Do You Trust Your Network?

Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.

The question seems simple enough, doesn’t it?  But have you asked the question?  My feeling is that not enough people actually do.  Of course, a natural response may be: isn’t that a question for my IT department to answer?

Yes and no (more on that in a moment).  And I promise I am not trying to play word games, but words and their meanings matter, and am therefore placing particular focus on the word trust.  Trust is different than confidence.  Trust is different than transparency.  Trust has a much more “personal” element than the others.  And so much of what we do in the world today is based on trust. Continue reading “Do You Trust Your Network?”

Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks

The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency.

What are the new Cybersecurity Stakes – What are vulnerabilities and risks?

We live in world of algorithms; x’s and o’s. Our digital world is ripe for access and compromise by those who want do harm from just a laptop and server. A myriad of recent breaches have demonstrated that as consumers we are becoming more and more dependent upon digital commerce. Our banking accounts, credit cards, and financial daily activities are interconnected. We are all increasingly vulnerable from hackers, phishers, and malware proliferating across all commercial verticals.

In the past year, the employment of ransomware has become a method of cyber-attack choice by hackers. This is because many networks (especially hospitals, utilities, universities, and small businesses) are comprised of different systems, devices and often lack required patching and updating necessary to thwart attacks. The recent Wannacry, and Petya attacks were certainly wake up calls to the disruptive implications of ransomware. We can expect to see more such attacks because of the ease of infection and because the vulnerabilities to networks still remain. Continue reading “Rising Tides and Higher Stakes – High Performance Counsel Interview with Chuck Brooks”

A Quick Summary of Recent Trends & Developments That Businesses and Law Firms Should Know

“Nearly 60 percent of small businesses have to close shop after a data breach, which costs, on average, about $32,000 per attack.”

Cybersecurity Spending Soaring:

According to market research firm Gartner, global spending on information security is expected to reach nearly $87 billion in 2017 — an increase of around 7 per cent over 2016 – and is expected to top $113 billion by 2020.  Also according to Gartner, by 2020, 40 percent of all managed security service (MSS) contracts will be bundled with other security services and broader IT outsourcing (ITO) projects, up from 20 percent today. Continue reading “A Quick Summary of Recent Trends & Developments That Businesses and Law Firms Should Know”

Cybersecurity Starts With Basics

I start from this premise: we have finite resources. I do not think anybody serious would disagree with me on this premise. Therefore, let us be smart about how we use these resources. And part of being smart is asking the right questions and knowing the basics.

One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream.  The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is.  And as a result, we spin our wheels or head off into differing directions.

For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics.  It is a disservice to all when pundits use words, such as hack and leak, interchangeably.  Those who have a more informed understanding of the issue know that these terms having incredibly different meaning.  The same can be said for words such as stolen and copied.  They are not the same and are often confused, even misused.  And how about this one: the difference between authorized access by an unauthorized user and unauthorized access.  The fine nuance between the two can entirely re-characterize the nature of an attack. Continue reading “Cybersecurity Starts With Basics”

Cyber Hygiene and Government–Industry Cooperation for Better Cybersecurity

Certainly, information collaboration is a key component of any successful cybersecurity initiative effort, and the relationship between industry and government is no exception.

This past month cybersecurity legislation, called Promoting Good Cyber Hygiene Act of 2017, was introduced that would mandate the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and the Department of Homeland Security (DHS) to establish baseline best practices for good cyber hygiene, authentication and cooperation.

Specifically the legislation states that the list of best practices established “shall be published in a clear and concise format and made available prominently on the public websites of the Federal Trade Commission and the Small Business Administration.” It also recommends including “other standard cybersecurity measures to achieve trusted security in the infrastructure.” Continue reading “Cyber Hygiene and Government–Industry Cooperation for Better Cybersecurity”

Ransomware Heists are Only Part of the Board’s Problems

Your job isn’t done by completing vulnerability assessment. You actually have to do something about those vulnerabilities you have found.

It’s 10:00 am Monday morning and management is in the hot seat. The stock has lost 15 points since the opening bell and is going in a downward spiral. The company is being maligned on the news and trolled on social media. Shareholders are demanding to know how the company allowed a breach to happen over the long weekend, exposing 100 million pieces of personally identifiable information. An emergency meeting with all available board members is called for 1:00 pm to discuss the state of affairs and the question, “What do we do now?”

Ready to present, management and IT hastily put together a presentation of what happened. As soon as the presentation starts, the unthinkable occurs: ransomware takes control. Its demands are simple: $50 million in Bitcoins within one hour, or at 2:00 pm the hacker group dumps corporate R&D and emails from the last year into the public domain. There is no way for the company to recover once this information goes public. Continue reading “Ransomware Heists are Only Part of the Board’s Problems”

Closing the Awareness Gap Requires a Team Effort

In March 2017, Forbes made the case that the IT skills gap is really more of an awareness gap: “College graduates’ skills are not visible to employers because while they’re leaving colleges and universities with transcripts and resumes, employers aren’t able to see the skills they’ve developed through coursework and co-curricular activities.”

Until academic programs provide current and prospective students with documentation on how their multitude of classes translates into mastery of different skills, students are left trying to connect the dots on their own. But to connect the dots, students must step back and reflect on their lessons and experiences to translate them into skills — quite a challenging task in the midst of an academic term or degree program. Continue reading at SecurityIntelligence.com

Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind. Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season.  You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago.  And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off.  Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management.  It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing.  Furthermore, each time you go off the rails it becomes harder and harder to get back to the good form.  And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives. Continue reading “Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster”

Security Awareness: Three Lessons From Health Campaigns

“If you are doing the same things you did five years ago to keep your business and its data secure, then you do not have an effective security awareness program.” — Michael Corey, technologist and columnist.

A recent study found that nearly 4 out of 5 health care IT executives view employee security awareness as their biggest information security concern. Verizon’s “2017 Data Breach Investigations Report (DBIR)” found that cybercriminals used social attacks in 43 percent of breaches, while 66 percent of malware was installed using malicious email attachments. Meanwhile, 7.3 percent of users fell for phishing attacks by clicking a malware-laden link or opening an attachment. Continue reading at SecurityIntelligence.com