CISO Best Practices for Managing Cyber Risk

Leading CISOs have offered best practices for security leaders on how to manage cyber risk effectively during 2023–2024.

Use Appropriate Frameworks – Cybersecurity frameworks are the best place to start in cyber risk management. They urge CISOs to consider factors like the size of the company, its current risk management program and its sector when deciding which frameworks to use. For example, ISO 27001 is often useful for organizations that are at the mid-point of their risk management journey.

Understand Regulatory and Contractual Obligations – Learn which cybersecurity regulations and contractual requirements your organization must adhere to. It is surprising, but not all organizations are adhering to what is mandatory. CISOs should engage with the company’s legal officer if they receive pushback on taking measures to comply with a particular obligation. Understanding these obligations in full also helps security leaders develop the best ways to implement them, finding the middle ground between the letter of the law and the impact on the business.

Create a Sustainable Vulnerability Management Program – A critical vulnerability does not necessarily pose a high risk to your organization. Therefore, security teams should develop an internal definition of what counts as a critical vulnerability for their organization, analyzing factors like exploitability rates and which systems are affected. This enables CISOs to develop a realistic vulnerability management program that prioritizes the most dangerous threats to their organization.

Focus on the Basics – The reality is that the vast majority of attacks are not sophisticated: social engineering and password cracking, for example. Therefore, they urged CISOs to avoid the noise and focus on the basics of cybersecurity, such as implementing MFA, patching and access management policies.

Consolidate Security Toolkits – Many organizations have purchased an excessive number of security tools; one CISO cited a case in which a company had 19 separate tools. This makes the toolkit impossible for security teams to manage. Instead, CISOs should prioritize consolidating and concentrating their toolkit.

World first Cyber Security story book aimed at young children is unveiled

All Primary 1 pupils in Scotland are to receive a free copy to build cyber security skills and protect their information online. A world-first illustrated children’s book designed to teach children aged 4-7 about cyber security and how to protect their information online is being launched. Education Scotland and the Scottish Government have unveiled The Bongles and The Crafty Crows, which teaches young learners how to create passwords and passcodes using ‘three random words’, helping them to explore, play and communicate while using digital technologies and keeping their online information safer and more secure. The book, which follows the adventures of Big Bubba, the Twins, Brainy and Pet Robot, has been designed to equip teachers, parents and carers with an attractive resource to deliver important cyber resilience skills, and is supported by a range of learning activities and materials. The book was showcased to children and teachers at a special event held at the Abertay CyberQuarter, Scotland’s multimillion pound cyber security research and development centre at Abertay University. Every Primary 1-aged child in Scotland will now receive a copy of The Bongles and The Crafty Crows in their Book Bug Bag, due to be distributed in November 2023 ahead of Scottish Book Week, with Gaelic language versions sent to schools delivering in that medium. According to a recent report by Ofcom, 97% of children in the UK have access to the internet, with 86% of 5-7-year-olds using tablet devices to go online. It is hoped the new book will provide parents and carers with a host of hints and tips on how to talk to their children about protecting their precious information online. The book and associated learning materials will also be launched on the Scottish Government’s Parent Club website. We hope that teachers, parents and carers will use this engaging story and the learning activities that come with it to help their children learn about the importance of online safety. 
Digital technology is going to be at the heart of these children’s lives and it’s so important to help them learn how to stay safe online.

5 Reasons Why a Cyber Security Degree is Worth It

There are countless reasons why a Cyber Security degree is worth the investment. In fact, by one crucially important metric you could say there are 3.4 million reasons: that is the estimated number of cybersecurity positions that need to be filled. And the salaries are matching the demand, with the average pay for a cybersecurity professional topping £128,000 and some salaries much higher. Why are there so many unfilled cyber security jobs? And why is this fast-growing industry paying top dollar for top talent? According to a Forbes article, cyber crime is projected to cost £10.5 trillion per year by 2025. Bottom line: the threat is urgent, the stakes are incredibly high and there aren’t nearly enough highly educated and qualified workers to meet the demand. That’s why companies are paying high salaries for well-trained cybersecurity professionals, and that’s also why earning a cybersecurity master’s degree could be the best investment you ever make.

A Degree in Cybersecurity Equals Job Security – If there was ever a time to enter the cybersecurity field, it is now. With cyber threats and attacks increasing in both frequency and sophistication, the demand for cybersecurity professionals is far outpacing the supply. This means that for qualified cybersecurity specialists, job security is practically guaranteed.

Cyber Security Professionals Earn High Salaries – Due to the severe shortage of skilled workers, cybersecurity professionals are among the most highly compensated in the technology sector.

Cybersecurity Offers Unique and Interesting Ways to Make a Difference – For example, some cybersecurity specialists are focused on using creative methods to attack the very systems they are aiming to protect, in order to discover vulnerabilities that could be exploited by hackers. Today, there are more and more so-called bug bounty programs in which skilled white-hat hackers work to disrupt the illegal and destructive efforts of their black-hat counterparts by finding and fixing weak spots in cybersecurity defense systems.

Cybersecurity Work is Meaningful and Vitally Important – A career in cybersecurity can bring personal and professional fulfillment while helping to defend one’s country. Corporations in all industries need robust cybersecurity defenses to guard against inevitable intrusions from hackers that can cost companies millions, even billions. But the stakes are even higher when it comes to the nation’s future safety and security, which will increasingly depend on our ability to combat high-tech warfare waged using advanced computer technology.

Cybersecurity Skills: You’ll Learn the Basics – Plus Leadership, Management and More – One of the most important benefits of earning a master’s degree in cybersecurity is the additional managerial and leadership training you will receive. In most technology programs these types of business skills are not taught as part of the curriculum. However, in order to advance in the field and land high-ranking leadership positions, you’ll need to possess the right qualities, including keen business acumen.

New principles to help make cloud backups more resilient

Introducing a new set of NCSC principles to strengthen the resilience of organisations’ cloud backups against ransomware attackers. Every month there are press reports of a global organisation experiencing a ransomware attack. In the NCSC we see the real-world effects of ransomware when we support UK organisations going through an incident. While there is a lot that organisations can do to minimise the chance of becoming a victim in the first place, everyone agrees that a backup capability is absolutely key to resilience. Not having this in place hampers your ability to get back on your feet and worsens the consequences to you, your business and, in many cases, your customers or service users. Every organisation should have a solid response plan in place, which should include making regular backups. Testing your backup regime is equally important, to make sure you can restore your data as planned. We’re aware of cases where organisations believe they have a backup regime in place but aren’t sure what it looks like in practice. That’s why we’ve come up with a new set of principles which lay out best practice to make sure cloud backups are more resistant to ransomware. It’s important to say that while these principles provide a solid foundation to help prevent an actor deleting your cloud backups, they won’t protect your organisation from all the effects of ransomware; we’re thinking particularly here of the extortion threat, where an actor threatens to release your stolen data unless you pay a ransom.

Principle 1. Backups should be resilient to destructive actions. Suggested implementations: blocking any deletion or alteration requests for a backup once it is created; offering soft-delete by default; delaying implementation of any deletion or alteration requests; forbidding destructive requests from customer accounts.

Principle 2. A backup system should be configured so that it isn’t possible to deny all customer access. Suggested implementations: allowing customer access to the backup service, even if all existing corporate IT systems and assets are unavailable, by agreeing a separate out-of-band mechanism; forbidding any IAM policy that concentrates access in a single account, so that an attacker who controls one account must still undermine multiple accounts to achieve full control of the backup system.

Principle 3. The service allows a customer to restore from a backup version, even if later versions become corrupted. Suggested implementations: providing mechanisms so that system owners can test whether they can restore from the current backup state; storing backup data for a fixed time period; creating and retaining a version history; offering flexible storage policies so that a system owner can decide how many backups to keep for different periods of time.

Principle 4. Robust key management for data-at-rest protection is in use. Suggested implementations: following the NCSC’s cloud key management guidance; offering an out-of-band key backup option, such as the option to commit a master key to paper in human-friendly text encoding or QR code form, so that it can be stored in a secure location, such as a safe.

Principle 5. Alerts are triggered if significant changes are made, or privileged actions are attempted. Suggested implementations: the service offers a wide range of customisable alerts for activity that affects the backup system, which a system owner can ingest and monitor; significant changes to how the backup system behaves or is accessed require extra authorisation and should automatically initiate extra protective monitoring.
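The following is an added example, not NCSC code, that models Principles 1, 3 and 5 as a small append-only backup store: every write is a new version that is never altered, deletion requests are only queued for a delay window (soft-delete) and raise an alert, and a restore walks back through the version history until it finds a version whose checksum still verifies. The store, the `Version` record and the seven-day delay are constructed for illustration; a real service would keep the checksums in a separate integrity store rather than beside the data.

```python
"""Toy model of NCSC cloud backup Principles 1, 3 and 5 (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Version:
    seq: int            # monotonically increasing version number
    data: bytes
    sha256: str         # checksum recorded at write time
    created: datetime


@dataclass
class BackupStore:
    """Append-only version store with delayed (soft) deletion and alerting."""
    delete_delay: timedelta = timedelta(days=7)     # assumed retention window
    versions: list = field(default_factory=list)
    pending_deletes: dict = field(default_factory=dict)   # seq -> earliest purge time
    alerts: list = field(default_factory=list)

    def write(self, data: bytes, now: datetime) -> int:
        # Principle 1: a backup is never altered in place; each write is a new version.
        v = Version(len(self.versions) + 1, data, hashlib.sha256(data).hexdigest(), now)
        self.versions.append(v)
        return v.seq

    def request_delete(self, seq: int, actor: str, now: datetime) -> datetime:
        # Principle 1: destructive requests are delayed, never executed immediately.
        # Principle 5: every destructive request produces an alert for monitoring.
        purge_at = now + self.delete_delay
        self.pending_deletes[seq] = purge_at
        self.alerts.append(
            f"{now.isoformat()} {actor} requested delete of v{seq}; "
            f"purge no earlier than {purge_at.isoformat()}"
        )
        return purge_at

    def cancel_delete(self, seq: int) -> None:
        # Soft-delete: the owner can withdraw a request during the delay window.
        self.pending_deletes.pop(seq, None)

    def purge_expired(self, now: datetime) -> list:
        # Only requests whose delay has fully elapsed are actually applied.
        purged = [s for s, t in self.pending_deletes.items() if now >= t]
        self.versions = [v for v in self.versions if v.seq not in purged]
        for s in purged:
            del self.pending_deletes[s]
        return purged

    def latest_intact(self) -> Optional[Version]:
        # Principle 3: walk back through the version history until one verifies,
        # so a corrupted latest version does not block restore from an older one.
        for v in reversed(self.versions):
            if hashlib.sha256(v.data).hexdigest() == v.sha256:
                return v
        return None
```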

October is the 20th annual Cybersecurity Awareness Month

Cybersecurity awareness is something that we take seriously, but we focus on it all year long, not just one month. One area in which our organisation excels is making cybersecurity training a mandatory course for all employees, so they understand the basics of identifying threats. This month (October) is the 20th annual Cybersecurity Awareness Month, organized by the Cybersecurity and Infrastructure Security Agency to draw attention to ways you can defend yourself and your business from online threats. Ultimately, cybercrime is all about data: either stealing it, exposing it, or preventing you from using it. Data is the whole reason that cybercrime exists. This is why data security, in particular, is top of mind for CEOs, CIOs, CISOs, and even the board of directors of your organization. CEOs are concerned about how data theft could affect the running of their business. CISOs are focused on internal cybersecurity operations and the various mechanisms they need to deploy for cyber defenses. CIOs are interested in the security posture of corporate assets as well as the security practices of the third-party organizations that the business interacts with (vendors, partners, service providers, etc.). Everyone is trying to answer three questions: what is my critical data, where does that critical data live, and who has what access to that data? Because data theft and ransomware attacks could have such a material effect on the company, even the board is paying attention to cyberthreats. Should it be breached, the company’s reputation could be damaged, its stock price could drop, and its ability to maintain or grow its market share could be seriously affected. But here’s the thing: your senior executives might do a great job choosing, investing in, and implementing processes and technologies that bolster your security stance and cyber resilience. However, cybersecurity is also the responsibility of every employee at every organizational level.

Organizations must take into account that excellent technology-based defenses aren’t worth much without addressing the fact that it takes just one employee to slip up and put the entire organization at risk. The question then becomes: how do you ensure the security of the actions of every single employee, 24 hours a day, seven days a week? The answer is you can’t. In many ways, cybercriminals play a numbers game. Imagine all the laptops, virtual machines, and appliances running in your environment adding up to tens of thousands of connected devices running day in and day out. Sometimes you miss patching a system. Or a patch attempt fails. Or your inventory isn’t completely up to date. It comes down to the law of large numbers: if you miss one-tenth of 1% of 100,000 devices, that still gives cybercriminals plenty of opportunities to break into your company. Given all this, what can organizations do? Simple. Limit the blast radius with zero trust. What zero trust means: just because an employee is given a credential does not mean that you’re going to give them unfettered access to your entire IT environment. Instead, you are going to challenge them every single time they try to access a resource that isn’t appropriate for their role. Organizations that implement zero trust have a better chance of defending themselves against cyberattacks because a single compromised credential is not going to give a criminal the keys to the kingdom. No question, zero trust is complicated to implement and will be more costly as well as more cumbersome for users, but it limits the blast radius. Employee training can be very effective, but you have to put it in context; for example, generic phishing training doesn’t have that much of an impact. Show employees a real case, when someone fell for a phishing scam, along with the actual ramifications, and they’ll remember and act accordingly. With that kind of real-world context, training is much more effective.

Just take it from our customers at Shropshire Council. That’s why, although Cybersecurity Awareness Month is commendable, the world needs a great deal more than a single month to focus on cybersecurity. We need to bake it into the behaviour of every single person in every organization, every single day. We need to instil in our people that when you get up to walk away from your computer, you make sure to lock it. When you’re sitting on an airplane, use a screen guard so other passengers can’t shoulder surf and see what you’re doing. And always badge into every room in the office without letting tailgaters follow you in, even if you know them.

Major Cyber Attacks, Data Breaches, Ransomware Attacks

The massive ransomware attacks on MGM and Caesars Entertainment clearly dominated all conversation about cybersecurity in September 2023. Attacks on casinos and hotels always get more than their fair share of attention: they’re dramatic, involve a lot of money, cause direct inconvenience to customers and make for interesting press, all the pandemonium that cyber criminals tend to love. No wonder casino heists also form the plots of several potboilers. Yet, while these attacks were the most talked about, they were far, far from being the only examples of cyber crime in the month gone by. Schools, city councils, kids’ snacks, government ministries, healthcare organisations, dating apps, electricity grids, charitable organisations and crypto businesses are just some of the many victims that emerged through our research. Airbus, Sony, Air Canada, Pizza Hut Australia and even Save the Children were compromised in one way or another. The alarming thing is that all these big names were breached in just one month, such is the rapid rise in the rate of cyber crime across the globe. Nobody, and we mean absolutely nobody, can now afford to be relaxed about their cybersecurity. It’s time to gather forces, ramp up protection and bolster defences with urgency.

Microsoft Says Hackers With AI Are Harder to Stop

New cybersecurity research shows artificial intelligence and new encryption tactics test corporate defenses. Hackers are using AI and encryption in new ways to make cyberattacks more painful, according to new research from Microsoft. Stealthier attacks are being crafted by hackers using both artificial intelligence tools that have been on the market for a while and generative AI chatbots that emerged last year, said Tom Burt, Microsoft’s corporate vice president for customer security and trust. “Cybercriminals and nation states are using AI to refine the language they use in phishing attacks or the imagery in influence operations,” he said. Cisco Systems’ $28 billion purchase of Splunk announced recently reflects a shift in the cyber market, where investment is going to companies focused on using AI to manage security and risk.

5 Reasons you should consider a career change to Cyber Security

It’s no secret that women are underrepresented in tech. Although numbers are slowly creeping up, we still only comprise 26% of the industry. The reasons are myriad, ranging from a lack of visible role models, to fewer women choosing STEM subjects at degree level, to gender bias in recruitment. Are we missing out? Without doubt. Take cybersecurity, for example: one of the fastest growing industries in tech and a highly sought-after tech skill in the UK. A recent government study on recruitment in this sector confirmed that demand for specialists continues to outstrip supply. Its findings indicated a shortfall of 10,000 people a year. With an average competitive salary of around £62,000 a year, there are plentiful opportunities for progression. Still, women make up only 25% of those working in the field, but it’s never too late to make a change. In fact, the scope of the industry and the broad range of candidates required make cybersecurity a great option for women seeking a new career. Here we look at the top five reasons you should consider a switch to cybersecurity.

1: Cybersecurity wants you

The goal of a more diverse workforce is one that the tech industry is actively pursuing. This is of particular concern in the field of cybersecurity, where the realisation that women are underrepresented and urgently needed has led to the launch of a range of initiatives. These include education programmes, training, networking events and mentorship opportunities. Aside from the potential gains in filling vacancies, recruiting more women is essential for the industry to continue to grow. Women can bring a broad range of experience and technical skills. One ISC2 report illustrates that women in this field tend to be more educated than their male counterparts, with the potential to reach higher positions. In addition, many of us also possess so-called ‘soft skills’ that can make teams more effective.

Jane Frankland, founder of the IN Security Movement, says: “Women see risk in a different way to men. Women are very accurate in terms of risk management…we are highly attuned to risks, and we can spot anomalies very easily.” She adds, “If we’ve got hackers who are profiling us, they’re basically modelling it on men because the majority of the industry is male. So when we have more men, if there has been an attack that has been written purely for a male receiver, then a woman will be able to spot that more easily.”

2: Cybersecurity offers variety

Women are often dissuaded from pursuing a career in this field due to negative perceptions, ranging from the stereotype that it is the domain of ‘nerds’ or ‘hackers’ to the belief that it is elitist. But while the popular image of the hooded analyst persists, there are scores of other roles involved, from marketing to incident response to forensics. What’s more, you don’t necessarily need an engineering degree or knowledge of coding to get started. Cybersecurity is a concern across almost every industry, meaning skills gained in previous careers can often be transferred. As Priscilla Moriuchi, director of Strategic Threat Development at Recorded Future, explains, tackling ever-changing security threats requires a huge variety of experience and personalities. She highlights, “We need people with disparate backgrounds because the people we are pursuing – threat actors, hackers, ‘bad guys’ – also have a wide variety of backgrounds and experiences.”

3: Retraining need not involve time out

While a degree in a STEM subject will serve you well when applying for roles in cybersecurity, a lack of one should not be a deterrent. An accredited ‘cyber bootcamp’ will equip participants with training in areas such as ethical hacking, security analysis, penetration testing and network defence over a 12–18 month timespan. Many of these courses can be completed remotely online, making it easy to gain a qualification without compromising on other commitments. Alternatively, some firms are willing to take career-changers on as juniors and allow them to complete their training on the job. Tech security expert Carlota Sage believes better recognition of transferable experience is key to improving access to the industry and building a more diverse workforce. “Leaders should hire women who may not be experienced in cybersecurity and then train them,” she says. “Leadership skills transfer across any industry. If they are curious and passionate, they can learn cybersecurity or any field. Leaders just have to be willing to invest in them.”

4: Scope for great work-life balance

A global study of female STEM graduates highlighted common concerns around pursuing a career in cybersecurity. The top three priorities for women in choosing a job are contributing to society, earning a high salary and having a good work-life balance. However, 37% of those surveyed thought cybersecurity was a field where achieving that balance would be difficult. But these perceptions are not necessarily accurate. Debby Briggs, chief security officer at Netscout Systems Inc, says it is a common misconception that cybersecurity demands long hours and a fixed work schedule. She recommends cybersecurity as a career option for women “who may have gone the non-traditional route and got degrees later in life or who have taken time off to raise children and want to come back to work.” Many jobs in cybersecurity can be carried out remotely, allowing for homeworking, and the 24-hour nature of security means the typical working day can often be rejigged to fit around family schedules.

5: Never a dull moment

As one of the fastest growing industries in the UK, cybersecurity offers no shortage of options to progress your career. In fact, many of those working in the field cite the pace of the work, the challenge of solving problems and the plentiful career opportunities as some of the biggest attractions of the industry. Cybersecurity encompasses everything involved in protecting personal information, intellectual property, data and information systems from theft and damage. This means it is important work that can offer a high level of job satisfaction. The ever-evolving nature of security