Thursday, October 31, 2013

Frontline Employees: Stop Being Polite and Start Getting Suspicious

Back in the late 90’s, I began a career path in college administration. I started slow, worked my way around a few schools, and tried out lots of positions: lowly student intern, undergrad admissions officer, international student admissions coordinator, marketing and creative officer. At one school, I even took over admissions for a while.

And I loved it, most of the time. There is something exciting about growing a department from the inside; creating policies and procedures that improve life for everyone, helping young people realize their dreams. I worked at some outstanding institutions.

But every institution I attended, visited, or worked for struggled with a common issue: low-level security awareness among frontline employees.

Tuesday, October 29, 2013

Employees and Social Media: If You Can’t Beat ‘Em, Then Train ‘Em.

With the exception of few stodgy holdouts, pretty much everyone has a social media account or two—or maybe five. I mean, why share everything on Facebook? Why not open up the fascinating details of your suburban, middle-class life to a wider audience? There are life-changing food photos to post to Instagram, quippy thoughts to share on Twitter, and that hilarious meme you whipped up last week that’s begging to get posted on Reddit. More exposure! More, more, more!

security awareness, social media, threats, training, policy
An awful lot of us have this attitude now—and if your supervisors are aware of your tendency to tweet first and apologize later, then they may be freaking out. In fact, according to a Javelin Research report from earlier this year, 69% of companies are concerned about employees’ social media use. While a half hour here or there may not seem like much, even on the company clock, it can add up to a lot of lost revenue, thousands of security threats, and plenty of potential bad press if you can’t keep it in check.

Fortunately, according to CSIdentity, businesses have two good options to keep their employees’ social media usage from causing harm to the business: create clear policies and keep employees educated.

Friday, October 25, 2013

Cute-Girl Voice: A Social Engineer's Secret Weapon

social engineering, pretexting, security awareness, training
This just in: a highly informal study of a teeny tiny group of people suggests that men may be more likely to give up sensitive information over the phone if they think they’re speaking with a cute girl.

Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.

Tuesday, October 22, 2013

Working Together: Technology and Education Necessary to Prevent Phishing

phishing, courses, information security, training
I've been in the education business for a long time. I was a public school teacher first, and spent a good deal of effort educating middle school and high school students. Then, years ago, I made a career shift into the information security business and made a career out of teaching employees how to avoid opening their businesses up to the threat of social engineering, phishing, and pretexting.

In both cases, education is necessary for success, and I'm always interested in the ongoing argument in the information security world: Tech or Teaching? Recently, Robert Lemos asked the same question on Dark Reading. Here are some takeaway points from that article.

Tuesday, October 15, 2013

Information Security in 2013: Are Passwords Really Dead?

email password, phishing, security awareness, information security
According to Heather Adkins, Google’s information security manager, “the game is over” if your company is still relying on passwords as a primary form of information security protection.

Adkins laid it all out when speaking at a recent tech panel. Apparently, Google’s done with passwords and we should be too. She went on to describe a new means of authentication that could require physical tokens embedded in clothing. And who’s behind this world-changing, space-age technology? You guessed it—Google.

Thursday, October 10, 2013

Sex, Money, and Friendship: Phishing Bait that Works

phishing, scam, email, fraud
In a recent study by TNS Global, 30% of the 1000 polled said they would open a general phishing email even if they thought it had a virus. And if the phishing emails are crafted to be especially enticing, then the percentage is even higher.

Evidently, a simple email click is still awfully hard to protect against. Even though we all know what to do (and what not to do), a compelling email can throw good sense out the window, and even the most educated people can fall for it. According to the study, this is especially true if the email tempts women with social networking invites (interesting) or tempts men with money, power and sex (yeah, no kidding).

Tuesday, October 8, 2013

Spearphishing: Scamming the Tired, the Stressed, and the Downright Distracted

spearphishing, social engineering, email scam, security awareness
Another day, another phishing story—but this one made me really mad.

Rohyt Belani, CEO and co-founder of the anti-phishing training firm PhishMe, cited a very narrow spearphishing attack in a recent interview about the dangers of phishing in internal networks: a single employee working the night shift, monitoring his company’s SCADA systems.

According to, “the attacker researched the worker's background on the Internet and used the fact he had four children to craft a bogus email from the company's human resources department with a special health insurance offer for families with three or more kids. The employee clicked a malicious link in the message and infected his company's network with malware.”

Thursday, October 3, 2013

Why Medical Identity Theft Might Be The Next Big Thing

By now you’ve heard of identity theft – we get it…we shouldn’t share our bank account number with the Minister of Finance from Nigeria. But how many of you have heard of medical identity theft? According to surveys, very few…but the number of medical identity theft incidents is rising at an alarming rate.

Tuesday, October 1, 2013

So What Does the Dropbox Hack Mean for You?

So, a couple of months ago, two developers decided to hack Dropbox. Just because. You know what this world needs less of? VOLUNTEER hackers.