
If you’re not scared, you’re not paying attention. Consider these recent headlines from InformationWeek.com:

  • Average Ransomware Payments Soared in the First Quarter
  • Pandemic Could Make Schools Bigger Targets of Ransomware Attacks
  • Local, State Governments Face Cybersecurity Crisis
  • DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
  • Average Cost of a Data Breach: $116M

Cybercriminals are busier than ever. They’re taking advantage of the disruption caused by the COVID-19 crisis and the fact that many employees are now working from home, many on personal computers.

Cybercrime is costly to your reputation and your bottom line. And that cost is growing: a recent Hiscox survey showed that “losses stemming from cybersecurity threats had grown almost six-fold, jumping from a median cost of $10,000 to $57,000 per company within the reported period (12/24/19–2/3/20).” The report also noted that losses may have been underreported.

How Cyber Insurance Can Help Reduce Costs

Cyber insurance can lessen costs due to an incident through policies that cover:

  • Restoration or replacement of electronic data
  • Media and website publishing liability
  • Security breach expenses
  • Extortion threats
  • Programming errors and omissions liability
  • Security and data breach liability
  • Public relations costs
  • Loss of business income
  • Other areas of risk specific to your business

You’ll notice we said insurance can lessen costs. Cyber insurance doesn’t reduce your liability or your risk—it forces you to maintain proper security and most policies preclude coverage if you don’t.

How Cybersecurity Training Helps Reduce Risk

Security awareness programs can reduce risk by strengthening one of the areas most vulnerable to attack: your employees. The Insider Data Breach survey 2019 reported that although 92% of employees stated they had not done anything malicious, over 75% of executives believed that employees accidentally put company data at risk.

Cybersecurity training can help employees understand what dangers to watch for and what safety measures to put in place. For example, a phishing awareness program can go a long way toward providing better security: according to Verizon’s 2019 Data Breach Investigations Report, phishing was involved in 32% of data breaches.

To be effective, cybersecurity training must be more than a one-time event. Ongoing security awareness programs that provide information, updates and reminders on a regular basis are much more likely to keep security top of mind for your employees.

Cyber Insurance vs. Cybersecurity Training

Which is best for your company? Consider your risk and your appetite for risk. Additional considerations might also factor into your decision, like untrained employees who handle a lot of sensitive data, or contracts that require your business to carry cyber insurance. The best choice, of course, is both. Cybersecurity training can mitigate your liability, and insurance can lessen any financial blows that result from an event.

Our Security Awareness Program Mitigates Liability by Changing Employee Behavior

Alterity’s cybersecurity courses support long-term change while keeping employees updated about the newest threats. We provide monthly lessons with different topics, and the information is offered in a variety of formats to suit every learning style. All of our cybersecurity modules are available 24/7 and can be completed from home or the office.

Make your business safer with us. Sample our course offerings on our On-Demand Learning Portal today!


Implementing a Security Awareness Program

When coworkers can’t sit side by side in the office, it’s harder for them to know who they’re really dealing with. Is the person signing into your company system actually who they say they are? And with a huge email uptick due to work going 100% remote, workers can be in a hurry to dig through their inboxes and might not be sufficiently cautious.

That’s why companies must devise and implement good security awareness programs and make cybersecurity courses available to all workers. Employees should use two-factor authentication and create stronger passwords, and IT professionals must monitor access controls remotely. Fortunately, this isn’t as daunting as it may sound, because Alterity offers excellent cybersecurity classes online.

Phishing

Cybercriminals are constantly honing their attack strategies. According to Accenture’s March 2019 Ninth Annual Cost of Cybercrime Study, criminals are increasingly targeting companies’ human layer with ransomware and phishing schemes. Criminals have identified humans as the weakest link in cyber defense—and now your employees are alone at home, virtually undefended.

Phishers send fraudulent emails or text messages trying to trick people into giving away their personal information. Employees probably know better than to send a bank account number to somebody in Nigeria, and hopefully, they won’t believe their grandson has been thrown in jail and needs bail money. But scammers are growing more sophisticated. They may send emails that look like they come from your company, asking employees for sensitive information about themselves or work projects. Phishers frequently trick people into parting with passwords, account numbers, and payment information, and may send fake invoices. According to the FBI’s Internet Crime Complaint Center, people have reported losses up to $57 million to phishing scams in a single year.

This is why you need to implement a security awareness program that includes regular phishing tests. When phishing tests are combined with a suite of online topics that focus on raising awareness and communicating the reasons for change, employees are more likely to alter the behaviors that put your company at risk. Your workers deserve to keep their personal information safe. And you must make this investment to mitigate risk to your company.

How Alterity Can Help

Alterity is here to help your employees and your company stay safe during this time of increased remote work. We deliver fully virtual courses to your employees through a 12-month cybersecurity training program. Each month, workers learn about a different topic through a lively mix of handouts, videos, and podcasts that are available through an intuitive, web-based learning portal. Posters and communications are also available to help you launch your program and promote adoption.

We’re excited to help your workers become more informed cybercitizens. Sample our course offerings on our On-Demand Learning Portal today!

Keep Personal Data Private

Cybersecurity and data privacy can seem daunting. Attackers continue to refine their tactics and the list of things you need to consider to keep your data safe is ever-expanding. This Data Privacy Day, here are some tips to make you a data privacy champion.

  1. Gone Phishing

    Phishing is an attacker’s greatest weapon when it comes to dropping off malware. As our tech improves, so do theirs. Take time to review all incoming emails, and look for some telltale signs like spelling or grammar mistakes, a lack of personal salutation, a long address or URL, and misrepresented logos. More sophisticated phishing attempts will look completely legitimate but will ask you to share something personal, make a purchase or take another action that puts private data at risk. When in doubt, have someone from IT check out the email or contact the sender to verify the request was from them (don’t just hit “Reply”).

  2. Into the Breach

    Breaches don’t always play out the way you might think. Lots of shows and films have a nefarious attacker “breaching” our hero’s PC with an ominous claim of “I’m in!” But most breaches aren’t malicious at all and only happen because of negligence or human error. Prevent this by being aware of your surroundings, your office and your practices at work. Keep business meetings in private or secure places, stay knowledgeable about software updates and security protocols, and make sure all your devices are locked and password- or PIN-protected.

  3. Let’s NOT Get Physical

    Avoid using or keeping physical reminders on your person or at your desk. Physical reminders can be anything like a PIN, a password or payment information for a client. Instead, opt for a password management app to help you manage your passwords, and enable multifactor authentication, which requires an additional action to verify one’s identity before being able to log in and access account info.

  4. Keeping Confidence

    Restrict access to confidential data on a need-to-know basis and choose who gets to see what data. Many tools have settings that allow you to determine access rights. Keep people off of email threads until you know they need to access project information. If you print anything, make sure it’s locked in a drawer or cabinet so it isn’t sitting out in the open. When it comes to digital private data, remember that passwords, encryption and administrative restrictions are your friends.

  5. Have a Plan

    What do you do when there is a breach? Who do you contact first? Be aware of your organization’s policies, and have a plan in case your personal data is compromised. In the time it takes to detect and respond, a lot of damage or loss can occur, so stay sharp!
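The telltale signs listed in tip 1 (no personal salutation, spelling slips, a long address or URL, and link text that misrepresents where a link goes) can be written down as a screening rule. The following is an added example, not code from the original post or from Alterity: it parses two constructed messages (their domains are reserved example/test names, not real organizations), applies those checks plus a sender-domain comparison, and returns a list of warning tags. The typo list and the length thresholds are assumptions chosen for the demonstration.

```python
"""Heuristic phishing screen encoding the telltale signs from tip 1.
Added example; the messages, typo list and thresholds are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# "Dear Customer" style openings: the lack of a personal salutation.
GENERIC_SALUTATION = re.compile(
    r"\bdear\s+(customer|user|member|client|valued|sir|madam)\b", re.I)
# Constructed list of misspellings; a production screen would use a spell-checker.
KNOWN_TYPOS = {"verfiy", "suspened", "acount", "recieve", "informations"}
LONG_URL_CHARS = 75   # assumption: anything longer counts as "a long address or URL"
DEEP_HOST_DOTS = 4    # assumption: hosts with this many dots look padded with look-alike labels

# Constructed lure: generic salutation, typos, a long look-alike URL and
# link text naming a domain the link does not actually go to.
SUSPICIOUS_EML = """\
From: "Payroll Team" <payroll@example-payroll.test>
To: sam@corp.example
Subject: Urgent: verfiy your direct deposit
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your deposit will be suspened unless you
<a href="http://corp.example.login-update.badsite.test/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v">login at corp.example</a>
today.</p></body></html>
"""

# Constructed legitimate message from a colleague on the same domain.
LEGIT_EML = """\
From: "Dana Lee" <dana.lee@corp.example>
To: sam@corp.example
Subject: Payroll schedule
Content-Type: text/html

<html><body><p>Hi Sam,</p>
<p>The May schedule is on <a href="https://intranet.corp.example/payroll">the payroll page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def screen_email(raw):
    """Return a sorted list of warning tags for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", body)   # crude tag strip for the wording checks

    flags = set()
    if GENERIC_SALUTATION.search(text):
        flags.add("generic-salutation")
    words = set(re.findall(r"[a-z]+", (msg.get("Subject", "") + " " + text).lower()))
    if words & KNOWN_TYPOS:
        flags.add("spelling")

    links = _LinkCollector()
    links.feed(body)
    for href, label in links.links:
        host = (urlparse(href).hostname or "").lower()
        if len(href) > LONG_URL_CHARS or host.count(".") >= DEEP_HOST_DOTS:
            flags.add("long-url")
        shown = re.search(r"\b([a-z0-9-]+\.[a-z]{2,})\b", label.lower())
        if shown and not _same_site(host, shown.group(1)):
            flags.add("link-text-mismatch")   # text says one site, link goes to another
        if sender_domain and not _same_site(host, sender_domain):
            flags.add("link-domain-differs-from-sender")
    return sorted(flags)


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EML), ("legitimate", LEGIT_EML)):
        print(name, screen_email(raw) or "no warnings")
```

A screen like this is a prompt for the "when in doubt, ask IT" step, not a verdict: a well-crafted lure can pass every check, which is why the tip ends with verifying the request out of band.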

These five tips can help you be a data privacy champion this January 28 and throughout the year!

Learn how the Alterity Cybersecurity Awareness Program, an array of imaginative and engaging communication, education and reinforcement tools, can help create and sustain a culture of security in your organization.

Cybersecurity People

What’s the easiest entrance point for a hacker to attack your organization? People. In the previous two blogs in this series, we discussed how technology and policies are an integral part of the information security posture needed to protect your business from an attack. However, those efforts will fall short if we don’t also address the human element. The number one way into an organization is through people. The result may end up exploiting technology vulnerabilities and/or procedural gaps in an organization’s policies, but the entrance almost always comes through people. We have a people problem.

If we are going to solve this problem, we must help people understand that information security is part of EVERYONE’S job. This is not just an issue for leadership or IT. EVERYONE has a part to play in protecting information. Understanding “the why” behind our information security efforts and the important role that everyone should play goes a long way to help people understand their part in the effort. Without the “why,” people see the information security measures as burdensome and impeding their ability to get their work done. We must change the message. We can’t just say “NO! Don’t do things!” We should say “Yes! Do these things …and here’s why!” You will see a remarkable change in people when they realize that we must do this together to protect what’s important to all of us.

INTERESTING INSIGHT

The National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce, revealed a study in 2016 that uncovered an interesting phenomenon called “Security Fatigue.” In short, people hear about information security attacks, breaches, horror stories, etc., and the response to all of this information is an overwhelming sense of futility. “I can’t understand it, and I can’t keep up with it. Therefore, I’ll do nothing and hope for the best.” This is a dangerous mindset, and it is brought on when we continually wrap the message of information security in fear and scare tactics. It’s a fact that people are hacked more often than systems, by far. It is also a fact that part of the human condition is to think, “That will never happen to me.” This presents an ongoing challenge that must be addressed.

WHAT TO DO

If you want to successfully assess and address the people side of your information security vulnerabilities and risks, at a minimum you should include these three components in your plans.

  • Phishing: It might seem strange, but if we are going to assess our vulnerabilities, we have to test the areas of risk. This includes testing our people. By now, most people are familiar with phishing scams. We’ve all gotten emails that were unsolicited, poorly written and obvious forgeries. Those are the phishing scams of the past. Today’s hackers are very smart people, highly motivated and patient enough to perfect the “art of the con.” They are also switching to a far more sophisticated tactic: Spear Phishing. This term refers to the hacking technique that doesn’t cast a wide net by sending a thousand emails. It targets an individual with a single email. It is far more effective to appear trustworthy to one person with information specific to them. This type of email is highly effective and is rarely caught by spam filters. Spear phishing accounts for over 90% of the successful inroads into an organization. Phishing tests, both emails and phone calls, should be a part of our ongoing information security efforts. The information gained from these tests can be very powerful in educating your people.
  • Social Engineering: We shouldn’t stop at phone calls and email phishing tests. The hackers won’t. Gaining access to your organization’s information often gets much more brazen and clever than that. So, we too should include social engineering in our penetration tests and vulnerability assessments. First, just try to gain access to your space. If someone walks boldly into your office, looking confident and professional, would you stop them? I’ve personally performed this test more times than I can count, and I’ve never been questioned. Why? Because I never look out of place. We may have implemented information security measures at entry points, but we all know how easy it is to tailgate behind another person with access. What if the person behind you has their hands full, or better yet, is using crutches? Polite society dictates that you turn and open the door. Once in, try to gain information or access to systems. This can be done in many ways:
    • Ask the receptionist to print out something from a USB drive for you. USB drives are a very serious vector of attack.
    • Drop USB drives around as bait.
    • Look for opportunities to be left alone with access to someone’s computer (e.g., while someone goes to get coffee).
    • See how far you can walk around before someone speaks to you.
    • Look for information readily visible in paper form lying around.
    • Pretend to be the electrical contractor called in by IT to address an issue in the wiring closet.
  • Cybersecurity Awareness: Once you have the information from your penetration tests and vulnerability assessments, it’s time to use that information for good. An ongoing Cybersecurity Awareness Training program is essential in your information security posture. Here are some key elements of an effective program:
    • It should be immersive without being disruptive.
    • It should be an ongoing part of the regular dialog within the organization and not just a once-a-year discussion.
    • It should include active and visible sponsorship from leaders at all levels of the organization.
    • It should include relevant stories of threats facing your industry.
    • It should also include relevant stories about your very own organization. This is a good place to inform people of the phishing and social engineering results. NOTE: Don’t go for a “wall of shame” and post names of those who fell for the phishing tests. Sanitize the results, remove names, use percentages, and let people know that this happened right here within your company.
    • It should ALWAYS emphasize the WHY and encourage people that we are ALL in this together.

People are our biggest asset, and business leaders need to invest in educating people as to their role in protecting the valuable information we interact with every day. Help them find their “WHY” in this effort and how important they are. One person can make all the difference in the world. Technology, policies and people all work together to comprise your overall information security posture. None of them stand alone. A gap in one of them puts your company in a vulnerable place. It takes effort to maintain each, but it is worth it to avoid the burdens of a breach!
Cybersecurity Policies

Technology solutions provide vital layers of protection to your organization’s information, but they’re not enough to cover the scope of vulnerability. Policies are also an important part of your overall security posture. Policies are not an exciting topic. We are a “skip to the end and click Accept” generation. However, policies play an important role in risk management, liability, information governance and defining the areas of vulnerability that need to be constantly monitored and addressed by your business.

SECURITY POLICY TIPS

  • Security Policies should be reviewed at least annually. Outdated policies do not address the way people currently work.
  • Security Policies should have executive sponsorship.
  • Security Policies need to be applied enterprise-wide. Security is the great equalizer. It is everyone’s responsibility to align to the same standards.
  • Security Policies should clearly state who owns them, who they are for, and how those people are to be informed.
  • Security Policies should align with a standard (NIST, ISO, GLBA, HIPAA, etc.).
  • Security Policies should address internal threats along with external threats.

POLICIES TO CONSIDER (IF YOU HAVEN’T ALREADY)

  • Multifactor Authentication: Passwords are not enough and haven’t been for some time. Adding another factor to authenticate a person’s identity will exponentially increase your security posture.
  • Mobility: According to the FBI, “The more mobile, the more vulnerable.” Everyday our culture is becoming more and more mobile. While this is convenient and expected, it also adds layers of risk that need to be addressed.
  • USB Drives: This is a serious and increasingly used vector of attack. Think about how easily an office visitor could plug a USB drive into a device, leave it and then begin mining your data.
  • Content-Filtering: Web traffic is inevitable but can be filtered to trap or block sites and web traffic activity.

OTHER POLICIES AND PLANS THAT SHOULD BE IN PLACE

  • Business Continuity and Disaster Recovery Plans. These need to be defined, in place and rehearsed/reviewed at least annually. Don’t wait for a disaster to make sure you are ready.
  • Incident Response. Assume that at some point things will happen. Plan for this and map out the appropriate steps to take following a breach.
  • Vendor Management. Vendors that have access to your data present as big a risk as internal personnel. Address this with appropriate rights management.

The responsibility of organizations today to address the ever-changing threats and vulnerabilities to their information requires a holistic look at all elements of security. In doing so, don’t forget the importance of properly written, sponsored and communicated security policies.
Cybersecurity Technology

To have a strong security posture you must address the three main areas of defense for protecting your business: technology, policy and people. All three work in conjunction with one another to protect the business. By the way, fortifying your security posture is a business initiative, not an IT initiative. If you position it as “an IT thing” — IT. WILL. FAIL. That’s a tough pill for some to swallow, but information security is a business initiative AND everyone’s job.

Now, let’s give each security component the attention it deserves. This first post in a three-part blog series is about TECHNOLOGY.

NOTE: There are no perfect solutions for information security, but new tools and resources are being developed that make it easier than ever to protect your assets from the inside and the outside.

TECHNOLOGY TIPS AND SUGGESTIONS:

  • Start with penetration tests and risk assessments that check for vulnerabilities inside and outside of your organization. You must have firewall protection, but in this modern world, that is not enough. At a minimum, firewalls should be paired with a visibility tool (IDS) and a control tool (IPS) for monitoring traffic coming AND going.
  • The best way to secure your corporate information is to be proactive rather than reactive. Have systems in place to do behavioral analysis and anomaly detection so that you get alerts BEFORE someone gets in or out of your organization.
  • Make sure you get regular check-ups. Vulnerability scans should be followed by exploitation tests that confirm which findings are real. These should be run more than once a year. Use your internal tools and outside help for a better look at your potential weak spots. Leave no stone unturned.
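The "behavioral analysis and anomaly detection" suggestion above amounts to learning what is normal for each account and alerting on departures from it. The following is an added example, not code from the original post or from Alterity: it builds a per-user baseline (hours of day, source addresses, outbound volume) from constructed access-log lines and flags later events that deviate. The log format, the median-plus-MAD volume rule and the thresholds are assumptions for the demonstration; the addresses are private and documentation ranges.

```python
"""Baseline-and-deviation anomaly detection over constructed access logs.
Added example; the log format, data and thresholds are constructed assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) bytes_out=(?P<bytes>\d+)$")

# Constructed log: six quiet days, then on day 7 alice sends ~9 MB at 20:00
# from an address never seen before, and an unknown account "carol" appears.
SAMPLE_LOG = """\
2020-05-04T08:12:05Z user=alice src=10.1.2.3 bytes_out=100000
2020-05-04T08:40:11Z user=bob src=10.1.2.8 bytes_out=90000
2020-05-05T09:02:17Z user=alice src=10.1.2.3 bytes_out=110000
2020-05-05T08:31:44Z user=bob src=10.1.2.8 bytes_out=95000
2020-05-06T10:15:00Z user=alice src=10.1.2.3 bytes_out=120000
2020-05-06T08:55:23Z user=bob src=10.1.2.8 bytes_out=100000
2020-05-07T09:47:39Z user=alice src=10.1.2.3 bytes_out=105000
2020-05-07T08:10:02Z user=bob src=10.1.2.8 bytes_out=92000
2020-05-08T11:20:51Z user=alice src=10.1.2.3 bytes_out=115000
2020-05-08T08:05:30Z user=bob src=10.1.2.8 bytes_out=97000
2020-05-09T08:58:12Z user=alice src=10.1.2.3 bytes_out=125000
2020-05-09T08:22:48Z user=bob src=10.1.2.8 bytes_out=99000
this line is malformed and must be skipped rather than crash the detector
2020-05-10T08:15:09Z user=bob src=10.1.2.8 bytes_out=98000
2020-05-10T20:03:27Z user=alice src=203.0.113.9 bytes_out=9000000
2020-05-10T20:10:00Z user=carol src=203.0.113.9 bytes_out=5000
"""


def parse_log(text):
    """Parse lines into (timestamp, user, src, bytes_out); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], int(m["bytes"])))
    return events


def build_baseline(events):
    """Per-user profile: hours of day seen, source addresses seen, outbound volumes."""
    hours, sources, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for ts, user, src, out in events:
        hours[user].add(ts.hour)
        sources[user].add(src)
        volumes[user].append(out)
    return hours, sources, volumes


def detect_anomalies(events, baseline_end, k=5.0):
    """Alert on events at or after baseline_end that deviate from the earlier baseline.

    Volume uses median + k * MAD, which a single huge day cannot drag upwards;
    the MAD is floored at 10% of the median so a flat history still has slack.
    """
    hours, sources, volumes = build_baseline(e for e in events if e[0] < baseline_end)
    alerts = []
    for ts, user, src, out in events:
        if ts < baseline_end:
            continue
        reasons = []
        if user not in volumes:
            reasons.append("unknown-user")
        else:
            med = statistics.median(volumes[user])
            mad = statistics.median(abs(v - med) for v in volumes[user])
            if out > med + k * max(mad, 0.1 * med):
                reasons.append("volume-spike")
            if ts.hour not in hours[user]:
                reasons.append("off-hours")
            if src not in sources[user]:
                reasons.append("new-source")
        if reasons:
            alerts.append({"time": ts.isoformat(), "user": user, "reasons": reasons})
    return alerts


def run_sample():
    """Treat the first six days as baseline and score day 7."""
    return detect_anomalies(parse_log(SAMPLE_LOG), baseline_end=datetime(2020, 5, 10))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of the robust statistics is the "BEFORE" in the tip: a baseline that an attacker's own activity can quietly stretch is no baseline at all, and an account that suddenly appears, works at odd hours and moves far more data than it ever has is exactly the event you want raised while it is still in progress.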

INTERNAL DEFENSE QUESTIONS:

What are your printer vulnerabilities? This is one of the most commonly overlooked areas of vulnerability. Are you using default credentials on these network-connected devices? If so, the bad guys can get in and possibly spread, do database searches and garner all sorts of information from the content held within that device or the network areas it accesses.

What about your workstations? If I’m the bad guy, I want to get in by any means necessary. Once in, I will spread, elevate and stick around for as long as possible. I want to sniff around your machine and find any leftover administrative credentials. Then I can go anywhere.

What are the bad guys looking for? Anything. Names. Addresses. Phone numbers. EMAIL addresses. The bad guys want to know where you go and what you do. They are studying you. They do this so that, ultimately, they can convince you that they are someone they are not. The bad guys are extraordinarily patient.

What should you do?
  • Verify all patch levels are current (from gear to servers to endpoint software).
  • Verify software settings are in line with security best practices (e.g., Microsoft Office Trust Center Settings such as Protected View and Macro Security).
  • Verify that user access and user roles are set to correct permissions.
  • Use drive encryption on local machines.

EXTERNAL DEFENSES SUGGESTIONS:

If I’m the bad guy, what information can I get from the outside? I can collect tons of information about your firm, simply by studying your website. I can get names of authors and email addresses. I can find out what versions of software you are using. All of this is being collected to find the chink in your armor. What should you do?
  • Scrub all metadata from content accessible from the outside
  • Ensure you have the ability to add and remove people and permissions quickly and easily
  • Utilize detect, flag and alert solutions that analyze behaviors and do threat protection

GENERAL CONSIDERATIONS:

  • Take advantage of AI machine learning
  • Stay abreast of new technologies as they become available
  • Implement Mobile Device Management (MDM)
  • Always utilize Multifactor Authentication (MFA) for all business and personal accounts

Remember, people will have grace if you get fooled. They will not have grace if you know how to prevent an attack and you didn’t take the necessary measures to prevent it. We are currently in a state of heightened awareness regarding information security. That gives us a real opportunity for change.
Cybersecurity Layering

With the Fall comes colder weather, and layers are the fashion of the season! Layering up from head to toe helps keep you cozy and safe from the elements. Pair boots with some thick socks, add warmth with a favorite turtleneck, and incorporate a pop of color with a scarf. Add in sweaters, jackets and hats, and there are a multitude of opportunities to layer up! Fall fashion is similar to cybersecurity awareness training in that you should layer learning opportunities to improve your overall program. Try to cover all the essentials – websites, videos, podcasts and blogs. Every measure helps keep your organization safe from possible data breaches. In addition to turning to your favorite Alterity Cybersecurity Awareness Training consultants, here are some resources you can use to layer up:

  • Websites
  • Videos
  • Articles
  • Webinars
  • News, Analysis, Opinions
  • Podcasts
  • Blogs (Curated Blogs)
  • IT Security Shows
Cybersecurity Information

There is no shortage of scary and fearful things going on in the world around cyber threats and crime. This constant flow of information around cyber threats and dangers has caused a general sense of fear and dread that needs to be addressed.

The National Institute of Standards and Technology (NIST) came out with findings from a study that indicated that many people are experiencing what they refer to as a new "phenomenon": Security Fatigue. This is the condition that happens when people are inundated with cybersecurity information that for most is incomprehensible. What does another breach of a BILLION records actually mean to me? If it's just a matter of when and not if, why should I bother making changes? I'll just hunker down, brace for impact, and take my chances. Security Fatigue! This is a dangerous position. Hope is not a plan! If someone wants your information, they are praying you have Security Fatigue.

It is important for an organization’s leaders to put this information into context and make it relevant to their people. Let them know why they should care. For example, knowing that there are dangers walking down a certain alley is good information. With that information, I can make informed decisions and take a different route. It's the same with cybersecurity information.

We are dealing with a human condition. People get scared of things they do not understand or know about. Cybersecurity information can be scary and confusing, but it doesn't have to be. Translate the threat into actionable things that real people can do in their real lives. For example:
  • Learning about another breach of data from a major organization should remind us to protect our personal data by placing a freeze on our credit and/or putting monitoring in place for the important accounts in our life.
  • Hearing news about identity theft should remind us how valuable our identity really is and to add multiple ways of verifying that you are who you say you are when connecting to your personal and professional accounts. You can do this with some easy steps, such as adding multifactor authentication and using a password management software solution.
  • Learning about phishing and spear phishing attacks should raise our awareness that not all emails are legitimate. You should make a concerted effort to verify email messages and avoid blindly following links or opening attachments.
  • Being aware of Smart home technology options should remind us that all internet-connected devices (the IoT) can be a threat. Small changes like modifying default administrative passwords can add a level of protection and allow you to safely enjoy the benefits of Smart technology in your life.

It is time to help people overcome Security Fatigue! There are constant threats of cyber attacks, but being informed about cybersecurity risks and dangers helps us protect the information that is most important to us. Fear is cancerous and debilitating, but knowledge is power. Knowing information…even bad information…is a good thing. Live informed, not in fear!