#nationalcybersecuritymonth | Massachusetts Announces School Grants for Cyber Training

Source: National Cyber Security – Produced By Gregory Evans

(TNS) — The state on Tuesday announced grants totaling $250,000 to 94 municipalities and public school districts to provide cybersecurity awareness training for more than 42,000 employees.

Lt. Gov. Karyn Polito addressed award recipients at Worcester City Hall to mark the end of October as Cybersecurity Awareness Month.

Approximately 1,800 government and school employees in Worcester will receive the training. Town employees in Auburn, Berlin, Boylston, Holden and Ware, employees of the Southern Worcester County Regional School District, and school and municipal employees of Leominster will also receive the interactive online training in topics from email security to USB device safety.

Employees will also receive simulated phishing emails, as phishing is a growing threat in local government in which an attacker seeks to influence the employee to take an action that may be harmful to the organization, by masquerading as a trusted entity, according to the state.

“Raising awareness of the challenges posed by cyber threats is an important strategy for the Commonwealth’s communities to best train and equip its employees with the tools needed to defend against cyber threats,” Gov. Charlie Baker said. “We are pleased to collaborate with our partners in local government to understand how we can better protect our communities.”

“Cybersecurity is a critical issue for Massachusetts communities and schools who face cybersecurity threats but sometimes lack the resources to prepare for and combat them,” Polito added. “These first-ever cybersecurity grant funds are a crucial tool to complement the over $9 million in funding for municipal IT infrastructure projects through the Community Compact program in providing Massachusetts communities and schools the resources and tools they need to combat cyber threats.”

The grant funding was included in part in the fiscal 2019 operating budget passed by the Legislature and matched by the Executive Office of Technology Services and Security.

In June 2017, Baker filed legislation to establish the Executive Office of Technology Services and Security.

Worcester City Manager Edward M. Augustus Jr. expressed appreciation for the grant.

“Failure to proactively defend against cybersecurity threats in today’s digital world puts both the city and its residents at risk,” Augustus said. “This is why training city staff to follow best practices and to be vigilant in the prevention of online attacks is so critical. We are grateful that the state is taking this issue seriously and we will continue to work together to keep our community safe.”

“In the wake of growing concerns relative to data privacy, security and increased threats, we are taking action to improve the commonwealth’s preparedness within the cyber space,” said state Sen. Michael O. Moore, D-Millbury.

Moore, who served as chairman of the Senate Special Committee on Cyber Security Readiness, added: “These efforts complement a national conversation and need for resources to support cybersecurity readiness. I commend the administration for taking an active role in working to better prepare our schools and municipalities for these very real threats.”

©2019 Telegram & Gazette, Worcester, Mass. Distributed by Tribune Content Agency, LLC.


The post #nationalcybersecuritymonth | Massachusetts Announces School Grants for Cyber Training appeared first on National Cyber Security.

View full post on National Cyber Security

Mimecast acquires Ataata to improve #cyber #security #training

Mimecast Limited today announced it has acquired the cyber security training and awareness platform Ataata. The acquisition aims to let customers measure the effectiveness of cyber risk training by converting observations of employee behavior into actionable risk metrics for security professionals.

According to research Mimecast conducted with Vanson Bourne, 90 percent of organizations have seen phishing attacks increase over the last year, yet only 11 percent responded that they continuously train employees on how to spot cyberattacks.

The acquisition of Ataata will offer customers a single cloud platform engineered to mitigate risk and reduce employee security mistakes: it calculates each employee's security risk score from sentiment and behavior, then connects them with relevant training content based on that score and their recommended areas for improvement.

“Cybersecurity awareness training has traditionally been viewed as a check the box action for compliance purposes, boring videos with PhDs rambling about security or even less than effective gamification which just doesn’t work. As cyberattacks continue to find new ways to bypass traditional threat detection methods, it’s essential to educate your employees in a way that changes behavior,” said Peter Bauer, chief executive officer and founder of Mimecast.

“According to a 2017 report from Gartner, the security awareness computer-based training market will grow to more than $1.1 billion by year-end 2020. The powerful combination of Mimecast’s cyber resilience for email capabilities paired with Ataata’s employee training and risk scoring will help customers enhance their cyber resilience efforts.”


Hardware Security Training Berlin

Source: National Cyber Security News

General Cybersecurity Conference

April 26 – 27, 2017 | Berlin, Germany

Cybersecurity Conference Description: Security Conference is a platform for the hardware and security community where researchers showcase and discuss their innovative research on attacking and defending hardware.


“Three in four” #councils do not #provide #mandatory #cyber security #training

Source: National Cyber Security News

Three in four local authorities do not provide mandatory cyber security training to their staff, Big Brother Watch has revealed, despite human error being a significant factor in most data breaches.

The privacy campaigners behind the research said they were concerned by their findings given the rapid accumulation of personal data by councils across the country.

The report revealed that more than a quarter of councils (114) have had their computer systems breached in the past five years and that 25 had experienced a breach that resulted in a loss of data.

More than half of those hit by a breach did not report it, the report found. However, the Freedom of Information results used to gather the data did not reveal how many of those breaches affected personal information.

Organisations are not legally required to report data breaches, but the Information Commissioner’s Office urges them to do so anyway. When GDPR comes into force in late May, firms could face significant fines if they fail to do so.

Jennifer Krueckeberg, lead researcher at Big Brother Watch, said she was shocked to discover that the majority of councils’ data breaches go unreported and that staff often lack basic training in cyber security.


Rethinking #Cybersecurity: #Shifting From #Awareness to #Behavior #Training

In recent years, many good things have happened in the cybersecurity world. In particular, organizations in all industries and all parts of the world have come to realize that getting serious about cybersecurity is no longer optional.

Despite this, the number of serious breaches reported each year has not fallen. In fact, quite the opposite is true.

Why? I could give you dozens of answers.

I could talk about the constant evolution of malware and other attack vectors. I could write about the difficulties faced by law enforcement agencies when attempting to apprehend known criminal groups across international borders.

I could explain why, no matter how technically sound your network, you’ll never be prepared for the latest zero-day threats.

In reality, though, none of these adequately explain the real issue.

Why Common Wisdom Will Hurt Your Organization

Before we continue, it’s important to keep one thing firmly in mind: nearly all cyber-attacks are motivated by profit. Equally, if there is money to be made from attacking your organization, you can be sure someone will.

Common wisdom suggests that the best way to defend your organization against these attacks is to implement a series of technical controls designed to prevent unauthorized access, block malicious activity and identify incoming attacks.

But there’s a problem.

If you look closely at every reported breach in the past decade, you’ll notice something interesting. Almost every single one made use of phishing or another social engineering technique at some point during the attack.

Why? Because, on the whole, fooling people is much easier than fooling machines.

If an attacker can trick a human into compromising your network, it won’t matter how good your technical controls are. Once an attacker is inside your network using legitimate credentials, the hard part is already done.

Now, you might be thinking that there are plenty of technical controls designed to mitigate the impact of a malicious email. And that’s true, but no matter how good your spam filters and content scanners might be, they will never prevent 100% of malicious emails from reaching your users’ inboxes.

The only way forward, then, is to accept one simple truth – technology isn’t enough.

The End of “Awareness” Training

I’m going to hazard a guess and say that the last time you attended a security awareness training session, it was less than helpful.

Let’s be honest, the general standard of security awareness training across all industries is pretty poor.

But here’s the thing. The problem isn’t just with the standard of training, it’s with the whole concept. Improving security awareness among an organization’s users might seem like a sensible target, but it consistently fails to reduce real-world cyber risk.

Think about it like this.

We all know we should eat more vegetables and stop frequenting McDonald’s drive-throughs. But how often does that knowledge cause us to make the right dietary choices?

Judging by the obesity epidemic, not very often.

Now, if we want to see a marked reduction in cyber risk as a result of our security training, we’ll need to choose an entirely different focus: Not security awareness but security behaviors.

And since it turns out phishing is the single greatest threat facing organizations around the world, one security behavior in particular stands out.

Changing Email Behaviors

In basic terms, phishing emails are designed to do one thing: trick unsuspecting users into taking an action that in some way benefits the attacker.

To combat phishing, we’ll need to change the way users interact with their email inbox.

Now, you have to realize the average business user receives dozens of emails every day. As a result, most people aim to process their unread emails in the most efficient manner possible and naturally assume that any email finding its way into their inbox is legitimate. Each individual user will have their own set of unconscious processes for managing their email inbox, which over the course of tens of thousands of repetitions have become enshrined as unconscious habits.

Naturally, conditioning your users to change these habits is not going to be possible using the standard annual security awareness training format. Instead, you’ll need to incorporate your training into your users’ standard working day.

Operation: Phish

How, then, should you go about reconditioning your users’ email habits? Simple: Develop your own realistic phishing simulations, and send them to your users on a regular basis.

Yes, to be clear, I recommend phishing your own users.

Now before you start wantonly flooding your users’ inboxes with complex phishing lures, there are a few important considerations. For starters, this is not something you can rush into and expect to see results.

If you want to see genuine, long-term improvements in your users’ email security behaviors, you’re going to need to adhere to a few core principles.

1) Executive Sign-Off Isn’t A “Nice to Have”

Realizing dramatic improvements to employee security behaviors isn’t going to happen overnight. Quite the opposite, in fact: you’ll need to be consistent and maintain your efforts over the long term. Yes, of course, you can expect to see substantial improvements within the first few months, but they will quickly disappear if you fail to stay consistent.

And how do you stay consistent? You make sure you have support from above, specifically in the form of agreed long-term funding. To be sure of this, you’ll need to develop a strong business case, accurately track ROI of the program and routinely provide senior management with clear performance reports.

2) Success Must Be Easy

If you think the goal here is simply to persuade users to delete suspicious emails, you are seriously missing a trick. What you really want is for your users to report suspicious emails whenever they arise, enabling you to identify and quarantine similar emails, tighten your technical security controls to catch similar phishing lures in the future, and build up a pool of real-world source material to aid in the production of future phishing simulations.

But here’s the thing. In order to achieve this, you’re going to need to make the reporting process as easy as it can possibly be. To that end, it would be wise to add a simple “report phishing email” button to your users’ email client.

3) Point-Of-Failure Training

When you initially launch your program, you’ll notice that your users improve very rapidly. At the same time, though, they’ll fail a lot in the beginning.

But failure isn’t a bad thing. All the time your users are correctly identifying phishing simulations, they aren’t really learning anything, they’re just showing you what they can do.

Each time one of your users fails a phishing simulation, they should immediately be sent to a relevant, multimedia training web page, which will educate them about the type of phishing email they have just been tricked by and help them to identify similar lures in future.

To really embed these lessons, you should also retest users within a week or so of their failed simulation. If certain users consistently fail both simulations, it may be worth following up with them personally.
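The reporting, point-of-failure and retest steps described above, together with the performance reporting that the executive sign-off step calls for, can be tracked in a few dozen lines. The following Python is an added example and is not code from the original article or from any product; the user names, campaign names, dates, lure-type training URLs and the exact seven-day retest window are all assumptions constructed for the example.

```python
"""Tracker for a simulated-phishing programme (added example, not the article's code).

Computes per-campaign click and report rates for management reports, records the
training page each failing user is sent to for the lure type they fell for,
schedules a retest within a week, and flags users who fail both the original
simulation and its retest for personal follow-up.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

RETEST_WINDOW = timedelta(days=7)  # assumption: retest exactly one week after a failure

# Hypothetical mapping from a campaign's lure type to the point-of-failure training page.
TRAINING_PAGES = {
    "credential-harvest": "https://training.example.invalid/lures/credential-harvest",
    "invoice-attachment": "https://training.example.invalid/lures/invoice-attachment",
}


@dataclass(frozen=True)
class Event:
    day: date
    user: str
    campaign: str
    lure: str                   # key into TRAINING_PAGES
    action: str                 # "sent", "clicked" (failure) or "reported" (success)
    retest_of: str | None = None  # campaign this one retests, if any


@dataclass
class UserRecord:
    clicked: list[str] = field(default_factory=list)        # campaigns failed
    reported: list[str] = field(default_factory=list)       # campaigns reported
    training_sent: list[str] = field(default_factory=list)  # pages sent at point of failure
    retest_due: date | None = None
    needs_follow_up: bool = False


def campaign_metrics(events: list[Event], campaign: str) -> dict:
    """Click and report rates for one campaign, for the regular performance report."""
    by_action = defaultdict(set)
    for e in events:
        if e.campaign == campaign:
            by_action[e.action].add(e.user)
    sent = len(by_action["sent"]) or 1  # avoid division by zero on an empty campaign
    return {
        "sent": len(by_action["sent"]),
        "clicked": len(by_action["clicked"]),
        "reported": len(by_action["reported"]),
        "click_rate": len(by_action["clicked"]) / sent,
        "report_rate": len(by_action["reported"]) / sent,
    }


def process(events: list[Event]) -> dict[str, UserRecord]:
    """Replay events in date order and apply the point-of-failure and retest rules."""
    users: dict[str, UserRecord] = defaultdict(UserRecord)
    for e in sorted(events, key=lambda ev: ev.day):
        rec = users[e.user]
        if e.action == "reported":
            rec.reported.append(e.campaign)
            if e.retest_of:            # passed the retest: nothing further is due
                rec.retest_due = None
        elif e.action == "clicked":
            rec.clicked.append(e.campaign)
            rec.training_sent.append(TRAINING_PAGES[e.lure])
            if e.retest_of and e.retest_of in rec.clicked:
                rec.needs_follow_up = True   # failed original and retest
                rec.retest_due = None
            else:
                rec.retest_due = e.day + RETEST_WINDOW
    return dict(users)


def follow_up_list(users: dict[str, UserRecord]) -> list[str]:
    """Users who failed both a simulation and its retest, for personal follow-up."""
    return sorted(u for u, rec in users.items() if rec.needs_follow_up)


# Constructed sample events: one campaign, one retest for the user who failed it.
SAMPLE_EVENTS = [
    Event(date(2024, 3, 4), "alice", "q1-invoice", "invoice-attachment", "sent"),
    Event(date(2024, 3, 4), "bob", "q1-invoice", "invoice-attachment", "sent"),
    Event(date(2024, 3, 4), "carol", "q1-invoice", "invoice-attachment", "sent"),
    Event(date(2024, 3, 4), "alice", "q1-invoice", "invoice-attachment", "clicked"),
    Event(date(2024, 3, 4), "bob", "q1-invoice", "invoice-attachment", "reported"),
    Event(date(2024, 3, 9), "alice", "q1-invoice-retest", "invoice-attachment", "sent", "q1-invoice"),
    Event(date(2024, 3, 9), "alice", "q1-invoice-retest", "invoice-attachment", "clicked", "q1-invoice"),
]

if __name__ == "__main__":
    print(campaign_metrics(SAMPLE_EVENTS, "q1-invoice"))
    print("personal follow-up:", follow_up_list(process(SAMPLE_EVENTS)))
```

The report rate, not just the click rate, is the number worth putting in front of management, because a rising report rate is the behaviour the programme is trying to build; the click rate alone says nothing about whether the users who did not click also did nothing.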

Persistence: The Number One Factor in Success

As you have no doubt already surmised, the phishing awareness training program I just described is about as far from the standard annual security awareness training program as you can possibly get. Instead of pulling users into a stuffy classroom once per year, you’ll be providing a much higher standard of training, regular real-world testing, and an opportunity for users to take an active role in the security of your organization.

At the same time though, this process never really ends. If you suddenly decide to shelve the program, you’ll find that within a few months your users are back to their old wicked ways.

And here’s another thing to consider. No matter how good your users get at identifying phishing emails, mistakes will always happen. People are not machines, and while you can certainly expect to reach a 98 or 99% success rate, you can never assume that 100% of phishing emails will be correctly identified and reported.

Naturally, then, I would never dream of suggesting that a program like this could replace the need for high-quality technical security controls and a professional, well-trained incident response team.

No, this has never been a case of “either-or”. Quite the opposite, if you are genuinely committed to securing your organization against the threat of phishing, you will need to combine a well-trained workforce with a powerful, well-provisioned security resource.


Modernizing #cybersecurity #training for the next #generation

Source: National Cyber Security – Produced By Gregory Evans


Equifax, Verizon, Molina Healthcare, Deloitte, Whole Foods, Wendy’s… it seems like every time we turn on the television another high-profile data breach is being reported. Despite an unprecedented number of security tools on the market, breaches are occurring at a record pace. According to the Identity Theft Research Center, the number of breaches for the first half of 2017 increased by 29 percent from the same time period during 2016.

If we have more tools available than ever, why does it seem that security practices are consistently failing? All signs point to one clear industry-wide problem — the growing cybersecurity workforce shortage. Security teams are understaffed, overwhelmed by alerts and challenged with managing growing security stacks without the time to adequately prepare for emerging threats.

According to the Center for Strategic and International Studies (CSIS) report, “Hacking the Skills Shortage,” 82 percent of respondents reported a shortage of cybersecurity skills within their organizations and one in four respondents stated their organizations were victims of cyber thefts of proprietary data due to a lack of qualified workers.

What is needed to address this shortage and better prepare teams for the rapidly evolving threat landscape? Industry analysts, such as Gartner, advocate moving toward “people-centric security,” which lessens organizations’ reliance on a massive stack of tools and a compliance checkbox mentality in favor of a more powerful human element in fending off attacks and reducing security errors.

With networks growing in complexity and new threats emerging at an unthinkable pace, it is imperative that organizations focus on core skills and address cybersecurity training as more than a compliance checkbox. It has become a business-critical investment.

Traditional versus next generation cybersecurity training

For most organizations, the training budget is generally allocated per person and used by individuals to attend a conference or classroom training event in order to learn about new threats and expand their skill sets. This frequently requires travel, which takes vital team members off the front lines for days at a time. Traditional training course updates are cumbersome and take time to publish. Other shortcomings involve retention and effectiveness. Research shows that individuals lose 90 percent of information within one week of traditional classroom training.

If we are to follow the guidance of industry experts and embrace people-centric security, a paradigm shift is required. The next generation of cybersecurity training must be agile enough to adapt to emerging threats. It should engage users in realistic environments through repetition and active learning principles, while utilizing features such as machine learning and artificial intelligence (AI) to quickly adapt content.

With the Internet of Things, hybrid cloud infrastructure and a growing demand for mobile enterprise applications creating more complex technology stacks, the element of realism is critical to preparing security teams. We would not expect a gold medal to be awarded to a swimmer who learns merely from videos and classroom conversation about the newest butterfly technique.

Olympians must practice those skills repetitively in a competition pool in order to be at peak condition for a race. Similarly, we cannot expect our cyber defense teams to learn only from traditional lecture-based training. Training with real-world tools in high-fidelity virtual environments against actual threat adversary malware is the future of cybersecurity training.

Next generation cybersecurity training utilizes a team approach

Training and workforce development must also be approached with a team perspective in mind. A soccer coach does not send players home individually to practice alone. The result would be a group of players with overlapping skills and no real understanding of plays or team strategy—in this case, the opponent would most certainly win.

Likewise, it is important for cyber teams to train together to defend against the top threats. Teams that consistently practice their skills, particularly incident response tactics and event handover, as an integrated team are more confident, quick and effective in their response to cyberattacks. Training as a team is further enhanced when using training platforms that replicate the organization’s environment, including realistic threat scenarios, network traffic and the tools cyber teams have each day at their disposal.

The team approach will also better engage team members when including the concept of gamification. Consider challenges that replicate real world attack scenarios with rewards for completion and improvement, or enable your red and blue teams to “face off” in order to spark excitement and make training more enjoyable. Earning skill points also serves as a mechanism to demonstrate proficiency that leads to better retention of these scarce professionals.

Training as a team also gives cyber team leaders a more thorough understanding of cyber readiness, including any skills gaps, which helps to guide future training efforts. This holistic view of readiness can help to identify areas of vulnerability as well as help guide strategic workforce development and technology purchases.

Introducing next generation cybersecurity training

As we move to the people-centric approach to security, chief information security officers (CISOs) should first look at the way their cyber team or teams are structured. Are they meeting all the important tasks/skills/roles recommended by the National Institute for Cybersecurity Training (NICE) Cybersecurity Workforce Framework and National Institute of Standards and Technology (NIST) Cybersecurity Framework? Where are there gaps and how can these gaps be addressed through cross-training existing team members? Look at existing training programs to determine if you are taking the team approach because now is the time to make the necessary changes to embrace the next generation of training.

Oftentimes, training budgets can be reallocated to allow for investments in technology that enables next generation cybersecurity training. When approaching senior leadership for additional funding, CISOs should use cyber readiness assessments to position training as a critical investment.

Final thoughts

Adversaries are well funded with time to develop threats that cripple unprepared organizations. The attacker only has to be right once, while understaffed security teams work tirelessly to protect their networks every day. As an industry, we must arm these cyber defenders with the skills they need to be successful.

By transforming the approach to training, we can more efficiently and effectively build a highly skilled cybersecurity workforce that is better prepared to address emerging threats in complex enterprise environments.


Why You Should Gamify Your Cybersecurity Training

Source: National Cyber Security – Produced By Gregory Evans

With big data breaches occurring almost weekly, companies are looking for ways to tighten up their cybersecurity training. Information security risks continue to evolve, and employees must be educated on the latest security vulnerabilities and encouraged to adapt their behaviors to address such exposures. The latest big data breach? Equifax….


Cyber Crime Training Law Enforcement – Seminar

Source: National Cyber Security – Produced By Gregory Evans


Course description: Law Enforcement Agents receive training every year from other law enforcement officers and outside consultants. In our technology-driven world, technology is ever-changing and therefore is the driving force of the content of this course. For this reason …


Study: Most Professional Training for Teachers Doesn’t Qualify as ‘High Quality’ – Teaching Now – Education Week Teacher

Only 20 percent of the professional development offered by districts meets the federal definition of “high quality” under the new Every Student Succeeds Act, according to researchers.


Cybersecurity Training and Policies Are Useless If Ignored


Source: National Cyber Security – Produced By Gregory Evans


There’s no question that there is a need for solid cybersecurity awareness training. Yet, how effective is it, really? A couple of studies I’ve seen recently make it seem like you can provide all of the cybersecurity education you want,
