Each New Year brings with it the
opportunity to start fresh and learn from the prior year’s errors and victories.
This bifurcation between the years allows for this reflection. With the
upcoming year, there are a number of initiatives that the corporate CTO/CISO
can implement to better the business and further mitigate risks associated with
the operations and business itself.
One action item for the corporation
to accomplish, if it has not been done already, is to hire a qualified
Information Security Engineer/Architect. This should be a top priority if it is
not already done. This person will be able to assess the enterprise, advise what
needs to be done, and begin to implement the changes.
Communicate with your staff and
ensure they follow these. One of the more profitable attacks that gained traction
over the last year was the ransomware of everyday consumers, manufacturers, and
hospitals, and also the executive pay scam. The former involves anyone at work
or home simply clicking on an image or opening a malicious file. The latter
involves a multi-step social engineering process with one of the staff members
as funds are wired from the business on the false behest of the C-level. To
mitigate this attack, people need to know they don’t have to click on
everything, including kitten pictures. The business can also communicate its
wiring processes and simply verify the email to mitigate this risk.
During the next year, a focus
should be on training the staff to better recognize social engineering
attempts. The training cannot be the same mindless, boring presentations with
graphs on PowerPoint slides. The training needs to be engaging and interesting.
The role of the training staff is not to entertain, but this helps with
knowledge retention over time. No training will be perfect; however, every
little bit assists in mitigating the risks. The alternative is to become a victim
of social engineering and to have to manage the issues arising from this.
Here is to a New Year with a focus
on securing the enterprise!