October 17, 2018 by Joe Williams
As always, when we get to this point in the year we realize that the months have flown by. Before we know it, 2019 will be upon us with new challenges and opportunities. From a business perspective, one of those opportunities is to focus on increased cyber safety and awareness. Regardless of how successful your security awareness training (SAT) program was in 2018, next year is a brand new start, and today is the perfect time to start planning.
Where should you start? The process will differ slightly based on your organization’s size and scope, as well as the degree to which you’ve implemented training programs in the past, but an important first step is to assess users’ current strengths and weaknesses. There are multiple ways to do this: you could deploy a quiz-style assessment (GLS offers a comprehensive one), or even send out a simple questionnaire that asks users how they would respond to different situations. Your goal is to discover where users’ knowledge is solid, and where it may be weak. From there, you can decide what next year’s program needs to target, whether it’s phishing, passwords, or anything in between.
Another key step is to examine the scope and content of your current SAT program. What topics are you already covering, and how do you approach them? Are you utilizing only standard courses, or do you also use gamified content or internal communication materials, such as related articles or print posters? Ideally, a healthy SAT program should expand from year to year, taking familiar content and formats and building on them. For example, if you’re deploying a single security awareness course, consider adding some additional short courses that could supplement users’ knowledge and refresh their memory over the course of the year.
Take the time to determine how well your employees relate to the training they’ve been receiving. Has your program reached users the way you’d like? Are they engaged and interested in the courses they take, or are they apathetic? Although this criterion might seem arbitrary or relatively unimportant, it is a crucial part of analyzing and improving upon existing training. Disinterested employees will disregard training and ultimately fail to follow security procedures. On the flip side, fully engaged employees are much more likely to retain and implement best practices. Evaluate how your users learn, what they relate to, and how your program capitalizes on those interests.
Finally, think pragmatically. Did your organization suffer any security-related breaches or scares in 2018? What risky emails did employees receive and/or fall victim to? Did you notice a trend of insecure passwords creating issues for employees, personally or professionally? Looking at current organizational threats provides a good baseline for creating a new training program. Assessing the greatest risks to your organization can provide important guidance for prioritizing training topics or approaches.
Taking the time to plan, evaluate and adjust your security awareness training program can have a measurable and long-term effect on organizational security.
Join us for an upcoming webinar where Joseph Williams, a solutions consultant with Global Learning Systems, will discuss 6 critical elements to consider as you plan your security awareness program in the coming year. You’ll learn valuable tips for evaluating the state of your current SAT program and get insight on the key items you must address, including: assessing your current threat landscape; understanding your organization’s behavior posture; determining the maturity of your program; deciding which elements to include; deploying your program effectively; and measuring success.
Register for the 6 Critical Elements for a Successful Security Awareness Training Plan webinar.
October 11, 2018 by Marina Kelly
In its latest blog post titled “Project Strobe: Protecting your data, improving our third-party API, and sunsetting consumer Google+,” Google has announced the findings of Project Strobe. Described as a “root-and-branch review of third-party developer access to Google account and Android device data, and of our philosophy around apps’ data access” the blog post outlines four “Findings” and associated “Actions” based on the project audit.
The first Finding and Action are the most important.
“Finding 1: There are significant challenges in creating and maintaining a successful Google+ product that meets consumers’ expectations.
Action 1: We are shutting down Google+ for consumers.”
Many of us who work in development probably had a similar reaction to the Finding: “Duh, you did not need an audit to know that! There are significant challenges in the creation and maintenance of any product with a consumer base, especially one for social media!”
However, what looks like a simple attempt at stating the obvious actually masks a very serious announcement of a security breach that was found as part of the review. Seven paragraphs in, Google admits:
- The bug was found in March 2018 and was immediately patched
- The bug left sensitive information such as user names, email addresses, occupation, gender and age exposed
- 438 applications had used the API
- Up to 500,000 Google+ Profiles were impacted
- Google cannot tell which users were impacted by the bug because they only kept the API log data for two weeks
The blog goes on to say, “Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
If you have an information security mindset and are aware of various regulations and standards related to sensitive personal information (also known as Personally Identifiable Information, or PII), you are probably stunned at this point. In the last month, we have seen security-related announcements from Facebook, Twitter (who announced late last month a bug that sent unauthorized developers the direct messages and protected tweets of some users), and now, Google. All have one thing in common:
The bug was in an Application Programming Interface (API) that was in production!
It is another perfect reminder of why secure coding is vital to the security posture of a company. If you have a development team, whether in-house, remote, or contracted, you need to have a secure coding standard that has gateways, reviews and sign-offs at every step. It does not matter which software development lifecycle (SDLC) methodology you use (Agile, Waterfall, Prototype, Rapid, Extreme, etc.). All SDLCs support having a secure coding framework placed alongside them. Your goal is to avoid common bugs and flaws, and to find bugs as early in the process as possible. The industry standard in support of secure coding is the OWASP Top 10.
It is also important that your organization is aware of the various industry standards and protocols related to security and privacy. This announcement from Google would have triggered an avalanche of activity and costs under many of these standards, including HIPAA (if healthcare information was exposed), FERPA (if student data was exposed), and PCI (if cardholder data was exposed).
Finally, you may be wondering why Google announced such a specific date - March 2018 - for this possible data breach and remediation. It comes down to four simple letters: GDPR. Google has already been hit this year with a huge $5 billion anti-trust fine from the European Union (EU). Had Google announced this issue after May 25, 2018, when the General Data Protection Regulation came into effect, the impact to the company would have been substantial and the fine could have been close to another $5 billion due to the number of user records impacted and the type of data exposed. Also, Google would not have been able to wait almost eight months to announce the breach, nor would their Privacy & Data Protection Office have been allowed to make the decisions it did.
What a perfect storm! What are the key takeaways from this incident?
- This can happen to anyone, no matter how large or small the organization
- Realize that APIs have just as many security concerns as web applications or websites
- You need a secure coding framework in place NOW
- You need a comprehensive training program at all levels of your organization which addresses the responsibilities of various teams/groups
Unfortunately, none of this is going to get any easier! Development is getting more complex, as are the associated security and privacy regulations. The rules are changing and you must keep up. As in basketball and military combat, your best defense is a good offense.
October 08, 2018 by The GLS Team
Since last October, numerous sexual abuse allegations have been levied against high-profile individuals in organizations with household names -- often resulting in financial and business repercussions in addition to the trauma suffered by the victims and the effects of a hostile workplace on others. As a result, boards of directors are demanding that executive leaders take an immediate and proactive approach to harassment prevention for both business and moral reasons.
In other words, organizations are realizing they can no longer look the other way on sexual harassment or workplace bullying and expect employees to remain engaged and productive. And, the benefits of ensuring a safe and harassment-free work environment far outweigh the costs.
How can organizations make the changes that alter perspectives and behaviors on this issue? The exact steps will differ based on the organization’s resources and existing protocols, but generally speaking, effective sexual harassment prevention starts with clear policies. All organizations should have an employee handbook that details what types of unwanted behaviors are considered sexual harassment, and what steps should be taken by an employee who believes they have been harassed, or observes an employee harassing others.
Supervisors should have clear procedures in place to make sure that these situations are dealt with swiftly, sensitively and effectively. These procedures should be consistent and well-articulated so all managers know exactly what to do if a situation arises. What’s more, all levels of the organization (including the very top) must be involved in upholding the processes and modeling appropriate behavior. As Forbes notes, CEOs have a duty to use their influence to shift organizational culture from the top down.
Last but not least, education is critical. Proper anti-harassment training reinforces written policy by showing users what harassment looks like and what to do about it. The use of videos that enact different scenarios is extremely effective in demonstrating both the unwanted behaviors and how to handle them. Regular and continuous training ensures employees understand the organization’s commitment to a harassment-free workplace and to policy enforcement.
While some of this advice sounds like it might be targeted toward larger enterprises, small and medium-sized businesses can also adopt harassment prevention policies and make a commitment to safe workplaces. It doesn’t take a big budget to provide effective training, nor should it take a multi-million dollar lawsuit to emphasize the importance of sexual harassment awareness and prevention.
Don’t underestimate the power of informative and engaging anti-harassment training. Contact us to learn more about our comprehensive suite of courses or to see a demo.
October 01, 2018 by Marina Kelly
Facebook has long been known as a place where young, innovative developers want to work. Employees cite the great perks they have, such as small work teams, trust by the organization, and having a sense of accomplishment. Facebook is also a company that has been mired in scandal for the last two years, specifically over their privacy practices and data handling processes. Thursday was not a good day for the corporate giant, as it announced a data breach that impacted 50 million user records.
If you were one of the 90 million people who woke Friday morning to find that you had been logged out of the application, then you were one of the 50 million whose data was breached or one of the 40 million whose accounts were reset as a precaution. Unfortunately, the company has chosen not to tell users upon login whether they were part of the 50 million or the 40 million.
The company announced that the source of the breach was two-fold:
- The feature which allows a user to view their account from the perspective of other users, known as “View as”.
- A bug in the site’s video upload feature which allowed the hackers to steal access tokens.
Facebook joins a long list of companies who have announced data breaches in 2018, including Macy’s, Adidas, Best Buy, Under Armour, and Whole Foods. Consumers are growing more and more concerned with each announcement and are all asking the same question.
Why does this keep happening?
There is no single, simple answer to that question, but these breaches do share some common traits.
- Websites are under constant attack - as companies look to expand their presence and offer their customers more functionality, the attack surface available to hackers grows.
- Breaches of usernames and passwords remain a consistent problem - hackers harvest the login credentials from data breaches to breach other systems, so this information is highly sought in an attack.
- Shape Security’s 2018 Credential Spill Report noted that “Credential stuffing attacks make up, on average, 80-90% of an online retailer’s login traffic.” and “The US consumer banking industry faces nearly $50 Million per day in potential losses due to credential stuffing attacks.”
- Most of these breaches involved the exploitation of coding flaws - whether it is a data leak on a corporate website, a vulnerability in an API, or a security gap in a payment application system, the key takeaway is that these breaches were preventable.
In a corporate culture whose mantra was once “Move fast and break things,” Facebook now must face the consequences of its developers’ coding practices and decisions.
Steve Jobs famously said, “It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do.” In 2018, maybe we need to update that thought.
“Hire smart people, but be sure to provide them the training and tools they need to guide us down the proper paths.”
September 24, 2018 by The GLS Team
Founded in 1901, the National Institute of Standards and Technology (NIST) is a branch of the US Department of Commerce that measures and provides standards for various areas of science and technology. Among IT professionals, NIST is known for its Cybersecurity Framework, which “consists of standards, guidelines, and best practices to manage cybersecurity-related risk.” The framework has been adopted by numerous organizations since it was first instituted in 2012, and has helped organizations understand and avoid various cyber-security threats.
In August, NIST achieved a new victory: its Small Business Cybersecurity Act was signed into law. This law requires that the director of NIST “issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks.” Among other goals, this initiative is designed to assist small businesses in creating a “workplace cybersecurity culture.” In general, the law provides an excellent starting point for increased awareness of and visibility into cyber threats and prevention. And it’s crucially important for small businesses, who tend to have less infrastructure and fewer resources to devote to security awareness initiatives.
One of GLS’ main focuses in 2018 has been to ensure that small and medium-sized businesses are not overlooked when it comes to cyber security. We strive to ensure that our solutions and services are scalable and easily implemented by all companies, regardless of their size. Smaller businesses are easy targets for cyber crime, like phishing, password hacks, or system breaches. And the results can be even more devastating to small businesses than they are for large ones. As a result, GLS takes our responsibility to help small businesses stay secure very seriously, and we’re excited to see that NIST does as well.
Are you a small business owner or administrator who’s still trying to figure out what security awareness means for your employees, or what steps you can take to protect your organization? There’s no better place to start than with training. Keeping employees aware of and able to deal with threats is half the battle, and it’s an easy first step as you work toward a cyber-aware organization. Visit us to learn more about how our training can help meet your needs.