There’s a common thread from the past week: insiders. They are still a huge risk.
People Don’t Know Common Threats
Wombat Security, a security awareness vendor, surveyed 2,000 people in the U.S. and the U.K. and discovered that a significant percentage (30%) didn’t know what phishing was and 60% didn’t know what ransomware was. The survey was taken just before the WannaCry ransomware attacks, so those numbers may be a bit lower today. The moral of this story? You can’t make any assumptions about user knowledge.
Don’t Forget About Contractors and 3rd Parties
More and more companies are utilizing external vendors and integrating them into their IT environments. It’s important to have a plan to deal with this risk. The U.S. government has updated the National Industrial Security Program Operating Manual to include provisions for contractors. This includes making sure that they have internal programs that meet the same standards for end-user security training as the government department for which they are consulting. Most companies should understand that this is becoming normal, and if a vendor argues against it, maybe you want to avoid connecting them into your environment at all.
…Because they’re dangerous
And here is a perfect example of the risk of contractors: a consultant has been charged with espionage for allegedly sharing top secret documents with a Chinese intelligence operative.
And lastly, some interesting reading for your Monday evening.
There’s been a lot of news over the last few weeks about the attacks on Ukrainian power infrastructure. This is a great analysis of what has been going on there and how it is likely the Russians practicing for larger cyber engagements. I have typically scoffed at references to “cyber war,” but it is increasingly being proven that attacks have gone beyond the online world, and physical ICS systems are clear targets for nation-state adversaries. This means the private sector is involved.