I am writing again on cyber-security as I personally feel this is a topic every organization should really consider for strategic risk mitigation.
Lately I came across a situation with my client where Risk Management has become the key pillar of focus in their organizational re-enlightenment, not denying the fact that many other organizations are also investing a lot of effort in mitigating organizational risk across PEOPLE, PROCESS and TECHNOLOGY.
In today's time, technology RISK has become an interesting “topic”, as corporate organizations have become a primary target for cyber attacks.
Typically, with only anti-virus and a firewall we are not playing a proactive role in curbing this risk, because the primary target is the people employed in the organization.
In my opinion, mitigating Cyber Risk can be approached from the following areas:
- Investment on Assets – This means having the right tools to support the initiatives for a safe organizational working environment. For those who don’t have the budget, or whose organization is too small for this investment, you may consider the FOC (free of charge) ones (remember to use reputable brands only – for example, the Kaspersky Anti Virus basic license, which is free, or AVG; however, the paid version is always better 🙂).
- Investment on People – Statistics show that 12%-14% of cyber risk actually originates from employee negligence and lack of Cyber-Security awareness. Some large organizations spend millions just on creating awareness among their employees globally so that they can prevent risk to the organization. The KEY to this PROBLEM is HUMAN CURIOSITY. There is a funny statement which most IT experts will quote: WHEN I SAY DON’T CLICK, ONLY THEN THE USER WILL CLICK TO FIND OUT WHY I SAY THAT!! … what else can I say??
- Direction from the Business – I also feel that business stakeholders need to feel the pressure that Cyber-Risk is not something to be tested, because once you get HIT, it will be too late. So it's always better to be in PREVENTIVE mode to ensure your business is secured. As a stakeholder, this investment is no longer an option but a Necessity for the Business.
In my organization, as a matter of fact, I have invested in cyber-security initiatives by giving my employees a Cyber-Security Awareness campaign. Some areas which I have deployed are the following:
- Kaspersky Cyber-Security Awareness
- Menlo Isolation Platform – to be in a preventive mindset and to be in Isolation mode.
- Internal Awareness on:
- Security Essentials – We embarked on training on the basics of cybersecurity, educating them on common threats and mistakes in daily life.
- Security Essentials – Recognize and avoid threats encountered by my team at work and at home.
- URL Training – My employees learn how to examine a URL, understand the origin of the link, and identify fraudulent or malicious URLs.
- Email Security – My team will learn to spot phishing traps in emails and recognize fake links, attachments and information.
- Anti-Phishing Phil – My team learns how to examine a URL, understand the origin of the link, and identify fraudulent or malicious URLs.
- Anti-Phishing Phyllis – I actually educate them to spot phishing traps in emails and recognize fake links, attachments and information.
- Password Security – We have a list of tips and tricks to create stronger passwords, to use a password family to aid in password recall and to safely store passwords.
- Safe Social Networks – Social networks are good, but I educate them about the types of “impostors” that can be found online, the implications of very public social networks, and how to spot scam messages on social networks (“very dangerous”).
- Protecting Against Ransomware – I heavily educate my employees on how to recognize and prevent ransomware attacks (“with the recent RANSOMWARE incidents”).
- Mobile Device Security – I teach my employees how to secure their smartphones from theft, create PINs, keep communications private, and avoid dangerous apps.
- Mobile App Security – My employees learn how to research app components and the implications of dangerous permissions, which helps them judge the reliability and safety of mobile applications prior to downloading.
- USB Device Safety – I consider this an often-overlooked threat; my employees need to be aware of the risks associated with flash drives and other IoT items powered via USB ports.
- Physical Security – Awareness in this area is equally important: to prevent and correct physical security breaches, and to adopt the best practices that will help keep my employees, my office and my assets secure.
- Security Beyond the Office – I do educate my employees about using free Wi-Fi safely, the risks of using public computers, and safeguards for company equipment and information at home and on the road (free Wi-Fi is good, but be safe).
- Safer Web Browsing – I frequently run browser content and website content simulations with my team: how to avoid malicious virus pop-ups, the importance of logging out of websites, form auto-complete risks, and how to spot other common website scams.
- Social Engineering – My team learns to recognize common social engineering tactics and practical ways to avoid attacks, and gains insight into how social engineers think.
- Personally Identifiable Information (PII) – Educating my employees about the different types of PII, guidelines for identifying, collecting, and handling PII, actions to take in the event of a PII breach and tips and techniques for improving overall PII security.
- Payment Card Industry Data Security Standard (PCI DSS) – We take the initiative to understand PCI-DSS requirements, identify PCI-DSS compliance, manage records and accounts, as well as recognize and act upon security breaches – CREDIT CARD information needs to be secured!!
- Data Protection and Destruction – We educate everyone in my organization about the different types of portable electronic devices and removable storage media, the pros and cons associated with them, best practices for securing these devices and for securely disposing of data.
- Travel Security – Awareness of how to keep data and devices safe when working in airports, in hotels, at conferences, and in other public spaces.
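The URL examination taught in the URL Training and Anti-Phishing Phil items above, as an added example that is not part of the original post and not the vendor's training material: a small Python checker that pulls the real origin out of a link and flags the deceptive patterns users are taught to look for. The trusted-domain set and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed assumption: the organisation's own domain(s) that users expect to see.
TRUSTED_DOMAINS = {"example.com"}


def registered_domain(host):
    """Return the last two labels of a host name (e.g. 'example.com').

    That part decides where the link really goes; everything to its left is a
    subdomain the link owner can choose freely.  Simplified heuristic: a real
    deployment would consult the Public Suffix List for names like 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def examine_url(url):
    """Return (real_origin, warnings) for a link, the way a user is taught to read it."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # 'https://example.com@evil.test' goes to evil.test, not example.com
        warnings.append("credentials before '@' hide the real host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        is_ip = False
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised/lookalike characters in host")
    origin = host if is_ip else registered_domain(host)
    if origin not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # a familiar name used as a subdomain or with dots swapped for dashes
            if trusted in host or trusted.replace(".", "-") in host:
                warnings.append(f"'{trusted}' appears in the name but the real domain is '{origin}'")
    if host.count(".") >= 4:
        warnings.append("unusually many subdomains")
    return origin, warnings
```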
I hope this article was helpful for you to kick-start your CyberSecurity Journey; I send a signal to the universe that your effort to be in a safe environment will be a successful project.
If you need advice or guidance, feel free to contact me:
Prakash Christiansen @ Chris