber security measures, they absolutely cannot use internal or law enforcement investigations as an excuse for not informing the public of the security incident, something that’s been done all too often in the past.


Cyber Risks and Blockchain

Source: National Cyber Security – Produced By Gregory Evans

General Cybersecurity Conference

 February 12 – 13, 2018 | Saint-Petersburg, Russia

Cybersecurity Conference Description

Cyber-risks and practical cases – Russian and foreign experience.
How to improve information security? How to protect databases?
What is cyber insurance and how to determine the amount of coverage?
What innovative solutions contribute to cybersecurity and how does cyber security relate to BLOCKCHAIN?
How to build a trust corridor between a client and a partner?
What BLOCKCHAIN start-ups are investors looking for today and how will BLOCKCHAIN change our lives?

The post Cyber Risks and Blockchain appeared first on National Cyber Security Ventures.


Focusing on #human-centric #cybersecurity to #identify, #adapt and respond to #risks

Source: National Cyber Security – Produced By Gregory Evans

CIOs and CISOs today must address new security challenges that come with operating in a world where traditional network perimeters are shifting.

Digital transformation has empowered employees to access and interact with data and intellectual property (IP) through a myriad of systems, applications and devices. However, for too long, the security industry’s focus has been on the wrong things. Traditional security perimeters are eroding or becoming obsolete, and so, rather than focus on building bigger walls, the industry needs better visibility.

This year’s headline-grabbing breaches prove a paradigm change is needed in cybersecurity.

We now face behaviour-centric risks ranging from the common user error that turns an email lure into a ransomware debacle, to sporadic, anomalous activities that, once presented in context, can be the breadcrumbs leading to the early stages of a malicious insider threat.

This continuously shifting threat landscape requires an equally transformative view and it starts with examining how people interact with critical business data and IP, and understanding how and why these interactions occur. These “human-points” of interaction have the potential to undermine even the most comprehensively-designed systems in a single malicious or unintentional act.

With this in mind, the questions of behaviour and intent are rising priorities as cybersecurity professionals look to get a better handle on the risk posed to critical business data. Organisations need to develop and deploy behaviour-centric security that includes understanding the nature of human intent and the ability to dynamically adapt security response.

Risk is itself not constant and by looking at the reasons behind a breach – accidental or malicious – security teams can better tackle the challenges facing their organisations in the current threat landscape.

Category of risk

Fundamentally, insiders typically fit into three groups along a spectrum that we call ‘the continuum of intent’, which categorises users as accidental, compromised or malicious. However, it’s important to note that people can move in and out of these categories depending on a number of factors, so examining their typical behaviours is crucial.

Accidental insiders are those individuals who make honest and unintentional mistakes, inadvertently exposing the organisation to data theft. This could be down to a lack of training, awareness of processes or negligence.

Meanwhile, compromised insiders are those users with access to networks whose credentials have been stolen and used by a hacker to misuse the system to their own ends. It was this approach that caused much of the damage in the case of the Petya outbreak in June 2017.

Administrative credentials were obtained through the use of built-in credential stealing code, resulting in the malicious activity effectively blending into the background noise of a big network, thereby allowing the attackers to maximise their dwell time on networks.

Cybercriminals are focusing on exploiting the human point of weakness in an organisation’s security defences, due to their undeniably inherent wealth of value.

These attacks are designed to deploy a social incentive for employees to open email attachments or click on a link. Email, by far, represents the greatest risk to an organisation, followed by mobile devices and cloud storage, which are deemed other areas of concern for organisations’ critical infrastructure.

More targeted attacks are also seen, aimed at specific individuals on the basis of their membership of a hacked website database, or even using information gleaned from social media accounts.

Concerned with the implications of sharing login credentials with third-parties, banks and other financial institutions have previously warned they would not be held liable if their customers shared account access with third parties such as Mint, a free web-based financial management service.

Finally, there are malicious insiders. This group includes individuals who have both knowledge and access to vital company networks, as well as the intent to cause harm. Forcepoint’s Insider Threat European Survey revealed that 29 per cent of European employees have purposefully sent unauthorised information to a third party. To put this in wider context, one third of organisations have suffered from an insider-caused breach, with potential losses from each incident totalling more than $5m, according to the SANS Institute.

Cybersecurity investment continues to rise, but so does the volume of threats

We recently surveyed over 1,250 cyber security professionals worldwide to ask them about the state of the sector and the changes that need to be made. The resulting research, The Human Point: An Intersection of Behaviours, Intent & Data, discovered that most experts do not hold high hopes that more cyber security tools will improve security. Instead, an overwhelming majority of respondents felt that understanding the behaviours of people as they interact with IP and other data was the path to success.

In other words, to determine the underlying cause of security incidents (e.g. data theft and intellectual property loss) and prevent them from occurring again in the future, security professionals must look at the intent behind people’s actions, understand the categories of risk and adapt their security offerings accordingly.

Data is everywhere

Modern working practices rightly allow for anytime, anywhere access to data by employees and authorised third parties (including APIs), and data aggregators offer efficient and effective ways of working that companies and their employees have wholeheartedly adopted.

However, with data everywhere and accessible from anywhere, the attack surface becomes much wider. The recent Equifax breach should be a wake-up call for businesses worldwide to improve their systems so that attackers taking aim at data goldmines such as these will meet with increased resistance. Examining the flow of the data through an organisation is the only scalable defence mechanism, and by looking for and identifying uncommon consumption patterns or the misuse of account credentials on a database, malicious behaviour can be identified.

A human-centric future

Going forward, it is vital that organisations implement intelligent, integrated security solutions that provide visibility into user behaviour, coupled with robust cyber security programmes. By understanding how data flows, who has access to it and why, we can increase the efficacy of security. Compounding this, by homing in on normal and irregular data and user patterns, we can reduce complexities and focus on the events that really matter.

It’s time for the industry to stop playing catch-up and start thinking differently about security by understanding human behaviours and cadences. This will enable companies to ensure their most valuable data is surrounded by the right behaviours that enable them to protect against breaches now, and into the future.

The post Focusing on #human-centric #cybersecurity to #identify, #adapt and respond to #risks appeared first on National Cyber Security Ventures.


Feds Eye #Cybersecurity Risks of #Tech #Providers

Source: National Cyber Security – Produced By Gregory Evans

Financial regulators just named cybersecurity as one of their top concerns going into 2018, with a heap of worry specifically about third-party contractors supporting the financial system.

So for compliance officers looking for yet another reason to move third-party risk management up the priority scale, now you have one.

The alarm was raised last week in the 2017 report of the Financial Stability Oversight Council. (That’s the council of U.S. financial regulators mandated by the Dodd-Frank Act, to help coordinate regulatory policy and anticipate future financial crises.) Financial firms have come to rely on technology service providers so much, the report said, that a poor understanding of their cybersecurity postures could create risk for the financial system overall:

Maintaining confidence in the security practices of third-party service providers has become increasingly important, particularly since financial institutions are often serviced by the same providers. The Council encourages additional collaboration between government and industry on addressing cybersecurity risk related to third-party service providers, including an effort to promote the use of appropriately tailored contracting language.

What’s more, the FSOC even raised the idea of regulating tech providers in a more uniform fashion, so the current patchwork of supervision doesn’t allow cracks in the system that others could exploit:

[T]he authority to supervise third-party service providers continues to vary across financial regulators. The Council supports efforts to synchronize these authorities and enhance third-party service provider information security. The Council recommends that Congress pass legislation that grants examination and enforcement powers … to oversee third-party service providers and encourages coordination among federal and state regulators in the oversight of these providers.

Wow. When a group of Republican regulators tell a Republican Congress that they might need more regulation, you know things are bad.

Will Congress actually respond to these ideas? Probably not, given the floundering leadership in Washington these days. But the fundamental point — that service providers can now pose dire cybersecurity risk to the financial sector and many others — is not news to compliance officers. So let’s ponder a few other points about how to manage third-party risk in useful ways right now.

The Business Imperative

First, consider the FSOC’s true worry here. Regulators are one party, acting to protect the interests of a second party: the public, which ultimately supports and pays for the financial system. Regulators do that by imposing standards on third parties (financial firms) — and now regulators are worried about the tech service providers supporting those financial firms.

In other words, the FSOC is really worried about fourth-party risk to the financial system.

This underlines a point I’ve been making for a while: the better your firm is at managing third-party risk, the more attractive you become as a third party yourself. After all, your third parties are your customer’s fourth parties. Fourth-party risk is where your customers start to get antsy, because they can’t easily see what those risks might pose to them. They don’t have visibility into those distant parties.

And that’s what third-party risk management is all about: making your supply chain more transparent, so you can see those risks more clearly. So any compliance program that can achieve that transparency, and pass that assurance along to your customers, will have a strategic advantage over your rivals.

The compliance community likes to talk a lot about the strategic advantage of a strong compliance program. This is the most urgent example. When your board or CFO start complaining about that budget request for more investment in third-party governance, remind them: “If we can’t govern our third parties and possible cybersecurity risk, eventually we’ll get locked out of courting financial services firms.” That’s why investing in third-party governance is worth it.

Three Practical Challenges

So what bumps will compliance and audit officers hit on the road to better cybersecurity assurance? A few come to mind.

Scoping SOC 2 audits. A SOC 2 audit examines a service provider’s data security controls. A Type I audit determines whether a vendor’s controls are designed properly at a certain point in time; a Type II audit examines whether the controls work as designed for a set period of time.

Yes, your big firm can probably squeeze an eager vendor to pay for the SOC 2 audit — but scoping the audit correctly is still your responsibility. If the scope is too narrow, you might miss risks that the vendor has, but that weren’t audited; if the scope is too broad, you’ve wasted money on “over-compliance” for risks you won’t face.

I wrote a longer essay about scoping SOC 2 audits earlier this year for Reciprocity Labs, if you want to read more there. Suffice to say, you need to understand your own firm’s cybersecurity risks, and the risks of outsourcing some data functions to a vendor, and the vendor’s own security protocols, to do this well.

Implementation of NIST protocols. NIST has several sets of controls it recommends for cybersecurity. They are an outstanding resource, and should be adopted. The FSOC praised NIST, and urged financial regulators to keep current with new advances in the NIST standards as they evolve.

In the private sector, compliance officers, audit executives, and internal control departments should examine the standards and see how to implement those controls into your own operations — and this is especially true for tech service vendors themselves. NIST 800-171 is the standard government contractors are supposed to use to comply with DFARS, which spells out cybersecurity standards if you want to bid on defense contracts.

I have another essay, and companion white paper, about the NIST standards that I wrote for Rapid7 earlier this year. Companies may have a long way to go for compliance, but the NIST standards are the clear destination.

Preparing for more scrutiny. The Securities and Exchange Commission already pressures companies to disclose cybersecurity concerns as risk factors. Good news: many more companies are. According to a report from Intelligize released last week, the number of firms disclosing cybersecurity as a risk factor went from 426 in 2012 to 1,680 this year.

The bad news: those disclosures usually don’t say much, and they certainly don’t capture the full picture of risk from tech service providers. Hence the SEC is talking about enhanced disclosure of cybersecurity risk, or even required disclosure of cybersecurity incidents. (Imagine filing a Form 8-K to disclose a breach every time you have one.)

Likewise, the Public Company Accounting Oversight Board wants audit firms to step up their scrutiny of your cybersecurity risks. I still struggle to understand what that scrutiny will look like in practice, since cybersecurity breaches rarely lead to a material risk of misstated financial results — but that’s the point, really. Regulators know they need to do more about cybersecurity; they just aren’t quite sure what.

I suspect many of us feel the same way.

The post Feds Eye #Cybersecurity Risks of #Tech #Providers appeared first on National Cyber Security Ventures.


Cybersecurity #risks just part of #captain’s #job

Source: National Cyber Security – Produced By Gregory Evans

The view from the 128-foot M/V Grand Floridian in the center of the Fort Lauderdale International Boat Show overlooked hundreds of yachts rigged with intricate electronics. For this month’s Triton From the Bridge lunch we gathered 11 captains to learn how they handle these yachts’ potential cybersecurity risks.

Large yachts, like other businesses, try to stay ahead of hacks, spams, viruses, intrusions or otherwise compromised electronics. Yacht captains respond to these threats in the same way they handle a yacht fire, accident or flooding: They focus on prevention and implement solutions when there is a problem.

Each of the captains tries to stay educated, but most have had a cybersecurity incident related to the yacht.

“My experience has been with vendors and contractors being hacked,” a captain said. “Someone duplicating the invoice and following up for payment. They are very slick. It will even have the picture of the vendor and the full thread of all previous correspondence.”

In this case, the vendor called the captain to say he had been hacked. Fortunately, the payment was not sent.

“It never got to that point, but it was headed that way,” the captain said. “I could have paid a rather large invoice to a source that was mimicking as someone else.”

Individual comments are not attributed to encourage candid discussion; attending captains are identified in the accompanying photograph.

Most of the group had experience with emails from a friend or contact that had been hacked. And there were other common themes.

“We were locked out of our computers in Mexico; someone had tried to log in too many times,” a captain said.

Several yacht credit card numbers had been stolen. One was charged $27,000 and another was hit for $5,000 at Target. One captain switched credit cards after frequent small unauthorized purchases.

Most anyone connected to a computer is exposed to cybersecurity problems. Captains are aware of global incidents, as well as issues that may be tailored to yachts, and implement policies to try to prevent them on board.

“We are proactive,” a captain said. “We try not to log into any open source marina Wi-Fi; that’s usually where the trouble comes into play. The crew are required to use the boat system. And I cut down on opening of attachments and things that are recognizable as problems.”

Another captain protects yacht business by connecting via hardwire instead of wireless or bluetooth, and he requires crew to use their own laptops for personal emails. Several captains protect the owners by separating their access from the yacht business and crew.

“The owner has his own network,” a captain said. “It is important to separate bands and sites to monitor and set controls for everyone. I can block and set timers on the crew.”

By isolating each IP address, which identifies specific users, this captain can monitor and protect crew bandwidth use, and he can block specific internet sites such as social media. When crew use is too high, this captain has gone to extremes to make a point.

“Sometimes I’ll walk to the rack and turn it off,” he said.

“Crew should be careful with their social media anyway,” another captain said. “Most crew agencies check Facebook and those sites.”

Another captain uses different emails and changes passwords on a regular basis.

Several captains said well-defined crew confidentiality agreements address privacy issues in regard to electronics.

“But it can be contentious,” a captain said. “Crew live and work on board. It is hard to shut everything down.”

Confidentiality agreements vary by yacht, but one common clause is that no pictures of crew on board or pictures of the yacht are allowed for the public, a captain said.

“As captains, we have to define clearly what the owner wants,” he said.

Charter guests present a challenge. Celebrity guests are common on some yachts, and several captains had stories of fans and paparazzi waiting at the dock.

“If it’s a charter, you have to figure out how to handle the guests because they do not have a nondisclosure,” a captain said.

“You can watch TMZ [celebrity news] and see the boats, so I don’t know how you can control that,” another captain said. “They can check online and see who’s on board.”

One yacht owner said to a captain, “If Google can find my name, it doesn’t matter – there’s nothing you can do.”

There are other systems on board that link yachts to the cloud of information. Automatic Identification System (AIS) is required on many yachts to display vessel location through a satellite system. This can include ship name, course and speed, classification, call sign and registration number.

The captains agreed that AIS is vital to navigation, but is typically turned off when not underway. But the system is popular with yacht owners who follow their yacht’s locations through a public website that shares AIS information.

“The boss calls when he’s using it,” a captain said. “I can see you are using a lot of fuel, can you throttle back?”

Another owner was watching the yacht online and called when he saw it had not moved for several hours.

Basically captains don’t have a choice because the system is helpful and often mandated. But there are a few precautions available.

“AIS yachts are allowed to turn it off in dangerous situations,” a captain said.

“There is a stealth mode where the yacht does not broadcast,” another captain explained.

And there is a delay with Marine Traffic, the online private version of AIS. A captain said yachts can pay for premium services to increase security on the program.

Several captains were familiar with a 2013 experiment in which a yacht was taken off course by GPS spoofing.

“I read about that,” a captain said. “There can be transmitters that confuse the signal to navigation.”

Spoofing and loss of power or electronic contact are a couple of reasons why several captains have the crew plot a course on a paper chart.

“I had a crew say, ‘The electronic navigation is down, how are we going to get into port?’” a captain said. “They had no idea.”

“If something looks wrong, they should check,” the first captain said. “It’s important to teach them how to use the charts.”

Many yacht electronic systems are complex and not under crew expertise; that is why two of the yachts have remote information technology companies.

“We have an IT guy in Indiana who controls the boat,” one captain said. He said the technician recommended that the yacht’s satellite service run through the United States instead of other countries so he could better monitor service.

So much of the technology frequently changes, it’s difficult to keep current. A captain recommends people ask for help.

“When techs are on board servicing your sat system, make sure to have the security checked,” this captain said.

Many yachts have monitoring systems and most have camera security systems. Many captains receive messages when the bilge runs or an alarm sounds. One captain logs in and monitors the systems remotely. Another captain recommended that all systems be evaluated by a trusted technology company to confirm systems cannot be compromised.

We asked what the future holds for cybersecurity risks in yachting.

“There’s nothing different in yachting than in other industries,” a captain said.

So, like anyone in business or using personal electronics, the captains seek good technical advice and try to stay alert to what could happen.

“I’ve heard of many different things that can happen, and it doesn’t take long,” a captain said. “I think it’s going to be a concern from here moving forward. All our information is out there anyway.”

“I think in the future there could be a meltdown,” another captain said. “Maybe everyone is hacked all at once.”

“We were in the Bahamas with no communication for two days; the cell towers were down,” another captain said. “We could use our old sat phone but we really could see the limitations.”

“The government can shut down the satellite system, but we have other nations’ satellites to use,” a third captain said.

“Or we can use our Stargazer app,” another captain said with a laugh as he held his phone to the sky.

“Yes, maybe sometime in the future, whether weather- or terror-related, we will have to function without,” a captain said. “But for now, it’s a tool.”

It is a reason to know celestial navigation, and one captain noted yachts still need their compasses.

“If it turns out our power is completely out and everything is down, we can’t make it to shore anyway,” a captain said. “Everything runs on power now.”

“We’ve been careful,” another captain said. “But lucky is probably the real word.”

The post Cybersecurity #risks just part of #captain’s #job appeared first on National Cyber Security Ventures.


Millennials are more aware of #cyber risks yet are ‘alarmingly’ careless #online. What gives?

Source: National Cyber Security – Produced By Gregory Evans

Millennials are more aware of cybersecurity careers than they were four years ago and believe that cyber attacks influenced the 2016 presidential election, and yet they’re not interested in pursuing cyber professionally and exhibit careless online habits in their everyday lives.

No, this is not the head-scratching dichotomy of the latest viral video from Simon Sinek explaining this either self-absorbed and entitled or passionately idealistic generation — it depends on whom you ask — born between 1981 and 1997. Rather, the insights are from a new survey from Raytheon Co.’s Intelligence, Information and Services business unit, based in Dulles, along with the National Cyber Security Alliance and Forcepoint, an Austin, Texas-based cyber company owned by Raytheon.

The annual study, in its fifth year, captures what the companies call “alarming” trends among millennials when it comes to cybersecurity. And why does a $24 billion gov-con giant like Waltham, Massachusetts-based Raytheon (NYSE: RTE) care?

Because “the demand for skilled cyber talent has become a national security issue,” Dave Wajsgras, president of the company’s Intelligence, Information and Services division, said in a statement. “While great strides have been made to increase millennial awareness in the cybersecurity profession, there is still work to be done.”

Indeed, hacks and breaches seem to grow more damaging and widespread by the day. At the same time ISACA, a nonprofit information security advocacy group formerly known as the Information Systems Audit and Control Association, predicts there will be a global shortage of 2 million cybersecurity professionals by 2019.

Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cybersecurity-related roles, according to cybersecurity data tool CyberSeek. For every 10 cybersecurity posts that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply, according to Forbes.

Opinion research firm Zogby Analytics independently conducted the Raytheon survey, polling 3,359 young adults ages 18-26 in nine countries: Australia, Germany, Jordan, Poland, Qatar, Saudi Arabia, United Arab Emirates, United Kingdom and United States.

Some of the survey’s findings are encouraging, showing rising cyber awareness and engagement among millennials:

  • 34 percent of U.S. survey respondents (37 percent globally) said a teacher discussed cybersecurity with them as a career choice, up 21 percent from the number of respondents who said a career in cyber had been mentioned to them by a teacher, guidance or career counselor in 2013.
  • 51 percent of U.S. respondents (52 percent globally) said they know the typical range of responsibilities and job tasks involved in the cybersecurity profession, up from 37 percent in the U.S. in 2014.
  • Globally, 46 percent of men have met or known someone studying cybersecurity at the high school, university or graduate level.
  • 71 percent of young adults surveyed think it’s their responsibility to keep themselves secure online rather than relying on the government, commercial companies or other individuals.

At the same time:

  • Globally, only 38 percent of millennials were willing to consider a career in cybersecurity. That percentage is unchanged from 2016.
  • Only 26 percent of women globally have met or known someone studying cybersecurity at the high school, university or graduate level.
  • Globally, 63 percent click on links even if they aren’t sure the source of the link is legitimate.
  • The proportion of U.S. young adults who share passwords with non-family members nearly doubled from 23 percent in 2013 to 39 percent in 2017 (42 percent globally this year).
  • 74 percent reported using unsecured public Wi-Fi today in the U.S. as a matter of convenience even though the security risks are well documented, up from 66 percent in 2013.

“We need to be providing the tools for this generation to take action and embrace safe online practices,” Michael Kaiser, executive director of the National Cyber Security Alliance, said in a statement. “We also need strong role models – including parents, teachers, colleagues, and friends – to help improve cyber practices nationwide and encourage the pursuit of cybersecurity careers among young adults.”

