- Interview with Security Expert Mikko Hypponen. From Slashdot.org. Do you have any suggestions on how to create a successful security awareness program in a tech company? Some people like Bruce Schneier prefer the time and money spent on better security engineering. What’s your take on this?
Mikko Hypponen: If there’s one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won’t. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time. I think we should do the best we can to move the responsibility away from the end user, as much as we can. Most users can’t handle it, anyway. The average Slashdot reader can, but most can’t.
- So much for counter-phishing training: Half of people click anything sent to them. From ArsTechnica.
Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.
The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts.
1. U.S. Cyberattacks Target ISIS in a New Line of Combat. From NYTimes. The United States has opened a new line of combat against the Islamic State, directing the military’s six-year-old Cyber Command for the first time to mount computer-network attacks that are now being used alongside more traditional weapons.
2. Cybersecurity Threats Are Real: You And Your Organization Could Be In Danger. From Forbes. When board members were asked about the amount of knowledge they had on cybersecurity, less than 20% had a high level, 65% had some and 15% had little knowledge. During the webinar, over 50% were dissatisfied with the quality of information provided to the board by management pertaining to cybersecurity and IT risk.
3. The future of the NIST Cybersecurity Framework. From IApp.Org. On April 5-7, the National Institute of Science and Technology hosted a Workshop on its “Framework for Improving Critical Infrastructure Cybersecurity.” The workshop was extremely well-attended, with more than 900 registrants and hundreds more attending by webcast. It was preceded by a NIST request for information, which prompted 105 responses, many from industry associations representing hundreds of companies.
4. Aligning Cybersecurity with Corporate Culture. From Wall Street Journal. Creating a “cybersecurity culture” means instilling in employees an acute sensitivity to cyber risks and arming them with knowledge and tools to mitigate these threats. Tightly linking cybersecurity to the day-to-day work environment could vastly improve organizations’ security posture.
5. Singtel launches first-of-its-kind cyber security institute in Asia Pacific. From Straits Times. Telco Singtel on Tuesday (April 26) launched its Cyber Security Institute (CSI), a hybrid between an advanced cyber range and an educational institute. It is the first of its kind in the region to test and train companies in dealing with sophisticated cyber threats. Housed in a permanent space of over 10,000 sq ft in the eastern part of Singapore, the institute provides cyber skills development and education programmes tailored to the varying needs of company boards, C-suite management, and technology and operational staff.