Tuesday, October 18, 2016

Annual Cost of Fraud and Cybercrime Tops £10.9bn in the UK

Barnet, United Kingdom, October 18, 2016 - According to Get Safe Online, the annual cost of fraud and cybercrime in the UK is £10.9bn – the equivalent of £210 per adult. The research shows examples of online fraud ranging from fraudulent phishing messages to extract the personal details of victims, to ransomware and the theft of data through hacking.

Commenting on this, Robert Capps, VP of business development at NuData Security, said “We’re saddened, but not shocked, to see these findings. In this study, the fact that online fraud costs the UK £10.9bn a year is a sad state of affairs for consumers who can often bear the brunt of the costs (especially with regard to account takeover and new account fraud). It’s absolutely no wonder that consumers are pushing back on companies to improve security, holding them accountable for it, yet still wanting to have a good experience going through the gates.”

Financial fraud offers a lucrative source of income for cybercriminals, totaling £755 million in 2015 in the UK alone. Cybercriminals have grown in their sophistication, exploiting the human interest factor by posing as banks or suppliers and then duping consumers into revealing their personal details. These scams have also proved effective in targeting commercial organizations, as senior executives are tricked into revealing sensitive information which enables access to a company network.

The increasing volume of attacks globally can also be attributed to more fraudsters willing to commit the crime, more data available on the black market, and more financial institutions and merchants that are vulnerable to attacks. Plus, as more countries fully adopt EMV (Europay, MasterCard, and Visa), we'll see fraud continue its migratory path to all available online channels.

We have to remember: fraudsters know us better than we know ourselves, in that they’ve pegged our vulnerabilities. It’s time we returned the favor. They are vulnerable because they must perform very similar behaviors to be successful, and guess what? We can find them by their tell-tale signals.

In order to detect out-of-character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that fraudsters can’t deceive. Solutions based on consumer behavior and interactional signals are leading the way to more safety for consumers and less fraud in the marketplace.

To combat these types of attacks, consumers should always report suspicious emails to their banking provider. No legitimate organization will ask for security or banking details, so consumers need to be suspicious of any email that requests this information.

Meanwhile there are steps that consumers can take to help secure themselves:
  • Shop with well-known companies online, or use safer payment systems such as PayPal, Apple Pay or Android Pay, to avoid providing your payment details directly to an unknown merchant.
  • Use strong, unique passwords on each site you register with.
  • Make sure to change your passwords regularly.
  • Don't use public computers or free, unencrypted Wi-Fi to conduct financial or retail transactions or interactions.
  • Don't fall victim to email and phone scams, where a consumer receives a call from "their bank" asking for personal or financial account information. If it looks too good to be true, it most likely is. When in doubt, call the bank directly, using the number printed on the back of your card or on a recent statement.

Tuesday, October 4, 2016

National Cyber Security Awareness Month

From KnowBe4:

The DHS site has lots of tools, hints and themes you can use. In their words:

October is National Cyber Security Awareness Month. This is an annual campaign to raise awareness about cybersecurity. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not.

National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.

Books on Security Awareness

Asset Protection through Security Awareness by Tyler Speed

Managing an Information Security and Privacy Awareness and Training Program, Second Edition by Rebecca Herold

Thursday, September 29, 2016

ISAO Standards Organization to Release Initial Voluntary Guidelines for ISAO

ISAO documents in response to Executive Order 13691 available Friday, September 30 on ISAO.org

San Antonio, TX (September 29, 2016) – The Information Sharing and Analysis Organization Standards Organization (ISAO SO) will publish four initial voluntary guideline documents on Friday, September 30 on ISAO.org. These publications were developed with the support of over 160 industry experts in response to Presidential Executive Order 13691 to provide guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices. The initial documents to be published Friday will include:
  • ISAO 100-1, Introduction to Information Sharing and Analysis Organizations: This publication offers an overview of Information Sharing and Analysis Organizations.  It also previews the full ISAO document series and the scope of future guidelines and standards.
  • ISAO 100-2, Guidelines for Establishing an Information Sharing and Analysis Organization: ISAO 100-2 provides a set of guidelines to create an ISAO and guides readers through the most critical considerations to creating an effective organization.
  • ISAO 300-1, Introduction to Information Sharing: This document describes a conceptual framework for information sharing concepts, the types of cybersecurity-related information an ISAO may want to share, ways an organization can facilitate information sharing, as well as privacy and security concerns to be considered.
  • ISAO 600-2, U.S. Government Relations, Programs, and Services: ISAO 600-2 addresses relevant federal laws and regulations regarding cybersecurity information sharing within the United States, as well as state and local perspectives.  It also includes a comprehensive listing of available government resources to assist ISAOs and their members.

“The information sharing ecosystem takes a big step forward with Friday’s publication,” explained Dr. Greg White, Executive Director of the ISAO SO. “The ISAO SO, supported by a dedicated cadre of volunteers, aims to grow the information sharing community and equip it with the tools needed to improve the cybersecurity posture of all communities of interest across the nation. The publication of these documents represents the collaboration of over 160 experts from industry, government, and academia, combined with the input and feedback of the public.”

The ISAO SO, led by the University of Texas at San Antonio (UTSA) with support from LMI and R-CISC, is a non-governmental organization established in October 2015 to facilitate the implementation of Presidential Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing.” The ISAO SO created Working Groups composed of industry, government and academic experts to lead the development of the guideline publications.

“These publications provide the cornerstones to build out an information sharing ecosystem at unprecedented scale,” said Rick Lipsey, Deputy Director of the ISAO SO.  “However, they are just the beginning.  The ISAO SO is helping the community to evolve a consensus-based corporate body of knowledge.  We anticipate updating and expanding these guidelines based on feedback from their implementation. The ISAO Series will evolve in the coming months to serve the community with additional publications that will allow all organizations and individuals to better defend themselves against emerging cyber threats.”

Public feedback was vital to the creation of these publications. Working Groups received comments and feedback from public online meetings, in-person public forums and Request for Comment periods for previous drafts. Comments were considered and adjudicated in an open and transparent consensus-based development process. 

“The collaboration and input by the tremendous team of experts that have contributed to the Working Groups is a testament to the need to work together,” said Brian Engle, Advisory Partner for the ISAO SO. “The issues of cybersecurity and the threats to our nation and the global economy require the sharing of information in ways that ISAOs will be well suited to accomplish. As the leader of a sharing organization that formed almost two years ago, I can say that the considerations provided by these initial guidelines will be extremely helpful in supporting the success of forming ISAOs, and the continued work of the ISAO SO will be pivotal in the development of the cybersecurity information sharing ecosystem.”

The ISAO SO will host its next online public meeting on October 20th at 1pm CT. This meeting will address upcoming publications, a national information sharing conference for 2017, and feature a question and answer session with ISAO SO Leadership. For more information about ISAOs and the ISAO Standards Organization, go to ISAO.org.

About the ISAO SO
The ISAO Standards Organization is a non-governmental organization established October 1, 2015, led by the Center for Infrastructure Assurance and Security at The University of Texas at San Antonio (UTSA) with support from LMI and the Retail Cyber Intelligence Sharing Center. The ISAO SO’s mission is to improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents and best practices. The ISAO Standards Organization works with existing information sharing organizations, owners and operators of critical infrastructure, relevant agencies, and other public and private sector stakeholders through a consensus-driven standards development process to identify a common set of voluntary standards and guidelines for the creation and functioning of ISAOs.

Wednesday, September 14, 2016

FREE Guide on How to Communicate Security Issues to Employees

Creating a secure and safe working environment has become an essential priority for employers. Cyber-attacks, terrorist activity and even inadvertent employee actions feature all-too-frequently in the media. No organization or individual is immune.

Effective communication and education are central to developing a robust, security-conscious culture. But this has been highlighted as one of the biggest challenges faced by employers. So how do you get your employees to sit up and take notice of security issues?

Global communications company SnapComms has developed a new white-paper to help organizations implement an ongoing security framework for all staff through better communication and training. You can download the white paper, "How to Communicate Security Issues to Employees," here.

The white paper outlines common threats and activity that lead to security issues, as well as recommended training techniques for avoiding these security situations and methods for communicating better practices to employees such as:

  • Making your security message personal;
  • Targeting communications by employee role;
  • Cutting through the noise to share messages that build culture;
  • Tracking employee progress;
  • Keeping messages simple; and
  • Developing a theme that resonates with your workforce.

Related Books

Asset Protection through Security Awareness

Managing an Information Security and Privacy Awareness and Training Program, Second Edition

Tuesday, September 13, 2016

Cyber Attacks Inflict Unprecedented Damage; Enterprises Still Lack Intelligence

As Threats Become Increasingly Severe and Complex, Enterprises Should Consider an Intelligent Hybrid Security Strategy

LONDON, UK, September 13, 2016 – Cyber attacks aren’t slowing down – in fact, 76 percent of organizations have experienced a breach within the last two years. Enterprises of all sizes, across every industry, are challenged to respond to increasingly complex and severe attacks – often only learning about the size, severity, and type of incident they’re dealing with as their security teams work to stop them. However, many organizations continue to maintain a reactive approach – implementing stand-alone point solutions that only fragment and silo security efforts. NSFOCUS recommends an intelligent hybrid security approach based on harnessing true global threat intelligence across an organization’s cyber defenses (hybrid cloud and on-premises), and turning that insight into action – to proactively and holistically protect assets across the organization.

“Cybercriminals have been trying to gain access to protected networks since the dawn of the Internet,” said Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS. “In response, security teams implement counter-measures to try and keep them at bay – like anti-virus, DDoS defenses, intrusion prevention systems, web application firewalls, and a host of other security technologies. This segmented approach has led to visibility tools like log aggregators, SIEMs, and traffic analyzers – but has proven to be a poor attempt to get a holistic look at the threat landscape. In reality, these solutions have created security silos that require specialized teams, and result in a limited, expensive and ineffective approach to security.”

NSFOCUS advises enterprises to move toward an intelligent hybrid security model by taking the following steps:
  1. Automate Threat Intelligence: Consume real-time global threat intelligence and put it into action across all of the security technologies deployed within the enterprise, in an automated fashion that requires no human interaction.
  2. Eliminate Silos with Integrated Defenses: Deploy defenses that interoperate with and are fully aware of the other defenses in place, communicating vertically with the cloud and laterally across the entire enterprise, helping eliminate security silos and fragmented approaches.
  3. Identify Security Blind Spots: Implement closed-loop threat intelligence feedback for both cloud and on-premises defenses that removes blind spots and significantly reduces the time from measure to counter-measure, infection to detection.
  4. Take an Intelligent Look across the Network: Execute on a vision of an intelligent ecosystem of threat-aware solutions combined into a single entity that dramatically increases the visibility of the entire network and application landscape in the enterprise.
  5. Implement an Intelligence-Enabled Enterprise Security Platform: This platform allows organizations to upload all of their proprietary and additional third-party threat feeds into a comprehensive reporting and analysis solution.

“Security departments have spent countless amounts of money trying to undo the damage caused by hackers, while simultaneously bleeding their budget in a futile effort to proactively protect themselves from increasingly malicious campaigns,” said Allan Thompson, Chief Operating Officer, NSFOCUS. “It is no longer enough to implement disparate security solutions and hope that they will work together. If organizations aren’t looking at security holistically, taking an intelligent hybrid approach, and working to get ahead of attacks using real, actionable threat intelligence, they will continue to remain vulnerable and at great risk. NSFOCUS is committed to developing solutions and services that empower intelligence-in-action to proactively protect global businesses from threats across their entire network.”