Mar 23, 2017 10:03:00 AM

Cyber Security for the Road Warrior

In my previous columns, I’ve been describing the benefits of having offense-oriented testing performed on your company’s network. This time around, I want to give some advice for the road warriors among you. Many of you have to travel for work, and present an attractive target to cyber criminals that want to steal trade secrets, customer information, or even infect your system in a way that puts your network at risk when you return to the office. You can, however, work on the road in a much more secure way, armed with some basic precautions and awareness.

Topics: cybersecurity

Mar 9, 2017 9:42:19 AM

Why "I'm Just Not Technical" is No Longer an Excuse in the C-Suite

I cannot tell you how many board presentations and meetings I have been in and heard "I am just not technical". Not being “tech savvy” is no longer a valid excuse for not understanding the threats your organization faces and what needs to be done to provide protection. If you are in the budgeting, decision making or approval process of technology in your organization, you have no choice.

Topics: cyber risk

Mar 2, 2017 10:00:00 AM

How Much Should You be Spending on Cybersecurity?

We often hear clients and prospective clients asking “how much should I be spending on cybersecurity?” That is a very complex question and one that is not easily answered without first having an understanding of what is meant by cybersecurity. There are many different versions of cybersecurity being pushed in the market and there is no "one size fits all" solution despite what your vendor may tell you. The key is in spending on what is right for your organization, not simply deciding that a set percentage should be spent on these solutions. Below are some key questions that you should ask yourself:

Topics: IT Budget

Feb 23, 2017 10:05:00 AM

Their Breach is Your Breach

When you’re catching up on the news, it’s become all too common to see stories about new breaches that have occurred, resulting in the theft of customers’ personal and financial information from businesses of all sectors. If you’re a regular reader of my column, you’ve probably gotten past the fallacy of thinking “that can’t happen to me”, but there’s still something very detached about it all. Even when you get a letter or email notifying you that your information has been stolen from an online service you use, it happens so often that you have a hard time seeing the urgency.

Topics: password reuse, password security

Feb 16, 2017 10:25:45 AM

Don't Let Cyber Risk Derail Your M&A Deal

Headlines around hacking and data breaches have become a regular occurrence over the last few years. When a business loses the trust of its customers, it can be nearly impossible to win it back. Cybersecurity, or the lack thereof, can famously destroy existing companies, but could it also be killing future business deals? The obvious example is Verizon’s potential acquisition of the deeply troubled Yahoo. Despite the flaws at the former tech behemoth, the deal seemed to be progressing forward nicely until it was revealed that one billion Yahoo users had their accounts compromised in 2013.

Topics: risk management, M&A

Feb 9, 2017 9:50:52 AM

You've Been Breached. Think It Won't Happen Again?

There’s a popular saying in the cybersecurity space, “There’s two types of organizations, those that have been breached and those that don’t know they’ve been breached.” In working with organizations that know they’ve been breached, I’ve noticed a very alarming fact. It’s not their first breach! This left me wondering why and how. How can an organization suffer one breach and then have a second or third similar breach? What did they not learn from the initial breach that would leave them vulnerable to similar subsequent breaches? One of the common themes we see is that they “handled” the first breach themselves, or they hired a security consultant with little to no experience in incident response who focused on recovery rather than fully understanding how the attack was carried out. This is a very scary reality that we are seeing more and more daily.

Topics: incident response

Feb 2, 2017 10:00:00 AM

The Victims of Cyber Security Training

It’s harder than you think to identify good talent in cyber security. Whether you’re trying to fill full-time security positions within your organization, or partner with service providers and vendors that can identify vulnerabilities and help maintain resilience, there is an ocean of “get rich/smart quick” schemes that make things more difficult for you. They target up-and-coming information security professionals, and, in turn, leave you with less qualified staff and vendors.

Topics: cybersecurity training

Jan 26, 2017 10:01:00 AM

An Internet of Hackable “Things” Threatens Your Business

In this column, I try to avoid “buzz words” and jargon. Information security is complex enough without them. The security industry is overrun with companies that intend to confuse you with marketing bullet points, wrapped up as new concepts and trends, in the hopes that you will cut them a check. Meanwhile, you are the one that will bear the ultimate responsibility for risks they know you don’t understand.

Topics: IoT Security, Internet of Things

Jan 16, 2017 10:00:00 AM

Being a Compliant Victim of Cybercrime

When I discuss cybersecurity with business leaders, the most common misconception I see involves the role of security compliance. In my last column, I described the reality of cybercrime, a wild frontier of advanced attackers that can critically damage your business with impunity. In this dangerous environment, it’s important to realize that compliance alone will not protect you.

Topics: cybersecurity

Jan 5, 2017 10:07:00 AM

Why 2017 Could Be the Year of Cyber-Espionage

In this digital age where most businesses are focusing on the disrupt or be disrupted ethos, it seems that most are ignoring an even bigger trend that will affect their organization. In 2016, cybersecurity or the lack thereof played a significant role. The fact that even presidential campaigns were affected by hacking scandals and data leaks illustrates how the question is no longer if you will be breached, but when.

Topics: cybersecurity, cyber espionage

Dec 22, 2016 10:00:00 AM

What Can the C-Suite Learn from the Latest Companies to Suffer Data Breaches?

2016 is ending with another round of major data breaches with online companies such as PayAsUGym, Lynda, and Yahoo.

Topics: cybersecurity, cyber risk

Dec 16, 2016 10:03:00 AM

The Reality of Cybercrime

Computer networks have given us the ability to operate, communicate, and conduct business more easily today than ever before. It is, however, hard to imagine a more dangerous time for businesses to operate than right now. While technology has provided us with great opportunities, it has also exposed us to attacks that threaten our business operations. At no other time in history has a business stakeholder faced as many criminal threats on a daily basis as we face today.

Dec 8, 2016 10:00:00 AM

What Should You Learn From Your Penetration Test?

Having a true advanced penetration test performed on your organization’s infrastructure is one of the fastest ways to gain valuable insight into the state of your security posture. It provides quick situational awareness around where your weaknesses are and *should* provide you with a roadmap on how to approach remediation. In working with clients, one thing we are realizing is that many of our clients believe they have been getting an "advanced penetration test" for years, when in fact they have not. Below are a few hints on how to know if you are truly getting a penetration test of value to your organization.

Topics: Penetration Testing, cybersecurity, advanced penetration testing

Nov 10, 2016 10:30:00 AM

Staying Ahead of the Threat

Forrester Research released a report recently which predicted that our President-elect Donald Trump will face a major cyber crisis within the first 100 days of being president. Who knows if that will come to fruition but one thing is for sure, with the major DDoS attacks recently and the cyber attacks surrounding our election, we are a major target. By we – I mean me, you, American businesses, and America as a whole.

Topics: cybersecurity, cybersecurity operations center, the threat

Sep 20, 2016 9:30:00 AM

Hacking Healthcare: How to Offensively Protect Healthcare Systems

A breach of a healthcare provider can have a serious impact, both in terms of financial loss and patient confidence. HIPAA violations can involve fines of up to $50,000 per patient record, and in many cases, attackers are able to access all of a provider’s patient records. Healthcare breaches are widely covered in the news, where the court of public opinion lays blame on the targeted organization. Current and future patients may think twice, even years later, about seeking care from a provider that was portrayed negatively by the press for data loss.

Topics: Penetration Testing, healthcare security

Sep 14, 2016 10:00:00 AM

Size Doesn’t Matter to Cyber Criminals: 5 Tips for Securing Small to Mid-Sized Organizations

Data or access to another organization’s data is what makes a target attractive, not the size of the organization. We hear it over and over – “why would a hacker target me? I don’t have any valuable data, plus my organization is small compared to X, Y, Z.” We are seeing more and more smaller organizations being attacked for a few reasons:

Topics: cybersecurity

Aug 23, 2016 10:30:00 AM

5 Cybersecurity Strategy Mistakes You Can’t Afford to Make

Read through your Twitter feed or turn on the news on any given day and one thing is evident: cyber attacks are happening in every industry and organization size. It is obvious that these attacks are increasing in number and sophistication, and we’re confident in stating that this trend will continue.

Topics: cybersecurity

Jul 26, 2016 10:30:00 AM

Any Bitcoins in Your Wallet?

It doesn’t matter who you are, your position, or the size of the company you work for, you never want to receive that phone call saying that your company has been hit by a ransomware attack. Most IT departments and staff do their very best to protect their network from attacks by regularly patching, installing firewalls and intrusion detection systems, segmenting their network, and performing vulnerability assessments, but the real truth is that an external threat is going to find its way inside your network in some form in the near future.

Jul 9, 2016 3:30:00 PM

5 Considerations for Protecting Your Employees, Customers and Data

With the rapid evolution of cloud based computing, many organizations face the fundamental question of whether or not they should employ third party solutions to facilitate convenience within their entity. As technology advances, the outsourcing possibilities seem endless. Everything from document collaboration, to payroll, data, and even entire applications and servers can now be managed off site, or in the cloud.

Topics: cybersecurity

Jul 6, 2016 1:00:00 PM

Security Measures for Hostile Network Environments

While hacking and information security themed conferences such as DEF CON and Black Hat USA have a reputation of having hostile network environments with a large number of sophisticated attackers, other industries’ conferences, coffee shops, and even airport hotels have just as much potential for being target-rich environments. It is possible, with a bit of planning and discipline, to maintain the connectivity you rely upon for your job with an awareness of the risks and threats involved. Check out our white paper The Practical Guide to Security at Conferences, which discusses operational security and communications security measures you can take when working remotely.

Topics: cybersecurity

Jun 7, 2016 11:00:00 AM

Key Considerations When Purchasing Cyber Insurance

From both current and prospective cyber insurance policy holders, we are frequently asked about what should be considered when purchasing a policy—what terms should be included, what are the important aspects and why. The answers to these questions are extremely complex, as cyber insurance is in its early infancy stages.

Topics: cybersecurity

May 10, 2016 10:00:00 AM

Buying Your Own Stolen Data

I’m becoming very used to reading about the latest “ransomware” attacks each morning when I catch up on information security news over my first cup of coffee. Malicious software (malware) authors seem to have found a successful way of making money, and unsafe, yet common, practices are enabling it. Office-wide sharing of data with security as an afterthought, and the absence of strong backup and recovery processes fuel the continued rise of ransomware. Trends point to an increase in healthcare data being held for ransom, though no one is completely safe from being targeted by ransomware.

Topics: ransomware

May 3, 2016 10:00:00 AM

Modern Cyberattacks: Tradecraft on Your Network

At the Armed Forces Communications and Electronics Association’s Defensive Cyber Operations Symposium on April 20th, DISA Director LTG Alan R. Lynn described a shift in attackers’ operations. Lynn stated that it’s become “snatch and grab” rather than following traditional intelligence techniques of using good tradecraft (the set of an attacker’s operational techniques and tools) to compromise, monitor, and accomplish the mission while avoiding detection.

Mar 29, 2016 10:00:00 AM

When Was Your Last Information Security Check Up?

Maintaining information security today is, in many ways, similar to maintaining your personal health. Yearly check-ups and health screenings could detect a potential problem. If a problem is detected, more invasive procedures are performed to get a definitive diagnosis before laying out a treatment plan. A similar process can be followed in cybersecurity. Traditionally, companies receive vulnerability scans which may or may not accurately detect a threat. Once a potential threat is detected, security professionals may conduct penetration testing to explore those threats to see if there is really anything there.

Topics: cybersecurity