July 28, 2020
Good morning, everyone!
This week’s critical vulnerabilities: On Friday, CISA issued an alert in response to recently disclosed exploits that are actively targeting F5 BIG-IP devices, after issuing an alert earlier in the week regarding a security flaw with SAP Java. Yesterday CISA reported that 62,000 QNAP NAS devices are infected with malware. Patch your systems!
Security is a Team Sport
As you all know, I spend many hours each week reading about cyber security online. It’s amazing how often I will notice a common theme in many of the articles I read over a short period of time. This past week, I kept seeing references to security being a team sport. So let’s talk about that!
Last Wednesday, CyberScoop published a piece entitled “Fixing supply chain vulnerabilities should be a team effort”:
Security is a team sport, and each vendor has a huge opportunity to make an impact.
This particular piece focused on the recent disclosure of the Ripple20 vulnerabilities affecting literally tens of millions of devices (Internet of Things devices in particular), with the author making a strong case for more cooperation between hardware and software vendors to build security into IoT devices from the beginning.
I believe the theme is valid in every industry.
ZDNet recently published an interview with the Chief Trust Officer at Salesforce, discussing the importance of getting back to basics in information security. I love this quote:
I think the best thing that any business can do in securing yourself, especially as adapting to this new environment, this new work from anywhere environment, is to nail the basics…. treating cybersecurity like a team sport, building a culture of awareness in your company so that all the employees in your company can act like security trailblazers.
Did you know that the PCI DSS (the security standard for merchants who accept credit cards) has 12 security requirements, one of which is “Maintain a policy that addresses information security for all personnel”? Quoting from PCI DSS v3.2.1 (May 2018):
A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.
I love this! This is how building a culture of security fits into your overall information security program. What is a “culture of security”? It’s an environment where everyone is an active participant in protecting the organization’s information and systems. You can read more in my latest white paper Building a Culture of Security in TNE’s White Paper Library.
Remember last week in this newsletter I said “Your employees are the last line of defense for your information systems.” I mean that! Here’s a good article that talks about “incorporating security awareness into the organisational culture”:
“Businesses should focus on educating employees on how to protect their personal data, therefore encouraging employees to enact further security-orientated practices in the workplace.”
YES! This is why all my security awareness training courses include practical strategies for securing personal information online. Once the security mindset becomes a habit, it goes with you everywhere. This is a Good Habit that you want your employees to develop.
Finally, one of my favorite articles on the subject, “A Culture of Security, Not of Blame,” is well worth the time to read:
if you want to change behaviors you must work with a complete and holistic program, one that incorporates technology, people and policies. Not one by one, but together.
Start now to build a culture of security within your organization!