I’ll be presenting a webinar on the use of social engineering in cyber attacks in February as part of ISACA’s CSX Cyber Security Series. See my blog post at ISACA for more details and to register.
Organizations battle daily with social engineering-based cyber attacks and unfortunately often find themselves on the losing side. What can be done? To answer that we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.
I’ll be discussing the above during an ISACA webinar on February 23, 2016. See this link for more info and to register.
The famous bank robber Willie Sutton, when asked why he robbed banks, reportedly stated “because that’s where the money is.” Today, if you ask a cyber criminal why they hack into businesses, they could just as honestly answer “because that’s where the money is.” Today it may not be cash walking out the door but credit card numbers, intellectual property, and fund transfer authorizations leaving over the network. Unfortunately, many businesses are coming to the realization that they haven’t identified their critical information, and they don’t know where their information assets are most vulnerable, how best to protect them, or how to detect and respond to attacks to limit losses. Symantec’s 2015 Internet Security Threat Report reported that 60% of targeted attacks struck small and medium businesses, due to their less robust security architecture. Of those small businesses subjected to a cyber attack, more than 50% will close within 6 months of the attack. Large businesses should take note as well, because many of these small and medium-sized business attacks were used as stepping stones to attack large businesses through trusted network connections. Clearly there is much more we need to do, and October is a great time to get more involved in making those around you aware of cybersecurity needs.
National Cyber Security Awareness Month began in October 2004, growing out of the awareness efforts of the National Cyber Security Alliance, working in conjunction with industry and Government partners. 2015 marks the 12th year that Cyber Security Awareness programs have been conducted across the United States during the month of October. The National Cyber Security Alliance and several partners have a large collection of information you can use at the individual and business level. Take a look and get involved. Here are two great places to start: www.dhs.gov/stopthinkconnect-toolkit & www.staysafeonline.org
If you were waiting for a reason to start, or breathe some new life into, your organization’s cybersecurity awareness program, this is for you.
Recognizing the importance of cybersecurity, October has been designated as National Cyber Security Awareness Month (NCSAM). It was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.
Since its inception in 2004, under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown rapidly, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation.
Consider these facts from the National Cyber Security Alliance:
- Over the last 12 months, hackers have exposed the personal information of 110 million Americans (roughly half of the nation’s adults)
- 9 out of 10 adults feel consumers have lost control over how personal information is collected and used by companies
- 6 out of 10 Americans “would like to do more” to protect their personal information online
The Better Business Bureau is participating in NCSAM in an effort to do its part to make the Internet safer for everyone in our community by offering a free program to help both consumers and businesses learn the risks, how to spot potential problems and how our online actions impact our safety. It will be held at UNO’s College of Business – Mammel Hall in the Marvin & Virginia Schmid Auditorium, 6708 Pine Street, Omaha NE on Thursday, October 1st from 8:00 am – 10:00 am. A continental breakfast is included from 8:00 am – 8:15 am.
This event will feature presentations by Steven Baker, director, Midwest Region, Federal Trade Commission; Kristin Judge, director, Special Projects, National Cyber Security Alliance; and Ken Schmutz, supervisor, Omaha FBI Cyber Security Task Force. A panel discussion and questions from the audience will follow their individual presentations. I’ll be moderating the program and am very much looking forward to the opportunity to hear what these experts have to share.
Space is limited and registration is required. To make reservations, please go to bbbinc.org and click on the “Cyber Security” image. For more information, call 402-898-8550 or 800-649-6714 #8550.
When you think about it, sometimes our attention gets locked on our risk assessment programs and we neglect our more fundamental risk management activities. Focus is typically good, but in this case overlooking, or rushing through, some initial aspects of risk framing can negatively impact the very same risk assessments you are attempting to focus on. Three areas are especially important:
- Incorporating cyber risk into your overall risk management program
- Ensuring you focus your program on the correct assets
- Implementing a balanced set of security controls
I’m going to be talking about this issue at the upcoming ISACA CSX Conference in October. ISACA has published my introductory thoughts on their ISACA Now Blog.
Speaking at the AFCEA luncheon at Offutt AFB tomorrow. I will be discussing framing risk. I think this step is often overlooked entirely or rushed through, to the detriment of an organization’s cybersecurity program’s effectiveness.
I’ll be presenting at the ISACA CSX Conference in October. I will be discussing some suggestions for actions executives can take to make their cyber risk program better integrated and more effective. We often focus on how to better patch vulnerabilities and conduct assessments, but we overlook gaps in the risk management function itself.
I had the opportunity today to sit on a cybersecurity panel discussion at the 2015 Great Plains Contingency Planners Seminar and Vendor Expo. Lots of great questions from the audience, especially related to social engineering threats. I would recommend everyone take a look at their cyber awareness program. A few key thoughts:
- Has your organization determined what it considers critical information that needs to be kept from non-employees? This could be intellectual property, it could be which vendors you use, it could be which days you run patches on your IT, or the web address for your remote VPN access. Once this information is determined, your workforce needs to be told not to share it directly with an outsider or post it on social media.
- Do you conduct training to teach employees how to recognize and respond to phishing emails? This could be conducted by your internal IT team or by vendors specializing in this service. A variety of tactics, regular events (monthly or quarterly), and feedback to employees are crucial to success.
- Establish a process for employees to report questionable activity. It may alert your security staff to the initial attempts to hack into your network.
Link to a recent ISACA blog posting I made with some of my thoughts on cybersecurity legislation currently being discussed in Washington.