Advice given from five experts during Cybersecurity Awareness Month



Halfway through Cybersecurity Awareness Month, private and public sector organizations around the world are considering experts' suggestions for the annual observance, whether they are trying to put some energy into weary training or making their first efforts.

One Canadian thinks it may be time to retire the annual observance. "This should be the year of Internet security because security is the responsibility of everyone," said Terry Cutler, head of Montreal consultancy Psychology Labs.

He argues that new threats appear weekly, so if employees focus on security for only one month, it is difficult for them to stay vigilant.

Cutler was one of the five experts we interviewed about what managers and IT professionals should do to improve their awareness training. An experienced penetration tester and incident response expert who has witnessed the aftermath of multiple data breaches, Cutler was asked who is at fault for the deterioration of cyber security at many organizations.

"I think the biggest problem is not the care of the users. They are not the owners of the business, and if they make a mistake, they assume that IT has covered it. They are not getting enough training. They are focusing on productivity and getting revenue."

He said that management of IT in general, and cyber security in particular, is weak. "I think the world wants a simpler button. Press this button and I'm safe. They want a black box."

But cyber security is expensive, he said. "The problem is that if you don't spend that money you're going to spend it on data breaches. It's more. It will be expensive."

Regular awareness training, he said, is important to prevent end users from clicking on bad links in emails and text messages, the most common cause of breaches.

Many employees still don't know what signs to look for, such as how to hover the mouse over a link to see that it may not be valid, Cutler said.

Robert Gordon, executive director of the Canadian Cyber Threat Exchange (CCTX), was asked about the state of cyber awareness in this country. He said that "we are equal to countries of similar size." Business people are becoming aware of its importance, he said.

One sign: more organizations are joining the exchange. Another is that more organizations are participating in programs offered by the federal government's Canadian Centre for Cyber Security.

Gordon also hears that more organizations are interested in cyber insurance. This is important, he said, because applicants know that to get coverage they have to tighten their security.

"Companies have to realize that cyber security is a business operations issue, it is not just an IT issue," he said. "They consider it as some other part of their operations and risk. 

"This means that the business side has to discuss the implications of the cyber attack with the IT side." Management has to understand the risk a cyber attack brings to the business, he said. Flexibility should be the goal.

"The measure is how fast the business adapts to those evolving threats. So you make it harder and harder for a fast attacker to succeed. 

"You keep raising the cost to the attacker. You want to make it really expensive for that attacker to come to you by spending more resources."

Firoz Nair, CISO of Ontario's Orion high-speed research network and for the Cybercity Higher Education Forum, a group of 29 universities and colleges in Ontario, said regular phishing tests are very effective in raising security awareness.

"This is a way of telling us how effective awareness is, because you are not able to measure the level of awareness until the test. Most people are going through cyber security awareness sessions. Watching videos or completing questions is not interesting, or perhaps they are distracting, so make sure security awareness continues and they are aware of ongoing scams and testing.

"The threat landscape is evolving - we see new ones every day, and awareness campaigns must also develop. It shouldn't be a one-time thing. It should be ongoing.

"I used to organize the training of many people. I know in the current situation that is not possible, but I think it is very important to get the end-user's attention and make them realize what the current threat scenario is and what to look for.

"The message should be designed to be simple and convey the message in the simplest way possible. If this is highly complex, stuff will be lost in translation."

Like Cutler, Scott Wright, CEO of Ottawa-based Click Armor, which creates a security awareness gamification platform, said that one problem with cyber awareness is that most employees don't understand that knowing about security is part of their job. "They are not hired to learn safety, they generally find awareness training boring, and it can be complicated."

"If they are not engaged, they are not going to learn and are not able to defend against threats," he warned. What is important, he said, is getting employees up to speed on basic security skills, such as detecting suspicious emails.

After that, employees need to be regularly updated on the latest threats to the organization. While some experts believe that cybersecurity training should take place once a quarter, Wright speaks in terms of "continuous cyber awareness".

He believes the biggest mistake management makes is putting responsibility for awareness training on the IT department.

"Cyber security is much less of a technology problem than a social engineering problem," he said. "Who should be responsible for what people learn depends on the business. It has to be combined with the risks around the business."

The second biggest mistake is placing a big curriculum in front of employees. "I asked very large companies, 'Can you create an awareness program for me? It has to cover 10 different areas of security: anti-malware, passwords, social engineering, WiFi, mobile - and this is to be done by one user in 20 minutes.'"

Managers should realize that people need time to absorb new material, he said, and time to practice what they learn to reinforce it. Training should also have variety so it does not get stale, Wright said.

Often he hears employees complain of watching the same security video or PowerPoint presentation every year.

Dan Callaghan, director of cyber training at Capgemini North America, believes awareness training is constant in some organizations.

"I know that a lot of training is centered around 'don't click here, don't do it,'" he said in an interview.

"We may have to start changing attitudes. It's like anything - when you start listening to it again and again, and [management] is more into compliance training, you're numb to it."

Callaghan said that awareness is not just about end-users and phishing attacks. It is about creating a culture of awareness in the organization, helping employees understand what it means to the business if a mistake happens.

Training should also suit every organization, he said. A firm where all employees work in an office is different from a plant where Internet-controlled industrial control systems operate machinery. 

Factory-floor workers have to understand that cyber security is part of their security knowledge.

"Each of us has to become a security advocate, so security lies in the person. To do this, you have to understand what the attackers are doing and why."

In the end, Callaghan said, management has to lead. "You should always talk about cyber security no matter where you are in any part of the organization."
