Tag: training

Security Defenses are Not Adequate

We have just completed an extensive survey of security and compliance professionals in mid-sized and large organizations, asking about the current state of their cyber security defenses. We will soon be publishing a white paper discussing the results. Here’s a bit of what we found:

  • Fifty-five to 58 percent of organizations admitted that they are not fully protected against security threats like payment scams, spear phishing attacks and email spoofing.
  • Four of the top five concerns that security and compliance professionals have in the context of their organizations’ cyber security are focused on email-related threats.
  • Sixty-five percent of security and compliance professionals admitted that their organization has suffered a successful attack and/or data breach during the past 12 months, with the most common being a phishing attack successfully infecting systems on their network with malware (28 percent), and a targeted email attack launched from a compromised account successfully infecting an endpoint with malware (25 percent).
  • Corporate executives represent 16 percent of the attack surface in the typical mid-sized and large organization, despite the fact that they account for only two percent of the total number of employees.
  • Forty-two percent of those surveyed told us that their anti-ransomware defenses are either not improving the catch rate for ransomware attempts over time or the catch rate is actually going down.
  • Only 28 percent of those surveyed believe that their end-user training regimen focused on web surfing best practices is “very good” or “excellent”; only 39 percent believe that their user training for detecting and addressing phishing and other unwanted emails is this good.
  • The average cyber security budget will increase by 7.4 percent in 2018 compared to last year; 67 percent of organizations are increasing their budget and only two percent are decreasing it.

Please let us know if you’d like an advance copy of the white paper.

Here are some upcoming security conferences that should be on your radar:

  • InfoSecWorld, Lake Buena Vista, Florida (March 19-21)
  • Black Hat Asia, Singapore (March 20-23)
  • RSA Conference, San Francisco, California (April 16-20)

Dealing With Phishing and Next-Generation Malware (Part 2)

This is a continuation of my last post focused on ways that decision makers can address problems with phishing and next-generation malware:

Establish detailed and thorough policies: Most organizations have not yet established sufficiently detailed and thorough policies for the various types of email, Web and social media tools that their IT departments have deployed or that they allow to be used. Consequently, we recommend that an early step for any organization should be the development of detailed and thorough policies that are focused on all of the tools that are or probably will be used in the foreseeable future. These policies should focus on legal, regulatory and other obligations to:

  • Encrypt emails and other content if they contain sensitive or confidential data.
  • Monitor all communication for malware that is sent to blogs, social media, and other venues.
  • Control the use of personally owned devices that access corporate resources.
  • Creating detailed and thorough policies will help decision makers not only to determine how and why each tool is being and should be used, but it also will help decision makers determine which capabilities can or cannot be migrated to cloud-based security solutions and which should be retained in-house.

Implement best practices for user behavior: The next step is to implement a variety of best practices to address the security gaps that have been identified. For example:

  • Employees need to employ passwords that match the sensitivity and risk associated with their corporate data assets. These passwords should be changed on an enforced schedule, and should be managed by IT.
  • Employees should be strongly encouraged and continually reminded to keep software and operating systems up-to-date to minimize a known exploit from infecting a system with malware.
  • Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more skeptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the “human “firewall” can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks.
  • Employees should be tested periodically to determine if their anti-phishing training has been effective.
  • Employees should be given training about best practices when connecting remotely, including the dangers of connecting to public Wi-Fi hot spots or other unprotected access points.
  • Employees need to be trained on why not to extract potentially suspicious content from spam quarantines that might end up being phishing emails.
  • Employees need to be given a list of acceptable and unacceptable tools to employ for file sync and share, social media and other capabilities as part of the overall acceptable use policies in place.
  • Ensure that all employees maintain robust anti-virus defenses on their personally managed platforms if access to any corporate content will take place on them.
  • Employees should be reminded continually about the dangers of oversharing content on social media. The world will not be a better place if it knows that you had breakfast in Cancun this morning, but it could give cybercriminals a piece of information they need to craft a spearphishing email.

Deploy alternatives to solutions that employees use today: Decision makers should seriously consider implementing tools that will replace many of the employee-managed solutions in place today, but that will provide users with the same convenience and ease of use. For example, IT may want to deploy an enterprise-grade grade file sync and share alternative for the consumer version of Dropbox that is so widely used today. They may want to implement a business continuity solution that will enable corporate email to be used during outages instead of users falling back on their personal Webmail accounts. They may want to consider deploying an enterprise-grade file-sharing system that accommodates very large files if the corporate email system does not allow these files to be sent.

Implement robust and layered security solutions based on good threat intelligence: It almost goes without saying that it is essential to implement a layered security infrastructure that is based on good threat intelligence. Doing so will minimize the likelihood that malware, hacking attempts, phishing attempts and the like will be able to penetrate corporate defenses.

An essential element of good security is starting with the human component. As we discussed above, users are the initial line of defense in any security system because they can thwart some potential incursions like phishing attempts before technology-based solutions have detected them. Consequently, we cannot overemphasize the importance of good and frequent user training to bolster this initial line of defense, the goal of which is to heighten users’ sensitivity to phishing and related threats, and to help users to be less gullible. By no means are we suggesting that users can be the only line of defense, but they should be incorporated into the overall security mix.

Determine if and how the cloud should be used: A critical issue for decision makers to address is whether or not internal management of security, as well as other part of the IT infrastructure, is a core competency that is central to the success of the organization. Key questions that decision makers must answer are these:

  • Will our security improve if solutions remain on-premises?
  • Will managing security on-premises and managed by in-house IT staff contribute more to the bottom line than using a cloud-based provider?
  • Should a hybrid security approach with both on-premises and cloud-based solutions be use? If so, for which systems?

An important requirement in accurately evaluating the use of cloud-based security solutions is for decision makers to understand the actual and complete total cost of ownership for managing the current, on-premises infrastructure. Osterman Research has found consistently that many decision makers do not fully count all of these costs and are not confident in their estimates. If decision makers do not understand accurately what it costs their organization to provide a particular service to their users, this leads to poorly informed decision-making, as well as an inability to determine the potential cost savings and the return-on-investment from competing security solutions.

If you’d like to download our recently published white paper that explores these issues, you’re welcome to do so here.