@ISACA Volume 20, 5 October 2016

Security Awareness: Humans Fighting Back


Bad things happen every day. The methods used to steal personal and business data range widely. Some losses are simply accidents, e.g., lost laptops containing databases of client details or emails sent containing personal data. Other methods are far more sinister: using social engineering to trick victims into revealing their own information, or stealing the “keys to the castle” by conning system administrators into entering their credentials for sensitive company resources into spoofed sites.

Attacks have become more difficult to detect with traditional tools such as antivirus software. Cyberthieves are after information: employee and/or customer data accounts for more than 80% of what breaches target, and intellectual property appears to be the next item on attackers’ wish lists. Sophisticated and complex patterns of infection and exposure make the battle against cyberthreats complicated.

Whatever causes a data breach, whether an accident or a deliberate act, technology is not always the answer. Being aware of the cyber security climate we live in is the beginning of building a culture of security. Awareness gives people the basic tools to make a stand against cyberthreats. No one can any longer hope that antivirus software or an intrusion prevention system alone will keep information safe. Cybersafety has to be embraced by everyone, and this means being informed and aware.

Being Security Aware—Hacking the Human

Cyber security risk management, across all industries and all vectors, accidental or otherwise, begins with an understanding of the problem at hand. Cybercriminals may be using more sophisticated techniques to get at valuable information, but they keep using the patterns that work for them, e.g., social engineering. Phishing, which has social engineering at its core, is an incredibly successful entry point for a cyberattack. Many malware infections begin with a phishing email. According to a quiz given by security firm Kaspersky, about 74% of Internet users cannot spot a phishing attempt. Knowing what a phishing email or a phishing web page looks like (a sender address that does not match the name displayed, a link whose visible text differs from its real destination, a look-alike domain, an urgent demand to act now) could stop a malware infection before it even begins.
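The indicators a phishing-awareness course teaches can be written down as checks. The script below is an added example, not code from the article or from ISACA: it runs a handful of such checks over a constructed sample message (display-name spoofing, look-alike sender and link domains via digit-for-letter homoglyphs and edit distance, link text that hides a different destination, and urgency language). It assumes the organization’s own domain is example.com, uses a deliberately naive notion of a “registrable” domain (no public-suffix list), and is a teaching aid rather than a replacement for a mail security gateway.

```python
"""Heuristic phishing-indicator checker (added example; not the article's code).
Flags what awareness training teaches people to spot: display-name spoofing,
look-alike domains, link text that hides the real destination, urgency language."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ["example.com"]  # assumption: the organization's own domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # examp1e -> example
URGENCY_WORDS = ("urgent", "immediately", "suspended", "expires", "verify")


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_labels(domain):
    """Labels left of the TLD, split on '.' and '-' (naive: no public-suffix list)."""
    parts = domain.lower().split(".")
    return [lab for p in (parts[:-1] or parts) for lab in p.split("-") if lab]


def is_lookalike(domain, trusted):
    """True if domain imitates trusted but is neither it nor one of its subdomains."""
    domain, trusted = domain.lower(), trusted.lower()
    if not domain or domain == trusted or domain.endswith("." + trusted):
        return False
    targets = [lab.translate(HOMOGLYPHS) for lab in registrable_labels(trusted)]
    for lab in registrable_labels(domain):
        norm = lab.translate(HOMOGLYPHS)
        for t in targets:
            if norm == t or (len(t) >= 5 and levenshtein(norm, t) <= 1):
                return True
    return False


class HtmlText(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def first_text_part(msg):
    """(content type, decoded text) of the first text part, HTML preferred."""
    parts = sorted((p for p in msg.walk() if p.get_content_maintype() == "text"),
                   key=lambda p: p.get_content_subtype() != "html")
    if not parts:
        return "", ""
    raw = parts[0].get_payload(decode=True) or b""
    return parts[0].get_content_type(), raw.decode(parts[0].get_content_charset() or "utf-8", "replace")


def analyze(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (indicator, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name carries an address whose domain differs from the real sender's.
    for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", name):
        if claimed.lower() != sender_domain:
            findings.append(("display_name_spoof", f"name claims {claimed}, sender is {sender_domain}"))
    # 2. Sender domain imitates a trusted domain (homoglyph, typo or different TLD).
    for trusted in trusted_domains:
        if is_lookalike(sender_domain, trusted):
            findings.append(("lookalike_sender", f"{sender_domain} resembles {trusted}"))
    ctype, text = first_text_part(msg)
    visible = text
    if ctype == "text/html":
        parser = HtmlText()
        parser.feed(text)
        visible = " ".join(parser.text)
        for href, anchor in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            # 3. Visible link text is itself a URL, but the href goes somewhere else.
            if anchor.lower().startswith(("http://", "https://")):
                shown_host = (urlparse(anchor).hostname or "").lower()
                if shown_host != href_host:
                    findings.append(("link_text_mismatch", f"shows {shown_host}, goes to {href_host}"))
            # 4. Link destination imitates a trusted domain.
            for trusted in trusted_domains:
                if is_lookalike(href_host, trusted):
                    findings.append(("lookalike_link", f"{href_host} resembles {trusted}"))
    # 5. Pressure to act now, the classic social-engineering lever.
    haystack = (msg.get("Subject", "") + " " + visible).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))
    return findings


# Constructed sample messages for this example (not real mail).
SAMPLE_PHISH = """\
From: "IT Helpdesk (helpdesk@example.com)" <alerts@examp1e-support.net>
To: staff@example.com
Subject: URGENT: your password expires in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you verify it immediately.</p>
<p><a href="http://examp1e-support.net/login">https://sso.example.com/login</a></p>
</body></html>
"""

SAMPLE_BENIGN = """\
From: "Payroll" <payroll@example.com>
To: staff@example.com
Subject: October newsletter
Content-Type: text/plain; charset="utf-8"

The October issue is posted at https://intranet.example.com/news.
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_PHISH))   # five indicators fire on the constructed phish
    print(analyze(SAMPLE_BENIGN))  # []
```

Running the script on the constructed phish reports all five indicators; the benign newsletter reports none. The value for an awareness program is less the script than the list of checks it encodes: each one is a question a person can ask of a suspicious message in a few seconds.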

Security Awareness Training

Making users aware of their own actions and of others’ malicious intent is now more important than ever. In addition to in-house training sessions on security and how it can impact the organization, external experts can be enlisted. A number of firms offer security awareness training courses. These curricula augment, rather than replace, technology-based prevention of security breaches. The courses, often delivered online and remotely, are tailored to an organization’s needs.

Some ideas for training a workforce about security include:

  • Designating security days when each department reviews what has happened in that department in the last month with regard to security issues
  • Designating a security focus month when attention is concentrated on particular issues, e.g., not sharing passwords
  • Using social engineering testing that simulates attack types such as phishing
  • Including everyone in training, not just IT, and making it as interactive as possible
  • Focusing not only on compliance and security, but taking a wide-spectrum approach to creating a security culture
  • Getting end users to brainstorm ideas for training; everyone is at risk from cyber security threats and everyone has a vested interest in finding ways to raise security awareness
  • Sharing stories and using them to teach best practices

As more people are held for ransom by hackers, it can no longer be assumed that software alone will protect us. Everyone has to take a stand, and this requires knowledge and insight. Hackers understand their prey very well; an effective defense is to turn their own methods against them by understanding their tricks and techniques.

Avani M. Desai, CISA, CRISC, CIPP, CIA, CISSP, PMP, is the executive vice president at Schellman & Company Inc. Desai has more than 13 years of experience in IT audit, attestation, security and privacy. Her focus recently has been on emerging technology concerns and issues.


More Meaningful Risk Assessments



Quantifying the potential impact of a breach can be a useful way to engage stakeholders. To help organizations improve on traditional vulnerability reports, ISACA has partnered with SolarWinds to present the “Making Risk Assessments Meaningful: Data Breach Intelligence That Matters” webinar. This webinar will take place on 6 October at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour for attending the webinar and passing a related quiz.

Billy Austin, vice president of security at SolarWinds, will lead this webinar. In it, he will discuss how to capture the potential financial impact of a breach and will show attendees how to produce reports that will be easily understood by the entire organization. When security professionals speak in terms of financial impacts rather than threats and vulnerabilities, they can more easily show the value of effective risk management.

To learn more about this webinar or to register for it, visit the Making Risk Assessments Meaningful: Data Breach Intelligence That Matters page of the ISACA web site.


Expand Your Skill Set and Network With Peers at 2016 CSX Conferences



Because of the growing importance of cyber security and the need for qualified cyber security experts, ISACA’s Cybersecurity Nexus (CSX) will host 3 cyber security conferences this year. Conferences will be held in Las Vegas, Nevada (USA), London (United Kingdom), and Singapore. The conferences will take place on 17-19 October, 31 October-2 November and 14-16 November, respectively.

Attendees of all skill levels are welcome, with 2 levels of complexity offered for each cyber track. The tracks are identify, protect, detect, respond, recover and explore. Presenters at these conferences include chief executive officers, journalists and cyber security experts. In addition to learning from industry leaders, attendees will have the opportunity to network with peers.

To learn more about any of these conferences, visit the CSX North America Conference, CSX Europe Conference or CSX Asia Pacific Conference pages of the ISACA web site.


Certification Renewals and CPE


With the 2017 renewal year now open, it is the perfect time to review your continuing professional education (CPE) status for your certification. The CPE policy requires earning at least 20 CPE hours annually and 120 hours over the 3-year cycle. Remember that CPE must be earned in each cycle year and cannot be carried over from one year or one cycle to another. Certified individuals have until 31 December 2016 to earn any needed CPE to remain compliant with the CPE policy.

Your MyCertifications page provides a high-level view of where you stand on CPE for both the yearly and 3-year cycle requirements. Your Manage My CPE page provides detailed information on the CPE you have already reported for your current cycle. Take a moment to assess where you stand with regard to CPE for your certification. Plan ahead now and schedule time for your CPE activities so you can earn any necessary CPE and avoid an end-of-year crunch.

To add CPE hours, log in to your ISACA account at www.isaca.org/reportcpe. Click on the “Manage My CPE” button. Scroll down and then click on the “Add CPE” button. Enter your CPE activity information and click “Save.”

Questions? Contact certification@isaca.org.