InfoSec Compliance & AI Governance For over 20 years, DISC InfoSec has been a trusted voice for cybersecurity professionals—sharing practical insights, compliance strategies, and AI governance guidance to help you stay informed, connected, and secure in a rapidly evolving landscape.
According to a new Tessian report, 30% employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
Cybersecurity experts would have you believe that your organization’s employees have a crucial role in bolstering or damaging your company’s security initiatives.
While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.
According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.
It’s no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you haven’t already.
As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the “cyberdemic” of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.
Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:
Trick Employees via a Phishing Campaign
You can test your employees’ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.
They might be the ones that eventually end up disclosing a company’s valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.
Customize Your Security Training
All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.
When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.
Incentivize the Security Training
Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.
Cover Cybersecurity Topics
Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.
Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.
Introduce Data Privacy Laws
Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.
Most employees don’t know much about data protection laws or don’t know them altogether. It’s crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).
Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their company’s privacy policies, data handling procedures, and the impact of data privacy laws on their organization.
Address Security Misconceptions
Massive data breaches and ingenious hackers have muddied the waters of what is and isn’t possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.
Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?
To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:
What is cybersecurity,
Why is cybersecurity important,
Do employees lock their devices and keep strong alphanumeric passwords for online accounts,
Do employees connect to a secure WIFI network provided by the company, etc.
The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.
While discovering the loopholes within your organization is one thing, developing a cybersecurity training program specifically tailored to patch those vulnerabilities might not be enough. Not only this, keep a strategy that focuses on zero-day attacks to avoid any damages. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.
Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.
Understand the Consequences of Inadequate Security Training
Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.
With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?
In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.
“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.
A Failure of Leadership
One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.
“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”
Developed by experts, ITG staff awareness training courses have been designed to give your employees the knowledge they need to protect your organization’s data while performing their roles, in compliance with relevant standards, laws and cyber security best practices.
Did you ever stop to think that the office smart TV used for company presentations, Zoom meetings, and other work-related activities may not be so trustworthy?
In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.
Smart TV Security: Media Playback and Digital Video Broadcast
You’re almost certainly familiar with vishing, a phone-based scam in which cybercriminals leave messages on your voicemail in the hope that you’ll call them back later to find out what’s going on.
In fact, if you have a long-standing phone number, like we do, you may well get more of these scam calls (perhaps even many more of them) than genuine calls, so you’ll know the sort of angle they take, which often goes along these lines:
[Synthetic voice] Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of dollars]. To cancel your subscription or to discuss this renewal, press 1 now.
Sometimes, they’ll read out the number to call them back on, to re-iterate not only that it matches the number that shows up in your call history, but also that it’s a local number, right there in your own town or country.
The crooks do this to “prove” that caller is local too, rather than sitting overseas in some scammy boiler-room call centre, far from the reach of law enforcement and the regulators in your part of the world.
Microsoft is warning of a large-scale BEC campaign that targeted hundreds of organizations leveraging typo-squatted domains registered days before the attacks.
Now Microsoft is warning of a large-scale BEC campaign that targeted more than 120 organizations with gift card scam.
The attackers targeted organizations in multiple industries, including the consumer goods, process manufacturing and agriculture, real estate, discrete manufacturing, and professional services sectors. The threat actors leverage typo-squatted domains to trick the recipients into believing that the emails were originating from valid senders.
BEC emails are designed to look like ordinary emails, but these attacks are more complex than they appear. We investigated a BEC operation in which attackers registered typo-squatted domains for over 120 orgs just days before the email campaign began. https://t.co/YdbwdC8kenpic.twitter.com/HTqYsUlCSn
— Microsoft Security Intelligence (@MsftSecIntel) May 7, 2021
We’ve recently witnessed large companies that were hit with major data breaches and cybersecurity incidents point the finger of blame at the lowest hanging fruit – their employees. While it’s understood that employees have a certain level of accountability when it comes to their role in the organization’s broader security strategy, it’s up to company leadership to arm them with the resources and knowledge to effectively thwart cyber threats.
With 90% of security incidents stemming from human error, a culture strong in security awareness is no longer a nice-to-have, it is a top priority and an absolute must across all organizations, regardless of their size or industry. Businesses who change risky employee behavior methodically and effectively through personalized, timely, and relevant learning will see an improvement to their overall security posture and a reduction in the number of security incidents.
Personalization is key
Cyber threats today have become increasingly sophisticated and more personalized. Therefore, it stands to reason that the training and coaching offered to employees needs to meet the same level of personalization in order to effectively combat these threats and change risky habits and behaviors over time.
We are living in a world of innovations. Now, imagine innovative technologies with zero security is such a big nightmare. Cybersecurity comes here for the rescue. Cybersecurity is an immense ocean of various fields. Many skillful fishes are living in this ocean with lots of expertise. Cybersecurity is what keeps all organizations sane and safe. For that reason, I will discuss the fields that outgrown currently and the certifications that help in those fields.
Before diving into the ocean of cybersecurity, let us understand why to choose cybersecurity. Imagine being the CEO of a digital children’s toy-making corporate, promising every parent that the information provided about children inside the toys will stay safe. And the organization faces a cyber-attack that leaks all information about the children. That is the big downfall of the organization’s reputation.
Cybersecurity promises to secure the organization system’s from cyberattacks yet to keep user information safe. Cybersecurity professionals put all their efforts to create a secure and protect the environment, not only for organizations as well for all the users connected to the network/internet.
The world is becoming digital day-by-day, the growth in cybersecurity is not coming slow. The rates of cybercrime are also increasing yet bringing many opportunities for jobs in cybersecurity.
According to New York Times,3.5 million cybersecurity jobs are available this year. United States Bureau of Labor Statistics (BLS) contemplate that in the next ten years, cybersecurity jobs will increase 30% compared to other computing jobs.
Job performance is another category where cybersecurity staff performs well. The (ISC)2 Cybersecurity Workforce Report in 2019 showed that 71% of cybersecurity professionals in the United States are happy with their employment.
These scams seek to collect personal information about you, often appearing to come from a real business or agency. Someone may pose as an official disaster aid worker, or send you a fraudulent COVID contact tracing email. If you receive a message with a link, you should not click it as it may download malware to your device to steal passwords and personal information. Government agencies like FEMA or the IRS will never contact you asking for a FEMA registration number, a Social Security number, or a bank account or credit card number to give you a COVID or FEMA payment—or ask you to pay anything up front to fill out an application or to access state or federal resources.
Before sharing, check that what you are reading is from a trustworthy source. Disinformation can be life threatening in a global pandemic.
No cures or vaccines have been approved for COVID-19 yet. Online offers claiming to provide a medicine or device to treat or prevent COVID should be ignored. When there is a new breakthrough in the treatment and prevention of COVID, it will be widely reported on by reputable news sources.
Fake charities often emerge following a crisis, soliciting donations, but not using them for the described purpose. Before donating, check out www.ftc.gov/charity  to research the organization and make sure it’s legitimate.
If you receive a robocall, you should hang up instead of pushing any buttons or giving away any personal information. If a call claims to be from the IRS or FEMA, but demands immediate payment through debit card or wire transfer, it is fraudulent. Federal agencies will never demand immediate payment over the phone, threaten immediate arrest, or ask you to make a payment to anyone other than the U.S. Treasury.
Warning Signs that a Loved One may be the Victim of a ScamÂ
Victims to a scam may be embarrassed or uncomfortable asking for help. It’s not always obvious when someone has been scammed, so check in with your loved ones frequently, especially if they are older, live alone, or are otherwise high risk.
Warning signs include large ATM withdrawals, charges, or checks; secretiveness and increased anxiety about finances; large quantities of goods being delivered that they do not need; an unusual number of phone calls or visits from strangers; and a sudden lack of money, unpaid bills, or a change in daily habits.
For more information, and to get help with a potential FEMA fraud, you can call the National Center for Disaster Fraud Hotline at 866-720-5721 or FEMA’s Public Inquiry Unit at 916-210-6276. For questions about pandemic scams, go to www.ftc.gov/coronavirus or www.cdc.goc/coronavirus/2019-ncov .
Google Chrome will warn users when submitting insecure forms that deliver information via HTTP connections on HTTPS websites starting with version 86.
![Breaking IN: A Practical Guide to Starting a Career in Information Security by [Ayman Elsawah]](https://m.media-amazon.com/images/I/51d-r8hESmL.jpg)
