Tag Archives: cyberrisk management

Q&A With New National Cyber Security Alliance Executive Director Kelvin Coleman

Posted on by

The National Cyber Security Alliance (NCSA) announced that its new executive director is Kelvin Coleman, who has held high-level positions in the United States Department of Homeland Security, and the National Security Council.

Coleman’s appointment puts him in charge of the country’s leading cybersecurity and privacy protection education and awareness organization, responsible for leading organizational growth; facilitating strategic partnerships and alliances with government, industry and non-profits; and acting as NCSA’s primary spokesperson.

He discussed with Risk Management Monitor the types of cyberrisks he follows, preventative measures and upcoming NCSA events and services.

What are the biggest cyberrisks facing businesses today? How do you plan to advise or collaborate with business leaders to combat them?

buy azithromycin online metabolicleader.com/p7pmm/img/jpg/azithromycin.html no prescription pharmacy

Some of the biggest cyberrisks facing businesses today include email threats, employee activity and vendor security. When it comes down to addressing cyberrisks targeting businesses of varying sizes, everyone needs to start with the basics. It is imperative to get leadership on board with recognizing that cyber resilience is more than just taking technology-focused measures, but also modifying processes and behaviors at all levels in the organization.

What are the attacks that are easiest or most difficult to prevent?

The answer to both is phishing. Attacks come in through three different ways – people, products, and processes. A great product can hold attackers at bay. Similarly, great processes can mitigate a threat. Human beings are the wild cards. People are both the easiest to control and the most difficult, especially when it comes to phishing attacks. One of the NCSA’s tips is “when in doubt, throw it out.” We try to make sure folks understand that if they are not familiar with a link or a website, they need to delete it or ignore it.

At NCSA, our focus is on the human side of cyberattacks, and we work to get people to change their behaviors as well as understand the processes for keeping their devices and online accounts safe, particularly as phishing attacks become more sophisticated.

Speaking of the human side, which professionals are most exposed to cyberrisk?

All of them. Cybersecurity needs to be embedded into the company culture from the most entry-level positions to the most senior, because hackers can access information at any level. We’re all vulnerable, from the break room to the boardroom. We often tell small business owners that they must also train their employees to recognize malicious links and emails, as employees can often be the weakest link when it comes to cybersecurity at the office.

What is your reaction when you learn that the information of 500 million Marriott guests may have been exposed?

Marriott is a great example of a company doing as much as it can to prevent an attack but still being targeted. They were not laissez-faire about their security. So, I see it as a warning for everyone to remain extremely vigilant in the face of increasing numbers of cyber attacks. If it happens to Marriott, we’re all vulnerable to an attack of this nature.

Small businesses seem just as susceptible to cyberrisk as large ones. How would you advise small businesses to protect themselves?

buy diflucan online metabolicleader.com/p7pmm/img/jpg/diflucan.html no prescription pharmacy

Small businesses are more at risk and they often have information, such as customer data, that’s just as valuable to hackers as that of the customer data from large corporations. Small businesses often don’t have the resources to invest in a prevention plan, nor do they have the capital or leadership or knowledge about cybersecurity. This is why they’re often targets for hackers.

Our advice for small businesses doesn’t vary much from what we advise to all people: Keep a clean machine by keeping software updated, use stronger authentication and passwords, recognize and avoid phishing links, etc. If [a small business] decides to hire a third-party vendor for cybersecurity, we advise them to do their research and hire a reputable vendor. We also encourage them to attend our regional CyberSecure My Business events in their local community, or take part in a CyberSecure My Business webinar.

What new initiatives or campaigns will you be overseeing for in 2019?

In 2019, our overarching goal is to empower individuals and – at the same time– focus on educating businesses to respect privacy, safeguard data and enable trust. This means that consumers need to know how organizations collect and use personal information and companies of all sizes need to be transparent and communicate in an accurate and consumer-friendly language to their customer base.

buy keflex online metabolicleader.com/p7pmm/img/jpg/keflex.html no prescription pharmacy

We will share key messaging and provide actionable tips to help protect privacy. NCSA and our highly engaged partners will host numerous events that will shine a spotlight on the rapidly changing technology landscape and forging ahead toward the future of privacy. We plan to engage industry leaders with diverse perspectives to address opportunities and challenges. In addition, we will soon be launching our Champions program which is a way for both individuals and businesses to officially show support. We expect to launch the Champions portal – along with additional Data Privacy Day information – in mid-December 2018.

What changes or improvements are in store for National Cyber Security Awareness Month (NCSAM)?

I don’t believe NCSAM needs a shiny new toy each year. Our plan is to engage a much larger audience. NCSAM continues to reach more and more people every year, but there are still significant numbers of Americans who need to hear our message – not just during October but throughout the year. We want to connect these folks more with our proven tips for staying safe and secure online. Our goal at NCSA is reinforcing our cybersecurity best practices among a broader audience to better impact online behavior.

Cyber’s Human Side

Posted on by

People are often tired, distracted and overworked. They are bound to make mistakes, inadvertently overlook policies and procedures and have quick lapses in judgement—forgetting hours and hours of training.

Human error is a significant problem when it comes to managing cyber exposures. Most cyber surveys point to people as the root cause of a breach.

buy tretiva online medilaw.com/wp-content/uploads/2015/03/jpg/tretiva.html no prescription pharmacy

The Information Commissioner’s Office (ICO) compiles statistics about the main causes of reported data security incidents. In its first 2018 quarterly report, four of the five top causes reported to them involved human errors:

  1. Loss or theft of paperwork – 91 incidents
  2. Data posted or faxed to incorrect recipient – 90 incidents
  3. Data sent by email to incorrect recipient – 33 incidents
  4. Insecure web page (including hacking) – 21 incidents
  5. Loss or theft of unencrypted device – 28 incidents

James Bone, author of the “Cognitive Hack: The New Battleground in Cybersecurity…the Human Mind,” will lead a RIMS webinar Aug. 23 that explores the cognitive risk framework. Bone asks: are risk professionals considering the “human element” in their cyber risk management plan?

According to Bone, “The purpose of creating the cognitive risk framework is to begin to educate risk professionals about the need to incorporate the human element into their risk programs, to identify areas where human error or lapses can cause significant damage, and then design effective solutions.”

Bone points to the airline and automotive industries as examples where the value of human element risk management planning has already been realized. “Automation in cockpits, navigation systems, lane assistance technology and, even something as simple as the seatbelt demonstrate organizations’ and industries’ attention to human error risk mitigation.”

“All of us have a limit in our ability to work and focus at a very detailed level for long periods of time,” Bone said. “The ability to design a work environment that simplifies the work that people do will help reduce risk.

buy flomax online medilaw.com/wp-content/uploads/2015/03/jpg/flomax.html no prescription pharmacy

And, while human error is a piece of the cyber risk management puzzle, it isn’t the only human element cyber concern. Human routine, tendencies and employee processes are constantly monitored by cyber predators. “A sophisticated hacker can spend up to 18 months to two years setting their strategy to attack your organization,” he said. “They are studying the rhythm of the workflow and the movement of data across the firm. They gain a tremendous advantage by just sitting silently and watching.

buy renova online medilaw.com/wp-content/uploads/2015/03/jpg/renova.html no prescription pharmacy

Implementing a cognitive risk framework is no easy task. The key is data. “A lot of data is mislabeled, making it difficult for risk professionals to see the connection between an end result and the human behavior that caused it. In order to use data to its fullest, it needs to be properly categorized with descriptors that allow risk professionals to be able to leverage it,” Bone said.

Organizations with risk frameworks that fail to incorporate the human element are, in his opinion, acting on assumptions. “They are assuming people will be able to follow thousands of policies and procedures with perfect accuracy every time,” he explained. “We shouldn’t assume that people won’t be distracted at work and click on phishing emails. We shouldn’t assume that people will change their passwords as frequently as we want them to. We shouldn’t and can’t be afraid to incorporate new ideas and solutions to improve routines or, at least, make them more difficult to track.”

People are the common denominator. They are not perfect by any means, but incorporating a cognitive risk framework can be a valuable advantage that allows organizations to stay ahead of human element risks while identifying opportunities to improve processes and increase productivity.

Ransomware Attacks Increase, With U.S. the Primary Target

Posted on by

Ransomware attacks constituted the greatest cybercrime danger in 2016 as the volume and value of attacks rose sharply, according to a new report from internet security firm Symantec.

“Attackers have honed and perfected the ransomware business model, using strong encryption, anonymous Bitcoin payments, and vast spam campaigns to create dangerous and wide-ranging malware,” according to “Internet Security Threat Report (ISTR), April 2017.”

The average ransom amount involved in such attacks jumped 266% to $1,077 during 2016 from just $294 in 2015. Symantec also found that frequency increased, with detection of ransomware up 36% to 463,000 from 340,000 in 2015; or 1,271 per day in 2016 compared to 933 per day in 2015.

The United States saw the largest share of these attacks by far at 34%, followed by Japan (9%) and Italy (7%). “The statistics indicate that attackers are largely concentrating their efforts on developed, stable economies,” Symantec said. Further, research from Norton Cyber Security Insight team said that 34% of those attacked will pay the ransom, but that figure jumps to 64% for U.S. victims, “providing some indication as to why the country is so heavily targeted,” the Symantec report said.

Another indicator of rising ransomware activity is the tripling of new families of ransomware to 101 in 2016 from just 30 in both 2105 and 2014. While the number of new variants (distinct variants of existing ransomware families) declined 29% to 241,000 from 342,000 in 2015, this “suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

The proportion of ransomware infections on consumer computers rose only marginally to 69% from 67% in 2015 as the rate of infections for enterprise and other organizations dropped accordingly to 31% from 33% in 2015. Consumer infections totaled between 59% and 79% for every month except December, when they fell to 51%.

Beyond the top threat of ransomware, the report discusses exposures including “New frontiers: Internet of Things, mobile, & cloud threats,” and has a section that lists multiple challenges from malware, spam and phishing via email. Email, for example, was a major avenue of attack in 2016, “used by everyone from state- sponsored cyber espionage groups to mass-mailing ransomware gangs,” it said, adding that one in 131 sent during 2016 were malicious, the highest incidence in five years.

Symantec also discusses a few of the largest cybercrimes of the year, including the theft of $81 million from the central bank of Bangladesh and alleged tampering with the U.S. electoral process. “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the US electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record,” according to the report.

Despite the apparent rising threat level portrayed in the report, the cyber insurance landscape remains untamed, Risk Management Magazine reported in April. Potential customers would be wise to educate themselves prior to approaching the market.

Financial Services IT Overconfident in Breach Detection Skills

Posted on by

Despite the doubling of data breaches in the banking, credit and financial sectors between 2014 and 2015, most IT professionals in financial services are overconfident in their abilities to detect and remediate data breaches. According to a new study by endpoint detection, security and compliance company Tripwire, 60% of these professionals either did not know or had only a general idea of how long it would take to isolate or remove an unauthorized device from the organization’s networks, but 87% said they could do so within minutes or hours.

When it comes to detecting suspicious and risky activity, confidence routinely exceeded capability. While 92% believe vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on their network, for example, 77% said they automatically discover 80% or less of the devices on their networks. Three out of 10 do not detect all attempts to gain unauthorized access to files or network-accessible file shares. When it comes to patching vulnerabilities, 40% said that less than 80% of patches are successfully fixed in a typical cycle.

The confidence but lack of comprehension may reflect that many of the protections in place are motivated by compliance more than security, Tripwire asserts.

buy spiriva online abucm.org/assets/jpg/spiriva.html no prescription pharmacy

“Compliance and security are not the same thing,” said Tim Erlin, director of IT security and risk strategy for Tripwire.

buy ventolin online abucm.org/assets/jpg/ventolin.html no prescription pharmacy

“While many of these best practices are mandated by compliance standards, they are often implemented in a ‘check-the-box’ fashion.

buy prograf online abucm.org/assets/jpg/prograf.html no prescription pharmacy

Addressing compliance alone may keep the auditor at bay, but it can also leave gaps that can allow criminals to gain a foothold in an organization.”

Check out more of the study’s findings below:

financial services cyber risk management