Posts

Showing posts from February, 2017

28 days of awareness: day 27

We're on the home straight now. All the writing is done and dusted, proof-read and polished to a gleam. The poster images are winging their way to us through the Internet. The website is being revised with an updated home and 'this month' pages describing the ransomwareness module. We'll take the opportunity to quote Professor Angela Sasse, professor of human-centred technology and director of the UK Research Institute in the Science of Cyber Security at University College, University of London. Angela's comments at a European meeting resonated with me, in particular: “In most organizations today, awareness training is just background noise. This stuff is being pushed at people but it's going past them. They are not engaging with it and not changing as a result.” Agreed, engaging the audience is crucial, Angela, but how? Several engagement techniques are employed in the ransomware materials: Rather than attempt to cover everything at once, we've focused on ...

28 days of awareness: day 26

The last-minute idea of using IoT ransomware as a unifying theme across all three awareness streams has worked out nicely. Most geeks being gadget freaks, we can easily set the IT and other professionals thinking and talking about the technical side of ransomware on things: taking control of them and holding them to ransom is challenging given their limited capabilities (the things I mean, not the pros!) but on the other hand all those insecure devices littering the network are, potentially, myriad network traffic monitors and launch-pads for attacks on other networked systems. Securing them is also technically challenging, to say the least. It doesn't take much to raise the topic and let the geeks' fertile imaginations elaborate. Job done. For managers, ransomware taking over industrial plant and machine tools, robots, vehicles and so forth is a scary thought, given their business-, safety- and environmental-criticality. High stakes, and hence their financial v...

28 days of awareness: day 25

We're plummeting towards the end-of-month deadline, hence working this weekend to complete the remaining writing in time for the awareness materials to be proof-read and packaged for delivery. The professionals' awareness materials are usually the last to be finished, partly because they include the newsletter that picks up on news items right up to the point of delivery. Another reason is that I'm a self-confessed geek with an IT background, hence the materials in this stream are easier to write - so much so that if I started with them I would probably not leave enough time and energy for the other two streams. Having written those other materials first, I now have a reasonable picture of the topic area as a whole, including the wider personal, business and societal context. I have come up with a few angles I want to bring up and delve more deeply into for the professionals, most obviously the technologies associated with ransomware and the cybersecurity controls. However...

28 days of awareness: day 24

As the three awareness streams start to trickle and then flow, we are creating opportunities to bring staff, managers and professionals 'onto the same page'. From the outset, our awareness service was designed to provide relevant information and guidance to educate and motivate those three key audiences in terms and formats that work for them and to encourage them to interact with each other around the monthly topic. Although we talk about the 'three parallel streams of content', they all cover the same topic and we expect the streams to converge in practice. The informal social aspect is an extremely valuable part of an effective security awareness program. It lifts the awareness content from the paper into the corporation at large, influencing the culture through casual chat, repetition and endorsement. Today we wrote the management and executive awareness briefings on ransomware, completing the management stream too. Both briefings take a management perspective, ...

28 days of awareness: day 23

One advantage of having covered malware many times before is that we have a stock of awareness graphics already in the bank, including the poster images, mind maps and so on created for our previous modules. As such, we own the copyright on them and can use them freely without the bother and expense of commercial graphics. Good quality graphics not only illustrate and amplify the words, they also make the awareness materials more enjoyable to read. Our poster images are particularly effective because of the way they are designed: most consist of bright photographs with just a few words on a plain background, a deliberately simple yet visually appealing style. Furthermore, most have a touch of humor about them. Even when shrunk down from high-res poster size to fit a seminar slide or document page, they remain eye-catching. Adjusting the word wrapping to make the text flow around the image, and adding a subtle shadow, makes the finished product still more impressive - clos...

28 days of awareness: day 22

While working on next month's module, we're also thinking forward to those that will follow. As soon as the ransomware module is delivered, we'll need to come up with poster ideas for a brand new module on 'innovation and creativity' - an unusual topic for a security awareness program, for sure. We've been quietly researching the topic for months, in parallel with the ongoing work. Over the next week or two we need to review the information already gathered and firm up the scope and purpose of the new module, clarifying the learning objectives and key messages that we'll be putting across. The fundamental premise we originally had in mind was to encourage the legitimate exploitation of the organization's intellectual property and other information assets, while at the same time protecting them from various risks including (in part) theft and exploitation by others. Instead, or perhaps as well, we might delve into the controls and tools supporting informat...

28 days of awareness: day 21

With a week to go until our self-imposed end-of-the-preceding-month, regular-as-clockwork delivery deadline, the ransomware awareness module for March is coming along nicely. The contents listing is gradually filling up with ticks as each item is drafted and completed, which means that stress levels in the office are elevated but under control at this point. The diagrams/mind maps, glossary and presentations are sources of inspiration and content for most of the remaining materials, allowing us to increase the pace of production at this point in the monthly cycle. Today we completed four more deliverables: (1) The case study is valuable for security awareness and training purposes because: it gets people thinking and talking animatedly about the topic, especially in a lively group with an inspirational facilitator; it is a good way to bring information security topics to life with relevant news, recent incidents, advisories, issues etc.; it is succinct; it ...

28 days of awareness: day 20

As you might expect, we use security metrics extensively to illustrate and support the awareness materials. We exploit data, graphs and statistics from recent reports, advisories, surveys and other information sources published on the Web*. It's not always easy to find credible information, however, since quite a lot of stuff out there is either pure marketing tripe or is so badly described and presented that it is unsuitable. Look at this Bitdefender graph for example: I've included the preceding paragraph and legend in the clip to point out the complete lack of values on the Y-axis, while the X-axis doesn't actually state the years (given the date of the blog piece, I think it covers September 2014 to March 2015). I guess from the evenly spaced horizontal lines that the Y-axis is linear, and I hope the X-axis crosses the Y-axis at the zero point, in which case it appears ransomware jumped up from about 1.3 to about 9.3 unspecified units from January to February, w...

28 days of awareness: day 19

We spent much of the day chainsawing, clearing one tree and side branches of another from the microwave link path. So far it seems to have worked: the link is holding up in today's drizzly rain that interrupted proceedings the other day. Phew. An Internet business without the Internet is not a business.

28 days of awareness: day 18

Nothing to report today on the awareness front - another day off. Luxury! Well ... almost. Part of the reason for the break is that our rural Internet connection failed. Our Internet service uses a dedicated microwave link to a mountain-top comms site about 20km away. The path was degraded by heavy rain and, I believe, wet foliage on the trees at our end. Chainsawing the most accessible lower branches out of the way didn't resolve it so I guess more dramatic chainsawing is called for. I wish I could access the path quality metrics from the dish feedpoint radio system to check how much difference the foliage clearance is making and how much further we have to go - also to double-check the dish alignment since we've had storms with strong winds lately. Hmmm, time to contact the service provider, I think, and maybe to check out the admin interface on the dish radio system. Annoyingly, one of our two backup Internet connections also fell over. There appears to be an intermittent ...

28 days of awareness: day 17

With the graphic/visually-oriented materials well under way, it's time to crack on with the supporting ransomware awareness briefings. These are primarily intended to supplement and extend the PowerPoint slides (e.g. as printed seminar handouts), filling in the details for people whose interest has hopefully been piqued - or simply to appeal to those who prefer the written word and quiet reflection over colorful diagrams and whatever the seminar leader is spouting off about, up front. They are valuable for people who want or need to know about the topic but, for whatever reason, don't get to the seminars, workshops, courses or meetings in person and are unwilling to ponder over the somewhat cryptic slide decks online. At this point in the month, I have a reasonably clear picture in mind of the whole ransomware topic area, including most of the elements that I believe are worth bringing up in the written briefings. I also have several diagrams and other graphics to hand that wi...

28 days of awareness: day 16

Today I've mostly been reading and thinking about the official launch of the NCSC - that's the UK's new National Cyber Security Centre as opposed to the US National Counterintelligence and Security Center (presumably an unfortunate clash of acronyms ... or was that deliberate? They do have remarkably similar aims, much like the People's Front of Judea and the Judean People's Front). Reading between the lines of the formal speeches and usual puffery on the website, I get the feeling this is more than just the latest in a long line of government re-orgs. In particular, I noticed the chief's stated intent to demonstrate the value of cybersecurity advice by proving it on Her Majesty's Government first. Using HMG as a guinea pig is a bold move and an interesting one. I wish them well - seriously, I have more than just a passing interest in their success. Skipping deliberately past the thorny issue of what they actually mean by "cyber", on...

28 days of awareness: day 15

The security awareness seminar slide decks are coming along nicely. Today we picked up on 'bluff ransomware' (a form of scareware that displays a warning message and ransom demand without the system lock-out or data encryption) and 'Ransomware as a Service' (malware for rent). The management seminar now includes a tip in the notes about insisting on 'proof of life', i.e. making part-payment first and checking that you can recover some of your data before completing the deal ... if it turns out - due to inadequate preparation - that you have no alternative but to pay the ransom to get your system/data back. By the way, it should be obvious from the management presentation thumbnails above that we much prefer graphics to plain bullet points or solid blocks of text when presenting stuff. The slides may not be entirely self-evident, though, so we invest nearly as much time in writing the accompanying speaker notes (not shown here) for the benefit of the presenters ...

28 days of awareness: day 14

Here we are, half way through the month so it's time to take stock of the awareness materials in the bag already, on the go right now or not yet started. This acts as a crude progress metric: will we finish the module before our self-imposed end-of-month deadline? [We always do but some months are more stressful than others!] I'm ticking off items on the contents list as they come into being, in pencil first as they are drafted then inked-in as they are completed. When the whole module is done, this listing will become a checklist for customers to zip through the materials and decide which ones to use. Today we started work on the management and staff awareness seminar slide decks. A few slides can be re-purposed from the professionals' seminar, and maybe a few more from previous malware modules, but there's an art to designing a seminar to suit the audience. Finding angles, perspectives or aspects that will catch their imaginations is key. We try to incorporate fresh ...

28 days of awareness: day 13

The security awareness seminar for professionals is coming along. So far, we have a quote from Kaspersky, two diagrams showing a process view of a typical ransomware incident, a mind map (see below) and some notes about risks and controls. Two of the slides use the following mind map: Mind maps are a useful way to structure and express our thoughts. The malware mind map was developed over several previous years and has been updated to emphasize ransomware this year.