If you had a choice between doctors to perform surgery on you, which would you pick: a doctor who has sat through training on how to perform an appendectomy; or assurance that your doctor will successfully perform your appendectomy?
The answer seems obvious, but on the topic of dealing effectively with human vulnerabilities in cybersecurity, most of us seem satisfied with “awareness training.” It’s a check-the-box response to regulatory compliance or client demands. Sign everyone up for an on-line phishing exercise and you’re done. Yet the consequences of ineffective training can be dire. You will most certainly lose productivity, you’ll probably lose money, and you may lose the company.
This is not to say that awareness is unimportant. But raising awareness is just the first step in effective cybersecurity defense. Employees—and management—must come to understand why and how security incidents occur and learn how to recognize and guard against them. In other words, you must develop assurance that everyone in your organization is equipped to protect the company and its assets. Continue Reading How to gain assurance against human security vulnerabilities
The indictment filed last Friday by Special Counsel Robert Mueller explains how Russian military intelligence officers hacked into computer systems of the DNC, the DCCC, and Clinton Campaign employees during the 2016 presidential race. With sweeping, specific details that have compelled unanimous confidence among Americans (except apparently 
How time flies. Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc. Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com. Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.
It’s 4:20 p.m. on Friday. You’re looking forward to meeting your friends soon for happy hour at the local bar. Your boss is on vacation, and you’re caught up for the week. All is well. As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT. The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account. They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution. They helpfully provide the correct bank routing information and demand the payment be made today. Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change. The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.
The aftermath of the Equifax breach continues. First, the Ugly:
The grousing began within 24 hours of Equifax’s 
At last!!! A good reason not to create dozens of hard-to-remember passwords! The updated 
A swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth. Sounds like Game of Thrones, right? Instead, this is our cyberthreat reality. And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for 
Hurricane season is in full swing. As I write this, Tropical Storm Emily is drenching Florida, and the governor has declared a state of emergency. Having lived in Florida myself, I know that most coastal residents do take hurricanes seriously. There are always those, however, who either don’t grasp the possibility that if a hurricane hits they can suffer real damage, or simply play the odds that it won’t happen to them. Hurricane readiness for them is a bottle of Cuervo Reserva and some DVDs for entertainment in case the power goes out. And so, too, it goes with data breaches.