Wednesday 31 August 2016

Overcoming Barriers to Effective Supplier Risk Management

Overcoming Barriers to Effective Supplier Risk Management

Businesses both large and small have the same challenge.  How to keep up with auditing suppliers new and old for security risk.  Too many are constrained by manual processes and the impacts that has on reporting.  We look at some of the common factors:


Existing approaches can be daunting, requiring the capacity to dedicate a team of people to control and manage thousands of suppliers. Existing tools and manual processes are resource-heavy and often result in only a small percentage of suppliers being audited, meanting the organisation has no comprehensive oversight of its risk.


Assessing supplier risk often requires large-scale, cross-departmental collaboration across Legal, IT, Information Security, Risk & Audit, Procurement and more.  An integrated approach and reporting can be a challenge.


The decision on which standards to use can prove protracted and external consultancies can prove to be expensive and rigid and take time to implement new procedures and policies.


Traditional tools can prove cost-prohibitive when managing internal resource overhead, using expensive consultants, or implementing and managing unwieldy, high-cost, in-house software.

Management Reporting

Compiling, analysing, validating and verifying data from individual spreadsheets across multiple departments makes the production of meaningful reports for senior management a labour-intensive task, meaning it takes longer for critical risks to be identified.

So how to analyse your full supply chain?  ZeroDayLab's Supplier Evaluation Risk Management (SERM) service can help.  Find out more here. 

Thursday 25 August 2016

Top 10 Considerations for Truly Effective Security Awareness Training

Security, The Risk of Human Error...& a Tricky Thing Called Motivation…

Top 10 Considerations for Truly Effective Security Awareness Training

Even though 52% of breaches are attributed to human error, security awareness is still quite a new thing for many companies.  Well, not that new, there are plenty of induction packs with sections on data protection responsibilities and if you are lucky, a presentation or webinar.  However, we all know the threat environment is looming ever-larger and darker, worse still, it’s constantly changing; so how do you keep your employees not only knowledgeable about the risks presented each day at their keyboards but also motivated enough to identify them and to take action?

The reality is that every organisation and its requirements are different.  Whilst there are key elements, such as phishing campaigns, that should be included as standard to measure and educate security awareness; an effective strategy needs to tick additional boxes to create a true change in 
security behaviour.

1 Test & Benchmark
Before you commence security awareness training; find out the truth!  I’m afraid you might be shocked, most companies are.  Common click-through rates from phishing programmes we have delivered for clients have seen click-through-rates achieve up to 30+%.  When you consider that it can take less than 30 minutes for a threat to establish itself on your network, just one click could seriously jeopardise your security. 

If the result is the kind of click-through-rates a Marketing Manager would die for, you would be forgiven for thinking, ‘Well, what’s the point in testing if it’s likely the so many staff will fall for it?  I know we have a problem.’  The benefits of a phishing test are not just confined to identifying problems and benchmarking for improvement.  Utilising the results of an actual, live example which the trainees received and many of them clicked on, resonates with staff far more than giving generalised real world examples because they experienced it.  It really could happen to them.  Human behaviour is such that an individual never wants to jeopardise the tribe, nor do they want to be the fool.

2 Elements of Testing – It’s Not Just About Phishing!
There are certain key components to security awareness testing and training which should form part of a successful campaign but it is their mode of delivery that makes the difference.  Successful campaigns will involve personalising that message to your company.  This is not about just raising click-through-rates for your security company to report to you; this is exactly what the cyber criminal will do.  They know, that on the other side of the computer is a person that is ultimately motivated by self-interest.  The most effective spear-phishing campaigns carefully target their prey and learn about them.  They will create fake websites and branded emails and they will learn the name of the manager in the purchasing department that they want to send their malware-laden ‘invoice’ to.  Effective testing and training involves activating your staff’s self-interest button; coffee and gym vouchers, for example, have been popular tactics used to test employee resilience.

On a similar note, cyber criminals will exploit another human trait.  Trust. Consider the wider possibilities for breach, over-and-above email.  Digital social engineering is an obvious culprit but what about physical social engineering?  Security awareness also comes down to what information is given out over the phone but also who is allowed into the building.  How often do you check a staff badge closely, or allow someone to follow you through a secure door? 

3  Timing
Consistency is the key to security awareness.  Companies undertaking security awareness training once at induction will not succeed in raising levels of awareness and staff security. A message delivered once, and in the fog of a lot of other information, will be lost. The biggest brands know it, they repeat their message again and again until people at first recognise their message and then respond.  Involve HR & Training and Internal Communications to enable a consistent programme of messaging and to keep the profile of security awareness high within the business.  This is particularly important where there is high staff turnover and large customer support departments.  The most effective programmes review and re-visit their training programmes on a regular basis.

4  Training Methods
We have already mentioned how ‘real world’ examples drive greater awareness and engagement by using results from phishing resilience tests.  Again, depending on the structure of the company, different methods might be more effective, or quicker, with large numbers of people.  Interactive seminars and/or computer-based training are at their best when followed up by internal marketing programmes and access to further information covering topics such as how to identify phishing, or what information not to give out over the phone. Additionally, security awareness training may need to be adjusted in line with the job role, e.g. customer services or accounts as opposed to shop floor.

5 Who Holds the Keys to the Kingdom? – Why Top-Down Training is Essential

Just who does hold the keys to your kingdom? Spear-phishing is targeted.  Board Members, Senior Managers and their PAs are just as vulnerable as the sales office, in some cases, more so.  Top-down training instils a security-orientated culture benefiting not only the business but also its customers.

6. What's In It For Me? The Human Motivation Factor
"That's all very well," you think, "but what impact will a couple of hours training really have in changing behaviour in the company?" All too often, corporate training days are swiftly forgotten, so how do you make it stick - without using one?

Human error is a significant problem and to overcome it you need their behaviour to change.  To enable on-going behavioural change aligning your business needs with your employee needs and motivations is key.  Some motivators might be:
  • Protecting yourself and your family from identify theft and fraud
  • Financial incentives
  • Ambition and development (KPIs, development programme)
  • Personal engagement and responsibility (Security ambassadors)
  • Corporate engagement - doing it for the future of the company and its security.
Some companies have been linking staff security awareness to their appraisal system, some even to their bonus structure via a testing and scoring system.  If an individual (or sometimes team) falls below benchmark level, they lose their bonus and are sent on security awareness training.  This is an approach that has been welcomed by some management teas as it is quantifiable.  Clearly, there are pluses and minuses.  It is likely to engage the individual so they don't lose money, however the stick approach doesn't work for everyone and may affect loyalty and motivation.  There are however, no concrete statistics to suggest disincentivisation at this point.

7. Integration - The Human Link to Solutions, Policies & Procedures

ZeroDayLab's Four Quadrants of Security Awareness 

Let's face it, humans are everywhere.  People or their activities affect every single part of the business.  In terms of business solutions, weeding out the unofficial shadow applications and ensuring that teams keep all aplications in line with security protocols and the most effective implementation for your organisation.  Likewise, whilst the majority of staff are not involved in the management of policies and procedures; do all staff who need to be (such as customer-facing roles) have a full understanding or their responsibilities under PCI DSS or EU GDPR, for example?

8.  What Now? What to Do When a Threat is Discovered
Once you've trained your staff, have you told them what to do when they identify a threat? Empower them as a part of your security awareness programme. Make staff clear on when and how they report an email, or odd activities on their computer.  Just as importantly, in the event of a breach, ensure that communications are implemented effectively so that all staff, especially customer-facing operatives, know what to say and how to help the customer when they ring up concerned about their data security. Quite often, this link in the chain breaks and so does customer and stakeholder trust as a result.

9. Test, Educate, Review, Repeat
Testing isn't just about the phishing campaign.  Make sure you are breach ready with Red Teaming and runbook preparation and training - not forgetting a crisis communications strategy. Staff security awareness is an on-going project requiring regular communication and follow-up training.  In short; test, educate, review, repeat. 

10. Dust off the Bat Phone
Not every company has a big enough IT/Security team or HR & Training to implement Security Training on an on-going basis. It's not just the additional resources that a security consulting team will bring to your security awareness strategy, it is analysis and independence.  A security firm will not only be able to analyse the results from your phishing resilience testing, they can anonymously test social engineering and deliver physical security tests.  What's more, as an independent expert, they can add greater weight to your education programme through threat knowledge and the latest approaches for the board or the employee group as a whole. 

Plus the Paper DOWNLOAD the paper here

Tuesday 23 August 2016

7 Ways Advanced Penetration Testing Protects Your Business Better

7 Ways Advanced Penetration Testing Helps Beat the Hackers

Penetration testing is vital for risk management.  Thorough, Advanced Penetration Testing provides a realistic demonstration of what would be the result of the attack without having to be the victim.  This allows risks to be evaluated with the ability to gain a good perspective of potential costs.

In general, real attackers have a long period of time to identify potential ways to gain access to a system or network.  Therefore, the longer time a tester gets to perform a penetration test, the more realistic the results of that penetration test shall be.

As every application or environment is unique, a certain period of time is already needed to really understand the application or environment that needs to be tested.

Furthermore, performing small (pen)tests means there is less time to perform manual tests and verify/develop vulnerabilities.  More time means that more manual testing can be done and the test has the time to think of specific, unique and realistic attack scenarios.

A test of 7 or more days means that potentially more than one tester can be on the test, and two heads are better than one.

We have 7 examples of extensive/additional tests that are performed when a tester has more days to test a specific application or environment - read more in our infographic here.

  1. Extensive software security track record checks
  2. Exploitation of found vulnerabilities,  or bypassing implemented security measures to gain further access into the network
  3. Advanced password cracking attacks
  4. Advanced brute force attacks
  5. Decompiling/reverse engineering of applications or application components
  6. Download publically available source code of software in use, to look for vulnerabilities not traditionally found in a short pen test
  7. Enumerating the dark web
Read more on how to beat the hackers on our infographic.

Further details on ZeroDayLab's approach to Advanced Penetration Testing can be found on our website here.

Monday 15 August 2016

Sage software firm hit by data breach by someone using an internal computer

A data breach at large UK software company Sage may have compromised personal information for employees at 280 UK businesses, it is understood.
Police are investigating the breach and Sage is probing the "unauthorised access" of data by someone using an "internal" company computer login.
The information was accessed at some point over the past few weeks.
It is unclear whether it was stolen from the FTSE-listed firm, or merely viewed.
The company, which provides business software for accounting and payroll services to firms across 23 countries, says it is taking the breach extremely seriously.
The police are investigating and the Information Commissioner's Office (ICO), responsible for the enforcement of the Data Protection Act 1998, has been informed.
Sage has notified those businesses whose data may have been accessed and has advised them to look out for any unusual activity.
A Sage spokesperson said: "We are investigating unauthorised access to customer information using an internal login.
"We cannot comment further whilst we work with the authorities to investigate - but our customers remain our first priority and we are speaking directly with those affected."
Sage was founded in 1981 and now has more than 13,000 employees around the world.
The group has an annual turnover of £1.3bn, and is the only remaining technology stock on the FTSE 100.
If the ICO decides that Sage has been negligent there are a number of actions it could take, including criminal prosecution, non-criminal enforcement, or undertaking an audit at the firm.