
    Third Party Risk Management and Cyber Supply Chain Risk Management

    Today’s business environment continues to be a challenge. Businesses, whether small or large, leverage third-party vendors to provide critical services like data handling (security, transmission, and storage), cloud storage/applications, and systems security monitoring. Each business must ask itself a few simple questions about one of its most valuable assets, “Data”, if or when it leaves your secure working environment: How secure is your customer data in transit and storage? Do your third-party vendors handle your “critical information”? Provide a secure environment for processing? Comply with a proven Cyber Security Framework? Perform a “Due Diligence” on-boarding step for the Nth vendors (how many vendors handle your specific data) in your cyber supply chain? Follow security agreements and service level agreements catered to information security? Ensure data privacy is an important element of their InfoSec Program? It is more important than ever for businesses that handle proprietary information, personally identifiable information and protected health information to understand the threats and risk management practices to ensure “Critical Information” is secure. These questions and more will be covered in this webinar.

    Cybersecurity Strategies to Protect Information Systems in Small Financial Institutions

    Leaders of financial institutions face challenges in protecting data because of the increased use of computer networks in the commerce and governance aspects of their businesses. The purpose of this single case study was to explore the strategies that leaders of a small financial institution used to protect information systems from cyber threats. The actor-network theory was the conceptual framework for this study. Data were collected through face-to-face, semistructured interviews with 5 leaders of a small financial institution in Qatar and a review of company documents relevant to information security, cybersecurity, and risk management. Using thematic analysis and Yin's 5-step data analysis process, the 4 emergent key theme strategies were information security management, cybersecurity policy, risk management, and organizational strategy. The findings of this study indicate that leaders of financial institutions protect their information systems from cyber threats by effectively managing information security practices; developing robust cybersecurity policies; identifying, assessing, and mitigating cybersecurity risks; and implementing a holistic organizational strategy. The protection of information systems through reductions in cyber threats can improve organizational business practices. Leaders of financial institutions might use the findings of this study to affect positive social change by decreasing data breaches, safeguarding consumers' confidential information, and reducing the risks and costs of consumer identity theft.

    Defining a new composite cybersecurity rating scheme for SMEs in the U.K.

    The 5.7 million small to medium enterprises (SMEs) in the U.K. play a vital role in the national economy, contributing 51% of the private sector. However, the cyber threats for SMEs are increasing, with four in ten businesses experiencing a cyber attack in the last twelve months. One significant treatment of this growing concern is the implementation of long-established information security standards and best practices. Yet most SMEs are not undergoing the certification process, even though the current threats are now widely published by the government. In this paper, we look at the disconnect of cyber threats faced by SMEs considering their current security postures and perceptions. We also identify the influencing factors needed to improve security behaviours and engagement with information security best practices. We then propose a new foundational composite cybersecurity rating scheme aimed at SMEs. The focus of our scheme is to ascertain and measure the security behaviours, perceptions and risk propensity of each SME, as well as their technical systems. To that end, we define our 5x5 matrix-based scheme by combining the measurements ascertained from the behavioural as well as technical audits. The preliminary evaluation results demonstrate that this approach provides a higher level of insight, engagement and accuracy as to an SME's individual security posture.

    Automating the Communication of Cybersecurity Knowledge: Multi-Case Study

    Cybersecurity is essential for the protection of companies against cyber threats. Traditionally, cybersecurity experts assess and improve a company's capabilities. However, many small and medium-sized businesses (SMBs) consider such services not to be affordable. We explore an alternative do-it-yourself (DIY) approach to bringing cybersecurity to SMBs. Our method and tool, CYSEC, implements the Self-Determination Theory (SDT) to guide and motivate SMBs to adopt good cybersecurity practices. CYSEC uses assessment questions and recommendations to communicate cybersecurity knowledge to the end-user SMBs and encourage self-motivated change. In this paper, the operationalisation of SDT in CYSEC is presented and the results of a multi-case study are shown that offer insight into how SMBs adopted cybersecurity practices with CYSEC. Effective automated cybersecurity communication depended on the SMB's hands-on skills, tool adaptedness, and the users' willingness to document confidential information. The SMBs wanted to learn in simple, incremental steps, allowing them to understand what they do. An SMB's motivation to improve security depended on the fitness of assessment questions and recommendations with the SMB's business model and IT infrastructure. The results of this study indicate that automated counselling can help many SMBs in security adoption. The final publication is available at Springer via https://link.springer.com/chapter/10.1007%2F978-3-030-59291-2_8
    Comment: 14 pages, 1 figure, 13th World Conference on Information Security Educatio

    SMEs, electronically-mediated working and data security: cause for concern?

    Security of data is critical to the operations of firms. Without the ability to store, process and transmit data securely, operations may be compromised, with the potential for serious consequences to trading integrity. Thus the role that electronically-mediated working plays in business today and its dependency on data security is of critical interest, especially in light of the fact that much of this communication is based on the use of open networks (i.e. the Internet). This paper discusses findings from a 'WestFocus' survey on electronically-mediated working and telework amongst a sample of SMEs located in West London and adjacent counties in South-Eastern England in order to highlight the problems that such practice raises in terms of data security. Data collection involved a telephone survey undertaken in early 2006 of 378 firms classified into four industrial sectors ('Media', 'Logistics', 'Internet Services' and 'Food Processing'). After establishing how ICTs and the Internet are being exploited as business applications for small firms, data security practice is explored on the basis of sector and size with a focus on telework. The paper goes on to highlight areas of concern in terms of data security policy and training practice. Findings show some sector and size influences.
    WestFocus* under the Higher Education Innovation Fund (HEIF 2

    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.

    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirement to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature, which we used to filter out techniques deemed unethical.

    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice, and subjecting each technique to ethical inspection using a comprehensive list of ethical principles, we propose the refined GDPR-compliant and privacy-respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.

    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.