My Mom Always Says ” You Learn Something New Everyday” Security Awareness Training

And my mom is 93 and I listen to my mother! Training is a critical piece of every business model. No matter your product or service and your not training your staff get out of the game your going to lose…everything!

Training

No matter how good your prevention steps are, breaches are inevitable. But user education plays a big part in minimizing the danger. Make it a key aspect of your prevention strategy. Start by training staff on security policy. Augment this by creating a simple handbook on the basics of security. This should include reminders to never to insert USB drives from outside devices into work machines. It should also review password management, such as not reusing work passwords on other sites or machines.

As it represents one of the biggest dangers, phishing demands its own training and instruction. Let users know that hovering over email addresses and links in messages shows the actual email address or destination URL. Just because it says “Bank of America,” or “IT department” with all the right logos doesn’t mean it’s from that
source. Add further instruction to not open unknown file types, click on links, and open attachments from unknown people or entities. Coach them into a suspicious frame of mind regarding requests to send in their passwords or account details. If for instance, educating a student body in this manner isn’t feasible, put them on a separate network and severely restrict their access to sensitive data.

Security awareness training is strongly recommended. The best programs baseline click rates on phishing emails and harness user education to bring that number down. But again, don’t expect 100% success. Good employee education can reduce phishing success significantly, but it won’t take it down to zero. There is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal. Comprehensive data security best practices must also be in force.

Next post find out about…Simulated Phishing & Red Flags…Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

 

Don’t Get Punched In The Mouth! Cyber Risk Planning

You know the saying ” Everyone has a plan until they get punched in the mouth”, so what’s your plan!

Cyber-Risk Planning

Cybersecurity has historically been treated as a technology issue. However, cyber-risk must be managed at the most senior level boardroom in the same manner as other major corporate risks. The CEO must fully understand the company’s cyber risks, its plan to manage those risks, and the response plan when the inevitable breach occurs. CEOs also must consider the risk to the company’s reputation and the legal exposure that could result from a cyber incident. CEO fraud must be part of the risk management assessment. While this assessment is of a technical nature, it is more about organizational procedures.

Executive leadership must be well informed about the current level of risk and its potential business impact. This is rarely the case within organizations inflicted with phishing and CEO fraud. Management must know the volume of cyber incidents detected each week and of what type. Policy should be established as to thresholds and types of incident that require reporting to management. In the event of an outbreak, a plan must be in place to address identified risks. This is another weak point in many organizations. Yet it is an essential element of preserving the integrity of data on the network.
Best practices and industry standards should be gathered up and used to review the existing cybersecurity  program. Revise the program based on a thorough evaluation. One aspect of this is regular testing of the cyber incident response plan. Run a test of a simulated breach to see how well the organization performs. Augment the plan based on results.

Lastly, call your insurance company and go over the fine print regarding your coverage. If no cyber insurance exists, acquire some rapidly. Go over the details of cyber security insurance to ensure it covers the various type of data breaches and includes the various types of CEO fraud.*

Note: Normally human error like CEO fraud is NOT covered by cyber security insurance.

Forgive the delay on our posts ….next time find out about training just like my 93 year old mother say’s ” You learn something new everyday”!

Think before you click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

 

Part X: /CEO Fraud ~ Let Them Know About The Procedures!

IT should have measures in place to block sites known to spread ransomware, keeping software patches and virus signature files up-to-date, carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines, conducting regular penetration tests on WiFi and other networks to see just how easy it is to gain entry. These and many other security procedures will go a
long way towards protecting your organization.  Procedures must also be developed to prevent CEO fraud. Wire transfer authorization is one scenario demanding careful attention. Set it up that any wire transfer requires more than one authorization, as well as a confirmation beyond email. Phone, or ideally, face-to-face confirmation should be included. That way, a spoofed email attack is thwarted as confirmation is done on a different channel. If by phone, only use a pre-existing number for your contact, not one given to you in an email.

The subject of time should also be part of procedure. To guard against urgency injected by a cybercriminal into an email, standard procedure should call for a 24 hour waiting period before funds are transferred. This gives ample time for the necessary authorizations and side-checks for authenticity to be completed.

Next week find out about ~ Cyber-Risk Planning…Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

 

Part IX: CEO Fraud ~ Policy What Policy!

Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as users not opening attachments or clicking on links from an unknown source, not using USB drives on office computers, password management policy (not reusing work passwords on other sites or machines, no Post-it notes on screens as password reminders), completing specific types of security training including training on security policy, and the many other details of employee and overall security diligence. Policy on WiFi access, for example, should be reviewed. Include contractors and partners as part of this if they need wireless access when on site.

Policy should also exist on wire transfers and the handling of confidential information. It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.  Similarly, with confidential information such as IP or employee records, policy should determine a chain of approvals before such information is released.

Next week find out about ~ Procedures….Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

Part VIII: Let’s Talk Prevention

Many steps must dovetail closely together as part of an effective prevention program.

Identifying High-Risk Users

High risk users include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas. For example, on finance approvals for wire transfers, stipulate several points of authorization and a time period that has to elapse before the transfer is executed. It is wise to conduct a search of all high-risk users to see how exposed they are. For example, LinkedIn and Facebook profiles often provide detailed personal information or even what could be considered sensitive
corporate data such as the person having wire transfer authority, as well as email addresses and list of connections.

Technical Controls

Various technical controls should be instituted to prevent the success of phishing attacks. Email filtering is the first level but it is far from foolproof. Authentication measures should be stepped up. Instead of a simple username and password, which the bad guys have a good success rate of getting past, two factor authentication also requires something that only the user has on them such as a physical token. This makes it
much harder for potential intruders to gain access and steal that person’s personal data or identity. Key fobs, access cards and sending a code to a registered mobile phone are some of the possible methods, but we prefer the Google authentication app.

Automated password and user ID policy enforcement is another wise defense. Comprehensive access and password management also can minimize malware and ransomware outbreaks. Review existing technical controls and take action to plug any gaps.

Next post find out ~ Resolution ~ Policy and Procedures…Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

Part VII:CEO Fraud ~ Technology vs. The Human Firewall

Most efforts towards risk mitigation concentrate on technology. Certainly, antivirus, antimalware, intrusion detection/protection, firewalls, email filters, two-factor authentication and other technology solutions are vital. Similarly, appropriate backup and disaster recovery (DR) processes must be in place. For example, a 3-2-1 backup strategy (three copies of the data, on two different types of media, with one off site) is a recommended best practice along with testing of the restore function on a regular basis.

However, these technology safeguards must be supported by what is known as the human firewall – an internal staff that is educated on cyber-threats, can spot a phishing email a mile away and won’t fall prey to CEO fraud.

Regardless of how well the defense perimeter is designed the bad guys will always find a way in. They know that employees are the weakest link in any IT system. The Verizon 2016 Data Breach Investigations Report (DBIR) found human error to be the weakest link based on a study of 100,000 security incidents and 2,260 confirmed data breaches across 82 countries. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook.

The way to manage this problem is new-school security awareness training. Thousands of organizations are doing this with great results. Stepping users through this training proofs them up against falling for social engineering attacks. Establishing a human firewall won’t eliminate breaches entirely, but will reduce them.

Next post find out ~ Prevention, High Risk Users & Technical Controls..Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584

Part VI: CEO Fraud ~ Board Oversight and Fiduciary Duty

Virus and malware defense has long been viewed as a purely IT problem. Even though some organizations appoint Chief  Information Security Officers (CISO), the fact remains that information security is often viewed as a challenge that lies well below board or C-level attention.

However, the events of recent years have highlighted the  danger of this viewpoint. With the FBI warning corporations  that they are at risk and so many high-profile victims in the  news, organizations, led by their CEO, must integrate cyber risk  management into day-to-day operations. Additionally, companies must take reasonable measures to  prevent cyber-incidents and mitigate the impact of inevitable breaches.

The concept of acting “reasonably” is used in many state and  federal laws in the United States, Australia, and other  countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible to restore normal operations after a data breach and ensure that company assets and the company’s reputation are protected. Failure to do so can open the door to legal action.

Let’s put it in these terms. A cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.

No matter the size of the company the involvement of the CEO and communication with their staff is critical in the leadership, lively hood and company success.

Next post find out ~ Technology vs. The Human Firewall..Think Before You Click!

Tina Louise ~ www.cloudplusservices.com ~ 888.871.6584