Your organization’s online safety and security are a responsibility every employee shares.
WASHINGTON, D.C., Oct. 15, 2018 ‒ Today all workplaces face the growing risk of cyberattacks. No matter where you are employed – whether it’s at corporate headquarters, a downtown restaurant, hospital, government agency or school ‒ online safety and security are a responsibility we all share. According to the U.S. Small Business Administration, there are more than 30 million small businesses nationwide. These organizations have a big impact on America’s economy through job creation and employment.
In October 2017, the National Cyber Security Alliance (NCSA) launched CyberSecure My Business™. The program ‒ of which FedEx is a Founding Partner and Trend Micro is a Signature Sponsor – was created to help strengthen cybersecurity in the small and medium-sized business (SMB) community. It does so by offering interactive training based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. During a 12-month period, NCSA has reached more than 6,840 highly engaged individuals via CyberSecure My Business in-person events, monthly webinars and YouTube webinar views.
Regardless of a business’s size, it is critical to take measures to help prevent attacks and have a set plan ready to go if one does occur. Across the board, NCSA recommends a top-down approach to creating a culture of cybersecurity in the workplace. The following steps ‒ developed by NIST ‒ will help tremendously as you formulate a plan to keep your business cybersecure:
- Identify: Conduct an inventory of your most valuable assets – the “crown jewels” of greatest importance to your business and of most value to criminals – such as employee, customer and payment data.
- Protect: Assess what protective measures you need in place – such as keeping your software up to date or by following these tips – to defend the organization as much as possible against a cyber incident.
- Detect: Have systems set up that would alert you if an incident occurs, including the ability for employees to report problems.
- Respond: Make and practice an incident response plan to contain an attack and maintain business operations in the short term.
- Recover: Know what to do to return to normal business operations after an incident or breach, including assessing any legal obligations.
As a technology leader, Intel has implemented some of the industry’s best practices for making sure its employees and contingent workers know how to play an active role in helping keep the workplace and company data secure. Recognizing that employees are the first line of defense in corporate security, Intel cultivates a culture where security is top of mind and sets expectations for good security hygiene by helping employees know what actions to take in order to help keep Intel information secure. Some examples include:
- Delivering more than 150 role-based information security training courses to the enterprise and providing annual Information Security Awareness training for all 100,000+ employees plus contingent workers across 45+ countries.
- Executing regular companywide information security awareness campaigns to engage employees and keep them connected to Intel information security and privacy policies, as well as the evolving security landscape.
- Enforcing compliance and managing change via targeted internal communications.
In another initiative to assist SMBs, NCSA teamed up with Facebook and MediaPRO to produce the Cybersecurity Awareness Toolkit. It is packed with techniques and tips addressing simple, actionable ways organizations of varying industries can better protect themselves and their companies from being compromised. Front and center is Facebook’s Hacktober, which is the company’s internal NCSAM campaign and emphasizes the role everyone plays in making the internet safer and more secure. MediaPRO infographics and a link to their invaluable Best Practices Guide for Comprehensive Employee Public Awareness Programs are also showcased along with NCSA’s Quick Wins Tip Sheet and a lengthy list of practical resources. In addition, check out the latest NCSAM infographic for user-friendly tips any business can follow. NCSA encourages everyone to download the infographic and share it on social using #CyberAware.
“As we have witnessed over the last several years, any organization can fall victim to cybercrime, which could result in stolen personal information or intellectual property and serious disruptions to businesses and their customers,” said Russ Schrader, NCSA’s executive director. “And as the lines between our work and daily lives become increasingly blurred, it is more important than ever to be certain that smart cybersecurity carries over between the two.”
Recent Research Addressing Cybersecurity and Privacy Practices in the Workplace
LastPass Report
Most businesses still have work to do in overcoming weak, reused, old and potentially compromised credentials. A new password security benchmark report from LastPass found that the average security score of over 43,000 businesses using LastPass is 52 out of 100, meaning even as more businesses invest in password management, most are performing middle of the road for password security. The report has several other notable findings, including:
- The bigger the company, the lower the security score on average. Organizations with 25 or fewer employees have the highest average Security Score of 50, and the average drops as the company size increases. More employees bring more passwords and unsanctioned apps, as well as extra opportunities for dangerous password behaviors. In larger organizations, it’s simply more challenging for IT to hold all employees to strict password security standards.
- On average, any given employee now shares about six passwords with coworkers. As teams become more distributed and technology-dependent, the ability to protect, track and audit shared passwords is more important than ever. Employees don’t need to stop sharing – they just need a secure way to do so.
- In the first year of investing in a password manager, a business gains nearly 15 security points. This represents a significant improvement in the security posture and is a tangible metric to validate the investment in LastPass and security training.
Overall, 75 percent of respondents in MediaPRO’s 2018 State of Privacy and Security Awareness report struggled with identifying best practices in cybersecurity and data privacy, an increase of five percent from the previous year. The study had several other notable findings:
- Fourteen percent of employees lacked the ability to correctly identify phishing emails. This is a notable increase in respondents who showed risky behaviors when it came to phishing attempts from MediaPRO’s 2017 survey, in which eight percent of employees struggled in this area.
- Only 58 percent of respondents overall could define business email compromise (BEC), suggesting a concerning lack of awareness surrounding this specific social engineering tactic.
- Employees in management roles or above showed riskier behaviors than entry- or mid-level employees. Seventy-seven percent of respondents in management showed a general lack of awareness, while 74 percent of those in subordinate positions scored the same.
NCSA and Nasdaq Cybersecurity Summit on Oct. 16
As a signature event of NCSAM, NCSA and Nasdaq will host a Cybersecurity Summit, “Securing America’s Critical Infrastructure” at the Nasdaq MarketSite in Times Square, New York. It is critically important to remember that the 16 sectors of our nation’s critical infrastructure are businesses themselves and vital to our country’s economy and prosperity. Everything from the upcoming mid-term elections to the electrical grid to financial centers and transportation hubs to agriculture and water could be drastically impacted by a cybersecurity attack.
Leaders from industry and government will examine the latest nation-state cybercrime tactics, how industry and government are thwarting these threats and ways they can and should work together to ensure a resistant and resilient America. The event will consist of a series of timely panel discussions and TED-style talks and culminate with the Nasdaq Closing Bell Ceremony.
“In today’s complex technology environment, the management of security vulnerabilities affecting both hardware and software is increasingly important,” said Audrey Plonk, Senior Director of Public Policy at Intel’s Product Assurance and Security Group. “We remain dedicated to working with industry partners, academia and government to advance technology and policy solutions that protect organizations around the world.”
“We’re living in an era where the increasing intensity and creativity of cyberattacks from both foreign and domestic actors underscores the importance of prioritizing cybersecurity,” said Brett Hansen, Vice President, Client Software and General Manager, Data Security at Dell. “From insider threats to nation-state level operations, preparedness comes down to what plan your organization has in place to stop an attack before it begins.”
The Department of Homeland Security developed a Toolkit that contains information about ways you can use cybersecurity key messages in your own organization to celebrate NCSAM. The Toolkit includes links to useful websites, social media language, key messages, and frequently asked questions to help you prepare for this year’s 15th annual NCSAM initiative. To download the DHS NCSAM Toolkit, please visit www.DHS.gov/NCSAM today.
ADP: Small and mid-sized businesses may be targeted by cybercriminals because they assume these businesses don’t have the security safeguards that larger companies do. ADP’s Small and Mid-Sized Business Security infographic includes security tips to help protect businesses.
ESET’s Cybersecurity Awareness Training is a free on-demand, interactive video training that businesses can send to their employees to help them become more cyber aware. The interactive gamified videos are a fun and effective way to teach and educate employees about cyber threats in the workplace and help keep your business safe. https://www.eset.com/us/cybertraining/
Symantec: Security is non-negotiable and security awareness isn’t limited to the workplace. Watch and share Symantec’s FREE Security Awareness Quick Tip video series for brief, actionable information to share with your friends and family! Be sure to talk to your friends and family about the inherent risks associated with their actions at work, at home and at school whether they’re online or not.
- How to Reveal the True Hidden Destination Behind a Web Link!
- How to Prevent Your Data From Getting Leaked
- File Sharing In The Cloud
Better Business Bureau: The BBB Institute for Marketplace Trust launched its #BBB Secure article series, which educates small businesses on the importance of HTTPS encryption and the basics of how to ensure business websites are secure for customers, and provides tips for consumers on how to identify websites that are not secure. The article series was created with support from Facebook and Comcast.
CompTIA: Corporate leadership cannot afford to leave comprehensive cybersecurity programs to others within the organization. Today, executives and board members need to be hyperaware of the vulnerabilities to cyberattacks, the growing risks associated with cybercrimes, and what a company is doing to protect itself and its customers. Find out how leaders can create a corporate culture that takes a proactive and holistic approach to cybersecurity, by reading “Building a Culture of Cybersecurity: A Guide for Corporate Executives and Board Members.” Download the white paper here.
EDUCAUSE: The National Student Clearinghouse, EDUCAUSE and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) released a white paper, “Cybersecurity: Why It Matters to Registrars, Enrollment Managers and Higher Education,” to kick off October as National Cybersecurity Awareness Month. Registrars and enrollment managers play central roles in an institution’s cybersecurity posture. The choices they make each day directly affect student data security.
NCAD Online: Directors need senior-level executives to understand and frame the implications of cyber-risk in an appropriate way in order to inform boardroom discussions about cybersecurity.
NIST: Each employee, from the newest hire to the chief executive, holds the power to harm or strengthen the organization’s security posture. “Cybersecurity is Everyone’s Job” was authored by the members of the National Initiative for Cybersecurity Education (NICE) Working Group subgroup on Workforce Management. This guidebook provides actionable tips for everyone in an organization, regardless of its type or size. It is intended for the general audience, and can be read as a complete guide, or by each business function as standalone advice. This is about turning the organization’s greatest vulnerability—its people—into the organization’s greatest cybersecurity asset. https://go.usa.gov/xUzBz
In-person and Virtual Events
Identity Theft: The Aftermath hosted by Identity Theft Resource Center, Thursday, Oct. 18, Washington, D.C., 9:00 a.m. – 1:00 p.m. at Google HQ with industry experts, media, government and advocates. Identity crimes create more than just a financial impact. Victims experience emotional, behavioral and lost opportunity-costs. Join the ITRC for the release of our Aftermath trend analysis. This half-day morning session will also include insights from victims and expert-led workshops. Full survey results of the Identity Theft: The Aftermath 2018 report will be published in Q2 2019. Registration website: https://www.idtheftcenter.org/aftermath2018/
Symantec Webinar: It’s Everyone’s Job to Ensure Online Safety at Work, Thursday, Oct. 18, 1 p.m. EDT/10 a.m. PDT
Week 3 will focus on cyber security workforce education, training and awareness with specific focus on understanding adversary objectives and the best practices for thwarting some of the most common threat tactics. Speaker: AJ Nash, Symantec
Register Here: https://www.symantec.com/about/webcasts?commid=330287
Federal Trade Commission (FTC): Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, will discuss an exciting, new cybersecurity initiative for small business during an interview with the National Cyber Security Alliance. The interview will be livestreamed via Facebook Live at 2:00 p.m. EDT on Oct. 18. Please join us at facebook.com/staysafeonline.
FTC Cybersecurity for Small Business Webinar: New Federal Trade Commission’s Resources, Thursday, Oct. 18, 3:00 ‒ 4:00 p.m. EDT. Learn about the FTC’s new cybersecurity for small business campaign. Hear how to use the FTC’s new tools to help improve cybersecurity for small businesses.
GRF Summit on Third-Party Risk, Oct. 24 – 26: at Lansdowne Resort & Spa, Leesburg, VA http://grfederation.org/2018-Summit-Overview The GRF Summit on Third-Party Risk aims to increase awareness of security best practices, offer an opportunity for collaboration among third-party vendors and organizations’ risk management teams, and provide a platform for security leaders to share expertise and learn from each other to improve holistic security. The Summit will provide training, education and networking on the critical cyber and physical security issues facing organizations, their vendors, and the areas where the two groups intersect. The event is being hosted by Global Resilience Federation in partnership with National Health ISAC, Financial Services ISAC, Legal Services ISAO, Oil and Natural Gas ISAC, National Retail Federation’s Retail ISAO, Retail Cyber Intelligence Sharing Center, Energy Analytic Security Exchange and Multi-State ISAC.
About National Cybersecurity Awareness Month
National Cybersecurity Awareness Month (NCSAM) was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. Now in its 15th year, NCSAM is co-led by the Department of Homeland Security and the National Cyber Security Alliance, the nation’s leading nonprofit public-private partnership promoting the safe and secure use of the internet and digital privacy. Recognized annually in October, NCSAM involves the participation of a multitude of industry leaders ‒ mobilizing individuals, small and medium-sized businesses, nonprofits, academia, multinational corporations and governments. Encouraging digital citizens around the globe to STOP. THINK. CONNECT.™, NCSAM is harnessing the collective impact of its programs and resources to increase awareness about today’s ever-evolving cybersecurity landscape. Visit the NCSAM media room: staysafeonline.org/about-us/news/media-room/.
About the National Cyber Security Alliance
NCSA is the nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry and civil society. NCSA’s primary partners are DHS and NCSA’s Board of Directors, which includes representatives from ADP; AT&T Services Inc.; Bank of America; CDK Global, LLC; CertNexus; Cisco; Cofense; Comcast Corporation; ESET North America; Facebook; Google; Intel Corporation; Marriott International; Mastercard; Microsoft Corporation; Mimecast; NXP Semiconductors; Raytheon; Salesforce; Symantec Corporation; Visa and Wells Fargo. NCSA’s core efforts include National Cyber Security Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from DHS; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks. For more information on NCSA, please visit staysafeonline.org/about-us/overview/.