Kalki Blog

Information Security Training & Awareness: What's missing?

Posted by Stacy Willis on Nov 20, 2015 7:00:00 AM

At this point, the majority of businesses (both large and small) understand the need to educate their employees about cybersecurity. There are plenty of stats that tell us what a good idea it is, training and awareness programs are a major component of accepted information security frameworks (like ISO or NIST), and plenty of experts in the field keep recommending it. So, what do we see that's missing?

Topics: Education & Awareness

Structuring an information security training program

Posted by Stacy Willis on Sep 18, 2015 7:00:00 AM

Class is in session!

Creating an information security education program (see why we prefer to call it an education program rather than a training program) can be a daunting task, especially if you've never done it before. But it is one of the most crucial steps in keeping your organization secure. Our education programs are all about empowering employees with knowledge and making them secure both at home and at work.

Topics: Education & Awareness

“CEO Fraud” on the Rise

Posted by StacyNease4Fbhds on Aug 10, 2015 11:14:24 AM

An attack known as CEO Fraud is seeing an uptick as a new favorite for attackers. These attacks are a very specific type of phishing attack in which the email is crafted to look like it is coming from the CEO (or another high-level executive) within your own company. The gist of these emails is typically along the lines of “I need to move some money around, can you provide me with the account numbers for X, Y, Z?” These attacks are often very well crafted and may even be well-planned enough to use language that is typical of your CEO in email communications, so they can be very difficult to distinguish from a real email from the CEO.

How prevalent is it?

The IC3 reports that in 2014 business email compromises accounted for more than $214 million in losses for victims. Just this week, Ubiquiti Networks reported a loss of over $46 million from an attack of this type. And that’s just the tip of the iceberg. There are endless stories of scams like these wreaking havoc on businesses. The moral of the story: no matter how big or small, start preparing your business now.

How can you protect your business?

Get ahead of it! Send a company-wide communication to your team warning them of what to look out for. If people are prepared, it is much easier for them to recognize an attack (and not fall victim to it).

Educate your people. I know we sound like broken records over here, but education is key to protecting your people and your company. Invest in an education and awareness program sooner rather than later. Find out why we want you to create an education and awareness program rather than a training and awareness program.

Lay down policies and create methods for reporting possible attacks. Lay down what is and isn’t acceptable at your company (e.g., financial account numbers should not be shared via email) and communicate those rules to your employees. Then give your people clear procedures for reporting those fishy emails so your company can stay on top of what’s happening.

Topics: Education & Awareness, Phishing, Cyber security

What should I teach my employees about information security?

Posted by StacyNease4Fbhds on Aug 3, 2015 9:26:10 AM

One of the biggest hurdles to information security training is getting employees to understand why it should be important to them. Many people mistakenly believe that they simply aren’t a target for attackers, a belief which often extends to the businesses they work in. Many small to medium sized businesses don’t think they are a target because they “aren’t one of the big guys” when, in reality, that makes them an even bigger target. Make sure to communicate to employees what the attackers are after and what it is worth to them.

Some other major topics that should be included in any SecurITy Awareness Program are:

Data classification: Classify all data that flows through your company (you can use our handy Data Classification BINGO tool for that!) and make sure your employees understand those classifications. Employees will be much more likely to handle information carefully if they truly understand its value.

Company’s information security policy: First of all – make sure you have information security policies and procedures in place that have been signed off by executive management and distributed to all employees. Make sure employees know what is and isn’t expected of them and teach them about processes for communicating with support and reporting incidents.

Access control and passwords: Make sure your organization has strict rules for password strength and teach your employees how to create strong passwords (and why they should have them!). We always like to teach users about Kalki’s 10 Password Commandments. It’s a simple and effective way for users to learn what they should and should not do in creating passwords. Make sure employees aren’t writing passwords down or emailing them to themselves; you can even introduce enterprise-level password safe tools to help them out!

Social engineering: One of our favorite sayings over at Kalki (aside from all of our #kalkiisms, of course) is “A chain is only as strong as its weakest link.” This is especially true of businesses, with human error being the weakest link. You can have all the security in the world, but if a social engineer calls up an employee and obtains logins and/or passwords, it’s all blown. Set ground rules for what employees should and should not divulge over the phone, teach them how to verify who they are speaking to, and lay down processes for employees to report issues.

Phishing: Spam filters don’t catch everything, so make sure your employees know what to look out for in phishing or malicious emails. Teach them how to think before they click and report “fishy” emails. Check out our phishing blog post for more details.

Browsing: Make sure it’s clear in your organization’s security policies what is acceptable browsing and what isn’t. Teach employees the basics of safe browsing and make sure you have tools for measuring and monitoring activity. On a side note: please, please, please make sure you don’t let your employees have admin-level control over their own machines; it avoids some major catastrophes from this one.

Malware: Teach users the basics about malware: what it is and how to avoid it, and make sure they know to report it quickly so your IT department can respond quickly and efficiently. For a quick non-technical view, we always like to talk users through our Malware infographic.

Social networking: Make your employees aware of the rules regarding usage of social media at work and let them know what they should and shouldn’t be posting about the company. Giving them a basic breakdown of safe social networking for themselves and their families will make it relevant to them even at home.

Mobile devices: Set your BYOD (Bring Your Own Device) policies and make sure employees know what to expect. Be sure to teach any employees that have to use mobile devices for work purposes the rules of the road. On a side note: if your company allows employees to connect personal mobile devices to wifi, make sure that network is segregated from your work network so that an infected mobile device can’t bring down your network.

Topics: Education & Awareness

In the News: FBI consultant advises small businesses to prepare for cyberattacks

Posted by StacyNease4Fbhds on Jul 6, 2015 3:54:08 PM

A recent interview with John Iannarelli, an FBI cybersecurity consultant, revealed the true depth of the cyber threats facing the U.S. today. The reality is, attacks are becoming more advanced and are not just aimed at large companies, but at small businesses as well. The key is preparation: taking the time to prepare now will make your life that much easier when emergencies happen. Proper preparation can help keep your lights on and your business running when the stuff hits the fan (if you catch our drift). Reduce the worrying and find your zen zone by knowing what you're up against and taking the proper steps to protect your business.

Topics: Education & Awareness

New Guide! Employee Education & Awareness

Posted by StacyNease4Fbhds on Jul 3, 2015 9:26:08 AM

Topics: Education & Awareness