A Spooky Tale of Cybersecurity

October 23, 2019 Collin Varner

It’s fitting that National Cybersecurity Awareness Month is in October—it may be vampires and zombies that spook us on neighborhood streets, but when it comes to cybersecurity, it’s the things we don’t know that can be the scariest.  Never fear, cybersecurity professionals are working as the good guys—the knights in shining armor, the superheroes—attempting to prevent and combat the villainous schemes of malicious attackers, the metaphorical ghosts and ghouls trying to abduct and steal our information.  But make no mistake, being one of the good guys can often be difficult; as the saying goes, “the hardest thing to do is usually the right thing to do.” Because the evildoers are constantly innovating, seeking new ways to navigate around established defenses, the good guys must always be on their toes, anticipating the next jump scare.

Here are some spooky cybersecurity statistics to haunt you:

Given how scary those points are, it’s unfortunate that we can’t just wake up from our nightmare, put down our book, or simply turn off the horror film to escape these cyber goblins.  However, hope isn’t lost—just as Captain America has his shield and Tony Stark uses his genius, organizations need to equip themselves with tools, utilities, and, most importantly, employee education in preparation against the evil villains of the Internet world.  While it’s still true that human error remains one of the biggest threats against security, employees can also serve as the biggest assets in identifying and reporting incidents in a timely manner—they just have to know what to look for while going about their work.  The better an organization’s security training and awareness, the higher the number of reported incidents should be among its employees, and the smaller the risk of breach.

To determine what should be included in an organization’s training and awareness activities, one may evaluate applicable information from privacy and security policies before aligning the security training objectives with the firm’s mission and objectives.  For additional information on structuring a security awareness program for your organization, refer to our blog article from Avani Desai, “Building a Security Program to Fit Your Enterprise.”

To help mitigate the nightmare risk of human error, educate your employees on the range of social engineering techniques they may encounter, including but not limited to phishing, pretexting, and baiting.


Phishing

We’re all familiar with phishing attacks, whether they are presented through website ads or sent directly to your e-mail inbox.  According to Phishing.org, the term dates back to 1996, yet the attack remains one of the most common and most likely threats an organization faces. Click on the wrong link at any given time and suddenly the horror movie has manifested itself, putting your company on display as an example of the importance of cybersecurity, as well as the price paid when it isn’t in place. As such, employee education becomes all the more important, especially since many cyber insurance policies are written around attacks from the outside and may not cover losses from phishing attacks, which are triggered by an action taken inside the organization. While tools such as firewalls, intrusion detection and prevention systems, antivirus software and the like remain extremely important for full protection, education is likely the strongest strategy for combating these targeted phishing spells.  In order to be as shielded as possible, organizations should confirm exactly what their insurance policy covers while applying mitigation strategies for their cybersecurity risks.
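As an added illustration (not part of the original post or Schellman’s own tooling), here is a small checker for one of the tells employees are taught to look for: a link whose visible text names one domain while its href actually points somewhere else, or a link whose destination is a bare IP address. It uses only the Python standard library. The e-mail body and the hostnames in it (reserved .example and .test names) are constructed samples, and the two-label “registrable domain” shortcut is a deliberate simplification that ignores public suffixes such as co.uk.

```python
"""Link-mismatch checker for HTML e-mail bodies (added example, not from the post)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname ('www.yourbank.example' -> 'yourbank.example').
    Simplification (assumption): no public-suffix list, so 'co.uk'-style suffixes
    are not handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Hostname a reader would infer from the link text, or None if the text
    is not URL-like (e.g. 'click here')."""
    if not text or any(ch.isspace() for ch in text):
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def suspicious_links(html_body):
    """Return (href, text, reason) for links that point somewhere other than
    where their visible text claims, or that go to a bare IP address."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        if not real_host:
            continue  # mailto:, relative links, javascript: etc. are out of scope here
        if real_host.replace(".", "").isdigit():
            findings.append((href, text, "destination is a bare IP address"))
            continue
        shown = displayed_host(text)
        if shown and registrable_domain(shown) != registrable_domain(real_host):
            findings.append((href, text,
                             "text names %s but link goes to %s" % (shown, real_host)))
    return findings


# Constructed sample e-mail body; hostnames use reserved .example/.test names.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="http://yourbank.example.evil-host.test/login">https://yourbank.example/login</a>
to verify your account within 24 hours.</p>
<p>Or <a href="http://192.0.2.10/verify">click here</a> to verify now.</p>
<p>Questions? Visit <a href="https://www.yourbank.example/help">https://yourbank.example/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS: %r -> %s (%s)" % (text, href, reason))
```

Run against the sample, the first two links are flagged (a lookalike subdomain on an unrelated host, and a raw IP address) while the legitimate help link, whose www. prefix shares the same registrable domain as its text, is not. The same comparison is what a reader does by hovering over a link before clicking, which is the habit awareness training aims to build.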


Social Media

Per a recent DataReportal report, 45% of the total world population uses social media networks.  A Global Web Index report took it a step further and found that digital consumers spend over two hours a day either browsing social networks or using social messaging.  That creates masses of opportunity for an individual to inappropriately share sensitive information, and once it’s out there, it can be hidden but never reliably deleted.

Therefore, be cognizant of what information is being released on public sites, including personally identifiable information (PII) such as addresses, account numbers, birthdays, etc.


Mitigating Tactics

Internet connectivity is now everywhere, and with it has come a great deal of convenience; however, with that convenience comes a matching amount of responsibility.  Whether you’re looking to keep your own information private or to ensure confidential work information remains confidential, you can help minimize the risk of leaked or stolen data by doing the following:

  • Educating your employees on how to spot phishing, baiting attempts and the like
  • Leveraging industry frameworks and guidance such as NIST and SANS, and referencing compliance requirements such as PCI DSS, ISO 27001, and HIPAA, for industry best practices
  • Enabling multi-factor authentication, including biometric varieties
  • Encouraging the use of password management tools such as LastPass, KeePass, etc.
  • Applying patches and security updates to computer software promptly

For more tips on personal accountability and security, the National Initiative for Cybersecurity Careers and Studies (NICCS) is a great resource that offers good detail on how individuals should be cognizant of their internet use from both a personal and a professional standpoint.


Quiz yourself with some cybersecurity awareness trivia, courtesy of NICCS.

About the Author

Collin Varner

Collin Varner is a Senior Associate at Schellman & Company, LLC. Prior to joining Schellman, Collin was an Advisory Manager planning, organizing, and managing multiple facets of information technology security reviews, including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting. Further, Collin also served as the lead in IT compliance for a small, private healthcare organization, in addition to several years’ experience as a consultant for reputable accounting firms. As a Senior Associate for Schellman, Collin focuses primarily on IT attestation, audit and compliance activities as they relate to numerous standards, including Sarbanes-Oxley (SOX), Service Organization Control (SOC), HIPAA, and ISO 27001.
