Good news on the security awareness training front: Wombat Security (now part of Proofpoint) reports that 95% of companies they surveyed now train end users on how to identify and avoid phishing attacks, up from 86% in 2014.
The State of the Phish Report is based on analysis of data from tens of millions of simulated phishing attacks sent through the Wombat Security education platform over a 12-month period.
The data spans 16 industries and thousands of customers, from mid-range to large enterprises. It also includes over 10,000 responses to quarterly surveys of infosec professionals describing what their organizations are experiencing.
Even more good news: Training has an impact. 54% of security pros said they have been able to quantify reductions in phishing susceptibility based on training, according to Wombat’s “2018 State of the Phish” report. Yet it is important to understand where companies still go wrong with their security awareness training.
You can get the 2018 State of the Phish report and many related studies and assessments at our Threat References page.
Few complex professions change with the velocity of IT security. Practitioners are faced with an average of 5,000 to 7,000 new software vulnerabilities a year. That’s like springing 15 new leaks in your defenses every day. That’s on top of the tens of millions of unique malware programs that threaten your IT environment each year.
Amid this deluge of constant threats, a single slip-up could compromise the crown jewels and put your company in an unwanted media spotlight, hurt your revenues, and get people fired.
Read about twelve things every computer security professional should know to successfully fight the good fight, on CSO.
Finn Partners Research released findings from its Cybersecurity at Work study that examined the level of cyber risk that employees pose to their organizations.
The in-depth study, which surveyed 500 full-time office employees across the US, found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize. This slip-up is significant because it can lead to malware being installed on their devices and sensitive corporate data being harvested.
Read more about the findings of the study by Finn Partners Research on Help Net Security.
Connected technology, Internet-enabled (IoT) devices and other digital services each come with their own security risks. But when used by businesses and connected to their data, these technologies can present more substantial cybersecurity risks than when used for personal purposes.
Vendors, suppliers, partners and other third parties associated with your business can also increase your risk of a data breach. Consequently, businesses have spent millions on cybersecurity solutions to combat the risks of the multitude of online, data-driven business services.
Read why, aside from adopting new technologies, a proper cybersecurity strategy requires businesses to emphasize cybersecurity awareness and education along with their stringent security protocols, on Business 2 Community.
Most security awareness programs are at best gimmicks that will statistically fail at their goal. They intend to educate people so that they can make better decisions regarding how to behave or whether they are being conned. The programs intend to get people to think so that they eventually will behave better. This will at best achieve basic results.
Stop and consider that you are relying on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, nation-state, etc. Logically, this is a ridiculous business decision.
Read why Ira Winkler, president of Secure Mentem, believes the ideal awareness program focuses on reinforcing procedures and guidelines, which have embedded security, on DarkReading.
Business leaders are becoming increasingly conscious of the impact cybersecurity can have on business outcomes. Gartner said that security leaders should harness this increased support and take advantage of six emerging trends, to improve their organization’s resilience while elevating their own standing.
Trend No. 1: Senior business executives are becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation.
Read the full list of emerging trends that security leaders should take advantage of according to Gartner, on Help Net Security.
The EU’s General Data Protection Regulation (GDPR) went into effect in May, requiring all organizations that handle the data of EU citizens to comply with its provisions regarding collecting and using personal data. However, a majority of companies likely missed the compliance deadline, and many employees remain unaware of the policies needed to keep data safe.
“Data privacy is a hot topic with GDPR going into effect,” said Dave Rickard, technical director at CIPHER Security. “An awful lot of companies may not think they have exposure to it, but there are lots of variables in that.” Companies that fail to comply with GDPR will face a penalty of either 4% of their global revenue or €20 million, whichever is greater.
Read about five types of policies that companies must ensure they have in place and have trained employees on in the age of GDPR, according to Rickard, on TechRepublic.
CISOs are under the gun to produce results rapidly and stanch the constant “bleeding” from cybersecurity attacks. Cybersecurity attacks are increasing in complexity, velocity and ferocity.
The reflexive response is to acquire the latest set of shiny new tools and roll them out quickly. This rapidly leads to cybersecurity data silos produced by tools that do not integrate. It is impossible to get a consolidated view of the threats, which is critical to create an actionable and automated response. Further, as threats evolve, the number of tools required keeps increasing – leading to a tangled cybersecurity mess!
Read why Gaurav Pal, CEO and founder of stackArmor, believes that CISOs must quickly shed the tool-centric mindset and instead start thinking like a developer to leverage API and microservices to build integrated cybersecurity platforms, on CSO.
“There are three essential skill sets a modern day CSO must have. The first is knowledge of the business to better align a security strategy to company objectives without being a blocker to innovation. The second is technical breadth. Third and most important is evangelism: you have to be able to clearly articulate and sell the team strategy from the top down and across the organization,” says George Gerchow, Chief Security Officer at Sumo Logic.
But people skills cannot be overlooked, he adds. When you have to justify the company’s risk positions and get the business side to sign on to implementing proper security even though it might be cheaper to pay fines instead, understanding people can come in handy.
Webroot found that businesses in the U.S., U.K. and Australia are taking cybersecurity seriously – with almost 100 percent of respondents conducting some form of employee cybersecurity training. However, despite these efforts, 79 percent say they aren’t completely ready to manage IT security and protect against threats.
In a study of 600 IT decision makers (ITDMs) at small- to medium-sized businesses (SMBs), Webroot found that the attacks organizations believed themselves to be most susceptible to in 2017 are rapidly shifting in 2018, while the estimated cost of a breach is decreasing.