An expert offers advice on creating an effective corporate security awareness program, and a warning that nation-state attacks will get worse.
Hello from San Francisco. Welcome to a special edition of Cyber Security Today. I’m Howard Solomon at the annual RSA security conference for ITWorldCanada.com.
It’s been a busy week, at the three buildings that comprise the conference centre here, with keynotes and sessions on how to keep businesses and governments safe from online attacks. I want to give you two of the highlights:
Getting employees to be more aware about security is one of the big problems companies face. That’s because technology doesn’t solve all security issues. Some experts say employees are the biggest problem in security, because they do foolish things like click on attachments in email or easily give away their passwords. But Lance Spitzner of the SANS Institute, a training company, said the problem is that staff haven’t been made secure the way computer companies make hardware and software secure.
So he offered this advice to companies: If you want an effective cyber security awareness program you’ve got to be disciplined. Figure out your goals – say, reduce the top five human risks to the company; decide who needs training (only managers, only the finance department or the help desk?); figure out what behaviour you want to change (for example, click on fewer email links); then ask how you’re going to change that behaviour. Is it training? Maybe adopt technology, like a password manager. Finally, use metrics – measure what people were doing wrong before you started training, then check whether that has gone down.
One tip: IT people often lead awareness programs, but employees with good communications skills, like the PR or marketing team, will be valuable.
On the sidelines of the conference, security companies are holding meetings with customers, industry analysts and reporters. Cisco Systems provided a number of experts for us to talk to. One was Craig Williams, director of engineering at the Cisco Talos threat intelligence service, which analyzes malware. He had a gloomy prediction when the talk turned to online attacks from nation-states. Countries are trying to figure out how far they can push the envelope before triggering something like a war, he said. At the same time, victim nations are trying to figure out how far they can go to stop cyber attacks. Hopefully, Williams said, that gap will end soon and there will be clear lines of what’s acceptable in cyberspace. But in the meantime, the seriousness of government-backed cyber attacks will only continue.
There are a number of countries, including Canada, trying to establish cyber norms for the Internet. But it’s a slow process.
And while most of what Williams talked about was enterprise security, he also had advice for consumers: Sometimes warning signs are right in front of you. If a message pops up on your smartphone saying ‘Are you sure you want to do this?’, pay attention.
That’s it for this special edition of Cyber Security Today from the RSA Conference in San Francisco. Until my next podcast, look for my news stories on the conference at ITWorldCanada.com. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.