Tag: Awareness

  • Rising Above The Minimum Cyber Security

    Rising Above The Minimum Cyber Security

    Cyber attacks on the rise

    With the end of each year there are blog posts and articles suggesting the next year will be worse than the previous when it comes to cyber security. Whether those predictions are true or not, one thing is sure – IT Security is a top concern for most network administrators – and it’s a concern that’s only likely to get bigger.

    2016 saw a rise in ransomware and other malware attacks (FBI This Week – March 2016). We also saw insinuations of foreign governments leveraging their way into critical data (DNC & FDIC were two stories of 2016 that suspected international hacking as the culprit) .Companies large and small alike were crippled by cyber attack.

    What’s at risk

    A successful cyber attack can not only damage a company but also could impact business continuity to such a point that the business could not recover. There are ancillary impacts to be considered aside from the critical loss or compromise of data – down time, recovery cost, reputation damage, fees for providing identity theft protection for customers, and possible litigation are just a handful of hurdles an attacked company can face.

    PCI & HIPAA regulations

    Many companies and organizations look to guidelines such as PCI and HIPAA as a security framework, but the reality is these guidelines are best considered as a baseline and the MINIMUM a company should be doing. The proactive company is looking for strategies to safeguard their networks, apps, and APIs with as much fortitude as possible. Operationally, this translates to running in-house scans, delivering constant awareness training, and consistently leveraging the value of penetration tests. The responsible company is also hiring outside experts to attempt network, physical and social penetrations in addition to the in-house testing. The goal should be to ascertain exposures and remediate them to drive the improvement of the organization’s security posture.

    The cybersecurity risks are real

    Even with the best of intentions, shortfalls occur. Systems don’t always get patched and are often prone to insecure configurations. With the rise of social engineering as an attack vector, employees are often the weakest link (unintended of course). Threats are limited only by an attacker’s creativity, and it is impossible to predict all threat vectors. A realistic attack by a skilled adversary is the best way to understand the mindset of the attacker and gain an understanding of how your systems may be vulnerable to compromise.Nothing beats an outside set of eyes testing your defenses. Cyber attacks are on the rise, and companies have never had more to lose. With so much on the line, now is not the time to be looking at average security measures. What steps will you take in 2017 to improve your security posture?

  • The Human Element is Often the Weakest Link

    The Human Element is Often the Weakest Link

    Most companies realize that you can spend millions on network security but one of the biggest gaps is the employee. The human element of a workforce can easily be exploited once you understand the basic psychology of human behavior. Most people at their very core simply want to be helpful. People generally want to be nice and are often concerned about what people think of them. We see this time after time when we are doing a social engineering engagement for our clients. Do you want to get into a locked door – load up with boxes and follow an employee, “Oh – can you hold that for me?” Really – who wants to be the person that says, “No – put down those boxes and struggle with it yourself.”? Looking for a password – phishing emails are all too easy to the naturally trusting person. With basic precautions the email looks legitimate, and many will click the email and, in the process, load malware giving a malicious actor full access to their computer. Physical security – many times this is a false sense of security. Often times security guards are hired for low wages and without extensive training. Certainly this is not always the case, but many times it is. While the visual effect of a security guard can be a deterrent, to the experienced person seeking to infiltrate your business it’s often a mild annoyance that simply requires a little more surveillance and planning.

    One of the best ways you can strengthen the human element is to test the human element. Whether this is through an outside company or internal tests. People respond to real-life examples. You can teach seminars and send emails about social engineering with somewhat limited results. However, when someone actually falls for an infiltration scam, and they later find out it was a test and are told the results of the actions of the person who infiltrated the company – that lesson sticks.

    Many times employees don’t understand the critical role they play in the security of your business. However, once they see first hand the potential results of their actions, it becomes much easier to tell the person with the boxes that they must go to the front door and sign in. It becomes more comfortable to call your IT department about an email – even if it seems to be okay.Regardless of your industry, real world testing simply makes your business stronger. What will you do this month to help your people learn how critical they are to your security?