Cyber Threat Analysis for 06/09/2016

Analysis & Commentary on the Week's Cyber Security Issues

The "so what" factor feeds and aggregators don't give you.

Battling Cyber Threats Begins With Employee Education

Clearly businesses seem to understand the importance of good security practices. But are they taking the right steps? The best security technology products and the most comprehensive policies and processes won't work without appropriate human action and intervention. Spreading cybersecurity awareness, knowledge and training throughout the entire organization, from the receptionist at the front desk to the CEO in the corner office, is essential. (Entrepreneur)

The argument over whether employee training is useful or not is unlikely to be resolved any time soon. Training is clearly not useless, but most organizations deliver it in a fashion that does not support retention or spark employee interest. Just as important: most organizations don't reinforce what is learned by holding policy violators accountable. Gamification techniques and executives walking the walk can produce positive results; the same old same old will continue to produce victims.

45% of organisations unsure if email cyber attack insurance will pay up

Email and data security company, Mimecast, has issued "a warning to organisations relying on cyber insurance: your policies may not be fully up-to-date in covering new social engineering email attacks, leaving firms at risk for taking the full financial brunt of these attacks". The research which Mimecast conducted was assisted by "a survey of 436 IT experts at organisations in the US, UK, South Africa and Australia in March 2016". The company says "respondents assessed the growth in a range of email attacks seen over the prior three months". (IT Wire)

Cyber insurance may not necessarily help you sleep better at night. Draw analogies to other types of insurance you may be more familiar with: think of the loopholes and reasons your insurer won't pay out. Now read the fine print on your cyber policy. Think about how much work it will take and how much money it will cost to maintain compliance (things you should be doing anyway). If things were to go sideways, think about your legal team versus the legal firepower retained by an insurance company. Cyber insurance should be a part of your security portfolio, but far too many think the shine on such policies is silver, when in fact it's more like pyrite.

Study: C-Suite Leadership Can Cut Cyber-Attack Growth by 50%

The C-suite and board have critical roles in defending their firms against cyber-crime, highlights a new report published by The Economist Intelligence Unit. Findings from a global survey of 300 C-suite executives reveal a primary driver of success was the adoption of a proactive cyber-defense strategy. The 28% of firms that prioritized this approach were able to cut the growth of cyber-breaches by more than 50%. Another significant factor of success was the active support of this strategy by the C-suite or board of directors. Companies that pursue a proactive cyber-defense strategy strongly supported by C-suite and board have cut the growth of eight major cyber-attacks by an average of 53%. (CFO Innovation)

Nothing spurs action like attention from mahogany row. You would be hard pressed to craft a better argument for why a CISO/CSO should report to the top. Friction that would otherwise stall a cyber security effort miraculously falls away when people know they can't ignore or slow-roll you. Still, cyber security is something people outside of the security function are forced to do, not something they do willingly. Any sufficiently meaningful improvement is likely to lead to a new status quo, not a rush to an ideal state.

Cyber Threats to Supply Chain on the Rise

Cyber threats to supply chains have become increasingly prevalent due to extensive sharing of digital information between organizations and their suppliers. Still, some companies don’t do enough to protect their assets, sensitive data and information by addressing the risks within their networks. Many breaches don’t start at the top – attackers start somewhere in the supply chain and work their way up to the target through a trusted supplier. (Global Trade Magazine)

The cliché of the weakest link applies. Always. The more complex and extended the relationships necessary to operate your enterprise, the greater the risk and the more diverse the threats you will face. Security is a team sport, but especially when it comes to interconnected commercial concerns, everyone on the team is playing a different sport and being scored differently. Incentivizing all elements of your supply chain to adhere to the same security rules is not going to be easy, but a collective defense / herd immunity approach is going to improve resilience against attacks.

Fashion Industry Tells Feds: We Need Better Cybersecurity for Internet-Connected Clothes

The fashion industry is urging Washington not to hinder creativity when the government formulates policies surrounding the internet of things, as everyone from Met Gala celebrity guests to U.S. soldiers slip on wired garments. Kenya N. Wiley, founder of the D.C.-based Fashion Innovation Alliance, is asking the Commerce Department to consider the $260 billion digital economy when crafting any new federal regulations for networked clothing and other internet of things gear. (NextGov)

I'll let you formulate your own Zoolander-related jokes here.