Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Arguments Against Security Awareness Are Shortsighted
Oldest First  |  Newest First  |  Threaded View
kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
3/25/2013 | 10:40:26 PM
re: Arguments Against Security Awareness Are Shortsighted
I'm wondering what organizations that can't afford proper security awareness initiatives can realistically do in lieu of check-box training methods.

Kelly Jackson Higgins, Senior Editor, Dark Reading
onlyjazz
50%
50%
onlyjazz,
User Rank: Apprentice
5/3/2013 | 11:37:24 AM
re: Arguments Against Security Awareness Are Shortsighted
Kelly

Great question which reveals the root cause.

The root cause (and Ira has been sucked this mentality also) is that executives typically view business and security as 2 separate universes. The same CEO that constantly looks at business indicators like free cash flow doesn't even conceive of security indicators like the number of files leaked by employees this week to their Dropbox accounts.

Considering the current levels of breaches and data loss and business impact - this is an absurd view of the world.

To make security part of the business, we need to start with CEO-level commitment to security just like she's committed to the bottom line. A companyGs management controls should explicitly include security:

Soft controls: Values and behavior sensing
Direct controls: Good hiring and physical security
Indirect controls: Internal audit driving by real time monitoring

After you do that - you can graduate to enforcement. As Andy Grove once said "A little fear is not a bad thing in the workplace".

See my essay on the Psychology of data security originally written in 2004.

http://www.software.co.il/2010...


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21991
PUBLISHED: 2021-09-22
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server...
CVE-2021-21992
PUBLISHED: 2021-09-22
The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. A malicious actor with non-administrative user access to the vCenter Server vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash) may exploit this issue to create a denial-of-service ...
CVE-2021-34647
PUBLISHED: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via t...
CVE-2021-34648
PUBLISHED: 2021-09-22
The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /n...
CVE-2021-40684
PUBLISHED: 2021-09-22
Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in...