Apr 12 2016

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

Category: cyber security | DISC @ 3:30 pm

By Kelly Jackson Higgins

A new study reveals that none of the top 10 US university computer science and engineering degree programs requires students to take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students to take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. The higher-education gap in cybersecurity comes against the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency for organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World Report, Business Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students to take a cybersecurity course, CloudPassage’s study found. Among the top 10, three universities don’t offer cybersecurity courses even as electives.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 on that list), and Colorado State (#49) are the only top computer science programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked as a top computer science program by either US News & World Report or Business Insider, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to a lack of awareness of what security careers entail. Half of women ages 18 to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.


Awareness Gap

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.





Oct 02 2015

Cyber crime costs the global economy $445 billion a year

Category: cyber security, Cybercrime | DISC @ 3:06 pm

A new report – A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity – reveals that cyber crime costs the world $445 billion annually, with the top ten economies accounting for more than 50% of the costs. Since 2005 there have been 5,029 reported data breach incidents in the US alone, and at least 200 breaches in Europe involving 227 million records.

It is estimated that the average cost of a data breach is $3.8 million, which is up from $3.3 million a year earlier.

Source: A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty (AGCS)

Cyber risks are underestimated

Published by Allianz Global Corporate & Specialty (AGCS), the report warns that “cyber risk is the risk most underestimated by businesses” and asserts that “everyone is a target”.

73% of respondents to the Allianz Risk Barometer 2015 believe that underestimation of cyber risks is preventing companies from being better prepared for them. Other hindrances include budget constraints (59%), failure to analyze the problem (54%), IT infrastructure that is too sensitive for major changes (30%) and failure to identify the right personnel (10%).

The US shows higher levels of awareness of cyber risk due to having tougher legislation than other countries. The majority of US states require companies to notify individuals of a breach. Europe is heading in the same direction, with the European Union (EU) currently reviewing its data protection law and planning to introduce more stringent rules in terms of data breaches.

Data shows that cyber attacks are becoming more frequent and sophisticated. The number of detected cyber attacks was up by 48% in 2014 according to the Global State of Information Security Survey 2015.

In order to protect themselves from breaches, businesses should identify key assets at risk and make decisions as to what risks to accept, avoid, mitigate or transfer.

Future cyber risk trends

The AGCS report makes predictions that businesses will be increasingly exposed to risks from the supply chain and that we are yet to witness “a major cyber event of truly catastrophic proportions”.

Jens Krickhahn, practice leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe, explains:

“Business exchanges with partners are increasingly electronic.

“Even if a company is confident in its own IT controls, it is still exposed to cyber risk through its business partners, contractors and supply chains.”

The Internet of Things (IoT) is seen as one of the biggest factors that will change the face of cyber threats leading to interconnected risks. It will exacerbate vulnerabilities, bringing increasing potential for physical loss and data breaches.

ISO 27001 and cyber risks

Management of information security risks is at the core of ISO 27001, the international standard that sets out the specification for an information security management system (ISMS).

ISO 27001 requires compliant organizations to carry out risk assessments based on agreed criteria. The outcome of the risk assessment should enable the business to balance expenditure on controls against the business harm likely to result from security failures.
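The four treatment options named earlier in this post (accept, avoid, mitigate, transfer) and the cost-versus-harm balance that ISO 27001 asks for can be worked through concretely. The following Python script is an added example, not code from the AGCS report, from IT Governance or from ISO 27001 itself. The 1-5 likelihood and impact scales, the risk appetite threshold, the annualised loss expectancy arithmetic (ALE = SLE x ARO) and every register entry, control cost and insurance premium are assumptions constructed for illustration.

```python
"""Illustrative ISO 27001-style risk assessment and treatment selection.

Added example: the scales, thresholds and register entries below are
assumptions for illustration, not figures from any report or standard.
"""
from dataclasses import dataclass
from typing import Optional

# Agreed assessment criteria (assumed): 1-5 scales, and a risk appetite
# expressed as the highest likelihood x impact score the business accepts.
RISK_APPETITE = 6


@dataclass
class Control:
    name: str
    annual_cost: float
    # Fraction by which the control is expected to cut the annualised rate
    # of occurrence (ARO); 0.8 means the event becomes 80% less frequent.
    aro_reduction: float


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    sle: float        # single loss expectancy: cost of one occurrence
    aro: float        # annualised rate of occurrence: events per year
    control: Optional[Control] = None
    insurance_premium: Optional[float] = None

    def score(self) -> int:
        """Qualitative score against the agreed 1-5 x 1-5 criteria."""
        return self.likelihood * self.impact

    def ale(self) -> float:
        """Annualised loss expectancy before any treatment."""
        return self.sle * self.aro

    def ale_with_control(self) -> float:
        """ALE if the candidate control is implemented (ARO reduced)."""
        if self.control is None:
            return self.ale()
        return self.sle * self.aro * (1 - self.control.aro_reduction)


def treatment(risk: Risk) -> str:
    """Pick accept / mitigate / transfer / avoid using the agreed criteria.

    accept   : score within appetite, no spend justified
    mitigate : a control exists whose yearly cost is below the loss it prevents
    transfer : otherwise, insurance is cheaper than the expected annual loss
    avoid    : nothing cost-effective remains, so stop the risky activity
    """
    if risk.score() <= RISK_APPETITE:
        return "accept"
    if risk.control is not None:
        prevented = risk.ale() - risk.ale_with_control()
        if risk.control.annual_cost < prevented:
            return "mitigate"
    if risk.insurance_premium is not None and risk.insurance_premium < risk.ale():
        return "transfer"
    return "avoid"


# Constructed register entries (assumed figures, not from the report).
REGISTER = [
    Risk("customer database", "SQL injection via web app", 4, 5,
         sle=800_000, aro=0.25,
         control=Control("code review + WAF", 60_000, 0.9)),
    Risk("staff laptops", "loss of unencrypted device", 3, 3,
         sle=50_000, aro=1.0,
         control=Control("full-disk encryption", 5_000, 0.95)),
    Risk("marketing microsite", "defacement", 2, 2,
         sle=5_000, aro=0.5),
    Risk("legacy payment gateway", "card data breach", 4, 5,
         sle=2_000_000, aro=0.1,
         control=Control("re-platform", 400_000, 0.5),
         insurance_premium=120_000),
    Risk("end-of-life file server", "unpatched remote exploit", 5, 4,
         sle=300_000, aro=0.5,
         control=Control("vendor extended support", 200_000, 0.6),
         insurance_premium=180_000),
]


def assess(register=REGISTER) -> dict:
    """Return {asset: (score, ALE, treatment)} for every register entry."""
    return {r.asset: (r.score(), r.ale(), treatment(r)) for r in register}


if __name__ == "__main__":
    for asset, (score, ale, decision) in assess().items():
        print(f"{asset:24s} score={score:2d} ALE={ale:>12,.0f} -> {decision}")
```

The point of the ordering in `treatment` is that spend is only justified where it buys more than it costs: the microsite risk sits inside the appetite and is simply accepted, the two risks with cheap effective controls are mitigated, the gateway is insured because re-platforming costs more than it saves, and the file server is decommissioned because neither the control nor the premium is cheaper than the expected loss.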

Download IT Governance’s free green paper, Risk Assessment and ISO 27001, to learn more about managing cyber risks.


Tags: cyber attack, cyber criminals, cyber security, cyber threats, Cyber-warfare, Cybercrime


Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance, cyber security, Cybercrime | DISC @ 11:07 am

RESILIAℱ Cyber Resilience Best Practices

AXELOS’s new guide RESILIAℱ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

Cyber Resilience Best Practices is part of the AXELOS RESILIAℱ portfolio.

RESILIAℱ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  ‱ Aligned with ITIL¼, which is the most widely accepted service management framework. The best practice is equally suitable for adoption within other systems, such as COBIT¼ and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIAℱ Cyber Resilience Best Practices


Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002


Feb 09 2015

Cyber security safeguards offer much more than just protection

Category: cyber security | DISC @ 5:56 pm

What is most beneficial about cyber security safeguards? You will not only benefit from better protection of your own information; you will also gain a competitive advantage by demonstrating your cyber credentials.


For example, certification to ISO 27001 or evidence of compliance with the PCI DSS (for merchants and service providers) is often a tender or contractual requirement because it proves that an organization has been independently audited against internationally recognized security standards.

Those that implement an information security management system (ISMS) will benefit hugely from improved processes and control of data within the organization.

Furthermore, having demonstrable cyber security can also reduce your cyber security insurance premiums. And finally, it will reduce the likelihood of a successful cyber attack. That is a worthwhile improvement.


May 12 2014

Bestselling Books at Infosecurity 2014

Category: cyber security, Information Security | DISC @ 9:36 am

by Lewis Morgan @ITG

It has now been a week since Infosecurity Europe 2014. This year was my first at Infosec, and I found it to be one of the most interesting and diverse events I have ever been to.

During my short time on the IT Governance stand, I spoke to several people who were showing a keen interest in our wide range of books. It was a common opinion that our range of books is one of the broadest in the industry – something of which we are very proud.

To demonstrate our range of books and their popularity, we have created the list below of the 5 bestselling books at Infosecurity 2014*. All of the following books are available in multiple formats.

PCI DSS Pocket Guide

    A quick guide for anyone dealing with the PCI DSS and related issues. Now also covers PCI DSS version 3.0.

ISO27001 / ISO27002 Pocket Guide

    Now updated for the 2013 editions of ISO27001/ISO27002, this pocket guide gives a useful overview of two important information security standards.

Governance of Enterprise IT based on COBIT¼5

    A perfect introduction to the principles and practice underpinning the governance of enterprise IT using COBIT¼5.

Penetration Testing – Protecting Networks and Systems

    An essential guide to penetration testing and vulnerability assessment, which can be used as a preparation guide for Certified Penetration Testing Engineer exams.

Securing Cloud Services

    This book provides an overview of security architecture processes, and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud.

 

Tags: Certified Penetration Testing Engineer, Cloud computing, cloud computing security, London, Payment Card Industry Data Security Standard, Penetration test


Mar 28 2014

How organizations can handle cyberthreats

Category: cyber security, Cybercrime | DISC @ 12:13 pm

CyberWar, CyberTerror, CyberCrime and CyberActivism

Successful cyberattacks can damage your organization, no matter who is behind them

The goals of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker may not be the same – but the outcomes can be equally devastating. Each can cause serious challenges for your organisation, ranging from information theft and disruption of normal operations to loss of reputation or credibility.

Cyber security is much more than technology

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other known vulnerabilities will still allow hackers to easily break into a system that has not taken account of these factors.

CyberWar, CyberTerror, CyberCrime and CyberActivism encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to make the most of international standards and best practices to create a culture of cybersecurity awareness within their organizations that complements their technology-based defences.

A cyber aware workforce equals better security
This second edition takes a deep look at the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop, and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organisational culture that is more robust and better able to deal with a wider range of threats. Related references, as well as recommendations for additional reading, are included at the end of each chapter making this a valuable resource for trainers and researchers as well as cybersecurity practitioners.

Pre-Order this book today and see how international standards can boost your cyber defences. (download – Adobe, ePub, kindle)

About the author
Dr Julie Mehan is the Founder and President of JEMStone Strategies and a Principal in a strategic consulting firm in the State of Virginia. She has delivered cybersecurity and related privacy services to senior commercial, Department of Defense and federal government clients working in Italy, Australia, Canada, Belgium, and the United States. Dr Mehan is also an Associate Professor at the University of Maryland University College, specializing in courses in Cybersecurity, Cyberterror, IT in Organizations and Ethics in an Internet Society.

Comprehensive Cyber Security Risk Management Toolkit

 

Tags: CyberActivism, Cybercrime, CyberTerror, cyberwar


Mar 14 2014

Hacking Point of Sale

Category: cyber security, data security | DISC @ 9:28 am

A hands-on guide to achieve better security at point of sale

Hacking Point of Sale – A must-have guide for those responsible for securing payment card transactions. Hacking Point of Sale is a book that tackles the issue of payment card data theft head on. It covers everything from how attacks are structured, to the layout of magnetic stripe data, to point-to-point encryption, and much more.

Packed with practical recommendations, it goes beyond covering PCI DSS compliance to offer real-world solutions on how to achieve better security at point of sale.

Hacking Point of Sale…

‱A unique book on credit and debit card security, with an emphasis on point-to-point encryption of payment transactions (P2PE) from standards to design to application
‱Explores most of the major groups of security standards applicable to point of sale, including PCI, FIPS, ANSI, EMV, and ISO
‱Details how protected areas are attacked and how attackers find vulnerabilities.
‱Highlights ways of defending against attack, such as introducing cryptography to payment applications and hardening application code

An essential guide for security professionals who are charged with addressing security issues in point of sale systems.

Tags: debit card, Information Security, Payment card industry, Payment Card Industry Data Security Standard, Point of sale


Feb 18 2014

Comprehensive Cyber Security Risk Management Toolkit

Category: cyber security, Security Risk Assessment | DISC @ 11:30 am

Govern and manage Cyber Security risk with this unique comprehensive toolkit suite

 

There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.

‱ PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
‱ ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
‱ The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
‱ Ten Steps to Cyber Security is the methodology developed by the UK Department for Business, Innovation and Skills (BIS) to help organizations of all sizes secure their cyber defenses;
‱ ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.

Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkit’s modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.

This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.

Included in this comprehensive toolkit suite is:

Tags: Cloud Security Alliance, ISO/IEC 27001, National Institute of Standards and Technology, Risk management


Jan 31 2014

How to Achieve Cyber Resilience

Category: cyber security | DISC @ 1:09 pm

Becoming cyber resilient will give your organization the best chance of defending itself against and surviving from cyber attacks.

What does ‘cyber resilience’ mean?

Cyber resilience is the ability to repel cyber attacks while protecting critical business assets, rapidly adapting and responding to business disruptions, and maintaining continuous business operations.

So how do I become Cyber Resilient?

IT Governance has developed a 7-step approach to achieving cyber resilience.

Cyber Resilience Core Standards Kit

These standards will help you to implement a management system that will allow you to take advantage of the opportunities associated with operating in cyberspace whilst mitigating the threats and risks.
Includes the information security standards ISO27001 and ISO27002 and the business continuity standards ISO22301 and ISO22313.

 

Build your knowledge of these key areas and be ready to help deliver your organization’s cyber resilience strategy

Developing knowledge of the best practice advice and guidance in the key standards ISO27001 & ISO22301 is key to delivering a successful cyber resilience strategy. Whatever your preferred method of learning, IT Governance have the products to help build the knowledge and skills you need.

An Introduction to Information Security and ISO 27001 (2013) – Written by acknowledged ISO27001 expert Steve Watkins, this pocket guide introduces the principles of information security management and ISO27001. This guide will help you understand how to start planning a project to implement effective, reliable and auditable systems.

ISO22301: A Pocket Guide – This pocket guide will help you understand the international business continuity standard, and provides guidance on the best way to implement a fit-for-purpose BCMS.


Oct 18 2013

10 Steps To Assess Cyber Security Risk

Category: cyber security, Risk Assessment | DISC @ 9:00 pm

October is National Cyber Security Awareness Month and it is an opportunity to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has to play a role in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation — from government and law enforcement to the private sector and most importantly, the public.

National Cyber Security Awareness Month

A cyber security risk assessment is necessary to identify the gaps in your organisation’s critical risk areas and determine actions to close those gaps. It will also ensure that you invest time and money in the right areas and do not waste resources where there is no need for it.

Even if you have implemented an ISO 27001 Information Security Management System, you may want to check if your cyber security hygiene is up to standard with the industry guidelines. 

Cyber Security ToolKit  | Cyber Security Standards | Cyber Security Books

Cyber security risk assessment:

Use qualified in-house staff or an experienced consultant who will work with your team to examine each of the ten risk areas (described below) in sufficient detail to identify the strengths and weaknesses of your current security posture. This information can be consolidated into an immediately usable remediation plan that will help you close the gap between what you are actually doing and recognized good practice, and will enable you to ensure that your cyber risk management at least matches minimum industry guidelines.

The ten risk areas that will be examined are:

1. Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?

2. Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?

3. Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training programme? Do you have a method of maintaining user awareness of cyber risks?

4. Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?

5. Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?

6. Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyze network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?

7. Do you have a technical vulnerability patching program in place, and is it up to date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorized devices, and do you have a defined baseline build for all devices?

8. Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?

9. Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorised or malicious content? Do you monitor and test security controls?

10. Do you have an incident response and disaster recovery plan? Is it tested for readily identifiable compromise scenarios? Do you have an incident forensic capability, and do you know how to report cyber incidents?


Aug 15 2013

Cyber Security Governance & Risk Management Toolkit

Category: cyber security | DISC @ 9:56 am

The threat from cyber space is real and growing.
To strengthen cyber security in your organization, there are several frameworks you can adopt:

‱ ISO/IEC 27001
‱ ISO/IEC 27032
‱ PAS 555
‱ the BIS Ten Steps to Cyber Security
‱ the Cloud Security Alliance’s Cloud Control Matrix

These standards and guidance offer, between them, a comprehensive cyber security umbrella for your organization.

This is the only toolkit to consolidate the advice from the five leading approaches to managing cyber risk into a single, robust framework, and is made up of:

  • ISO27001 Documentation Toolkit – which will enable you to achieve external certification.
  • Independently developed Cyber Security Documentation – offering the guidance you need to put in place effective processes to achieve cyber resilience.
  ‱ Documentation drawing on PAS 555, BIS Ten Steps, Cloud Controls Matrix and ISO27032 – extending the controls contained in ISO27001 and enhancing the benefits of implementing an ISO27001 ISMS.
  • Cyber Security Framework Matrix – efficiently mapping the five separate approaches to a single comprehensive, robust, framework.
  • Bring Your Own Device (BYOD) Toolkit – these templates will enable your organization to benefit from improved productivity, reduced capital expenditure and a better work life balance for employees.

The Cyber Security Governance & Risk Management Toolkit consolidates the advice from these five leading approaches to managing cyber risk into a single, robust framework.


Get your copy and start your cyber resilience project today!

Cyber Security Governance & Risk Management Toolkit


Jul 22 2013

Your employees aren’t the only threat to InfoSec and Compliance

Category: cyber security, Information Security | DISC @ 1:18 pm

July 22nd, 2013 by Lewis Morgan 

I overheard a conversation the other day, one which left me so stunned that I’ve decided to write about it.

Two men having dinner behind me (I got the impression they were both directors) were discussing the £200k fine the NHS received for losing patient data. Eventually, the conversation turned into a discussion about information security as a whole. I won’t go into all the details, but one of them said, “We don’t particularly focus on cyber security; it’s always large organisations which are in the news about getting hacked, and being a small company, we’re not under threat”. It bothered me (probably more than it should have) that someone in control of an organisation has that attitude to cyber security. If an organisation of 5 employees was hacked the same day as, let’s say, DELL was hacked, who’d make it into the news? DELL would. Why? Because it’s likely to be of more interest to the readers/listeners and will have a bigger impact on the public compared to that of the smaller organisation.

I never see stories in the news of someone being hit by a bus in my local town, but it doesn’t mean I’ll walk in front of one holding a sign saying ‘hit me’. That’s effectively what this director is doing, turning a blind eye to a large threat just because he’s not seen an example of a small organisation being hacked – chances are he doesn’t even read the publications which cover those stories.

Ignorance

It’s a strong word, isn’t it? Personally I hate calling people ignorant, I’d rather use a more constructive word such as ‘unaware’, but I feel that using the word ignorance will raise some eyebrows.

As a director of a company, your aim is to maximise revenue, minimise costs and anything in between.

You need a future for your organisation; this is usually done by investing in your marketing efforts, improving your products/services and providing the best customer service possible. But what do you do to actually secure a future? It’s all good and well having a 5 year plan which sees 400% growth in revenue, but how do you make sure that your organisation will even exist in 5 years?

2 years into your plan and you’re hitting your targets – but you’ve just discovered that there’s been a data breach and your customers’ credit card details have been sold online.

Your plans have now become redundant; depending on how prepared you are to handle the situation, so are your staff. The cost of recovering from a data breach for a small organisation is between £35–65K (and that’s not including fines). Can your organisation afford that? Probably not, but you could have afforded the costs which would have prevented this breach in the first place.

Let’s say that the breach happened because a new member of staff was unaware that they shouldn’t open emails in the spam folder. An email was opened, malicious software was installed and login credentials were stolen. You could have trained that member of staff on basic information security in under an hour, for £45. But instead, you chose to ignore your IT Manager, who’s been raising spam issues at each monthly meeting; all you chose to hear was “we’ve not been hacked” and “invest”, which was enough for you to move on.

What your IT Manager is really telling you is “We’ve recently been receiving a large amount of emails into our spam filter, and some are getting through. I think we need to invest in a more advanced spam filter, and perhaps train some of the staff on which emails to avoid. A virus from an email could lead to a hack, it’s not happened yet but there’s a chance it will.”

Forget blaming the IT Manager or the new member of staff when that breach happens, it comes down to you and your:

  • Inability to perceive cyber threats
  • Grey areas in appropriate knowledge
  • Naivety
  • Overhead cost restrictions
  • Refusal to listen to something you don’t understand
  • Absent mindedness
  • No interest in the customer’s best interests
  • Careless decisions
  • Eventual disaster

Cyber security threats are real, so why are you ignoring them?

To save money? Tell that to a judge

Introduction to Hacking & Crimeware

You don’t understand the threats? Read this book


Tags: Computer security, data breach, Email spam, hackers, Information Security, Malware


Jul 15 2013

Boardroom Cyber Watch Report 2013

Category: cyber securityDISC @ 9:23 am


Download the ‘Boardroom Cyber Watch Report 2013’ Free!

  • Almost 75% of respondents say their customers prefer to deal with suppliers with proven IT security credentials;
  • 50% say customers have enquired about their company’s security measures in the past 12 months.


The ‘Boardroom Cyber Watch 2013’ is the first survey IT Governance has undertaken which specifically targets chief executives, board directors and IT professionals. Our aim is to shine new light on how company directors and board members currently perceive IT security issues as well as to provide them with practical guidance on how to address these challenges.

Boardroom Cyber Watch Report 2013

Price: FREE PDF Download


Tags: Canadian Cyber Incident Response Centre, Computer security


Jun 05 2013

CyberWar, CyberTerror, CyberCrime

Category: cyber security,CybercrimeDISC @ 10:14 am


Cyber wars between companies, hacker groups and governments can force entire countries to a standstill. A lone, but sophisticated, hacker can bring global organisations to their knees from just an internet café. The threat isn’t even entirely external; perhaps the greatest threat sits uncomfortably in plain sight – from inside your staff. Arm yourself with the top cyber security titles:

CyberWar, CyberTerror, CyberCrime

This book is written by Dr Julie Mehan who is a Principal Analyst for a strategic consulting firm in the State of Virginia. She has been a Government Service employee, a strategic consultant, and an entrepreneur – which either demonstrates her flexibility or inability to hold on to a steady job! Until November 2007, she was the co-founder of a small woman-owned company focusing on secure, assured software modernization and security services. She led business operations, as well as the information technology governance and information assurance-related services, including certification and accreditation, systems security engineering process improvement, and information assurance strategic planning and programme management. During previous years, Dr Mehan delivered information assurance and security-related privacy services to senior department of defence, federal government, and commercial clients working in Italy, Australia, Canada, Belgium, and the United States.

Here are the contents of this book.

The world is becoming ever more interconnected and vulnerable, as has been demonstrated by the recent cyber attacks on Estonia. Thus stringent and comprehensive methods for combating cyber crime and terror have never been needed more than now.
Information security should not be an afterthought. It should be ingrained into the organisation’s culture. This book will help you create this forward-thinking culture using best practices and standards.
Key Features:

  • Straightforward and no-nonsense guide to using best practices and standards, such as ISO 27001, to instil a culture of information security awareness within an organisation.
  • Distils key points on how to use best practices and standards to combat cyber crime and terror.
  • The information within the book is presented in a straightforward and no-nonsense style, leading the reader step-by-step through the key points.

What other people say about this book:

“So what you have in CyberWar, CyberTerror, CyberCrime is a skillful blend of very readable, at times even entertaining and certain to stimulate introspection, guidance on just why and how cyber security is important to every organization connected to the internet – try to name one that is not. I would bet that truly effective leaders will purchase multiple copies and circulate CyberWar, CyberTerror, CyberCrime throughout the entire organization.”

Leonard Zuga, Partner, Technology and Business Insider (TBI)

“This book is a good basis for a security roadmap. It’s well researched and well written.”

Peter Wood, Chief of Operations at First Base Technologies


“This is a book that I will look forward to using to enhance both my undergraduate and graduate instruction in information security.”

Dr Bob Folden, Assistant Professor, Business Administration and MIS, Texas A&M University – Commerce


“This is an interesting book that introduces the reader to the security of the Internet industry, goes into some details on how some abuse it. This is a very good book. You will enjoy it.”

Jerome Athias, Computer Security Researcher


May 21 2013

Cyber Security Risk Governance and Management

Category: cyber securityDISC @ 11:33 am


PAS 555 – Cyber Security Risk Governance and Management


What does effective cyber security look like?

The many standards and sources of best practice on cyber security tend to focus on delivery (the how).

PAS 555:2013 is the new Cyber Security Risk Governance and Management standard, and details what effective cyber security looks like (the what).

PAS 555:2013 Cyber Security Risk Governance and Management

PAS 555 is intended for use by any organization that wishes to gain confidence in its management and governance of cyber security. Any organization, irrespective of its size, type, nature of business or location, can adopt PAS 555.

Simply buy the standard and get started with delivering effective cyber security today!


Apr 23 2013

Cyber Security and Risk Assessment

Category: cyber security,Security Risk AssessmentDISC @ 9:19 am

Cyber security is the protection of systems, networks and data in cyber space.

If your system is connected to the internet, you should know and understand the risks of cyber space in order to take appropriate countermeasures.

To understand the risks of cyber security, the first place to begin is with a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provide handy step-by-step guidance on how to undertake a risk assessment. As we said, a security risk assessment is an important first step to assess risks, but the second step of mitigating those risks in a timely manner is crucial to protect your information assets.

Once you understand what the risks to your business are, you can then decide how to mitigate those risks based on your organization’s risk acceptance.

Tools and techniques which work in mitigating cyber risks

The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of today’s cyber-attacks:
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management

Build resilience into your information security management system (ISMS) to cope with the other 20% of the risk.

The authors of Hacking Exposed 7 cover the latest methods used by third parties to gain (logical or physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks.

Tags: Computer security, cyberwarfare, Information Security, Information Security Management System, Risk Assessment, Risk management


Apr 15 2013

Implications of becoming a cybersecurity victim

Category: cyber securityDISC @ 7:17 pm

What are the potential implications of becoming a cybersecurity victim?

  • PWC/DTI Information Security Breaches Survey 2012
    • 93% of large businesses suffered a security incident last year
    • Average cost of the worst incident for a large business: £110k to £250k
    • The average large organisation had 71 security breaches in the previous year, up from just 45 two years previously.
  • National High Tech Crime Unit survey 2004
    • Of 201 respondents, 167 (83%) experienced high-tech crime in 2003
    • Impact of these crimes > £195 million

Online, Keep Safe Resources

Below are some free online resources which any smaller business or home owner will find useful:

Safeguard your computer

* Workstations should be set up in a secure, clean, calm, stable environment.

* Don’t have loose cables that might be a safety hazard; tripping over a cable could pull it out of the computer.

* Always log out of and shut down Windows, and switch your computer off when it’s not in use.

* The biggest risk associated with laptops (also known as notebooks) is, in fact, the loss or theft of the laptop.

The Essential Guide to Home Computer Security

Tags: Computer security, National Institute of Standards and Technology


Mar 06 2013

Your Cyber Security Project

Category: cyber securityDISC @ 12:04 pm

by James Warren

Internet technologies have revolutionised the way that business is conducted but these innovations expose your business to various cyber security risks.

Inadequate security can lead to the theft of customer data and, in the event of technological failure or a cyberattack, your business could lose its ability to function altogether. An effective risk management strategy is, therefore, vital to your company’s survival.

Cyber Security Risks for Business Professionals: A Management Guide

A general guide to the origins of cyber security risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them.

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks. As the leading provider of cyber security products and services, ITG can help you with any aspect of your project:

  • ITG publishes books and documentation toolkits and sells the full range of cyber security standards, saving you the hassle of shopping around;
  • ITG is responsible for the world’s first certificated programme of ISO27001 education, offering delegates the opportunity to help their organisation achieve compliance and best practice and attain an industry-standard qualification;
  • ITG has created a comprehensive range of staff awareness solutions, an often overlooked element of a well-implemented IT project;
  • ITG’s industry-leading software tools, developed with your needs and requirements in mind, make Information Security Risk Management straightforward and affordable for all;
  • And ITG’s team of expert consultants are on tap to help you along the way. From an hour of live-online consultancy or a gap analysis to full certification projects, ITG focuses on transferring knowledge and skill to you and your people, so that you can continue meeting compliance targets after the initial implementation period ends.

Cyber Security Risks for Business Professionals: A Management Guide  >> ITG | eBay | Amazon

Tags: Computer security, cyber security, Information Security, ISO/IEC 27001, Risk management


Jan 23 2013

How public distrust is affecting cyber security strategies

Category: cyber securityDISC @ 11:44 am

According to this article published in SC magazine ’80 per cent of the UK public implicitly do not trust organisations to keep their data safe; with nearly half (41 per cent) feeling that it has become inevitable their data will be compromised by hackers.’ Do your stakeholders trust you?

Consumer confidence in cyber security has clearly eroded over the past couple of years, and there is an urgent need for organisations of all industries, whether public or private, to reassure consumers they are capable of…
How public distrust is affecting cyber security strategies

Cyber Security Strategy Titles

Tags: Computer security, Fire and Security, Government Communications Headquarters, Government of the United Kingdom, Minister for the Cabinet Office


Dec 04 2012

Advanced Persistent Threats are the main challenge for businesses

Category: cyber security,ISO 27kDISC @ 11:27 am

Advanced Persistent Threats are the top infosecurity challenge for businesses in 2013

Mitigating Advanced Persistent Threats (APTs) is going to be a main challenge and should be the highest of information security priorities for businesses in 2013, according to governance, risk management and compliance firm IT Governance.

The latest APT threats should be taken into account in an organization’s risk assessment process and, depending on the current vulnerabilities, these threats should be treated based on the organization’s risk appetite. Risk appetite, or risk threshold, is where an organization draws the line between accepting and treating any given risk to the organization.

Alan Calder, Chief Executive of IT Governance, says: “Today, through benign neglect, staff carelessness or insufficient preparation, every business, large and small, is vulnerable to cyberattack. ITG Top 10 identifies the biggest online threats to your business in the coming year and shows how you can tackle these.”

1. Advanced Persistent Threats: APTs refer to coordinated cyberactivities by sophisticated criminals and state-level entities. With the aim of stealing information or compromising information systems, these target governments and corporations which have valuable intellectual property. By their very nature, manufacturing and the high-tech, oil and gas, finance and pharmaceutical industries all come under the greatest threat of attack by APTs. While there’s no single, stand-alone solution, coordinated and integrated preparations can help you rebuff, respond to and recover from possible attacks. Adopting ISO27001, the best practice infosecurity standard, is the most practical way for companies to develop and implement a tailor-made and comprehensive cybersecurity management system to counter the APT threat.

2. Cyberwar: Cyberespionage and cyberterrorism have become a major threat to UK and US governments. In the form of high-profile malware attacks, state-backed entities are seeking commercial advantage against international competitors, as well as preparing for a new front in modern warfare. China is the best known example of a state believed to engage in such activities, so much so that many larger corporations now forbid employees from taking their laptops on business trips into China for fear of data loss. Effective, enterprise-wide cyber-defence must therefore be in place at all levels, to provide strategic, tactical and operational protection, alongside linkages between operational management, operational processes and technical controls.

3. Cybercrime: As opposed to APTs or cyberwar, cybercrime is a threat to every individual and organisation, no matter how small. Cybercriminals exploit modern technologies in order to commit criminal activities, ranging from identity theft to the penetration of online financial services. All businesses should implement an integrated cybersecurity strategy which, among other issues, ranges from securing your cyber-perimeter to making sure that your staff are trained to recognise and respond to social engineering attacks and follow a well-thought-out social media strategy.

4. Personal data protection: 2012 has seen a slew of data breaches involving the theft of customers’ personal information. This trend will continue unless businesses change their approach to handling personal data. The proposed new EU Data Protection regulation aims to strengthen individual rights and tackle the challenges of globalisation and new technologies. The EU Commission is also putting pressure on businesses to tighten information security measures. Again, the most logical and sensible way to do this is via ISO27001 implementation and certification.

5. Mobile security: USB devices, laptops, tablets and mobile phones make it very easy for employees to transport massive amounts of information out of the door – potentially to your rivals. Also, whenever employees save username and password data onto their mobile devices, they make it exceptionally easy for fraudsters to crack the passwords of a range of applications, thereby increasing cyber risk. All confidential information stored on these devices must be encrypted to avoid data breaches as a result of theft or loss.

6. Data security: Given that many data breaches are due to human error, insider threats play a significant role. Continuous staff awareness training is essential, but companies also need to manage access to data as part of the overall information security management system. For example, restrict access to people with a ‘business need to know’, or set up a unique ID for users which, combined with logging and audits, protects against the ‘insider’.

7. Bring Your Own Device: BYOD policies are becoming the norm at a growing number of both companies and state organisations. Protecting and controlling company data on your staff’s personal mobile devices poses a stiff challenge – best answered by implementing a mobile device management policy.

8. Identity theft: Identity fraud, which involves someone pretending to be somebody else for financial or other gain, is rife. We all need to be aware of ‘phishing’ and ‘pharming’ emails, but we also need to be wary of how we use social media and how much personal information we provide. Antivirus software and spyware removal software alone cannot protect against these attacks. Effort also needs to go into user education to cut exposure to risk.

9. Payment Card Security: Ever-growing numbers of payment cards are being threatened as a result of the migration of payment apps onto mobile devices. Companies should apply regular website security testing, known as ‘vulnerability scanning’, which should be conducted by qualified ethical hackers. It’s also important to regularly apply all relevant patches, and to have a basic understanding of common hacking techniques and new threats and computer viruses.

10. Cloud continuity and security: If you are using a Cloud provider for mission-critical applications and data storage, check the contract carefully. What security policies does the provider have in place? Do they have ISO27001 certification? Evaluate the risks of using a Cloud provider and make them part of your own information security management system.

Tags: Advanced persistent threat, APT, Corporate governance of information technology, Information Security, iso 27001, threat

