Category: Uncategorized

  • From video game developer to CISO: How to successfully make … – Security Magazine

    As we celebrate another Cybersecurity Awareness Month, this year’s theme, “See yourself in Cyber,” is especially poignant for an industry that desperately needs to find new and creative ways to establish a sustainable workforce. As of last year, more than 700,000 cybersecurity jobs remained unfilled in the United States, with experts estimating that number will only rise over the next decade. 

    What the general population doesn’t understand about cybersecurity, and what I believe this month-long celebration should intend to explore, is that it doesn’t take a computer genius, or even a background in computer science, to embark on a successful career in the industry. Are you an art major who is looking to pivot? An accountant who loves solving puzzles? Or even a construction worker who excels in working in teams? I promise, there is room for you in cybersecurity. As more professionals look to change industries completely and follow their dreams, I want you to know that you’re not alone, and it can actually be done. I know because I did it. 

    As a former humanities major and video game developer, I can confidently say that I didn’t always see myself in cyber, especially in the early 2000s, when hacking — and thwarting hackers — was more common in Hollywood than on the nightly news. At that time, I was developing video games for a small studio on September 11, 2001, and the tragedy changed everything for me. I decided I wanted to make a more direct impact on my country and studied the best path to realize that goal. Soon after, I joined the U.S. Army to gain the intelligence experience necessary to serve in the Federal Bureau of Investigation (FBI) as a special agent covering mostly cybercrime, but also a bit of everything from international terrorism to gang interdictions. I even had the opportunity to serve as a SWAT team leader.

    In the FBI, I was assigned to investigate cybercrime; that was my initial motivation to develop the technical skills necessary to work in cybersecurity in both the public and private sectors, but I want everyone to understand that there are other ways to enter this industry. Some cybersecurity firms offer internships, and at other non-cybersecurity businesses, you can start on the helpdesk or in a system admin position and make your way across the industry into more security-focused work. Also, tinkering on security projects in a home lab is a great way to set yourself apart from others in an interview cycle. Focused determination and a curious mind can open this field to many who might not otherwise see it as a possibility.

    The truth of the matter is that you are already in cybersecurity. If you use a computer to do your job, at home, or at any time, including smartphones, then you are in cybersecurity. We are all part of the security team that secures our businesses, organizations, and our own data. The fact that you must be on the lookout for phishing and other scams at work and home proves this point. You are already performing your cybersecurity role when you screen your calls for fraud attempts and help your grandma avoid sending money to that ubiquitous Nigerian prince. And you are probably pretty good at it too.

    Historically, though, career security practitioners have been depicted as people with their heads hovering four inches away from a computer screen 18 hours a day — not very appealing to folks with real passions and pursuits outside of the workplace. But that image couldn’t be further from the truth of what real cybersecurity talent looks like.

    As a Chief Information Security Officer (CISO), I look for specific personality traits when hiring for analysts and engineers rather than a perceived interest in technology or networks. Effective cybersecurity talent, regardless of background, will always be curious, gritty and eager to learn more as new threats develop and vulnerabilities are exposed. Having an investigative mind is very helpful. In addition, people who want to understand how things work, or who like to know the answer to a mystery, are good candidates. Even musicians, or folks with an analytical mind that can recognize patterns like they recognize their own family members, stick out to me on a resume or during an interview. 

    Though I gained technical cybersecurity experience of my own through self-teaching, training, and working for the FBI, my humanities degree has been invaluable in encouraging me to look at problems at a holistic and systemic level. It has helped me have a greater perspective for the ancillary and downstream effects of cybersecurity attacks and policies. It has also helped me know how to communicate to various levels of leadership within my own organization and to clients, articulating the severity of a situation and the possible remedies that are available for any attack. Without the communication skills to break down cybersecurity jargon into plain English, even the most technically talented analyst will always be at a loss in explaining their value to potential customers.

    The point is that it’s high time for the cybersecurity industry to take action to change its reputation as a realm of complexity and secrecy to a fast-paced industry where those with innate curiosity and leadership can thrive. My journey to cybersecurity started 20 years ago with a deep motivation to protect my country, and I have been able to take my career everywhere, from investigative work to incident response to strategic leadership. Over the next 20 years, let’s ensure that every talented individual has the power to do the same.

    Adam Marrè is the Chief Information Security Officer at Arctic Wolf. Prior to joining Arctic Wolf, Adam was the Global Head of Information Security Operations and Physical Security at Qualtrics. With deep roots in the cybersecurity space, Adam spent almost 12 years with the FBI, holding positions like SWAT Senior Team Leader and Special Agent. 

    source

  • Arlington cyber-education company to provide free training to Black … – ARLnow


    Sponsored by Monday Properties and written by ARLnow, Startup Monday is a weekly column that highlights Arlington-based startups, founders, and local tech news. Monday Properties is proudly featuring 1515 Wilson Blvd in Rosslyn. 
    Arlington-based CyberVista announced it is providing free cybersecurity training through a new partnership with a D.C. area nonprofit.
    The cybersecurity workforce development company located in Rosslyn (1300 17th Street N.) is making available two courses to participants in Black Girls Hack. The Alexandria-based nonprofit provides training and resources to encourage Black girls and women to be engaged in STEM fields, with a focus on cybersecurity and executive suites.
    “There is a critical shortage of black women in the cybersecurity industry. BlackGirlsHack’s mission is to bridge this gap by creating a source of shared knowledge and resources that can enable black girls and women to break the barriers,” said BlackGirlsHack Founder and Executive Director Tennisha Martin in a written statement.
    For CyberVista, the partnership complements its work to support STEM education.
    “Our partnership with Black Girls Hack goes hand-in-hand with CyberVista’s goal to close the skills gap in cybersecurity by measuring and upskilling underrepresented groups of talent,” CyberVista CEO Simone Petrella said. “We support organizations that invest in their communities by elevating STEM education that will enable a better and more diverse cybersecurity workforce.”
    Its two courses — Cybersecurity Matters and Security Essentials for IT — are aimed at supplementing the training that BGH provides to current members.
    Cybersecurity Matters, which is designed for a non-technical audience, provides foundational knowledge of common cyber attacks and defensive techniques. The company says the course “helps learners understand the ‘hows’ and ‘whys’ of cybersecurity, and their role in keeping the organization secure.”
    Security Essentials for IT, designed for information technology professionals, addresses cybersecurity threats related to protecting business data and maintaining business systems.
    “We are excited to partner with CyberVista, an organization recognized for making inroads to eliminate the skills gap,” Martin said. “The resources they are providing our members will help us open the doors for more black female professionals in cybersecurity for today and tomorrow.”
    CyberVista, founded in 2016, is the sister company of the 85-year-old tutoring and training platform Kaplan. It recently merged with Maryland-based CyberWire, an audio-based cyber media company, to form N2K Networks, or the “news to knowledge” network, the Washington Business Journal reports.
    The new cyber media and education brand has raised a $5.4 million round of funding.
    The company that owns Kaplan and CyberVista, Graham Holdings, previously owned the Washington Post.

    source

  • Security awareness training needs a revamp – Cybersecurity Dive

    The fake phishing email is losing its luster.
    Awareness training plays an important role in an organization’s overall cybersecurity posture. But while security tools and platforms are regularly updated or replaced to meet the challenges of a constantly changing threat landscape, security awareness training has remained stagnant. 
    Training is the first, and often the only, interaction with the security team, said Marisa Fagan, head of trust culture and training at Atlassian. It’s an opportunity for the security team to create a positive experience that delights as well as educates employees, which could have big payoffs later with faster incident resolution and fewer mistakes with security impacts.
    That’s in a perfect world. In the actual workplace, security awareness training isn’t meeting those objectives. 
    At the Insider Risk Summit in late September, Fagan explained that traditional awareness training does not focus on outcomes, is not interesting or engaging, and, worst of all, does not convince anyone to actually care about security. 
    It isn’t surprising that traditional cybersecurity training approaches aren’t working. 
    “When you look at the data over the past five to 10 years, the approaches haven’t moved the needle in materially reducing organization risks,” said Mary Dziorny, cyber strategy manager at Accenture.
    Security awareness training has stagnated, in part, because it is a financially undervalued — and underfunded — piece of the cybersecurity platform. 
    Security awareness training professionals end up spending most of their work time on other projects, according to a study from the SANS Institute. Or they have the wrong people in charge of awareness training, relying on those with high technical skills to lead the effort who might not have the soft skills needed to engage co-workers.
    Also, there aren’t enough people on the awareness training team. Most companies have one or fewer people in charge of training programs. The organizations that have more mature training programs and a more mature security posture are those that have four or more people responsible for awareness training. 
    Not having enough — or the right people — to do the job could be why security awareness training itself misses the mark. 
    “Fundamentally, the industry is struggling to connect the realities of adult learning best practices with how organizations need to run their businesses, which is efficient and effective,” said Dziorny.
    Security training today tends to emphasize specific focus areas, like how to ensure the organization is meeting compliance regulations or to improve employee production, but it skips things like employee engagement or improving employee job satisfaction. 
    “Through more hands-on learning and upskilling, rather than outmoded table-topping exercises, security teams can see how their organization performs on relevant and timely exercises and simulations — even within hours of a new threat going live — so they can prove their ability and stay current,” said Max Vetter, VP of content at Immersive Labs.
    As cyberattacks become more sophisticated, employees need to take a more active role as the first line of defense. That means more effective cybersecurity awareness training, while working through the parameters of current budgets and staffing. 
    It should focus on making the training more engaging and looking at how to change human behavior.
    One change to awareness training is to either get rid of or deemphasize the term awareness. 
    There’s a simplistic take that just by saying “awareness training,” users will automatically become aware of all the security issues and problems solved. 
    It doesn’t work that way, said Ira Winkler, field CISO and VP with CYE. 
    Rather than focus on awareness, the emphasis should be on how to change behavior. With behavioral science, you want to put things in place like reward systems, modifications to the user experience, or more established guidelines. 
    “The goal is to have measurable improvement in security-related behaviors, and that’s very different from the concept of awareness,” said Winkler. 
    One way to achieve this is to actually catch users performing good security behaviors and reward them, rather than looking for mistakes and punishing them. This could include highlighting when employees take security training classes, report a phishing email, or regularly use multifactor authentication. 
    You might reward these behaviors in different ways — the point is to have a constant system to do so.
    Another behavioral training method is to use storytelling. 
    “Not only is storytelling a proven educational method rooted in behavioral science, it has the added feature of being entertaining as well,” said Fagan. 
    Educating and entertaining should work in tandem to cement security-related concepts in employees’ minds. Security should become a habit, but to get to that point, training should follow the pop culture format. 
    “The most successful security training content creators are now providing rich, engaging HD videos that tell stories with characters over several episodes with interactive elements,” said Fagan.
    Like popular TV shows or NFL games, security training videos should aim to generate “water cooler” discussions around the office to reinforce the messaging. 
    “Using this method, we’ve seen a second wave of people view the training in greater numbers than in previous years simply because they wanted to understand what the first people to take the training were talking about,” said Fagan. 
    Cybersecurity is a distributed business problem, and it is time to move beyond the annual “how to spot a phishing email” style of training, and do more to support users to incorporate cybersecurity into their everyday work behaviors. 
    “We need to use realistic exercises that span from executives down to the most technical teams to unlock new levels of real-world performance measurement,” said Vetter.
    Correction: This article has been updated to correct the spelling of Marisa Fagan’s name.

    source

  • 3 great EU locations for cyber security jobs – Tech.eu

    Cyber security in Europe is big business. Globally, the market size was valued at $184.93 billion in 2021, and it is expected to expand at a compound annual growth rate of 12% to 2030. The European slice of the pie accounted for nearly €34 billion in 2021, an 8% increase that year, with an expectation that this growth will continue. 
    By 2025, spending on security equipment, software and services in Europe will exceed €45 billion. Right now, cybersecurity represents about 3% of the overall IT market – and it is growing three times faster than the rest of the sector thanks to a range of factors. 
    Some of those are down to the pace of digital transformation of businesses brought on by the pandemic. And as more of us move our shopping and banking habits online, the need to protect our data becomes ever more important. Additionally, according to an EU report, 28% of European SMEs experienced at least one type of cybercrime in 2021, and 32% are very concerned about the risk of hacking online bank accounts, as well as viruses and spyware or malware (29%).
    As a result, those with cybersecurity skills are in demand across Europe, and the job market here – as well as globally – has grown rapidly. According to the latest research by ISC, this year an estimated 1.8 million jobs in the sector will go unfilled. The bloc boasts many locations that offer talented tech workers a number of attractive benefits, including good career prospects within the cybersecurity arena, work-life balance, and great pay. We’re checking out three of them below.
    The internet economy in the Netherlands is hugely important, contributing around 6% to the country’s GDP, and the Amsterdam region houses nearly a third of Europe’s data centres. Additionally, Amsterdam has one of the world’s largest data-transport hubs, AMS-IX, and many large tech companies have chosen to base their European operations in the country. 
    All these factors mean that the problems of cybercrime, digital espionage, and disruption of online services are major concerns leading to the availability of well-paid jobs in the cybersecurity sector.
    It is also a great place to live. Centrally located in Europe, Amsterdam is a beautiful city that offers a great quality of life and excellent educational opportunities thanks to its universities which offer undergraduate and postgraduate programs that can help you train for jobs in the field. 
    Group-IB, one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property, is recruiting for a Cyber Threat Intelligence Analyst in the city. In this role you will track phishing kits, track the infrastructure of threat actors, automate research and write technical articles, plus share knowledge via blogs, news, and events. 
    The capital city of Ireland, Dublin is the EMEA base for a wide variety of Silicon Valley firms that include Google, Indeed, Airbnb, and Guidewire among many others, leading to its moniker of Silicon Docks. As a result, there are many companies looking to hire across cybersecurity roles.
    The country has a strong economy, but an equally high cost of living. Tech salaries are competitive to compensate, but many workers relocating here find it difficult to find accommodation. On a positive note, Dublin is very liveable—with its small centre, it is walkable and enjoys close proximity to the sea and the great outdoors.
    Interested in working in Ireland? This Azure Platform Administrator role at Johnson Controls Proactive involves administration and support of the company’s Azure Data Lake Platform, including admin, incident management and troubleshooting. You’ll be the point of contact for Azure PaaS services including Data Factory, ADLS, Databricks, Synapse, and DevOps. Required skills include Azure Data Factory, Azure Data Lake Store, HDInsight, Azure Synapse Analytics, Azure SQL and Security Management with Ranger policies.
    While it isn’t as cheap as it once was, and rents can be pricey, Berlin is a great place to live and work, especially if you’re young. The city is now a leading startup centre within Europe and in 2021, 273 Berlin-based startups and tech companies attracted a record €14.3 billion in buyout, growth, and early-stage funding, accounting for 26.6% of the deal volume in Germany according to Unquote data.
    Germany has some of the strongest data privacy laws in Europe, making it ideal for working with sensitive information – and for jobs in this area. Salary potential is high: Graduates can earn up to €100,000 per year.
    If you’re interested in working in the city, Mercedes-Benz Tech Innovation has an opening for a Cyber Security Consultant. You will carry out cybersecurity assessments based on the ISO 2700x series of standards and advise customers on regulatory, procedural, organisational and technical issues in the area of information security. You’ll also identify fields of action, assess risks, prioritise and coordinate measures to eliminate weak points, and coordinate their implementation.
    If you’re interested in exploring career opportunities in cybersecurity, check out the Tech.EU Job Board today

    source

  • Graduates with a master's degree in cybersecurity are reporting … – Fortune

    When it comes to job demand, it’s hard to beat the field of cybersecurity. By 2025 there will be an estimated 3.5 million unfilled cybersecurity jobs across the globe, according to Cybersecurity Ventures, a researcher and publisher that covers the international cyber economy. And that follows a 350% growth in the number of open cybersecurity jobs between 2013 and 2021.
    As practically all elements of work, life and everything in between now have a digital component, the need to secure our information from cybersecurity threats has only grown. With that growth, master’s degree programs in cybersecurity have also flourished.
    “The job market’s insane for cybersecurity,” says Mary McHale, a career advisor for the master’s of information and cybersecurity program (MICS) at the University of California—Berkeley. The university landed the No. 1 spot on Fortune’s first-ever ranking of the best online master’s degree programs in cybersecurity. “When you look at the opportunity and demand, it’s tremendous.”
    Whether contending with cyber criminals who wish to turn a profit from stealing information or challenging nation-states that wish to do us harm, cybersecurity professionals are in an interesting and ever-evolving field. And UC Berkeley grads are landing jobs with salaries of more than $200,000. Here’s what you need to know.
    In June, Lakshmi Hanspal, the global chief security officer for Amazon devices and services, was the keynote speaker for Berkeley’s MICS immersion program. In her address, Hanspal said that Amazon had more than 600 unfilled cybersecurity jobs.
    That’s a high number, particularly given Amazon’s deep pockets. “They’re saying the demand is just going increasingly higher,” says McHale of UC Berkeley. “Once we help [students] get visibility in the job market, the amount of attention they’re getting is tremendous.”
    Many master’s degree candidates in cybersecurity programs take part in summer internships with companies before graduating.
    “Most come back with an offer of full-time employment when they finish,” says Mustaque Ahamad, a professor in the School of Cybersecurity and Privacy at Georgia Tech. “You have a job lined up, absolutely.”
    While a master’s degree in cybersecurity or a related subject like computer science isn’t required to work in cybersecurity, it goes a long way to inform graduates on the latest trends and happenings in the field.
    “A master’s degree is going to prepare you for the highest skill, top-level careers,” Ahamad says. “A master’s degree is essentially going to make a specialist in cybersecurity.”
    If you have a master’s in cybersecurity, it’s fairly common to earn a six-figure salary immediately after graduation. “It’s a profession that will pay you well,” says Ahamad. “The vast majority of [graduates] head out to the Microsofts and the Googles and the Ciscos and the Intels.”
    According to a UC Berkeley salary survey of alumni, graduates with a master’s degree in cybersecurity make an average salary of $214,000, not including bonuses; the median salary is $200,000. Some graduates who are now executives, such as chief information security officers (CISOs), chief information officers (CIOs), and chief technology officers (CTOs) make more than $300,000.
    “The CISO roles are going to be more over the $250,000, $300,000 [salary mark], closer to $400,000, depending on the company and the size of the organization,” McHale says.
    The median pay for computer programmers, who write, test and modify code and scripts so that applications and computers can work properly, was $93,000 in 2021, according to the U.S. Bureau of Labor Statistics. Information security analysts, who plan and carry out security measures to protect the computer networks and systems of an organization, had a median pay of $102,600. Computer network architects, who design and build data communication networks, such as Intranets, wide area networks (WANs), and local area networks (LANs), had a median income of $120,520 in 2021.
    Though graduates who go to work for the government generally make less money, the knowledge gained from becoming familiar with government systems that need to be secured can pay off if they eventually work for a major defense contractor.
    “The experience is golden,” Ahamad says. “They’re dealing with sophisticated nation-state threats, so [with] the systems and the applications and the high level of security that’s needed, once they have that experience, that really makes them first-class at cybersecurity.”
    McHale says that while some cybersecurity master’s graduates from Berkeley head to the public sector, most take new jobs in the private sector.
    “People with this professional master’s degree are now open to a path of incredible career opportunities,” McHale says. “There is an ability to apply those skills in any industry, or around the globe, because they can take that core skill and apply it to something they’re very passionate about.”
    See how the schools you’re considering fared in Fortune’s rankings of the best master’s in computer science programs, psychology programs, public health programs, business analytics programs, data science programs, and part-time, executive, full-time, and online MBA programs.

    source

  • Building a Cybersecurity Training Program: What you need to know – tripwire.com

    Every security framework recommends that an organization has a cybersecurity training program for all employees, but few give much guidance about what the program should contain.  What do you train them on?  What actually works?  Other than checking a box on the compliance forms, are these programs useful?
    Don’t discount “checking the box” on your compliance program as a motivator for your teammates.  For some team members, just knowing that if they take this training, your company can be in compliance, and that it will impact the future growth and success of the business, will be encouragement enough.
    Primarily, you want your people to be aware of potential security problems and how your company wants them to deal with those situations. You want this knowledge to stick and your teammates to take action. Having everyone attuned to the organization’s security approach will reduce issues, and give you a baseline for improving or changing the security culture.
    The company currently has a security culture, but is it the culture you want to have?  It is important to know where you are starting, and to know if the end goal is merely achieving compliance, learning to recognize a phishing scam, or a much higher ideal.
    Children’s brains are made to absorb knowledge, taking in as much information as they encounter. The science devoted to understanding how adults learn differently is called andragogy. One principle of the adult learning style is that adults must want to learn and will learn only what they feel they need to learn.  They learn by doing, and their learning often focuses on problem solving rather than proceeding sequentially. Adult learning is influenced by: their personal experience; the setting (such as an informal situation); the need to be an equal partner in the process; and, of course, the overall enjoyment of the learning process. If we want the knowledge to stick, the training program should take these factors into account.
    How do you increase an adult’s desire to learn?  Know that your group will have a variety of motivations, and appeal to them all.  Some may enjoy the break from their normal work to think about something new.  Many will want to know how this training will help them solve a problem.  Communicating about the training at different levels may help increase engagement at all levels.
    There is a benefit to doing a single annual training – also known as “one and done” – but most of that benefit is on the program coordination side rather than on the student side.  It’s certainly easier to plan and track for compliance reporting, and if this satisfies the minimum standard, this method is certainly available. However, it’s pretty easy for the learners to grumble through a long session to get their certificate and then not think about security again for the rest of the year, and new hires may miss out on this opportunity to learn the new security culture by months. 
    Another option is to use much smaller training modules, either monthly, or quarterly.  This allows the training to be more approachable – it’s a 15-minute task, rather than hours – and it happens regularly and pretty painlessly.  It also makes security something the team thinks about all year long, rather than as a session they complete and then forget.  However, tracking this for compliance purposes does take some thought or additional automation tools.
    In addition to training videos or modules with quizzes, the training topics will be retained longer if the team member is exposed to it a second or third time.  For example, your training video may focus on the topic of malware.  Later that month, you may email around a link to an article on a competitor who was a malware victim, and what it cost to recover in time and money.  Then, in a company meeting, a manager may bring up malware as a concern.  Reiterating the topic not only gives it time to sink in, but it also presents the data in different ways, which increases the awareness of the topic.
    The training should always be relevant to the audience. There are topics that may need to be repeated annually for all staff members: password security and phishing are in perennial need. There are also topics that may only be applicable to certain groups: CEO fraud is of interest to all financial staff, and Software Bill Of Materials (SBOM) security can be critical to developers.  As part of your structure, you may also reserve a slot in the year for targeted training on issues pertinent to subgroups of teammates.
    Consider potential topics for a general audience, as well as topics specific to your industry.  Try not to use the same exact training modules year after year, as the team will become bored.  Mix it up! Here are some ideas:
    To increase engagement, you may be able to gather a cross functional team to review and select the training modules – an individual learner may not have selected the training, but it’s coming from their peers rather than some faceless corporate email.  That team can also be used to assemble newsletters or be cybersecurity cheerleaders in their departments.
    There are many companies that offer computer-based training, often as short videos and quizzes.  They also give the ability to keep records about who took which training class, or automatically remind them (or their managers) what’s due.  It is important to review these modules to confirm they meet your organizational demographics and goals. For instance, while your global company may transact business in a primary language, selecting training modules that are multilingual allows you to give teammates the ability to review them in their most comfortable language. If you have specific password complexity requirements, don’t use a module that contradicts your company’s needs.
    There are also other means of training or reinforcement:
    You can find free videos on the internet, and show them in team meetings, with some questions to prompt discussion.
    After the employee completes the assigned training, there are several ways to provide feedback, which can snowball into future eagerness for cybersecurity training:
    There are a lot of good ways to develop a training program, and what works is going to depend on your industry, your culture, and what you can invest in it.  Each program should acknowledge its reachable goal and design its structure around that goal, aiming to incorporate adult learning principles. 
    While training can be delivered without a specialized integrated tool, such tools certainly make distributing and tracking easier.

    source

  • The Most Pressing Cybersecurity Challenges of 2023 – Security Boulevard

    The global cost of cybercrime attacks is rising and reached an estimated €5.5 trillion in 2021. Ransomware attacks alone hit organizations somewhere in the world every 11 seconds. Our use of and dependence on technology grows each day and with it the opportunities for criminals to profit from emerging vulnerabilities. Despite increased awareness and growing spending by organizations to protect themselves and to build resilience in the event of a successful attack, specific cybersecurity threats will continue to rise in 2023. Cybersecurity risks will have to be mitigated by managing direct threats, but sufficient resources will be needed to navigate an increasingly complicated regulatory and operational environment in the coming year.
    State-sponsored cybercrime and attacks are now one of the most prominent forms of cybercriminal activity, and will continue to rise in 2023. Nation-states take advantage of our increased dependence on technology to use cybercrime for espionage, sabotage or to sow misinformation. Meanwhile, some are turning a blind eye to cybercriminal groups within their borders that target the private sector, as long as those targets are in other countries.
    In 2021, only a quarter of cyberattacks reported in Europe were directed at public administrations, while more than half targeted private-sector companies in a broad variety of sectors. The reasons targets are chosen are not always clear. For example, last month 14 U.S. airports suffered a denial-of-service (DoS) cyberattack that disrupted websites featuring flight information. Russian-speaking attackers took credit for the attack but the reasons for their actions remain unclear.
    Private companies will need to closely monitor potential collateral damage caused by state-sponsored threat actors whose motives may not be obvious.
    Globalization has dramatically increased the flow of goods throughout the world, but the rising interdependence for supplies and manufacturing processes also means that supply chains are stretched over greater distances and have become especially vulnerable to disruption. Already weakened from pandemic bottlenecks, the manufacturing sector has become an attractive target for attackers. In 2021, the number of supply chain intrusions rose 16% from the previous year.
    Manufacturers and service providers often adopt new digital technology to quickly enhance productivity, but sometimes do so without paying sufficient attention to security issues. The introduction of robotics and the internet of things has provided attackers with new avenues to explore and exploit. One recent example is Toyota’s suspension of its Japanese production line last February due to a cyberattack directed not at Toyota itself but at one of its suppliers. The company had to delay the production of 13,000 vehicles as a result.
    Cybercriminals monetize their activities via ransomware, and the tactic, which blocks access to systems or data until a ransom is paid, is being used on an ever-broader range of organizations and companies of all sizes. In 2021, there was a record 623 million ransomware attacks; far more than in previous years. Broader adoption of digital tools and remote working during the pandemic helps to explain the rise of attacks. More and more, criminals are using sophisticated phishing scams and targeted deep fakes, and the ubiquity of digital communication means attackers have more windows of opportunity to exploit.
    Financial companies are prime targets for cybercriminals and frequent targets of cyberattacks. Financially motivated criminals attempt to infiltrate systems using tactics like server access, misconfigurations and fraud, often monetizing their activities through ransomware.
    Almost one-third of successful breaches in the sector come from internal actors, in some cases employees unaware they are putting their company at risk. Adequate cybersecurity awareness training is key to avoiding incidents.
    Insiders who knowingly aid cybercriminals, on the other hand, can be difficult to identify. To mitigate the threat from malicious insiders, cybersecurity systems need to take into account a broad range of information and be able to detect unusual or erratic user activity. Processes and controls must be established for granting access to sensitive data and followed closely at all times. User and entity behavior analytics (UEBA) can be critical to properly vetting new hires and keeping an eye out for unusual practices in the workplace.
    Alarm is growing among policymakers and regulators throughout the world about the threat that cybercrime presents to critical infrastructure and businesses, not to mention the risks to private citizens. New legislation to improve resilience and try to stem the growing tide of cyberincidents is beginning to appear, which will require greater attention to an evolving regulatory landscape for cybersecurity.
    Pressured into action by high-profile cybercrimes involving businesses and infrastructure, such as the Colonial Pipeline hack in 2021, the U.S. passed the Strengthening American Cybersecurity Act of 2022 in March 2022. The new legislation obligates companies to notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering a cybersecurity breach and within 24 hours of paying ransom to hackers. The law targets companies that provide critical infrastructure, but details of which companies the law will apply to and how it will be enforced have yet to be fully defined.
    The new Digital Operational Resilience Act (DORA) was adopted by the European Parliament in November 2022 and introduced a comprehensive framework for the digital operational resilience of the financial sector. Almost all regulated financial institutions are in scope of DORA and will have to implement sufficient safeguards to protect against cyber and other ICT-related risks.
    As the implications of these new laws become clearer and more countries follow with their own requirements, meeting the increasing cybersecurity-specific regulatory requirements across all countries and regions where companies operate will be a growing challenge for cybersecurity managers in 2023.
    Unfortunately, the increased use of technology and the rise of cybercrime attacks has not brought with it an increase in the number of qualified cybersecurity professionals available to address the problems. Attracting and retaining the right talent has been a challenge for companies and will continue to be in the future.
    Recruiting professionals with the needed skill set is critical, but just as important is retaining talent once they are on board. Many cybersecurity professionals want to work at organizations where their opinions will be taken seriously by top management, where well-defined cybersecurity governance and automation are in place and where cybersecurity training and investment throughout the organization is a key priority. Many want to feel challenged to design new solutions and to connect with the core purpose of the company they work for. Organizations have to focus not just on filling their specific needs but on meeting the expectations for career development and purpose of the cybersecurity talent they depend on.
    Overcoming the cybersecurity threats and attacks that lie ahead will take more than stamina to confront the day-to-day battles. Broad vision is critical in order to keep up with an environment in constant evolution and to cultivate adequate resources to help in the fight.
    Eric Schifflers is Ria Money Transfer’s CISO. Ria Money Transfer, a business segment of Euronet Worldwide, Inc. (NASDAQ: EEFT), delivers innovative financial services including fast, secure, and affordable global money transfers to millions of customers along with currency exchange, mobile top-up, bill payment and check cashing services, offering a reliable omnichannel experience. The company is steadfast in its commitment to serve its customers and the communities in which they live, opening ways for a better everyday life.

    source

  • Creating an Employee Cybersecurity Training Program – CrowdStrike

    November 9, 2022
    If you think your small business is not a target for hackers and cybercriminals — think again. An estimated 50-70% of ransomware attacks target small- and medium-sized businesses[1], likely because adversaries believe smaller organizations do not have robust security measures in place to defend the business and its data.
    While cybercriminals rely on a variety of methods to attack a company, one of the most common — and often easiest — is by targeting employees through coordinated phishing attacks or other social engineering techniques.
    To minimize this risk, small- and medium-sized businesses need to develop an employee cybersecurity training program that will educate their people about common security risks, promote responsible online behavior and outline steps to take when they believe an attack may be in progress.
    Before employee training programs can be developed, your business must have a clear sense of its cybersecurity strategy, as well as the people, processes and technologies that will execute the security program. Here we review the essential elements of the cybersecurity architecture.
    A wide variety of solutions and services are available on today’s cybersecurity market. While a trusted and reputable cybersecurity partner can help businesses develop a custom toolset to meet their unique needs, every cybersecurity platform should start at a baseline with antivirus protection.
    While cost is a concern for many small business owners, it is important to find solutions that provide the right level of protection at the right budget with the right technology.
    An incident response plan is a document that outlines an organization’s procedures, steps and responsibilities to prepare for, detect, contain and recover from a data breach.
    Even small businesses should develop a clear acceptable use policy for employees who use corporate devices and networks, or have access to data and other sensitive assets. This would include listing the different software applications, programs, websites and social media platforms that are allowed to be accessed with a company device or via a corporate network, as well as the steps that need to be taken to secure and protect the device and its data.
    As part of this process, it may also be helpful to outline unacceptable behaviors and prohibited activity.
    EXAMPLE: A company’s IT policy should make clear that employees are not allowed to install unlicensed software on any company computer, phone or other device or to download files or programs, such as music, movies, games or other applications. This is because unlicensed software downloads, or any file download, could make the company susceptible to cyberattacks. 
    Cybersecurity awareness training should be a mandatory task completed by every employee, regardless of level, location or job scope. That said, it may be wise to tailor learning programs based on job type or level of experience, as well as location.
    The training program may be adapted for the following audiences:
    The training program should cover common and significant cyber threats. These include:
    Social engineering is one of the most common methods of cyberattack, where a hacker tricks an employee into sharing sensitive data or credentials by posing as another legitimate employee or partner. For example, a hacker may pose as a help desk agent to ask a user for sensitive information, such as a username and password.
    Phishing is a type of social engineering cyberattack that uses email, text message, phone call or social media to entice a victim to share sensitive information — such as passwords or account numbers — or to download a malicious file that will install viruses on their computer or phone.
    When creating your training program, include real-life examples of a phishing attack to educate your employees on the main key indicators like you’ll see in the example below:

    Attackers are constantly after user IDs, email addresses and passwords because these items enable them to pose as a legitimate user to avoid detection while they carry out an attack.
    Once the hacker has your credentials they can access any service or network the account is entitled to. One of the best ways to reduce the risk of password compromise is to require users to create strong passwords. Below are examples of strong passwords.
    Strong passwords are:
    Long, complex, random passwords are exponentially more difficult for password cracking tools to breach. In addition, frequently updated passwords limit the amount of time adversaries have available to crack password hashes.
    An insider threat is a cybersecurity risk that comes from within the organization. This is usually a current or former employee or other person who has direct access to the company network, sensitive data and intellectual property.
    Typically an insider is financially motivated to lead or take part in a malicious act. These attacks usually involve theft of data or trade secrets which can be sold on the dark web or to a hostile third party. Luckily, there are ways to mitigate insider threats for SMBs, which include continuously monitoring your network and educating employees on all company policies regarding cybersecurity practices.
    Every internet-connected device can be the entry point for an attack. Your cybersecurity training program should share best practices for how employees can keep their devices safe, as well as how to install and update the security tools used by the organization.
    Social media can be another avenue for cybercriminals to connect with employees, gather personal information and otherwise exploit personal relationships to advance an attack using social engineering techniques. While companies generally cannot prohibit employees from using social media on their own time using their own devices, they can construct clear policies that limit use on company devices or the corporate network.
    The main goal of every cybersecurity program is to keep the organization and its assets safe. This includes data of all kinds — including sensitive customer data and intellectual property.
    In many cases, employees who handle sensitive customer data, such as personal information, bank details or health records, are required by law to complete cybersecurity training. Organizations that are subject to such regulations should ensure that the training program they develop meets the requirements dictated by government or industry groups.
    Cybersecurity must be seen as a company-wide effort. It is important the program has dedicated leadership from IT and HR to ensure training modules are properly developed and rolled out to the appropriate audiences.
    As part of this process, the CEO, CFO, IT lead and HR manager should also coordinate on all aspects of program management, including budget. This will help ensure that cybersecurity remains an important part of the company’s ongoing operations and is supported with the proper resources and investments.
    As with any new training program, it may be helpful to conduct an initial pilot of the program with a subset of employees and gather feedback about the program content and user experience.
    When rolling out the program to your employees, it will be important to track completion rates and test knowledge through both a completion quiz and regular cybersecurity testing, such as a simulated phishing email.
    All basic training should be conducted annually in order to refresh employees’ knowledge and keep best practices top-of-mind.
    Don’t let the size of your business or your budget stand in the way of developing a strong security defense. CrowdStrike Falcon® Go is an easy-to-manage and affordable solution that prevents ransomware, malware and the latest cyber threats.
    Start a free, 15-day trial of Falcon Pro and protect your business from ransomware, malware and sophisticated cyberattacks.
    [1] U.S. Secretary of Homeland Security Alejandro Mayorkas in Inc., 2021

    source

  • Debunking Common Cyber-Security Myths – Security Boulevard

    Cybersecurity is a critical issue that affects everyone who uses the internet, both individuals and corporations. Unfortunately, there are many myths and misconceptions about what does and does not work when it comes to protecting yourself online. In this article, I will debunk some of the most common cybersecurity myths.  I’ll also provide some tips on what you can do to keep your staff and your information safe.
    Many people believe that Macs are immune to viruses, and therefore don’t need to worry about installing antivirus software. This is simply not true. While it is true that Macs are less vulnerable to viruses than PCs, they are not completely immune. In fact, malware and other types of cyber threats have been found on Macs. In light of this, it is important to take steps to protect yourself. This includes installing antivirus software and keeping it up to date, as well as practicing safe browsing habits.
    Antivirus software is a valuable tool in the fight against cyber threats, but it is not a catch-all solution. There are many different types of cyber threats, and antivirus software may not protect against all of them. For example, antivirus software may not protect against social engineering attacks, such as phishing scams, or credential harvesting attacks. In addition to installing antivirus software, it is important for employees to practice safe browsing habits, keep your operating system and software up to date, and be trained on the latest cyber threats they may encounter. Providing your staff with awareness training on tactics like elicitation and rapport building, as well as critical thinking, can help them stay on guard against social engineering attacks.
    Public Wi-Fi can be convenient, but it’s important to be aware of the risks. Public Wi-Fi networks are often unsecured, which means that anyone on the same network can potentially see the data you’re sending and receiving, or the network itself can be controlled by malicious actors to redirect legitimate traffic to malicious websites. However, this does not mean that you can never use public Wi-Fi for personal or professional use. When it comes to your employees, it is best to err on the side of caution. Staff should be aware of the dangers of using work computers and accessing company data on public networks. It is highly recommended that employees use a company Virtual Private Network (VPN) to connect to corporate resources. This will encrypt the traffic and help secure your internet connection on public networks.
    Many people believe that passwords need to be changed regularly. Some companies even rotate their credentials annually, bi-annually, or even quarterly. Though the logic seems intuitive, more recent guidance tends to say the opposite. Experts advise that unless you become aware of a password breach or compromise, there is no need to change your passwords regularly IF they are strong, unique passwords for each service you use. Yes, having strong and unique passwords is much more important to help increase the security of your credentials. It is beneficial for any company to ensure their staff is using passwords with these characteristics. The use of both multi-factor authentication and a credible password manager can help strengthen your security defenses by adding additional layers of protection to login procedures. Password managers especially can assist if a cyber attack takes place and the need arises to replace compromised passwords with new strong and unique ones.
    Finally, some people believe that multifactor authentication (MFA) is too inconvenient, and therefore choose not to use it. However, MFA is a very simple and effective way to add an extra layer of security to your accounts and make it more difficult for a threat actor to access information systems. There are three main types of MFA methods:
    What you know, such as answers to personal security questions or additional secret passwords.
    Things you have, such as one-time passwords (OTP) generated by smartphone apps, access badges, USB devices, or software tokens and certificates.
    Things you are, such as fingerprints, facial recognition, voice, retina, or iris scanning.
    While it may add a few extra seconds to login procedures or access protocols, the added security is well worth the inconvenience. In the event credentials ever become compromised due to cyber or social engineering attacks, MFA will prove to be another challenge for the attacker, as they would need something their target knows, has or is for the password to even be worthwhile. Without MFA, the attacker would immediately have access to internal systems. As mentioned in Myth 4, MFA provides an extra layer of protection for employees.
    This article has debunked several common myths regarding cybersecurity. Understanding what is untrue, or does not work, helps us to see what does work to improve our security.
    By following these tips, you can protect yourself and your valuable information online. Corporations do well to correct any such myths discussed in this article that may circulate in the workplace. Remember, cybersecurity is everyone’s responsibility, and it is important to be vigilant to keep yourself safe.
    Josten Peña
    At Social Engineer LLC, our purpose is to bring education and awareness to all users of technology. For a detailed list of our services and how we can help you achieve your information/cybersecurity goals please visit:
    https://www.Social-Engineer.com/Managed-Services/
    *** This is a Security Bloggers Network syndicated blog from Social-Engineer, LLC authored by Social-Engineer. Read the original post at: https://www.social-engineer.com/debunking-common-cyber-security-myths/

    source