Aug 29 2023

Cyber Security Awareness

Category: Security Awarenessdisc7 @ 11:21 am

Cyber Security Awareness: Employee Handbook

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Security Awareness


Aug 11 2023

8 free cybersecurity documentaries you can watch right now

Category: cyber security,Security Awarenessdisc7 @ 9:18 am
A hacker shares his biggest fears (2021)

A white hat hacker, with over 30 years of experience as a cybersecurity analyst at a major Silicon Valley company, talks about why he turned his back on black hat hacking for the greater good. He talks about the reality of just how vulnerable our systems are – from the very real threat of hackers taking the American power grid or medical facilities offline to how easily accessible our private information is to anyone with Wi-Fi and some time on their hands.

Behind the booming ransomware industry: How hackers hold businesses hostage (2021)

The number of businesses falling victim to ransomware attacks each year is snowballing. Hackers have realized how lucrative these attacks are, with ransoms in the millions regularly being paid out. This documentary examines how hackers make their money and how much a victim can lose. Cyber security experts tell us how cybercriminals carry out the attacks and who is helping them.

Critical digital infrastructure: Why societies are becoming so vulnerable to cyberattacks (2022)

For weeks, a cyberattack paralyzed the German district of Anhalt-Bitterfeld in 2021, bringing its whole administration to a standstill. It was a stark illustration of how hackers can knock out entire communities in milliseconds — and how digital technology has become vital for running our societies. DW investigates how a criminal industry makes billions by taking computers hostage — and how governments can use similar methods as a political weapon.

Drones, hackers and mercenaries (2021)

A shadow war is a war that, officially, does not exist. Shadow wars are rising as mercenaries, hackers, and drones take over the role armies once played. States are evading their responsibilities and driving the privatization of violence. War in the grey zone is a booming business: Mercenaries and digital weaponry regularly carry out attacks while those giving orders remain in the shadows.

How cybercrime has become organized warfare (2023)

Millions of Australians have had their data stolen in malicious attacks, costing some businesses tens of millions of dollars in ransom. Four Corners investigates the cyber gangs behind these assaults, cracking open their inner operations and speaking to a hacker who says he targets Australians.

The Dark Web (2019)

Look behind the cheerful veneer of social media, communication apps, and platforms that have made our lives easier and more connected, and you’ll find criminals using the same apps and platforms to run illicit and dangerous activities.

The Digital Threat To Nations (2020)

Singapore aims to be a “Smart Nation” but the more it depends on IT, the more it opens itself to cyber threats. This is the cybersecurity dilemma. Explore global incidents of cyber espionage, disinformation, disruption and pandemics and how they endanger nations.

21st Century Hackers (2021)

In this documentary, learn about white hat hackers, and the U.S. Secret Service’s cybercrime division working to protect us from the risks associated with persistent connectivity.

The rise of cyber conflict as the primary way nations now compete and sabotage each other.

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: cybersecurity documentaries


Jul 25 2023

Lack of resources to security pose a risk?

Category: Information Security,Security Awarenessdisc7 @ 4:01 pm

The lack of resources can pose significant risks to security in various contexts, including personal, organizational, and national security. Here are some ways in which a lack of resources can impact security:

  1. Cybersecurity: Inadequate resources for implementing robust cybersecurity measures can make systems and networks vulnerable to cyber threats. Without sufficient investments in cybersecurity tools, training, and personnel, organizations and individuals may become easy targets for cyberattacks, data breaches, and hacking incidents.
  2. Physical Security: Insufficient resources for physical security measures, such as access control systems, surveillance cameras, and security personnel, can lead to vulnerabilities in critical infrastructure, public spaces, and private properties. This could result in increased risks of theft, vandalism, and unauthorized access.
  3. National Security: Nations with limited resources may struggle to maintain a strong defense posture. A lack of funding for military and intelligence agencies can hinder efforts to protect against external threats, terrorism, and cyber warfare, potentially compromising national security.
  4. Emergency Preparedness: When resources are scarce, emergency services and disaster response teams may face challenges in adequately preparing for and responding to crises. This can exacerbate the impact of natural disasters, pandemics, or other emergencies, potentially putting lives and property at risk.
  5. Personal Safety: On an individual level, lack of resources can jeopardize personal safety. For example, individuals living in impoverished or unsafe neighborhoods may not have access to adequate home security systems, leading to increased risks of burglary and assault.
  6. Public Health: In the context of public health, insufficient resources for medical facilities, research, and disease surveillance can hinder efforts to detect and respond to health threats effectively. This was particularly evident during the COVID-19 pandemic when some regions struggled to provide sufficient medical equipment, testing, and healthcare resources.
  7. Information Security: In organizations, a lack of resources for employee training and awareness programs can result in employees being unaware of security best practices. This can lead to accidental data leaks, falling for phishing scams, or other security breaches caused by human error.

To mitigate these risks, it’s crucial for individuals, organizations, and governments to recognize the importance of investing in security measures and resource allocation. Proactive planning and strategic allocation of resources can help strengthen security and reduce vulnerabilities in various domains.

InfoSec books | InfoSec tools | InfoSec services

Tags: Cyber risk


Jun 14 2023

Building a culture of security awareness in healthcare begins with leadership

Category: IT Governance,Security Awarenessdisc7 @ 3:25 am

With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.

In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.

The healthcare industry faces unique security challenges, especially with the increasing interconnectivity of systems. How important is it for organizations to obtain vendors who understand healthcare-specific security requirements?

Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.

If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.

Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.

How would you approach implementing a security program within a healthcare organization that meets the legal requirements and industry standards and goes beyond them to ensure maximum protection? What key elements or components should be included in such a program?

A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.

An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.

The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.

Considering the recent trends in cybersecurity, such as the rise of cloud computing and remote work, what considerations should healthcare organizations keep in mind to maintain a strong security posture? How can they balance convenience and accessibility with the need for robust security measures?

Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.

Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.

The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).

How can healthcare organizations foster a culture of security awareness among their employees?

It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:

  • Establish a consistent awareness communication program, with friendly trainings and succinct reminders about security controls.
  • Ensure that security is considered at the first stages of any material initiative having to do with data or technology (this is “security-by-design” operational principles). Your security team needs to be a partner in business enablement.
  • Ensure the security team is proactive and available to other departments to ensure a clear line of sight where questions may arise. Expect your security department to be available and responsive.
How do you see the future of cybersecurity in the healthcare industry? What emerging technologies or trends do you believe will shape the landscape, and what steps should organizations take to prepare themselves for these changes?

Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.

Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.

Security Awareness Program Builder: Practical guidelines for building your Information Security Awareness Program & prep guide for the Security Awareness and Culture Professional

InfoSec tools | InfoSec services | InfoSec books

Tags: culture of security awareness, Security Awareness Program


Mar 26 2023

9 addictions you must break to become your better self

Category: Security AwarenessDISC @ 12:29 pm

Master Your Emotions: A Practical Guide to Overcome Negativity and Better Manage Your Feelings 

Tags: Emotions, Life awareness, Negativity


Mar 15 2023

Self-paced online training InfoSec courses

Category: Security Awareness,Security trainingDISC @ 12:40 pm

Whether your looking to develop a career in data privacy or cybersecurity, we have the perfect training solution for you! Pick bestselling ITG self-paced online training courses today and receive 15% off till March 31st 2023

Self-paced online training courses

Business Continuity Management Lead Implementer Self-Paced Online Training Course  Business Continuity Management Lead Implementer Self-Paced Online Training CourseCalifornia Privacy Rights Act (CPRA) Foundation Self-Paced Online Training Course California Privacy Rights Act (CPRA) Foundation Self-Paced Online Training Course
Certified Cybersecurity Foundation Self-Paced Online Training Course Certified Cyber Security Foundation Self-Paced Online Training CourseCertified ISO 27001:2013 ISMS Lead Implementer and ISO 27001:2022 Transition Self-Paced Online Training Package Certified ISO 27001:2013 ISMS Lead Implementer and ISO 27001:2022 Transition Self-Paced Online Training Package
Certified ISO 27001:2022 ISMS Foundation Self-Paced Online Training Course Certified ISO 27001:2022 ISMS Foundation Self-Paced Online Training CourseCertified ISO 27001 ISMS Lead Implementer Self-Paced Online Training Course Certified ISO 27001:2022 ISMS Internal Auditor Self-Paced Online Training Course  
Certified ISO 27001:2022 ISMS Lead Auditor Self-Paced Online Training Course Certified ISO 27001:2022 ISMS Lead Auditor Self-Paced Online Training CourseCertified ISO 27001:2022 ISMS Lead Implementer Self-Paced Online Training Course Certified ISO 27001:2022 ISMS Lead Implementer Self-Paced Online Training Course
Certified ISO 27001:2022 ISMS Transition Self-Paced Online Training Course Certified ISO 27001:2022 ISMS Transition Self-Paced Online Training CourseCISMP Self-Paced Online Training Course CISMP Self-Paced Online Training Course  
Cyber Incident Response Management Foundation Self-Paced Online Training Course Cyber Incident Response Management Foundation Self-Paced Online Training CourseCybersecurity for IT Support Self-Paced Online Training Course Cybersecurity for IT Support Self-Paced Online Training Course
Certified GDPR Practitioner Self-Paced Online Training Course Certified GDPR Practitioner Self-Paced Online Training CourseThe ITIL 4 Foundation Distance Learning Course – learn about IT service management at your own pace. ITIL® 4 Foundation Self-Paced Online Training Course

 

 

Tags: InfoSec courses


Jan 26 2023

ENISA gives out toolbox for creating security awareness programs

Category: Security Awareness,Security ToolsDISC @ 9:33 am

The European Union Agency for Cybersecurity (ENISA) has made available Awareness Raising in a Box (AR-in-a-BOX), a “do it yourself” toolbox to help organizations in their quest to create and implement a custom security awareness raising program

security awareness toolbox

The package includes:

  • A guideline on how to build an internal cyber-awareness raising program tailored to employees’ needs
  • A guideline on creating an awareness campaign targeted at external stakeholders
  • A how-to guide on how to select the appropriate tools and channels to best reach the target audience and tips for effective communication in social media
  • Instructions on selecting the right metrics and developing key performance indicators (KPIs) to evaluate the effectiveness of a program or campaign
  • A guide for the development of a communication strategy
  • An awareness raising game, in different versions and styles, for a generic audience and for an audience in the energy sector. It also comes with a guide on how it should be played
  • An awareness raising quiz to test comprehension and retention of key information (e.g., how to create good passwords)

Why security awareness matters

People have become cyber-attackers’ primary attack vector, which means that programs for raising cyber awareness are crucial for an organization’s cybersecurity strategy. The goal of these programs is to promote good cybersecurity practices of employees, managers and executives and improve their cybersecurity behavior.

A lot of advice can be found online on how to upgrade your security awareness efforts and engage your employees with better cybersecurity training, but sometimes organizations don’t know where to start.

AR-in-a-BOX can help them wrap their head around the task and push them towards realization.

“AR-in-a-Box is offered by ENISA to public bodies, operators of essential services, large private companies as well as small and medium ones (SMEs). [It] is dynamic and will be regularly updated and enriched,” the agency noted.

ENISA has previously published helpful materials for cybersecurity awareness campaigns aimed at electricity operators and the healthcare sector.

Checkout our previous posts on Security Awareness

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: free cybersecurity tools, Security Awareness


Dec 26 2022

Cybersecurity Awareness Training in Companies: Why You Can’t Do Without It

Category: Information Security,Security AwarenessDISC @ 11:24 am

Cybersecurity awareness is no longer a “nice to have”; in fact, it has become a fundamental part of your corporate training process across all levels and aspects of your business.

Would you leave your business unlocked and open to all comers? Of course not – but if you don’t have solid cybersecurity in place, that’s effectively what you’re doing! As the business world becomes a digital space, security has also become a digital matter.

One cybercriminal can wreak havoc if unchecked, and our potential flashpoints for vulnerabilities are growing daily. Nor is this something you can achieve alone – a great IT security team is one thing, but if one of your other workers leaves the metaphorical door unlocked, you’ll still be in trouble. 

With top-down training boosted with the power of video, however, security can become a simple matter. 

A Growing Risk

The average cost-per-company of a data breach is over $4 million. Cybercrime currently costs companies globally $8.4 trillion a year- and that is expected to soar to $23 trillion (or more) by 2027. Fortunately, there’s a lot you can do to mitigate your risk and keep your company out of those stats. 

Humans are and will remain, the weakest link in any business’s digital security. Just as a thoughtless individual can leave a door unlocked and bypass your multi-million dollar security system in a heartbeat, one wrong move from an employee and even the best cybersecurity comes tumbling down.

It’s critical that all people in your organization are aware of cybersecurity risks, know the best practices for data and network security, and understand the consequences of laziness leading to cybersecurity failures. 

Cybersecurity Awareness Training

It’s a simple idea – using a technical approach to proactively educate employees, ensuring awareness of data privacy, identity, and digital assets permeates every level of your organization. This will immensely reduce your risk of cybersecurity breaches. In turn, that means fewer financial losses from this type of crime, making it a solid return on investment.

And being cybersecurity-aware will have knock-on positives in your reputation with consumers, making you seem more trustworthy and desirable. Prevention of security issues means no loss of brand reputation, too. 

The Learning Gap

Of course, your training is only as good as its retention rate. Cybersecurity training for employees can’t be some dull, dusty lecture or 500-page word document that’s unengaging, boring, and packed with jargon, or you may as well not waste your time. It’s critical that staff feel both empowered with their new skills, and that it comes over as simple to understand and easy to implement.

We all know that video is one of the most powerful storytelling formats out there. From the power of video shorts and reels for marketing to the way a great TV program can unite us, it’s a format that delivers punchy messages in an engaging way. 

Unlike text, where aspects like reading level can play a role, everyone can engage with video. Plus you have the benefit of being able to condense a lot of information into short, pithy, and easy-to-retain factoids. You can power that up further with the power of AI, making videos simple to create, engaging, and easy to update and adapt without a huge financial outlay.

Using a simple text-to-speech format, you can create compelling, entertaining, and educational content that will help keep every member of your organization aware of cybersecurity risks and qualified to prevent them from occurring.

Cybersecurity awareness is no longer a ‘nice to have’. It’s an absolutely essential part of your corporate training process, across all levels and aspects of your business. With the power of simple-to-use AI video on your side, creating engaging learning programs to keep staff informed and ahead of cyber criminals is a simple matter, so don’t delay in addressing this critical aspect of business security today.

Cybersecurity Awareness Training in Companies: Why You Can’t Do Without It

Cybersecurity Fundamentals

Learn cybersecurity fundamentals, including how to detect threats, protect systems and networks, and anticipate potential cyber attacks.

Cybersecurity for Remote Workers Staff Awareness E-learning Course

Security Awareness Program Builder

Infosec books | InfoSec tools | InfoSec services

Tags: Cybersecurity Awareness, InfoSec awareness, Security Awareness


Nov 18 2022

3 Simple Yet Vital Tips to Stay Safe Online

Category: cyber security,Security AwarenessDISC @ 10:44 am

The online world has never been risk-free and in 2022 the risks posed by cybercriminals are a threat to all internet users. As scams and phishing methods become more complex there is a greater need for the individual to adopt a range of best practices to protect their personal information. 

Cybercriminals can target both individuals and businesses using a wide range of methods: malware can be activated by clicking on malicious links; personal details can be harvested simply by visiting unsecure sites

Whether you like to surf the internet for fun and recreation, use it as a platform for online trading, or buy a range of products and services, staying safe online should always be a priority. It is a sobering fact that thousands of pieces of malware are created every day. 

Stay safer online by following these three top tips.

Be vigilant when trading 

Millions of people around the world now regularly trade online and increasingly that trade is in cryptocurrencies such as Bitcoin. With a wide range of cryptocurrencies now available, it is more important than ever to check that the site you trade on is secure. 

As a rule, you should only trade on sites that feature the padlock icon in their web address, such as can be seen at OKX. This padlock icon proves that the site is secure and uses SSL encryption to ensure that any financial or personal information is transmitted safely. 

It is also good practice to look at reviews from trading platforms. Customer experiences of using these sites can be a valuable source of information on the security of a platform. When trading online or undertaking any type of internet purchasing activity, it is also important to remember not to use unsecured networks.

Surfing in coffee shops and shopping malls can be an attractive proposition but should be avoided whenever any transactions are taking place; otherwise, a cybercriminal could easily pose as a contact from a website you have visited – leaving you open to phishing attacks in the future.

Use strong passwords

Whilst most people realize the value of having strong passwords across all the sites they use, it is still surprising how many people do not adhere to this best practice. Many consumers use the same passwords across numerous platforms and sites or use exceptionally weak passwords that can be cracked with a minimum amount of effort. 

Today, search engines can suggest strong passwords and store them securely. This method can make consumers safer online whilst also freeing the need to memorize complex passwords. Put simply, if you use weak or repetitive passwords across sites, you are making it easy for a cybercriminal to harvest your personal details or hack your accounts. 

Stay up to date

Another common practice that tends to be overlooked by millions of web visitors is to keep applications and devices up to date with the latest firmware. It is vitally important to check for system and firmware updates on a regular basis. Whilst many updates offer stability improvements or bug fixes, they often contain the latest security updates that keep devices and applications more secure. 

Running software or operating systems that do not have the latest patches leaves them far more vulnerable to attack, so make a point of checking for updates across your devices on a regular basis to ensure that you benefit from the latest security features. 

In summary, follow the above advice to avoid falling victim to one (or more) of the 300,000 pieces of malware that are created every day.

3 Simple Yet Vital Tips to Stay Safe Online

HOW TO STAY SAFE ON SOCIAL MEDIA: Social Media Dos and Don’ts

Tags: STAY SAFE ON SOCIAL MEDIA, Stay Safe Online


Oct 19 2022

Upgrade your security awareness efforts: Here’s how to start

Category: Security AwarenessDISC @ 11:34 am

October is Security Awareness Month, an exciting time as organizations around the world train people how to be cyber secure, both at work and at home. But what exactly is security awareness and, more importantly, why should we care about it?

The traditional approach does not work

Organizations, cybersecurity leaders and the cybersecurity community will all tell you the same thing: People represent the greatest security risk in today’s highly connected world. Organizations see it in their own incidents, and we see it in global data sets.

The most recent Verizon Data Breach Investigations Report (DBIR)- one of the industry’s most trusted reports – has pointed out that people were involved in over 80% of breaches globally. These incidents may involve people being targeted with phishing emails or smishing attacks, or people making mistakes (e.g., IT admins misconfiguring their cloud accounts and accidentally sharing sensitive data with the entire world).

If people represent such a high risk, what should we be doing about it?

The traditional approach has been (and often continues to be) to throw more technology at the problem. If cyber attackers are successfully phishing people with email, we will deploy security technologies that filter and stop phishing email attacks. If cyber attackers are compromising people’s passwords, we will implement multi-factor authentication. The problem is that cyber attackers bypass these technologies by targeting people.

As we get better at identifying and stopping phishing email attacks, cyber attackers target people’s mobile phones with smishing (SMS or message-based) attacks. As more and more organizations deploy MFA, cyber attackers began pestering people with MFA requests until they approve one (as recently happened at Uber).

This is where we also run into our second challenge: Security teams far too often blame people as the root cause of the human risk problem – as evidenced in often used phrases such as “People are the weakest link,” and “If our employees did what we told them to do, they and we would be secure.”

But when we look at cybersecurity from the average employee’s perspective, it turns out that the security community is often to blame. We have made cybersecurity so confusing, scary, and overwhelming that we have set people up for failure. People often have no idea what to do or, if they do know what to do, doing the right thing has become so difficult that they get it wrong or simply choose another option.

Just look at passwords, one of the biggest drivers of breaches. We’ve been saying for years that people continue to use weak passwords in an insecure manner, but the problem persists because the password policies we teach are confusing and constantly changing. For example, many organizations or websites have policies requiring complex passwords of 15 characters, including having upper and lower case letters, symbols, and numbers. Then we require people to change those passwords every ninety days but don’t provide a secure way to secure all those long, complex, and changing passwords.

Then we roll out MFA to help secure people but, once again, this is extremely confusing (even for me!). First, we have multiple different names for MFA, including two-factor authentication, two-step verification, strong authentication, or one-time passwords. Then we have multiple different ways to implement it including push notification, text messaging, FIDO token-based, authentication apps, etc. Every website you go to has a different name and implementation of this technology, and then we once again blame people for not using it.

From security awareness to managing human risk

Security awareness training has been the traditional approach, and it involves communicating to and training your workforce on how to be cyber secure. While a step in the right direction, we need to take this one step further: We need to manage human risk.

Managing human risk requires a far more strategic approach. It builds on security awareness, to include:

  • Risks: The security awareness team needs to be an integrated part of the security team, even reporting directly to the CISO. Their job should include working closely with other security elements (such as the security operations center, the cyber threat intelligence analysts, and the incident responders) to clearly identify the top human risks to the organization and the key behaviors that manage those risks. Once those key risks and behaviors have been identified and prioritized, then we can communicate with and train our workforce on those behaviors.
  • Policies: We need to start creating security policies, processes, and procedures that are far simpler for people to follow, we should be designing policies (and the tools that support them) with people in mind. If we want people to use strong authentication, we must focus on something that will be easy for people to learn and use. The more confusing and manual the process, the easier it is for cyber attackers to take advantage of that.
  • Security team: We need security teams to communicate to their workforce in simple, “human” terms that everyone can understand, including explaining the WHY of their requirements: Why are password managers important, what value does MFA have to them, and why enabling automatic updating is good for them. We must change the employees’ perception of the security team: from arrogant to approachable.

Managing human risk is becoming a fundamental part of every security leader’s strategy. Security awareness is the first step in the right direction as we attempt to communicate to, engage and train our workforce, but we need a more dedicated, strategic effort to truly manage human risk. Perhaps one day we will even grow and replace the role of the Security Awareness Officer with the Human Risk Officer.

security awareness

The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Tags: Security Awareness, Security Culture Playbook


Oct 07 2022

What Are You Doing for Cyber Security Awareness Month?

Category: Information Security,Security AwarenessDISC @ 8:51 am
Cyber Security Awareness 2022

This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.

Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.

This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.

According to Proofpoint’s 2022 State of the Phish Report, 83% of organisations fell victim to a phishing attack last year. Meanwhile, Verizon’s 2021 Data Breach Investigations Report found that 25% of all data breaches involve phishing.

The attack method is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.

Getting involved

There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.

You can find a full list of events on Stay Safe Online, where you can also find information security tips.

The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.

A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.

“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”

The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.

How IT Governance can help

You can also follow the latest developments with Cyber Security Awareness Month by following us on LinkedIn. We’ll will provide the latest updates on the campaign to help you get involved in events near you.

Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest – ensuring that your accounts are protected by strong, unique passwords.

This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.

The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.

Another top tip for preventing cyber attacks is to test your employees with Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.

The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?

Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.

https://www.itgovernance.co.uk/blog/what-are-you-doing-for-cyber-security-awareness-month?

Tags: Cyber Security Awareness Month


Sep 28 2022

Time to Change Our Flawed Approach to Security Awareness

Category: Security AwarenessDISC @ 8:52 am

Defend against phishing attacks with more than user training. Measure users’ suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.

Digital chain

Our approach to security awareness is flawed. And we must change it.

As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.

It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country’s electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.

At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn’t the case in 2014 when I started warning about its dangers on CNN.

At the other end, it was sobering. There wasn’t much else organizations had figured out to do.

Sending messages to warn people was what AOL’s CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers’ personal information. That was almost three decades ago, many lifetimes in Internet years.

In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.

And BoA isn’t alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.

Flawed Approach

Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.

A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.

There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.

There is another problem. Security awareness isn’t a solution; it’s a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.

Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.

Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.

Defend With Fundamentals

The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?

The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include cyber-risk beliefs — ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.

Many of us also acquire media habits, from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.

There is another, largely ignored, factor: suspicion. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.

It did for the former head of the FBI. Robert Muller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn’t seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.

By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.

Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that’s being sold as a solution — a paradigm that we know doesn’t work.

After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.

https://www.darkreading.com/vulnerabilities-threats/time-to-change-our-flawed-approach-to-security-awareness

The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer

Security Awareness For Dummies

Tags: Security Awareness


Sep 12 2022

Cybersecurity Awareness Campaigns: How Effective Are They in Changing Behavior?

Category: Security AwarenessDISC @ 2:00 pm

The European Agency for Cybersecurity (ENISA) each October promotes cybersecurity among EU citizens and organizations, and is partnering with Anima People, specialists in behavioral science related to security, in a critical project to evaluate cybersecurity awareness campaigns in behavior change among employees. Organizations worldwide will benefit by the intelligence they need to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey:https://

/eusurvey/runner/Cybersecurity_Awareness_ECSM-PreC

Cyber Security Awareness

Tags: Cybersecurity Awareness


Aug 02 2022

1 in 3 employees don’t understand why cybersecurity is important

Category: Security AwarenessDISC @ 8:57 am

According to a new Tessian report, 30% employees do not think they personally play a role in maintaining their company’s cybersecurity posture.

What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.

Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.

The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.

The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.

why cybersecurity is important

Transformational Security Awareness

Tags: Security Awareness


Apr 15 2022

Ways to Develop a Cybersecurity Training Program for Employees

Category: Security AwarenessDISC @ 8:45 am

Cybersecurity experts would have you believe that your organization’s employees have a crucial role in bolstering or damaging your company’s security initiatives.

While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.

According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.

It’s no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you haven’t already.

As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the “cyberdemic” of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.

Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:

  • Trick Employees via a Phishing Campaign

You can test your employees’ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.

They might be the ones that eventually end up disclosing a company’s valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.

  • Customize Your Security Training

All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.

When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.

  • Incentivize the Security Training

Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.

  • Cover Cybersecurity Topics

Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.

Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.

  • Introduce Data Privacy Laws

Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.

Most employees don’t know much about data protection laws or don’t know them altogether. It’s crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).

Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their company’s privacy policies, data handling procedures, and the impact of data privacy laws on their organization.

  • Address Security Misconceptions

Massive data breaches and ingenious hackers have muddied the waters of what is and isn’t possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.

Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?

To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:

  • What is cybersecurity,
  • Why is cybersecurity important,
  • Do employees lock their devices and keep strong alphanumeric passwords for online accounts,
  • Do employees connect to a secure WIFI network provided by the company, etc.

The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.

While discovering the loopholes within your organization is one thing, developing a cybersecurity training program specifically tailored to patch those vulnerabilities might not be enough. Not only this, keep a strategy that focuses on zero-day attacks to avoid any damages. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.

Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.

Understand the Consequences of Inadequate Security Training

Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.

With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.

About the AuthorAnas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.

cybersecurity

Security Awareness Program Builder: Practical guidelines for building your Information Security Awareness Program & prep guide for the Security Awareness and Culture Professional (SACP)™

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Cybersecurity Training Program


Mar 31 2022

Every Day Should be World Backup Day

Category: BCP,Security AwarenessDISC @ 1:09 pm

Modern Data Protection: Ensuring Recoverability of All Modern Workloads

Tags: Backup Day, data archive, data protection, data storage


Feb 17 2022

50 Key Stats About Freedom of the Internet Around the World

Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.

Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.

Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.

To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:

Digital Rights

Freedom of Information

Right to Internet Access

Freedom from Internet Censorship

Net Neutrality

The Bottom Line

The Internet in Everything: Freedom and Security in a World with No Off Switch

Tags: digital privacy, Freedom of the Internet Around


Dec 08 2021

It’s Not a User Problem; It’s a Cybersecurity People Problem

Category: Cyber career,Security AwarenessDISC @ 10:29 am

There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?

In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.

“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.

A Failure of Leadership

One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.

“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”

cybersecurity manager talent hiring insiders

New School Safety Science

Improving Cyber Security Skills And Knowledge At Board Level

Tags: Cybersecurity People Problem, Improving Cyber Security Skills


Dec 06 2021

Staff awareness e-learning courses

Category: Information Security,Security AwarenessDISC @ 2:44 pm
Use code XMASELEARN at checkout
to get 10% off before Sunday, 19 December.*
  • Written in plain English to help non-technical staff understand the topics.
  • Real-life examples, case studies, quizzes and puzzles to engage learners and teach in an unconventional way.
  • Multiple-choice assessment included to help consolidate learning.
  • Monitor employees’ progress from a user-friendly dashboard.
  • Multiple hosting and licence options available to suit your needs.
  • Free monthly security bulletin packed with useful news and tips.
  • Content and branding customization available on request.

Training available for individual or Corporate members

IT Governance Staff Awareness E-Learning Courses

Developed by experts, ITG staff awareness training courses have been designed to give your employees the knowledge they need to protect your organization’s data while performing their roles, in compliance with relevant standards, laws and cyber security best practices.

Tags: Staff awareness e-learning


Aug 04 2021

Do You Trust Your Smart TV?

Category: IoT Security,Security AwarenessDISC @ 10:02 am

Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy?

In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.

Smart TV Security: Media Playback and Digital Video Broadcast

Tags: Smart TV, Smart TV Security


Next Page »