Ransomware holds a tight grip on its victims and their most valuable data and is a global epidemic reaching all corners of the world.
The infection vectors most commonly used by ransomware are email attachments, links in emails, compromised websites and malvertising. The first of these, attacks via email attachments, can be intercepted by a security or gateway appliance before the user ever receives the lure.
When an attack uses a website that security products have already identified as compromised or as hosting malicious content, it can be blocked by matching the domain or IP in the link embedded in the email, or in the URL a user visits, against that intelligence. In practice, however, simple blacklisting approaches suffer from the relatively short lifespan of these drive-by landing pages: by the time a landing page is listed, the campaign has often moved to a new one.
Without a doubt, the information security space is experiencing a dramatic increase in hiring. Finding qualified candidates is continuing to get more difficult, and the duties of managers are steadily increasing. As a result, hiring managers and human resource recruiters are looking for ways to make the process more efficient. Because most certifications in the information security industry come with experiential requirements, the search for candidates possessing industry credentials is seen as a good way to achieve this goal. However, other challenges begin to surface if the proper value of certification is not considered, which I explore in further detail in my recent Journal article.
I have developed and published a risk-based methodology for third-party data security, risk and compliance. It provides process guidelines and a framework for enterprises' boards of directors and senior management teams to consider when providing oversight, examination and risk management of third-party business relationships in the areas of information technology, systems and cybersecurity.
Through my business relationships and the research I went through, including a number of professional surveys, I have found that information technology and security managers, directors and executives report that significant data breaches are linked directly or indirectly to third-party access. Unfortunately, these security breaches are trending upwards.
In my recent Journal article, I covered how organizations can leverage information governance (IG) programs to enable change and instill a culture of security. With today's reality of increasing global data privacy regulations and unrelenting data breaches, sound data management and security are more important than ever before. In the face of these challenges, one of the most effective things organizations can do is enable true change, weaving security and privacy into the fabric of their cultures. Once that has been achieved, enforcement of the established programs and policies is equally important so that the hard work is not wasted.
Having experienced the excitement of a total solar eclipse, I now better appreciate how much picking the right lens matters to making the experience worthwhile. Cyberrisk and cyberevents are the eclipses of the cyber landscape, and choosing the right lens to view a solar eclipse is much like examining cyberrisk through a quantitative, risk-based approach.
Today, decision makers rarely choose a course of action without clear insight into the values at risk, and when it comes to a cyberrisk response, understanding the risk exposures in quantitative terms is what is most often sought. Yet requests for risk quantification frequently receive little attention and meet some hesitancy, owing to the complexity of frameworks, the limitations of empirical data, the reliability of statistical models and a lack of stakeholder confidence, among other factors. While some of these debated areas cannot simply be ignored, it is largely user interpretation that makes cyberrisk quantification appear complex; it is fair to ask whether risk quantification failed its users or whether user interpretation failed risk quantification. Understanding these realities helps set realistic expectations for quantitative risk analysis. Like any method, cyberrisk quantification is not a plug-and-play process but a unified effort across governance, process and technology: