Want to take a peek at the World’s Worst Data Breaches? Here you go:
Now that we’ve got that out of the way, let’s start this blog post over again. Our goal isn’t to frighten you or deepen the numbness you might already be feeling from the drip, drip, drip of bad cyber news.
It’s National Cybersecurity Awareness Month (NCSAM), which was launched in October 2004 as a collaboration between the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security with the goal of raising awareness and providing education on cybersecurity issues.
The name is something of a misnomer, however. NCSAM is designed to do more than make you aware of cyber risks. Its bigger goal is to arm you with information and tools you can use to strengthen yourself, your social groups, and your businesses against the cyber criminals who prey on us.
In the spirit of NCSAM, we at Threat Stack want to do our part by sharing some of the advice our bloggers have offered on how to take action to protect yourself and your company from cyberattacks. With that in mind, here are summaries of four recent blogs.
1. 4 Steps to Building a Security Awareness Program
First up is a post that gives advice on creating a security awareness program in your organization. Recognizing that security isn’t just about technology, this post addresses human factors and the part that employees can play within the context of a company-wide security awareness program.
The goal is to stop treating security as a series of one-off events or activities that are handled by experts (often in reaction to incidents after they’ve taken place) and to create a proactive, pervasive culture where employees can recognize security risks and then take action on their own or escalate as appropriate.
The post recommends carrying out the following “human factors” steps:
- Creating a Security Handbook containing a body of information that employees know about and actually consult when they need information about a security issue.
- Setting up real-time communication channels using two-way tools such as Slack so employees can report issues and get guidance as they occur.
- Holding in-person information sessions to create a culture of openness and to bring important issues to employees in a dynamic, engaging fashion.
- Creating a Security Awareness Week to pull security out of the shadows and raise awareness throughout your company.
If you’re up for more reading, you can also take a look at the recommendations in How to Implement a Security Awareness Program at Your Organization.
2. The Real Implications of the Shared Security Model
Providers like AWS have gone to great lengths to codify and transparently communicate a Shared Responsibility Model that has expressly defined the scope and boundaries of responsibility. Increasingly, customers recognize that Amazon and its brethren have all-star teams that have a security focus ingrained in them.
In this post, Pete Cheslock, Threat Stack’s Senior Director of Operations & Support, takes a detailed look at the Shared Responsibility Model and explores areas where companies can extend their security beyond the basic split of “the provider secures the cloud; the customer secures what runs in it.”
As he points out, even as confidence in the providers’ security of the underlying cloud grows, Security and DevOps teams still have to be vigilant about their own workloads: the operating systems, applications, identities, configurations, and data they put on top of it. Organizations have to pick up their end of the shared responsibility bargain — and in some cases, even take it a step further than what is strictly required.
To determine where and how you should extend your security responsibilities, Pete recommends asking questions like:
- What can we control security-wise? What can’t we control?
- What do our customers expect of us, security-wise?
- What do we need to focus on from a compliance perspective?
- What types of data pass through our system, and what security concerns arise?
- What do our competitors cover security-wise that we don’t?
- And more, depending on your situation
Simply put, by going beyond the basics, you will strengthen your overall security posture, gain or strengthen competitive advantage, improve your reputation with customers, and likely improve your products and services, too.
3. W-2 Phishing Scams: What You Need to Know to Stay Secure
Last February, Kevin Durkin, Threat Stack’s CFO, wrote an important post about W-2 phishing scams. His advice is all the more important following the latest Equifax breach that exposed a huge amount of personal information including Social Security Numbers.
Here’s some of what Kevin had to say.
Phishing attacks have recently been targeting W-2 forms because they are a treasure trove of personal and financial information: names, addresses, Social Security Numbers, and wage data, everything needed to file a fraudulent tax return. The attackers typically pose as a senior executive or other trusted source and email HR or payroll staff asking for employees’ W-2 forms, often with a note of urgency so the request is fulfilled before anyone verifies it.
Kevin recommends making yourself an unappealing target through a combination of employee training so people know what to look for (unexpected requests for bulk employee data, sender addresses that don’t match the person they claim to be, pressure to act quickly), periodic testing such as simulated phishing campaigns, and continuous security monitoring.
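The “what to look for” advice above maps directly onto a few mail-header and body checks that a monitoring pipeline can run on inbound messages. The following is an added example written for this summary, not code from Kevin’s post or from Threat Stack; the corporate domain `example.com`, the `EXECUTIVES` roster, and the three sample messages are all constructed for illustration. It flags the classic W-2 phishing shape: an executive’s display name on a non-corporate address, a Reply-To that routes answers outside the company, a lookalike sender domain, and a body that asks for W-2 or payroll data with urgency.

```python
"""Heuristic checks for executive-impersonation (W-2 / BEC-style) phishing.

Added example, not from the original post. ORG_DOMAIN, EXECUTIVES and the
SAMPLE_* messages are assumed/constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed corporate domain
EXECUTIVES = {               # assumed roster: display name -> legitimate address
    "Jane Roe": "jane.roe@example.com",
    "John Doe": "john.doe@example.com",
}

# Things a W-2 phish asks for, and the pressure it applies.
REQUEST_PATTERNS = [r"\bw-?2s?\b", r"\bpayroll (report|data|file)s?\b",
                    r"\bsocial security numbers?\b", r"\bssns?\b"]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"\basap\b", r"\bas soon as possible\b",
                    r"\bbefore (the )?end of (the )?day\b"]


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance; small distances to ORG_DOMAIN mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    """Collect the text/plain parts of a message as one lower-cased string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks).lower()


def check_message(raw):
    """Return a list of reasons the message looks like W-2 phishing ([] = clean)."""
    msg = message_from_string(raw)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    display = " ".join(from_name.split()).title()
    if display in EXECUTIVES and from_addr.lower() != EXECUTIVES[display]:
        reasons.append(f"display name '{from_name}' is an executive but sender is {from_addr}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != ORG_DOMAIN:
        reasons.append(f"Reply-To {reply_addr} is outside {ORG_DOMAIN}")

    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom} is a lookalike of {ORG_DOMAIN}")

    body = _body_text(msg)
    if any(re.search(p, body) for p in REQUEST_PATTERNS):
        reasons.append("body requests W-2 / payroll / SSN data")
        if any(re.search(p, body) for p in URGENCY_PATTERNS):
            reasons.append("request is framed as urgent")
    return reasons


# Constructed sample messages (not real mail).
SAMPLE_PHISH = (
    'From: "JANE ROE" <jane.roe.ceo@mail-service.example>\n'
    "Reply-To: <jane.roe.ceo@mail-service.example>\n"
    "To: payroll@example.com\n"
    "Subject: W-2s\n\n"
    "Hi, I need the W-2s for all employees ASAP for a review. Send them as PDF.\n"
)
SAMPLE_LOOKALIKE = (
    'From: "HR Team" <hr@examp1e.com>\n'
    "To: payroll@example.com\n"
    "Subject: Payroll\n\n"
    "Please send the payroll report for Q4.\n"
)
SAMPLE_LEGIT = (
    'From: "Jane Roe" <jane.roe@example.com>\n'
    "To: staff@example.com\n"
    "Subject: All-hands\n\n"
    "Reminder: all-hands is Thursday at 10.\n"
)

if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(label, check_message(raw) or "clean")
```

These checks are deliberately simple and will miss a compromised real executive mailbox, which no header check can catch; that case is exactly why the post pairs monitoring with training and an out-of-band verification habit for any request to send employee data in bulk.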
Who falls for phishing scams? According to Verizon’s Data Breach Investigations Report, a lot of us: the 2016 report found that about 30 percent of phishing messages were opened by their recipients and roughly 12 percent of recipients went on to click the malicious link or attachment, and the 2017 report found that about one in fourteen users was tricked into following a link or opening an attachment, a quarter of them more than once.
(A final note: We’re very proud of Kevin at Threat Stack. Recently Boston Business Journal honored him as CFO of the Year, and he’s a frequent contributor to this blog. For a summary of some of his recent articles, take a look at 5 Security Blogs Your CFO Needs to Read.)
4. How to Stay Secure at Conferences
Pete Cheslock spends a lot of time at conferences, and when we asked him to share advice on how to stay secure on the road, he came back with a lot of valuable tips.
Anytime there’s a large group of people, especially one that has its roots in tech, security can be a concern. More devices in one place and a concentration of industry players can mean a field day for casual or targeted attackers. Luckily, there are key security basics and hygiene best practices you can follow so that attending conferences doesn’t mean opening up a wider attack surface for yourself or your organization.
First and foremost, he focused on ways you can protect all of your devices — phones, laptops, tablets, wearables, and IoT devices, stressing, among other things, that you need to:
- Take inventory and maintain control of your devices by knowing which ones you’re bringing with you and where they are at all times.
- Protect each device with a strong passcode or password, set it to lock automatically after a short timeout, and use a password manager so you aren’t reusing credentials across accounts.
- Use Two-Factor Authentication whenever possible and consider using a service like Find My iPhone or Prey that will let you geotrack your devices if they are stolen or lost and remotely wipe them if needed.
- Stay away from unsecured public WiFi networks, or any network that isn’t trusted.
As a reminder that technology by itself isn’t the answer to every security problem, Pete also talked about the human side of security, including best practices for using social media as well as sound advice on what to discuss (and not discuss) in public.
While his advice focused on attendance at conferences, it applies just as well as we go through our daily personal and work routines.
Final Words . . .
In the midst of all the bad news, it is reassuring that a lot of individuals and organizations are working to make life online safer for all of us. Nationally, of course, there’s Cybersecurity Awareness Month. In our region, Massachusetts Governor Charlie Baker has announced the formation of the brand new Cybersecurity Growth and Development Center, whose goal is to unite the cybersecurity sector in Massachusetts while also training new talent. And, at Threat Stack, where we take security very seriously, we are committed to accelerating cybersecurity innovation. Finally, it is reassuring to know that as individuals and as organizations, there is a great deal we can do to turn awareness into action to help make life safer in our cyber world throughout the year.