When people use their work email addresses to register for external websites it causes a security risk because so many people reuse the same password for all their accounts. When an external account is breached and the password is disclosed it means that our internal systems could be at risk as well as other external…
DetailsWe’re struggling to manage cyber security risk. Partly it’s because attackers are more agile than defenders. But it’s also because we struggle to get accurate information to make good risk management decisions. To make good risk management decisions we need to understand who the threat actors are, their capabilities, how likely it is that we…
DetailsIt’s been a huge year for information security in the public eye. Security was constantly in the news and has popped up in ways we never expected. Who could have guessed that phishing attacks and a private email server would help derail a US presidential campaign? We had Apple vs the FBI. Much like the…
DetailsThis month I caught up with Lance Spitzner, Director of SANS Securing The Human. Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and has published three security books. Lance has worked and consulted in over 25 countries and helped more than 350 organizations plan, maintain…
DetailsThere’s great news in the quest for improving security awareness. Help is at hand from a new joint publication from the Research Institute in Science of Cyber Security (RISCS), Hewlett Packard Enterprise (HPE) and CESG – the UK government’s National Technical Authority for Information Assurance. Awareness Is Only The First Step is a superb précis of best…
DetailsThe challenge of how we structure, analyse and select the security advice we deliver to end users has been a reoccurring topic in this column. We can’t provide unlimited advice to unlimited people so we need to prioritise. Costs need to be understood. We need to consider not just the displacement of productive activities for…
DetailsIt’s been a huge year for security awareness. Terrorist attacks, corporate security breaches and ongoing concerns about government surveillance have meant that people are more aware of information security than ever before. Everyone from politicians to pensioners has been talking about who has access to their data. The beginning of the year saw a lively…
DetailsExploiting human firewalls through social engineering is an increasingly popular method of attack. Recently, a hacker has claimed that they compromised CIA Director John Brennan’s email by tricking a Verizon employee into divulging details of his account. These human exploits are likely to get worse as technical controls improve and organizations continue to liberalize their…
DetailsFor those not familiar with the case, TJ Hooper was a landmark in tort law that established an important standard for negligence. The case was heard in 1932 to assign liability for a lost cargo. A tug towing the cargo on a barge had set to sea in good weather but later that night there…
DetailsSecurity policies are a great opportunity to influence behaviour. Unfortunately, for a variety of reasons they’re not usually as effective as they could be. Despite our efforts to sell the value of information security, actually reading a policy is less popular than a fart on a plane. There’s a reason that a security policy has…
Details
