The Hackers are ready, Are you?

The Hackers are ready, Are you?

These days it feels like every time I look in a newspaper or watch the news on TV, there has been another company becoming a victim of a cyber attack. From small company’s being hit with ransomware to major banks losing customers data, Targeted attacks are increasing every day.

Last year in an article on the US Chamber of commerce Foundation website, Jason Street a white hat hacker wrote how he broke into a bank in Beirut, Lebanon in 2 minutes and 22 seconds. He walked right in the bank and managed to insert a USB drive with a malicious payload into a networked computer, compromising all of the bank’s security. He said in his article “The Beirut bank (as with most places) was vulnerable because of how its employees used the technology in a secured network. Nine out of ten times, network compromises are due to human error, intent or accident. The challenge of securing data is only going to grow as our refrigerators start tweeting, toasters update a Facebook page, and more of the “things” in the Internet of Everything (IoE) come online. “

So are you and you employees really ready?

Looking around I have found two risks coming up time and time again.

  1. Most companies spend lots of time and money on IT as a productivity requirement. They buy equipment, hire consultants and train their IT professionals as part of their IT security plans. But what do they do with their end users?

End Users represent over 95% of an organizations workforce and theses users are often left out of a company’s security consideration.

LESS THAN 1% OF COMPANIES POLLED HAVE A POLICY OR DIRECTIVE REQUIRING ALL THEIR WORKFORCE TO BE SECURITY TRAINED!

According to the UK Governments 10 Steps Guide: User Education and Awareness. Organisations that do not produce user security policies or train their users in recognised good security practices will be vulnerable to many risks. New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.

  1. Most of the Owners and Directors are not involved in the review of cyber security.

Research undertaken by PwC for their 2015 Global State of Information Security Survey found thatonly 25% of directors are actively involved in reviewing security and privacy risks.

only 25% of directors are actively involved in reviewing security and privacy risks.

That is something I just don’t understand.

The Information Commissioner’s Office reported that 93% of incidents it investigated in Q4 of 2014-15 were caused by human error and The Verizon Data breach report states 60% of incidents were attributed to errors made by system administrators.

So what can we do about this?

I asked Cary Hendricks the global operations director and lead trainer from ID Cyber Solutions what the answer was. He said

“Every employee in your company is a potential risk to cyber security. From the CEO, Directors to the office girl that started yesterday or even your cleaner. Education is the key to help you reduce the risk. There is no need training just the IT department as most of the time that’s like preaching to the converted.”

Training needs to be designed for and be relevant to each job roll. There is no need to train the end users at the same level as your IT security personnel. Also Directors need training that helps them understand what is needed to be put in place so that the security of the business is not at risk.

ID Cyber offers a range of courses that cover every part of your business.

For Owners Directors

Master Class

Master classes are ½ day non-technical courses designed to give Directors and Owners and awareness of the of the Cyber security risk. It shows demos on how attacks are preformed and gives the attendee tools and knowledge to help manage the risk. This course and be presented over dinner or can be set up as a more formal course.

For IT Executives and IS Managers

CCISO (Certified Chief Information Security Officer.)

CCISOis a 5 Day course as the name says for Chief Information Security Officers. The CISO is an executive title in the industry, just like CIO or CEO.

The Course certifies information security manager and executives in 5 crucial domains of information Security. Governance, IS Management Controls & Auditing Management, Information Security Leadership – Projects & Operations, IS Core Competencies and Strategic Planning & Finance.

This is NOT a technical course. There are no labs, no hacking demos, etc. The program is concerned with policy setting, project management, laws and regulations, HR management, executive strategy, contract management, and finance. These topics are things that many CISOs and other IS (information security) executives have to learn on the job.

For Security Officers auditors and Security Professionals

CEH (Certified Ethical Hacker)

The 5 Day CEH course is the world’s most advanced ethical hacking course encompassing 18 state-of-the-art modules containing everything you need to know to improve the security posture of your organisation. CEH v9 covers over 270 different attack technologies, examining many different approaches taken by attackers and allowing you to truly embrace the hacker mind-set.

For the end users

CSCU (Certified Secure Computer User)

CSCU is a 2 day course that enables computer users to build on their existing skills by educating them on practical aspects of security and networking. Your employees will acquire a fundamental understanding of various computer and network security threats such as identity theft, credit card fraud, online banking phishing scams, malwares, loss of confidential information, and social engineering. This course is an interactive environment where your employees acquire fundamental understanding of various computer and network security threats. These skills will help employees to take the necessary steps to mitigate their personal and corporate security exposure. On successful completion of the exam the candidate will receive a certification from the EC-Council

For any more Information on any of these courses you can visit the ID Cyber Solutions Website