<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><a href="https://dzone.com/articles/how-we-can-turn-national-cybersecurity-awareness-m">https://dzone.com/articles/how-we-can-turn-national-cybersecurity-awareness-m</a></div><div dir="ltr"><div class="gmail-ng-scope">
<div class="gmail-content-html">
<p>Want to take a peek at the World’s Worst Data Breaches? <a href="http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/" target="_blank" rel="nofollow">Here</a> you go. </p>
<p>Now that we’ve got that out of the way, let’s start this blog
post over again. Our goal isn’t to frighten you or deepen the numbness
you might already be feeling from the drip, drip, drip of bad cyber
news.<br><br>It’s <a href="https://www.dhs.gov/national-cyber-security-awareness-month" rel="nofollow" target="_blank">National Cybersecurity Awareness Month</a> (NCSAM), which was launched in October 2004 as a collaboration between the <a href="https://staysafeonline.org/ncsam/" rel="nofollow" target="_blank">National Cyber Security Alliance</a> (NCSA)
and the U.S. Department of Homeland Security with the goal of raising
awareness and providing education on cybersecurity issues.</p>
<p>The name is something of a misnomer, however. <a href="https://staysafeonline.org/ncsam/get-involved/" rel="nofollow" target="_blank">NCSAM</a> is
really designed to do more than make you aware of cyber risks. It’s
bigger goal is to arm you with information and tools you can use to
strengthen yourself, your social groups, and your businesses against the
cybercriminals who prey on us.</p>
<p>In the spirit of NCSAM, we want to do our part by sharing
some of the advice our bloggers have offered on how to take action to
protect yourself and your companies from cyberattacks. With that in
mind, here are summaries of four recent blogs.</p>
<h2>1. 4 Steps to Building a Security Awareness Program</h2>
<p>First up is a post that gives advice on creating a security
awareness program in your organization. Recognizing that security isn’t
just about technology, this post addresses human factors and the part
that employees can play within the context of a company-wide security
awareness program.</p>
<p>The goal is to stop treating security as a series of one-off
events or activities that are handled by experts (often in reaction to
incidents after they’ve taken place) and to create a proactive,
pervasive culture where employees can recognize security risks and then
take action on their own or escalate as appropriate.</p>
<p>The post recommends carrying out the following “human factors” steps:</p>
<ol>
<li>Creating a Security Handbook containing a body of information that
employees know about and actually consult when they need information
about a security issue.</li>
<li>Setting up real-time communication channels using two-way tools
such as Slack so you can report and be advised on issues as they occur.</li>
<li>Holding in-person information sessions to create a culture of
openness and to bring important issues to employees in a dynamic,
engaging fashion.</li>
<li>Creating a Security Awareness Week to pull security out of the shadows and raise awareness throughout your company.</li>
</ol>
<p><a href="https://dzone.com/articles/4-steps-to-building-a-security-awareness-program" target="_blank" rel="nofollow">Read the full post here. . .</a></p>
<p>If you’re up for more reading, you can also take a look at the recommendations in <a href="https://www.threatstack.com/blog/how-to-implement-a-security-awareness-program-at-your-organization/" rel="nofollow" target="_blank">How to Implement a Security Awareness Program at Your Organization</a>.</p>
<h2>2. The Real Implications of the Shared Security Model</h2>
<p>Providers like AWS have gone to great lengths to codify and transparently communicate a <a href="https://aws.amazon.com/compliance/shared-responsibility-model/" rel="nofollow" target="_blank">Shared Responsibility Model</a> that
has expressly defined the scope and boundaries of responsibility.
Increasingly, customers recognize that Amazon and its brethren have
all-star teams that have a security focus ingrained in them.</p>
<p>In this post, <a href="https://www.threatstack.com/company/" rel="nofollow" target="_blank">Pete Cheslock</a>,
Threat Stack’s Senior Director of Operations and Support, takes a
detailed look at the Shared Responsibility Model and explores areas
where companies can extend their security beyond the basic “Providers
secure the cloud; we secure our data.”</p>
<p>As he points out, even as the cloud is proven to be quite
secure and as confidence in it increases, Security and DevOps teams
still have to be vigilant about their own workloads. Organizations have
to <a href="https://www.threatstack.com/blog/what-all-devops-teams-should-know-about-the-aws-shared-responsibility-model" rel="nofollow" target="_blank">pick up their end</a> of the shared responsibility bargain — and in some cases, even take it a step further than what is required.</p>
<p>To determine where and how you should extend your security responsibilities, Pete recommends asking questions like:</p>
<ul>
<li>What can we control security-wise? What can’t we control?</li>
<li>What do our customers expect of us, security-wise?</li>
<li>What do we need to focus on from a compliance perspective?</li>
<li>What types of data pass through our system, and what security concerns arise?</li>
<li>What do our competitors cover security-wise that we don’t?</li>
<li>And more, depending on your situation</li>
</ul>
<p>Simply put, by going beyond the basics, you will strengthen
your overall security posture, gain or strengthen competitive advantage,
improve your reputation with customers, and likely affect your products
and services for the better, too.</p>
<p><a href="https://dzone.com/articles/the-real-implications-of-the-shared-security-model" target="_blank" rel="nofollow">Read the full post here. . .</a></p>
<h2>3. W-2 Phishing Scams: What You Need to Know to Stay Secure</h2>
<p>Last February, Kevin Durkin, Threat Stack’s CFO, wrote an
important post about W-2 phishing scams. His advice is all the more
important following <a href="https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/#7e406ecc677c" rel="nofollow" target="_blank">the latest Equifax breach</a> that exposed a huge amount of personal information including Social Security Numbers.</p>
<p>Here’s some of what Kevin had to say.</p>
<p>Phishing attacks have recently been targeting W-2 forms
because they are a treasure trove of personal and financial information.
The attackers generally pose as a company official or other trusted
source when they send phishing emails.</p>
<p>Kevin recommends making yourself an unappealing target
through a combination of employee training to tell people what to look
for, periodic testing, and continuous security monitoring.</p>
<p>Who falls for phishing scams? According to the 2017 <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" rel="nofollow" target="_blank">Verizon Data Breach Report</a>, a lot of us: around 30 percent of all employees fall for phishing attacks.</p>
<p><a href="https://www.threatstack.com/blog/w-2-phishing-scams-what-you-need-to-know-to-stay-secure/" rel="nofollow" target="_blank">Read the full post here. . .</a></p>
<p>(A final note: We’re very proud of Kevin at Threat Stack. Recently <a href="https://www.bizjournals.com/boston/news/2017/07/19/kevin-durkin-of-threat-stack-receives-cfo-of-the.html" rel="nofollow" target="_blank">Boston Business Journal</a> honored him as <a href="https://www.threatstack.com/blog/boston-business-journal-names-threat-stacks-kevin-durkin-cfo-of-the-year/" rel="nofollow" target="_blank">CFO of the Year</a>, and he’s a frequent contributor to this blog. For a summary of a some of his recent articles, take a look at <a href="https://www.threatstack.com/blog/5-security-blogs-your-cfo-needs-to-read/" rel="nofollow" target="_blank">5 Security Blogs Your CFO Needs to Read</a>.)</p>
<h2>4. How to Stay Secure at Conferences</h2>
<p>Pete Cheslock spends a lot of time at conferences, and when
we asked him to share advice on how to stay secure on the road, he came
back with a lot of valuable tips.</p>
<p>Anytime there’s a large group of people, especially one that
has its roots in tech, security can be a concern. More devices in one
place and a concentration of industry players can mean a field day for
casual or targeted hackers. Luckily, there are key security basics and
hygiene best practices you can follow to ensure that attending
conferences doesn’t mean opening up a wider attack surface for yourself
or your organization.</p>
<p>First and foremost, he focused on ways you can protect all
of your devices — phones, laptops, tablets, wearables, and IoT devices,
stressing, among other things, that you need to:</p>
<ul>
<li>Take inventory and maintain control of your devices by knowing
which ones you’re bringing with you and where they are at all times.</li>
<li>Password-protect the devices themselves, set up an autolock after a short timeout, and use a password manager.</li>
<li>Use Two-Factor Authentication whenever possible and consider using a service like <a href="https://support.apple.com/explore/find-my-iphone-ipad-mac-watch" rel="nofollow" target="_blank">Find My iPhone</a> or <a href="https://www.preyproject.com/" rel="nofollow" target="_blank">Prey</a> that will let you geotrack your devices if they are stolen or lost and remotely wipe them if needed.</li>
<li>Stay away from unsecured public WiFi networks, or any network that isn’t trusted.</li>
</ul>
<p>To remind that technology by itself isn’t the answer to all
security problems, Pete also talked about the human side of security,
including best practices for using social media as well as excellent
advice on what to discuss (and not discuss) in public.</p>
<p>While his advice focused on attendance at conferences, it
applies just as well as we go through our daily personal and work
routines.</p>
<p><a href="https://www.threatstack.com/blog/how-to-stay-secure-at-conferences/" rel="nofollow" target="_blank">Read the post here. . .</a></p>
<h2>Final Words</h2>
<p>In the midst of all the bad news, it is reassuring that a
lot of individuals and organizations are working to make life online
safer for all of us. Nationally, of course, there’s Cybersecurity
Awareness Month. In our region, Massachusetts Governor Charlie Baker has
announced the formation of the brand new <a href="https://www.mass.gov/news/baker-polito-administration-announces-new-cybersecurity-center-at-mass-tech-collaborative" rel="nofollow" target="_blank">Cybersecurity Growth and Development Center</a>,
whose goal is to unite the cybersecurity sector in Massachusetts while
also training new talent. And, at Threat Stack, where we take security
very seriously, we are committed to <a href="https://www.threatstack.com/blog/threat-stack-raises-45m-round-c/" rel="nofollow" target="_blank">accelerating cybersecurity innovation</a>.
Finally, it is reassuring to know that as individuals and as
organizations, there is a great deal we can do to turn awareness into
action to help make life safer in our cyber world throughout the year.</p>
</div>
</div>
<div class="gmail-article-bumper gmail-article-bumper-bottom gmail-ng-binding gmail-ng-scope"></div><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span style="font-size:10pt"></span></b><span style="font-size:10pt"></span><span style="font-family:arial,helvetica,sans-serif"></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>