Friday, June 27, 2014

Training Trouble: Why E-Learning Doesn't Work for Everyone

I took a little look back at my calendar today and it seemed high time for a blog. My colleagues and I took a little hiatus to finish up the first draft of our corporate book—a project 6 months in the making and one we are very excited to be bringing your way soon. Check back throughout the year for more information about how to get a copy of our step-by-step guide, From Here to Security.

But for now, we're back in the business of blogging—and with something a little different this time.
I know my blogs usually cover ITSec, security breaches, and big business blunders when it comes to securing sensitive information. But in my work on the book, I've really felt a renewed interest in covering the "Why" of all that. Why are companies struggling to close the gaps in corporate security? Why are we seeing a dramatic rise in security breaches in the news?

While I don't believe there is one right answer that covers everyone, I do think that inadequate training has a lot to do with it.

I was poking around some e-learning sites today and stumbled across this article: 5 Reasons that Everyone Should Know: Why E-learning Projects Fail. And, in fact, Sonal Paul does a pretty good job laying out a number of the pitfalls companies fall in when establishing an online training program. According to Paul, the 5 main problems are

  • Poor Need Analysis
  • Gaps in Communication
  • Poor Project Management
  • Failing to Understand the Learner
  • Wrong Instructional Strategy

Bing, bing, bing! That list hits some pretty big nails right on the head. As a company that specializes in crafting training campaigns and individual courses for big businesses, I'd say that our clients run into at least one of these in almost every project (and especially big projects usually struggle with all five).

But listing the problems doesn't even come close to solving them. Many of our e-learning clients would be ill-equipped to address these issues even if they were well aware of the problems up front. So I'd like to take Paul's article a step further and offer some practical advice on each of these points.

Thursday, May 22, 2014

Bad Customer Service vs. Data Breaches: Competing for "Best Way to Lose Customers" Award

So which is worse: bad customer service or a data breach? Well, when it comes to brand reputation and customer loss rate, they may be equivalent.

Customer service has always been a sticking point for brands. After all, a bad in-store or phone experience with a company can send customers heading for the door, never to be heard from again. Environmental disasters also still rank high on the list of reasons customers may consider discontinuing their loyalty to a brand or company (think Exxon Mobil or BP). Yet, according to a recent study by the Ponemon Institute, customers now rate data breaches right along with customer service and environmental disasters as a major reason to ditch a company and run into the loving arms of its competitors.

It was really bound to happen, if you think about it. With the increase of very highly publicized data breaches in recent years (think Target a few months ago and eBay getting headlines today), customers are beginning to sit up and take notice. After all, the threat of identity theft promises much worse consequences than a bad experience with a rude customer service rep, and it hits much closer to home than an oil spill hundreds of miles away.

The average American consumer understands the long-lasting and potentially devastating effects of a breach of their personal information. According to the study, “prior to having their personal information lost or stolen, 24 percent of respondents (customers) said they were extremely or very concerned about becoming a victim of identity theft. Following the data breach, this concern increased to 45 percent, Ponemon says. Almost half of respondents feel their identity is at risk for years or forever.”

Wednesday, May 7, 2014

Data Breach Costs Rise 9% in 2013

So just how much money did companies lose last year to data breaches? Which industries are most at risk? Let’s break down the facts for 2013:
  • Average cost of a data breach to US companies: $5.4 million
  • Average cost per lost record: $201
  • Industries with highest breach costs (in this order):
    • Healthcare
    • Transportation
    • Energy 
    • Financial services 
    • Communications 
    • Pharmaceuticals
    • Manufacturing

While 2013 did not reach 2011’s high ($214 per lost record), this information still represents a 9% rise in data breach costs from last year’s $188 loss per lost record—and they think this may be due to loss of customers. A 15% “churn rate” (or tendency for customers to abandon a company) based on a data breach represented a steep increase from prior years. Folks are getting wise to companies that don't make securing their sensitive information a priority.

Will this rising cost trend cause companies to sharpen their security behaviors and stay on top of the dangers? We hope so. After all, security is our business. 

Maybe your company is in that high-risk list. Maybe you are a small company with limited resources that still feels the pressure of social engineering and identity theft. Or maybe you just need more ideas about how to secure your own company’s assets. Consider Sight Training’s library of security courses, security awareness campaigns, or even social engineering consulting and penetration testing. These first steps can go a long way towards ratcheting those costs down and keeping customers feeling safe and satisfied.

Wednesday, April 30, 2014

Oh the Humanity: Picture of a Thief

In order to improve security awareness among staff, the first step is to change each employee’s mental picture of what it means to be a thief. Every social engineer who calls will not be an easy-to-spot gentleman with an oily voice and diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, and level of authority.

In order to be successful, social engineers will go to any lengths, will play on your employees’ weaknesses, and will find ways to get in their heads. For many men, that weakness is a friendly girl.

For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.

Thursday, April 24, 2014

Are Buzzfeed Quizzes Lowering our Defenses?

So I’ve been toying with shutting down my Facebook account again—mainly because it gets on my nerves. The simple act of scrolling through the posts each morning has reached a ratio of 20% pleasurable and 80% grind. One reason? Buzzfeed quizzes.

Oh, Buzzfeed quizzes. Zimbio quizzes. Shudder.

To be fair, I’ve taken my share. The nerd gene in me just has to know what character I most identify with in every Joss Whedon universe. And while I rarely share my results (because that’s pretty annoying), I have started to wonder about some inherent dangers in the culture of quiz taking.

So, I spent a little time on “Internet research” yesterday (read: surfing the web). I wanted to see if I could find any hard and fast evidence that Buzzfeed quizzes were dangerous. Do they harbor malware? Are they used for phishing purposes? Are there records of any data breaches that stemmed from a Buzzfeed quiz?

Not really. Although it would be a pretty clever ruse for social engineers, it appears that the quizzes are fairly harmless. The danger, it seems, lies more in the attitude and culture behind these personality tests. So many of my “friends” (ok, friended acquaintances) rant regularly about the dangers of Facebook privacy settings. They have a real “Big Brother is watching” or “Everyone is out to get my personal information” complex. But these folks may be the very same ones who will readily answer personal question after personal question in a Buzzfeed quiz and then share the answers with anyone who scrolls past their profile.

Jordan Shapiro hit the nail on the head for me in an article this past January.

“Why is it that when it comes to novelty quizzes, we enjoy being analyzed by simple algorithms that divide and reduce us into a limited number of determinate categories, but when it comes to Google and the NSA we’re terrified of the same thing?”

Personal information is personal information, whether it is stolen from us by a social engineer, secretly gathered by the NSA, or voluntarily offered through an online personality quiz.

We seem to have developed an almost desperate need to share our opinions or facts about ourselves in an effort to identify with a larger group of like-minded people. Go ahead and admit it. You feel good when your poll answer is the most popular. The appeal of belonging has made many of us irresponsible—and irresponsible Internet users can be easily lured out of their comfort zones and into a trap.

While the danger may not come directly from an online quiz, click-happy Internet users are bound to slip up in other areas. And the more comfortable we become with oversharing, the more likely we are to find ourselves victims of social engineering scams or identity theft.

“Well, but…what difference does it make?” you say. “It’s not like they’re asking for my social security number. The results are all made up.” OK, that’s true. There is no proven rubric designed to accurately determine which superpower you should have, or whether or not you would in fact die of dysentery on the Oregon Trail. Yet, that does not mean the questions have no value to someone.

“We brush them off as ‘merely entertainment,’ forgetting that by participating–through the act of clicking–we’ve once again provided Google with a plethora of personality data that is forever stored in our file,” says Shapiro.

In fact, some limited evidence suggests that quiz and Internet poll builders may be inserting more probing questions into harmless entertainment quizzes to get an idea of who you are, how you behave, or even what you might choose to buy. Lee Munson at BH Consulting gave his take on it in this week's Security Watch blog on oversharing. 

“…in a few instances the polls can pose some more serious questions…sometimes some of the sneakier sites on the web will even make completion of the poll mandatory in order to proceed onto your ultimate aim of, say, reading a particular news story. Such polls may not demand your name and address but they do drift roughly into areas of personally identifiable information.”

He also offered a bit of sound advice.

“If you share information you need to be alert. Even if you are divulging personal information within an environment in which you feel safe, you need to be certain that the audience is the one you expect. I myself have a few friends who have completed polls on Facebook only to later discover that they actually handed all that info to a third party unawares.”

It may be time to find new ways to entertain ourselves rather than buying into a culture of irresponsible clicking and mindless answering. While I may never know which Twin Peaks character I am or how well I know the movie ‘Clueless,’ at least no one else will either.


Wednesday, April 16, 2014

New "Smishing" Scam has Tampa Bay banks on alert

Just last week, several Tampa Bay area banks reported a new “smishing” scam (SMS phishing, or phishing texts sent to mobile devices) in which mobile users are informed by “bank personnel” that their debit card has been flagged. The text then encourages mobile users to contact a fraudulent number and provide personal financial information.

Phishing through text messages is further proof that attacks continue to come from every angle at once, and are getting more and more clever.

Why is it so hard to practice safe surfing on a mobile device? Why do otherwise intelligent Internet users take actions on their phones that they would never take on a home desktop or laptop computer?

Thursday, April 10, 2014

More Hooks in the Water: Spearphishing Up 91%

This just in from Symantec: spearphishing increased 91% in 2013.

Here’s why: it still works. Even though security awareness training and a constant stream of worrisome news stories may be improving the average employee’s click-through rate on run-of-the-mill phishing emails, social engineers still know just how to pinpoint the areas that will lower even a seasoned email user’s defenses. That’s just what spearphishing is: targeted attacks that are hand-crafted to startle or scare an employee into making a bad decision—usually clicking an embedded link that routes to a fraudulent website prepared to collect personal information.

According to Symantec, two of the most common words in last year’s string of emails were “order” and “payment.” In our experience, words like “benefits,” “payroll,” “cancelled,” and “dropped” also do the trick.