Covered Security wants you to be smarter about online threats — for your employer’s sake
I took a five-minute online quiz created by a Boston startup, Covered Security. It’s designed to give you the cybersecurity equivalent of your credit score — basically, how do your online security habits compare with the average person’s, and how do they compare with the habits of security experts? Let’s just say I have some improvements to make before I reach the “average” mark on Covered’s grading scale.
What Covered is trying to do is motivate people like me to change. Not because we’re a danger to ourselves, but because we’re a danger to our employers.
“Normal people are compromised at a rate that is 124.7 percent higher than security professionals,” says Covered’s founder and CEO, Chris Zannetos.
Unfortunately, it can be tough to get people to change bad habits, such as using the same password for multiple accounts or using easy answers to the security prompt questions for password recovery (like mother’s maiden name).
As for getting them to pay for new security software or services that might make them less vulnerable? Forget about it, Zannetos says. People are complacent about security until a hacker breaks into their Facebook account and starts messaging all of their friends or cracks a bank account and wreaks havoc.
So Covered is focusing on employers, who have a lot more at stake — billions of dollars, trade secrets, brand reputations, and stock prices. Corporate information security executives, Zannetos says, “always say that people were the soft underbelly of their security program. They are a gateway for hackers to break into the organization,” such as when employees hastily respond to an e-mail that looks like it’s from the boss requesting password information, or asking them to review an attached file. (Oops — malware, which can give the bad guys access to everything on your machine.) So Covered is planning to sell to companies, rather than to individuals, and it already has a handful that are using its software, including Aflac, the Georgia insurance company.
Covered Security was founded in 2016, and it’s still small — fewer than 10 employees, Zannetos says. The objective, he explains, was to create “a FitBit for online security. Could we make it simple, fast, and personally rewarding for people to improve their own security habits?”
Covered’s product is fundamentally about education: What are the ideal things to be doing to protect your passwords and accounts, and where have data breaches occurred recently that may affect you and your account information? The Web-based system gives you pats on the head (“kudos”) when you make small improvements, and your employer can offer prizes to people who have accumulated a certain number of kudos. (Yes, you are on the honor system: You can say that you’re using two-factor authentication — “text me a code so I can log in to my account” — without actually doing it.)
Your employer can’t peer into an individual employee’s Covered profile, Zannetos says. But they can see high-level analytic data about “where the company is weak and where they’re strong, and what behavior they need to incentivize.”
This month, to build buzz, Covered has been giving away gift cards to people who register with the site and start earning kudos.
Danahy, the security entrepreneur, says that while “most people treat the end user as a problem that is not solvable — they will always make mistakes — what Covered is doing has an optimism, and a realism, I think, that you can change that.”
The notion, he says, is that you and I should be more aware of practical behaviors, like using a password repository to create and manage our passwords, as well as read articles about the latest hacker techniques, so that we don’t become victims. Offering kudos and financial incentives to spend time doing that, Danahy says, “gamifies” the process of changing our behaviors. Danahy serves as an adviser to Covered but is not an investor in the company.
Oren Falkowitz, CEO of the California startup Area 1 Security and a former staffer at the National Security Agency and US Cyber Command, says via e-mail that the Covered concept sounds simple. “But the reality is, we humans can’t be taught to be less human. Our innate curiosity, our willingness to trust complete strangers, and our child-like interest in a good story, all work against us in cyberspace.” That’s what makes it impossible, Falkowitz says, to stop phishing attacks without relying on “specific and advanced computer software.”
“The concept of training employees so that they can better avoid being phished or falling prey to other social hacks is not new, and almost every company is doing some level of employee education in this regard these days,” says Maria Cirino, a former cybersecurity CEO and venture capitalist at the Boston firm .406 Ventures. But Covered’s approach and use of technology to change people’s bad habits could prove more effective and measurable, Cirino says. Her firm hasn’t invested. Covered has so far raised a bit more than $1 million from individual investors, and Zannetos hopes to add more to the company’s bank account in the spring.
Covered is in the midst of juggling the four balls that every startup needs to keep in the air: finding investors, closing sales, hiring skilled employees, and continually improving the product.
But the mission — making all of us a little less dumb, when it comes to online security practices — is an important one.
Scott Kirsner can be reached at email@example.com. Follow him on Twitter @ScottKirsner.
In our post last month, we talked about what companies need to do internally to adopt a holistic, long-term risk management approach to cybersecurity. The big takeaways were five steps companies can take to drive down their individual cybersecurity risks to a more manageable level.
If more companies implemented these actions to begin mitigating their own cybersecurity risks, we would elevate the level of cybersecurity across the entire digital ecosystem. However, these internal steps are not the entirety of what companies need to do to adopt a risk management approach to cybersecurity. As an organization gets its internal house in order, it also needs to take four external steps:
Step 1: Proactively decide how IT systems will integrate with the broader Internet.
In today’s world, the sharp boundary between “internal” and “external” networks has essentially disappeared, replaced by a fluid mix of bring-your-own devices, software as a service, and cloud providers. However, this fluidity does not mean you have forfeited all control. Organizations should proactively determine the rules for connecting employee devices to the company network (including rules for data stored on those devices), acquiring external services, and accessing cloud storage.
For example, storing data in the cloud can improve the ability to access data remotely, and these services are generally more secure than many on-premises solutions. However, any time data is moving, the risk of exposure increases. Thus, these policies should be based on an organization’s business process needs and its risk tolerance. Furthermore, organizations must understand their supply chain – who they rely on and who relies on them – in order to understand the complexity and scale of their digital footprint and attack surface. An organization’s supply chain decisions should also be considered and reflected in internal incident response planning. We must think holistically: make cybersecurity a key part of your procurement and supply chain decisions.
Step 2: Actively participate in an information sharing organization… or two.
The cybersecurity industry has been talking about information sharing for a long time. There’s a reason for that: Information sharing is easy to talk about, but hard to make concrete and effective. The reality is that sharing is often limited by legal concerns, cultural challenges, uncertain return on sharing, and the inability to use shared information effectively. Nevertheless, effective cybersecurity risk management requires organizations to overcome these concerns and learn to share.
While this task can seem daunting, companies have a broad array of resources available to assist with sharing efforts. In particular, a good way to engage in sharing is to join an information sharing and analysis organization (ISAO) focused on your business sector or region. These organizations have the infrastructure to facilitate sharing about threats and best practices. In joining an ISAO, a company will learn that it is not alone in the problems it faces, and it can learn from how others have tackled similar challenges.
At this point, it’s important to identify the types of cybersecurity information that should be shared: technical indicators, cybersecurity risks and best practices. How an organization deals with these different types of information can vary significantly. With respect to technical indicators, many organizations may not have the capability, resources, or technical expertise to share or ingest indicators of compromise on their own. One way organizations can address this lack is by using cybersecurity companies that participate in automated cyber threat intelligence sharing, such as those that are part of CTA. Our members provide the technical indicators necessary to protect their customers and also are able to anonymously share information from their customers to other CTA members. This approach allows for a broader awareness of threats and faster implementation of protection. Our next blog will dive into this topic further.
However, the other two types of information are easier for most organizations to understand and deal with. All organizations should be prepared to ingest and share information regarding cybersecurity risks to their business operations and best practices developed to deal with those risks. Understanding cybersecurity risk enables organizations to increase their security and become more resilient to a variety of cybersecurity threats. Sharing that information with partners in your sector, and with governments when appropriate, helps build an understanding of risk across a sector and across multiple sectors. Sharing best practices and lessons learned enables organizations to find common approaches to mitigating those risks. But just sharing information isn’t enough.
Step 3: Take action based on the shared information.
It’s important to keep in mind that the reason to share information is to solve problems. If companies don’t use the shared information to change their behavior in some way, then it’s worthless. If a new risk emerges, an organization should work with its cybersecurity provider to determine what changes should be made to address that risk. For example, maybe the new risk means that the benefits of encrypting data at rest now outweigh the performance costs.
However, organizations should not just look internally to make changes; they must work together to mitigate shared risk within a sector or across multiple sectors. The bad guys collaborate extensively to carry out their activities, and defenders should be just as collaborative in efforts to thwart those adversaries.
Step 4: Build relationships with law enforcement and government network defenders.
The last thing you want to do during a crisis is meet local representatives of the national law enforcement agency for the first time or try to determine how to get information out of the national government’s cybersecurity center. Organizations should look to build those relationships ahead of time, so when they experience an intrusion that warrants calling law enforcement and government-based network defenders, the linkages are already in place.
States and criminals are becoming more brazen in their malicious activity as they expand their use of cyber capabilities. Tackling these challenges can surely be overwhelming, but “failure is not an option,” as President Kennedy said when attempting to put the first man on the moon. If an organization identifies how it relies on external partners for cybersecurity and then collaborates with those entities, it will help improve the level of cybersecurity for the entire digital ecosystem.
Finally, combining internal and external steps identified here will put control back into the hands of managers, employees, owners and operators and eliminate the feeling of helplessness in the face of cyber threats. In most cases, we don’t know if our actions will affect our adversaries, but we do know that working with like-minded partners to make data, systems and processes more secure, resilient and better protected will have an outsized impact on our ability to protect against malicious cyber activity.
The post SMARTER #CYBERSECURITY #THINKING: WHAT #COMPANIES NEED TO #CONSIDER #EXTERNALLY appeared first on National Cyber Security Ventures.