Posts

Showing posts from October, 2016

Which comes first, the awareness budget ... or awareness?

If your annual cycle matches the calendar year, you’re probably working hard on a 2017 budget proposal to secure the funding for all you need to do on information security, cybersecurity, information risk management, compliance, business continuity and so on - doing it yourself or maybe helping the boss. Is security awareness and training part of the plan, hopefully not just a single line item but an integral part of virtually everything you are proposing to do? If not, don't be surprised if, once again, you struggle to make much headway in information security in 2017. Security awareness is not just an optional extra but an essential prerequisite for success ... and the magic starts with senior management having sufficient knowledge, understanding and appreciation of what information security is all about to approve an adequate budget. With that in mind, do you see the conundrum? Awareness is needed to gain funding for ... awareness and the rest of information security. How is t...

A little something for the weekend, sir?

The following bullet-points were inspired by another stimulating thread on the ISO27k Forum, this one stemming from a discussion about whether or not people qualify as "information assets", hence ought to be included in the information asset inventory and information risk management activities of an ISO27k ISMS. It's a crude list of people-related information risks: Phishing, spear-phishing and whaling, and other social engineering attacks targeting trusted and privileged insiders; ‘Insider threats’ of all sorts – bad apples on the payroll or at least on the premises, people who exploit information gained at work, and other opportunities, for personal or other reasons to the detriment of the organization; ‘Victims’ – workers who are weak, withdrawn and easily (mis)led or coerced and exploited by other workers or outsiders; Reliance on and loss of key people (especially “knowledge workers”, creatives and lynch-pins such as founders and execs) through various causes (resi...

There must be 50 ways ...

Over on the ISO27k Forum today, a discussion on terminology such as 'virus', 'malware', 'antivirus', 'advanced threat prevention' and 'cyber' took an unexpected turn into the realm of security control failures. Inspired by a tangential comment from Anton Aylward, I've been thinking about the variety of ways that controls can fail: To detect, prevent, respond to and/or mitigate incidents, attacks or indeed failures elsewhere (a very broad overarching category!); To address the identified risks at all, or adequately (antimalware is generally failing us); To be considered, or at least taken seriously (a very common failing I'm sure - e.g. physical and procedural control options are often neglected, disregarded or denigrated by the IT 'cybersecurity' techno crowd); To do their thing cost-effectively, without unduly affecting achievement of the organization's many other objectives ("Please change your password again, only ...

Marketing or social engineering?

Electronics supplier RS Online sent me an unsolicited promotional mailing in the post this week, consisting of a slimline USB stick mounted in a professionally printed cut-out card: Well, it looks like something from RS' marketing machine. It has their branding, images of the kinds of tools they sell and a printed URL to the RS website. But the envelope has been modified ... The printed sticker stamp top right has been crudely redacted with a black marker pen plus two further sticky labels, and 'postage paid' has been printed lower left, allegedly by the Hong Kong post office. [I put the blue rectangle over my address.] A week ago, we released a security awareness module on human factors in information security, including social engineering. Among other things, we discussed the risk of malware distributed on infectious USB sticks, and modified USB hardware that zaps the computer's USB port. The notes to a slide in the awareness seminar for management said this: What...

People protecting people ... against people

We've just delivered the next block of security awareness materials, some 210 Mb of freshly-minted MS Office content on the human side of information security. The module covers the dual aspects of people-as-threats and people-as-controls. It's all about people. The threats in this domain include social engineers, phishers, scammers and fraudsters, while controls include security awareness and training, effective incident response procedures and various other manual and administrative activities, supplemented with a few specific cybersecurity or technical and physical controls. Whereas the awareness program has covered phishing and spear-phishing several times before, our research led us to emphasize "whaling" this time around. Whalers use social engineering techniques to dupe financial controllers and procurement professionals into making massive multi-million-dollar payments from fat corporate bank accounts into the criminals' money laundering machinery, where i...