Upcoming ISACA Webinar on Social Engineering

Organizations battle daily with social engineering-based cyberattacks and unfortunately often find themselves on the losing side. What can be done? To determine this we need to step back from our technological tools and start with the psychological basis of why social engineering works and why it is a tactic of choice for cyber attackers. Armed with that knowledge, organizations can begin to mount a more effective defense.

I’ll be discussing the above during an ISACA webinar on February 23, 2016. See this link for more info and to register.


October is National Cyber Security Awareness Month

If you were waiting for a reason to start, or breathe some new life into, your organization’s cybersecurity awareness program, this is for you.

Recognizing the importance of cybersecurity, October has been designated as National Cyber Security Awareness Month (NCSAM). It was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Since its inception in 2003, under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation.

Consider these facts from the National Cyber Security Alliance:

  • Over the last 12 months, hackers have exposed the personal information of 110 million Americans (roughly half of the nation’s adults)
  • 9 out of 10 adults feel consumers have lost control over how personal information is collected and used by companies
  • 6 out of 10 Americans “would like to do more” to protect their personal information online

The Better Business Bureau is participating in NCSAM to do its part to make the Internet safer for everyone in our community by offering a free program to help both consumers and businesses learn the risks, how to spot potential problems, and how our online actions impact our safety. It will be held at UNO’s College of Business – Mammel Hall in the Marvin & Virginia Schmid Auditorium, 6708 Pine Street, Omaha NE on Thursday, October 1st from 8:00 am – 10:00 am. A continental breakfast is included from 8:00 am – 8:15 am.

This event will feature presentations by Steven Baker, director, Midwest Region, Federal Trade Commission; Kristin Judge, director, Special Projects, National Cyber Security Alliance; and Ken Schmutz, supervisor, Omaha FBI Cyber Security Task Force. A panel discussion and questions from the audience will follow their individual presentations. I’ll be moderating the program and am very much looking forward to the opportunity to hear what these experts have to share.

Space is limited and registration is required. To make reservations, please go to bbbinc.org and click on the “Cyber Security” image. For more information, call 402-898-8550 or 800-649-6714 #8550.

Keys to Risk Management for the Executive at ISACA CSX Conference

When you think about it, our attention sometimes gets locked on our risk assessment programs while we neglect our more fundamental risk management activities. Focus is typically good, but in this case overlooking, or rushing through, the initial aspects of risk framing can undermine the very risk assessments you are trying to focus on. Three areas are especially important:

  • Incorporating cyber risk into your overall risk management program
  • Ensuring you focus your program on the correct assets
  • Implementing a balanced set of security controls

I’m going to be talking about this issue at the upcoming ISACA CSX Conference in October. ISACA has published my introductory thoughts on their ISACA Now Blog.


Omaha AFCEA Luncheon

I’ll be speaking at the AFCEA luncheon at Offutt AFB tomorrow, discussing framing risk. I think this step is often overlooked entirely, or rushed through, to the detriment of the effectiveness of an organization’s cybersecurity program.


ISACA CSX Presentation

I’ll be presenting at the ISACA CSX Conference in October, discussing some actions executives can take to make their cyber risk program better integrated and more effective. We often focus on how to better patch vulnerabilities and conduct assessments, but we overlook gaps in the risk management function itself.

Great Plains Contingency Planners Panel Discussion

I had the opportunity today to sit on a cybersecurity panel discussion at the 2015 Great Plains Contingency Planners Seminar and Vendor Expo. Lots of great questions from the audience, especially related to social engineering threats. I would recommend everyone take a look at their cyber awareness program. A few key thoughts:

  • Has your organization determined what it considers critical information that must be kept from non-employees? This could be intellectual property, which vendors you use, which days you run patches on your IT systems, or the web address for your remote VPN access. Once this information is identified, your workforce needs to be told not to share it directly with outsiders or post it on social media.
  • Do you conduct training to teach employees how to recognize and respond to phishing emails? This could be conducted by your internal IT team or by vendors specializing in this service. A variety of tactics, regular frequency (monthly or quarterly), and feedback are crucial to success.
  • Establish a process for employees to report questionable activities. It may alert your security staff to the initial attempts to hack into your network.