Consumer Awareness/Education…Potential Competitive Advantage for Banks?

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats.  Technology alone is NOT going to solve this problem.  It is critical for consumers to be more vigilant and aware of what they click on, the sites they visit, the e-mails they respond to, etc. 

Lessons Learned:  Financial institutions should make consumer education a higher priority.  Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road.  Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.






Alarming School Survey: “Thou Shall Not Snitch”

Posted In Education, Incident Reporting, Risk Management, School Safety, Validations on May 3rd, 2011

What does a recent school survey reveal about the ‘thou shall not snitch’ culture?  Can schools use real-life situations to create a culture of preparedness, safety and prevention?

The responses to this survey at H.D. Woodson High School reveal opportunities for schools to open the lines of communication, but only if school leaders understand how to relate to students and how to build trust with students. 

Lessons Learned:  Status quo responses to a survey, status quo comments from adults and status quo news articles validate how status quo approaches are not going to solve the problems and new challenges schools and communities face in the real and changing world we all live in.  A huge opportunity exists for visionary school leaders to make a difference by asking better questions that help to connect the dots and strengthen our weakest links.






‘Tricked’ RSA Worker Opened Backdoor to APT Attack

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening the document attached to it.  The document carried malware that led to a sophisticated attack on RSA’s information systems.

 Lessons Learned:  Are your employees aware of changing and more sophisticated risks?  Does your organization update employees with situational awareness as more and more attacks target your employees?  All employees must understand their individual roles and responsibilities for protecting sensitive information.  Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats, best practices, etc.






Compliance and Ongoing Audits Save Money…

Posted In Regulatory Compliance, Risk Management on March 11th, 2011

A new study by the Ponemon Institute shows organizations that perform internal audits spent less per capita on compliance than those that didn’t perform internal audits.

Larry Ponemon is chairman of the Ponemon Institute and he commented:  “I believe that the reason why internal audits reduce compliance cost is that they help prioritize the organization’s overall compliance efforts.  This leads to greater efficiency in managing the total compliance burden. In other words, companies that do not conduct audits appear to be less efficient in their ongoing program management of data protection and privacy efforts.”

From my experiences and from lessons learned I agree that “ongoing program management and ongoing internal audits” are crucial to an organization’s bottom line and important to keep up with constant changes, new regulations, new risks, higher scrutiny in audits and mounting lawsuits.

But…is a binder full of policies ongoing?  Nope.   Is an electronic intranet or shared server full of policies ongoing?  Nope.  Is having your people go through online general training once-a-year ongoing?  Nope.

What if your people were reviewing your policies, procedures, risks, expenses and efficiencies on an ongoing basis and had the ability to anonymously offer their feedback and report incidents on an ongoing basis?

This study reveals the obvious (including potential for cost savings), so hopefully organizational leaders are paying attention and will become more open to transforming their outdated and status quo ways of compliance and risk management sooner than later.






Preventing Online Fraud –Assumptions Versus Awareness

Posted In Information Privacy, Information Security, Risk Management on February 22nd, 2011

I recently came across an interview on BankInfoSecurity entitled, “Banks Must Assume Customers Will Compromise Themselves”.

In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques.  On social networking sites such as Facebook, customers often reveal all the information a fraudster needs to recover or guess their log-in credentials.

Many experts (and vendors) are recommending banks increase their security measures and implement expensive fraud detection technology solutions and measures.  Unfortunately this is merely reacting to a symptom rather than preventing the problem.  The root of the problem is uneducated consumers and lack of situational awareness, so why not teach situational awareness and help bank customers work with banks to proactively protect their personal information?

If bank customers could make the connection between sharing their maiden name, pets’ names, nicknames, birth place, birthday, etc. on their Facebook profile and then using that same information as their authentication question for their online banking, they may be less inclined to do so. 

And those Financial institutions implementing ongoing customer awareness programs will gain a competitive advantage by having customers who are more aware and working with the bank to mitigate risks involving:

  • Email Security
  • Online Risks (shopping, sharing music, online gaming)
  • Viruses, Spyware, Crimeware and Bots
  • Internet Safety (social networking sites)
  • Password Security
  • Information Disposal
  • Mobile devices
  • Home Networks
  • Identity Theft

As risks, threats, regulations, etc. are constantly changing, it will be critical to maintain an ONGOING program.  And financial institutions sharing lessons learned from current data breaches will help ensure copycat breaches do not happen at their institutions or to their customers. 

Visionary Financial leaders providing situational awareness training for their customers will not only be helping their customers, but also preventing expensive data breaches and lawsuits and improving their ongoing customer relationships, customer trust and their institution’s reputation.   Financial institutions should stop assuming things about their customers, realize more technology is not the answer, and start helping their customers make better decisions.






Same Should Different Day!

Posted In Campus Safety, Regulatory Compliance, Risk Management, School Safety on February 2nd, 2011

I wrote a couple of blog posts in December 2010 about the importance of solving bullying problems and about the importance of awareness, accountability and measurability in solving problems.  The underlying message in each of those 2010 posts was to point out the need to SOLVE problems rather than just talking about what SHOULD be done. 

 So in honor of Groundhog Day and the movie Groundhog Day, today is the perfect day to shed some light (or shade) on the dreaded “should all over yourself syndrome”. 

 And for you Tony Robbins fans, you may have heard Tony tell us all to:  “Stop shoulding all over yourself”.

 So what do I mean by same should different day?   From today going forward, see how many times you come across the same shoulds in a:

  • Headline news story telling you what you should do
  • Risk assessment report citing you should do this and you should do that
  • Seminar, webinar or conference with an expert telling everyone they should do this or do that
  • New or updated regulations and mandates saying you should do this or do that

 Or see how many times you catch yourself or your manager telling employees they:

  • Should do this…
  • Should do that…
  • Shouldn’t do this…
  • Shouldn’t do that…

 Should is not the same as Solving.  Should is a thought or an idea…Solving is taking action.

 And now that January is over…stay tuned because going forward I will be blogging about numerous ways to take action and solve numerous problems and burdens.






Missed Opportunities With Red Flags and Warning Signs

Posted In Campus Safety, Human Resources, Incident Reporting, Risk Management, School Safety on January 20th, 2011

Already in 2011, tragedies in Tucson and Omaha have reminded each of us about the consequences of missed opportunities involving red flags and warning signs.  Lives were lost and lives will be changed forever because of these and many other tragic incidents.   

 We are now learning numerous red flags and warning signs existed involving the gunman in each tragedy, which has many people asking why these two tragedies were not prevented and how can we prevent future incidents like these from occurring? 

 Some people are suggesting new gun control laws in Arizona or new laws that do not allow guns within 1000 feet of government officials.  In Omaha, some are suggesting school metal detectors and cameras.

 Unfortunately these suggestions are knee-jerk reactions that miss the point.  The ‘big picture’ issue is prevention and what organizations need to do differently to improve their prevention and intervention efforts. 

 For example, what are schools’ responsibilities for sharing information with appropriate entities in the community and how can we ensure all dots are connected across multiple locations, multiple levels of law enforcement, mental health professionals, etc.?

 Organizations need to encourage and empower people (students, faculty, staff, law enforcement, parents, employees, community members, etc.) to report suspicious incidents, red flags and warning signs as soon as they identify them.

 All personnel should be trained to look for early indicators – behaviors and warning signs (bullying, intimidation, threats, harassment, targeted violence, etc.) – that require immediate reporting.

 Organizations need to offer anonymous incident reporting options and the ability to automatically deliver incident reports to the right people…even if the right people are in multiple locations or at multiple organizations.  Once incidents have been reported it is also critical to ensure all necessary follow-up actions are documented, appropriate authorities are notified and red flags do not continue to fall through the cracks.  Traditional and status quo incident reporting systems rarely offer this level of holistic functionality. 

 Organizations need to centralize and securely share information more effectively across silos, organizations and communities.  Sharing has been difficult because of paper-based methodologies and because of lack of awareness involving privacy regulations such as FERPA and HIPAA, as well as political and authority breakdowns.

 Organizations need ongoing training based on individual roles and responsibilities, more comprehensive policies and procedures, increased awareness on how to recognize behavioral changes, secure access to professional threat assessment and behavioral analysis teams, and effective ways to continually connect the dots (people dots and process dots). Organizations need to empower their people (and third-parties) with proactive prevention tools that replace status quo and reactive approaches that are not working.

 With improved situational awareness, improved information-sharing and proactively identifying red flags, organizations will be able to prevent incidents, rather than reading about them in the news.






Measuring Risk and Measuring Cake

Posted In Risk Management on January 10th, 2011

Is Measuring Risk Possible?

I saw a discussion question recently asking how to measure risk.

My first reaction was…do you measure risk?  I say no.

Do you measure security?  Do you measure prevention?   I would say no and no.

Do you measure cake?

Not usually, unless you are paying for cake by the pound, but measuring the cake does not guarantee the cake is any good.

Determining if the cake is any good depends on how the cake looks and how the cake tastes.  To make a good cake, you need to measure each of the ingredients for the cake (internal) and you need to measure the temperature and how long you bake the cake (external).

Risk is similar and organizations must determine if their risk management is good (or not good) based on the results.  Like a good cake, good risk management* depends on the “internal ingredients” and the “external factors”.  

Research from hundreds and hundreds of lessons learned clearly reveals that better risk management results are needed and that organizations:

  • Need better awareness/management of their internal ingredients
  • Need better awareness/management of external elements that can affect their organization
  • Need better tools for measuring their internal ingredients and external elements

Measuring risk is an interesting topic of discussion, but your organization’s bottom line results and winning the “best cake award” with your employees and clients is far more important.

*In addition to risk management, numerous other management efforts (security, safety, prevention, intervention, reputation, documentation, etc.) depend on measuring internal and external elements.






Phishing for Mobile Users? They Are Taking the Bait

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management on January 6th, 2011

In a recent Dark Reading article, new research from Trusteer revealed that mobile users are the most likely to fall victim to fake e-mail messages and visit phishing sites. 

Once they arrive at the fraudulent site they are also three times more likely than users on PCs to provide sensitive login information. 

Why are mobile users more vulnerable?

  • Availability – smartphones are with their users 24/7 so e-mails are checked more frequently. Phishing attacks generally get their victims during their initial launch, as after a certain time frame sites are taken down, blocked or shut down.
  • Size – the smaller screens of mobile devices can inadvertently hide clues that the e-mail contains false information or fraudulent web site links or URLs. Users on smartphones miss the basic signs of phishing e-mails like slightly tweaked URLs, hidden URLs behind links, poorly spelled e-mails, etc.
  • View – many times the way e-mails are displayed is different on mobile devices. For example, on a BlackBerry, the “From” field may just include the name of the sender, but not the e-mail address.
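
As an added example (not from the original post or from Trusteer’s research), the following Python script checks an e-mail for the tells listed above: a From address whose domain is a character or two off a trusted one, hidden behind a friendly display name; link text that shows one host while the href points at another; and link hosts that imitate a trusted domain. The trusted-domain list and the two sample messages are constructed for illustration, and the registrable-domain logic is a crude last-two-labels cut that ignores public suffixes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of domains the organization legitimately sends from.
TRUSTED_DOMAINS = ("example-bank.com", "example.com")
# Anchor text that itself looks like a URL or a bare hostname.
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the typical typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Trusted domain that `host` imitates, or None if genuine or unrelated."""
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    base = ".".join(host.split(".")[-2:])  # crude registrable domain (assumption)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(base, trusted) <= 2:
            return trusted
    return None


def host_of(text):
    """Hostname named by a URL or a bare domain string."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return [(kind, detail), ...] findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    # A mobile client may show only the display name; inspect the real address.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    imitated = lookalike_of(sender_domain) if sender_domain else None
    if imitated:
        findings.append(("sender_lookalike", f"'{display_name}' <{address}> imitates {imitated}"))
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in collector.links:
        href_host = host_of(href)
        if URLISH.match(text) and host_of(text) != href_host:
            findings.append(("link_text_mismatch", f"text shows {host_of(text)}, href goes to {href_host}"))
        imitated = lookalike_of(href_host)
        if imitated:
            findings.append(("link_lookalike", f"{href_host} imitates {imitated}"))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please sign in at
<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/login</a> today.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>View it at
<a href="https://www.example-bank.com/statements">www.example-bank.com</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw) or "no findings")
```

Run as a script it prints three findings for the constructed phishing message (the near-miss sender domain, the link whose visible text and href disagree, and the near-miss link host) and none for the genuine one. The point is that every one of these checks needs the full address and the real href, which is exactly what a small screen or a name-only “From” field hides from the user.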

The report also mentioned that iPhone users were more likely than BlackBerry users to visit fraudulent phishing sites.  One potential explanation is that BlackBerrys are used more by enterprises, while iPhones are popular with consumers, and as we know, organizations are working diligently to educate their employees, implement security policies, acceptable use policies, etc…right?

Has your organization implemented ongoing security awareness training to ensure your employees (and third-parties) are aware of risks from mobile devices? 

Do your employees understand what phishing is?  What about smishing (phishing by SMS text message) and vishing (phishing by voice call)?  

Do they know how to recognize the signs of a phishing attempt? 

Do they know where to report suspicious incidents and phishing e-mails? 

What should they do if they accidentally respond to a phishing e-mail and provide sensitive personal or organizational data?

It is critical for organizations to implement clearly defined policies for using mobile devices.  It is also important that organizations continue to update their employees as risks, threats, requirements, etc. change on an ongoing basis.  A once-a-year general training program is not enough; employees need ongoing awareness reminders. 

One recommendation I would make is to share this Trusteer study with your employees.  Many of your users may have no idea of the potential risks they can encounter on their mobile phone.  Lessons learned make for great awareness tips and will help your employees understand your security requirements and acceptable use policies are there for good reason.






Bullying PSAs…OK, Then What?

Posted In Regulatory Compliance, Risk Management, School Safety on December 1st, 2010

Natasha Alam from True Blood has joined the growing list of celebrities speaking out publicly against bullying.  Celebrities are raising awareness and bringing attention to this escalating challenge. 

Alam recently filmed an anti-bullying public service announcement (PSA).

Canada recently targeted bullying with their National Bullying Awareness Week and the UK recently promoted the Big March to bring attention to bullying, violence and harassment in schools.

Each of these efforts encourages people to speak out about bullying and victimization, and adults are being urged to listen.  These campaigns also mention prevention, the need for awareness and how everyone (students, parents, teachers, staff, community members, etc.) can play a role and make a difference.

I agree that PREVENTION is critical, and I agree we need to help victims be heard and encourage Security Teams and Prevention Teams to listen.  Unfortunately, traditional ‘safe school’ approaches are not delivering the results we need.

The statistics are real; the challenges victims face and the suicides are real, and it is clear that the time is now for new approaches.    

The PSAs, marches and awareness weeks are all great first steps.  However, bullying is a systemic problem that needs comprehensive tools and solutions to deliver multi-directional awareness, accountability, auditability and measurability.  How is your school measuring your efforts?  Are administrators measuring incident reports and tips provided by victims and bystanders?  Are you measuring if school leaders and communities are listening?  Are you measuring if prevention and intervention efforts are working or not working on an ongoing basis?  Are you measuring if your efforts are meeting the OCR Dear Colleague letter’s guidelines?

Awareity wants to know… How is your school addressing bullying?  Do you have a new innovative approach?





