June 28, 2014

Mid-year review: Top 5 posts

In the workforce, we often receive mid-year performance reviews, so why not have a blog mid-year review? It is certainly better than waiting until the end of the year. I tallied up the views from our 2014 posts, and here are the top 5 posts so far this year.

Don't follow the example of these "class acts" on social media.

1) Stupid on Social Media. In early 2014, there were a number of news stories dealing with people posting stupid messages. I'm not talking about normal stupid posts. I am talking about the kind that generates outrage and backlash, especially if it disrespects the military in some shape or form. This post looks at five different incidents. The biggest rule is: if you're going to be stupid, don't post it online. Nobody would have found out if they had not posted it online for everybody else to witness.

2) Personal Security Measures. When this post went live, Spring Break was quickly approaching, which meant there were going to be a number of people traveling. In it I share some travel security tips I personally use to reduce my chances of being targeted, whether going on vacation or business travel. Of course, these tips are not limited to Spring Break travel; they work for Summer Vacation travel as well!

How to properly fill out an SF 702

3) SF 702 Security Container Check Sheet. Two of last year's top ten posts were the Army Security Incident Process and Basic User Info: Protecting Classified Documents, and much of their traffic was coming from search engine results for the SF 702 Security Container Check Sheet. Capitalizing on these search results, I came up with this post. I don't want those searchers to be disappointed. Besides, one of the biggest nit-picks I see during information security inspections is the complaint that the SF 702 is not filled out properly. Post this infographic next to your SF 702, and you will easily reduce this complaint.

4) Child Blogging Security. When I initially started drafting this post, it was more of a rant against parents permitting their young children to blog, but I reconsidered. On this blog I often warn about the dangers of oversharing information online, so I am what some would consider more paranoid than most people. A statement I'm willing to consider. With this in mind, I rewrote my rant into a post providing talking points for parents to think about when deciding whether to let their minor child blog, and if so, what boundaries they should set. If parents do let their young child blog, I hope they make an informed decision and do it as safely as possible.

5) Experian Data Breach. Back in December 2013 and January 2014, there were multiple news stories covering the big Target data breach over the holiday shopping season. In fact, I have a couple of posts about that data breach here and here in case you're interested. Yet there were barely any articles about the major credit bureau, Experian, being involved in a legal case in which the credit information of potentially 200 million Americans was sold to known identity theft rings.

June 15, 2014

Latest security poster additions

I've been playing around with some programs I hope to feature in an upcoming post on free resources to make security awareness material. Thus far I am liking the results. What do you think of some of the security posters I made in one afternoon?

Defensive travel briefing poster
Before traveling to far off destinations, go to security for your defensive travel briefing. Know before you go!

Security risk management poster using a lock
"He who defends everything, defends nothing." A great quote to help us security practitioners practice security risk management principles. Focus your resources on critical assets.

Railroad track security poster
Including security in the planning process can help you stay on track. Encourage your workforce to consult security early and often.

Security planning poster using a building diagram
For a strong foundation, don't forget to include security in the design.

Country road security poster
Using security from the start puts you on the road to success.

Naturally, all these items will be in our security poster library along with over 500 other posters, comics, and images you can use in your security awareness program.

June 9, 2014

Patriotic themed security posters

The 4th of July holiday is quickly approaching. It's time to pull out the patriotic themed posters to rotate through your security awareness program as we near the celebration of America's Independence Day!

OPSEC poster with Uncle Sam
OPSEC. Starts with you! Ends with you!

I'm counting on you. Don't discuss troop movements, ship sailings, war equipment.

You've got what it takes, soldier. Now take care of what you've got!

2nd Continental Congress security poster
Uncle Sam security poster
Minute man security poster
Reduce storage, increase security poster
American drummer boy security poster
American flag security poster
Uncle Sam security poster
American flag and bald eagle security poster
Report foreign contacts and foreign travel. Wear your badge. Practice need-to-know. Protect passwords.

Uncle Sam telling you to stay on the job with security.

Security is a team effort. Together we win.

Be like a soldier on guard patrol. Ever vigilant.

Be like a soldier on patrol. Guard against security violations.

June 5, 2014

Small and Medium Sized Businesses Lack Security Awareness

Enterprise Management conducted a security awareness survey that received over 600 respondents, from small organizations with fewer than 100 people to larger organizations with over 10,000 people. The organizations included public and private companies, as well as government and non-profit groups. The results are not comforting. More than 56% of the surveyed people admit they have not been provided with security awareness training. Of those admitting to being untrained, 72% are from small to medium sized businesses. Sadly, these types of businesses are the ones that can least afford costly data breaches and security lapses.

It's been my experience that some organizations view security as an additional cost rather than a benefit. Additionally, security awareness benefits are hard to qualify and quantify, making it difficult to justify spending time and resources on security training and awareness programs. Unfortunately, it is the uninformed employee who could unintentionally pose the bigger security threat.

"Many [small to medium size businesses] may mistakenly think their small size keeps them below attackers' radar, but in doing so leave themselves exposed to various types of employee focused attacks which could cost them everything," the report states. "The potential cost of employees making poor security choices due to lack of awareness and understanding may go unrecognized until it becomes an actual cost of breach reparations."

Hackers and other criminal threats go after the target of opportunity, the easier target. While larger corporations may have more information and assets, they also typically have stronger security protocols. Granted, breaches at major companies such as Target make the front page of the news, but "data breaches at smaller and medium sized organizations are occurring with greater frequency and reach." (Gow) "Based on estimates, cybercriminals steal as much as US$1 billion a year from SMBs in the United States and Europe alone." (Trend Micro, 2012) It looks like an organization's size does not insulate it from attackers.

According to Trend Micro, the major cause of data loss for small and medium sized businesses is employee negligence. This comes through risky behavior such as opening attachments from unknown sources, visiting malicious websites, using weak passwords, and leaving accounts accessible to third parties. Employees do not intentionally create unnecessary risk for their company. They're just unaware. The old adage "an ounce of prevention is worth a pound of cure" applies to security awareness and training. A little time spent now educating your workforce is worth more than what breach reparations would cost. An active and effective awareness program helps reduce the number and extent of security breaches. The human element in any program can be your strongest or weakest link. Why don't you give them a fighting chance?

References:

Brodie, C. (30 June 2008). The importance of security awareness training. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013

Enterprise Management (7 April 2014). Security awareness training: It's not just for compliance. Retrieved from http://www.enterprisemanagement.com/research/asset.php/2734/Report-Summary---Security-Awareness-Training:-It/%27s-Not-Just-for-Compliance

Goldman, J. (11 April 2014). Majority of employees don't receive security awareness training. eSecurity Planet. Retrieved from http://www.esecurityplanet.com/network-security/majority-of-employees-dont-receive-security-awareness-training.html

Gow, B. (n.d.). Data security breaches: More reach and frequency requires more diligence. Zurich. Retrieved from http://www.zurich.com/NR/rdonlyres/C4FC10D0-2156-42F8-84E7-63C3BF69B6B6/0/Tech_Cold2_DataBreach.pdf

NoticeBored (3 June 2010). Business case for an information security awareness program. Retrieved from http://www.noticebored.com/The_value_of_security_awareness.pdf

Schroeter, J. (12 February 2014). Measuring the effectiveness of your security awareness program. CSO Online. Retrieved from http://www.csoonline.com/article/2134334/metrics-budgets/measuring-the-effectiveness-of-your-security-awareness-program.html

Susser, B. (5 April 2012). The benefits of a security awareness, training and education program for an organization. Bot24. Retrieved from http://bot24.blogspot.de/2012/04/benefits-of-security-awareness-training.html?showComment=1401611178085

Trend Micro (2012). 5 data security threats every small business should know about. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/sb_5-reasons-why-small-business-lose-critical-data.pdf