Importance of mobile device security – In the today’s world, it is very unusual to find anyone who doesn’t own some kind of mobile device. Mobile phones or tablets are manufactured by numerous number of companies and there are many different service providers that equip the majority of world’s population with mobile devices.

It is estimated that the number of mobile phone users by 2019 will surpass five billion people around the globe. In addition to the social and economical effects of this massive increase, there is a definite increase in the number of cyber crimes. Cyber criminals have taken advantage of this massive growth and developed methods to take advantage of the increased number of possible targets.

There are many opportunities for cyber-criminals to access their targets: through apps, operating systems and software, and by identifying and taking advantages of defects in security before the programmers do and a patch a released.

Threats to Mobile Device Security

An outdated view of hacking, malware or viruses would limit this activity to desktop computers or laptops. The reality is that mobiles are just as at risk. In fact, reported incidents are in the range of 16 million attacks. A mobile device can be at risk from several different methods, some of which include:

Malicious, or Insecure Apps

Malicious or insecure apps contain cyber security flaws in data storage, communication, or authentication practices, meaning they contain at least one common security vulnerability that can be exploited.

Data Sniffing

Data sniffing by capturing, monitoring and scanning traffic moving across a network. Active sniffingwill monitor traffic and it can also alter it in some way to the like of the attacking party.

Fake WiFi Networks

Fake WiFi networks poses as a legitimate wireless service provider to intercept information that users transmit.

Vulnerabilities

Vulnerabilities within operating systems can be used to gain control of mobile devices, and depending on the operating system and its software, some mobile devices can be easily patched. However, others may be more difficult to patch, which could leave them vulnerable.

Inactive Apps

Inactive apps that are installed on mobile devices but unused and have unsecured access to personal and corporate information pose a significant danger to devices if they are not uninstalled properly.

In addition to the above threats, mobile devices are also susceptible to physical attacks due to their portability.

But all is not lost. Here are some practical steps that will help you minimize the exposure of your mobile device to digital and physical threats.

Mobile Device Security Tips

Use strong passwords and/or Bio-metrics

Passwords are always important, but even more so when you consider that the device could be stolen and in the possession of someone who has unlimited access and time to try various values.

Screen Lock

The display should be configured to time out after a short period of inactivity and the screen locked with a password.

Remote Wipe/Sanitation

Many programs, such as Find my iPhone or Google Play Protect, even Microsoft Exchange Server (if an exchange email is configured on mobile device) allow you to send a command to the mobile device that will remotely clear the data on that device.

Physical Security

Mobile devices, such as tablets, mobile phones, and smartphones, must be properly stored and secured in a cabinet or safe when not in use.

Utilize VPN

Enforce the use of virtual private network (VPN) connections with a strong protocol like IPSec between the mobile device and enterprise servers, especially if connecting to an insecure open wireless network.

Encrypt your device

Data should be encrypted on the device so that if it does fall into the wrong hands, it cannot be accessed in a usable form without the correct passwords.

Disable Unused Features

Every feature has the potential to be another point of vulnerability in a mobile system, so it’s good practice to disable any features that don’t serve a purpose in your organization.

Install an Antivirus Application

A mobile antivirus solution will protect devices against malicious code (such as xCodeGhost and iBackDoor) embedded in apps. Here is a quick list of the most popular mobile antivirus application:

• Kaspersky lab (AppStore, Google Play).
• McAfee (AppStore, Google Play).
• ESET (Google Play).
• AVAST (AppStore, Google Play).

Disable Wi-Fi and Bluetooth When Not Needed

Disable Wi-Fi and the discovery setting on Bluetooth connections to prevent bluejacking and bluesnarfing attacks and avoid connecting to an insecure open wireless network.

Software Updates

Keep the mobile operating system and its apps up to date. Everything from the mobile operating system to the games and miscellaneous apps are potential gateways for hackers to compromise the mobile device. Updating mobile devices and apps on a regular basis ensures the best protection against most mobile security threats.

Other mobile device security tips

Perform Regular Mobile Device Security Audits

At least once a year, conducting mobile security audit helps companies keep their compliance programs up to date, effective and aimed in the right direction.

Perform User Education

Implement a continuous information security awareness and training program that teaches employees about mobile device threats and enterprise mobile device management and security policies.

The Bottom Line in mobile device security

Mobile device security should be a primary concern. It isn’t simple to accomplish, and new attacks occur every day through new vulnerabilities. You need to always be aware of and notice anything unusual that happens on your device.

We hope that the tips mentioned in these article will help to enhance your mobile device security. If you like this article please subscribe to our newsletter and share with your friends.

Also check out how can you raise awareness among employees enhanced mobile devices usage and various other information security domain here.

The post Mobile Device Security appeared first on CIATEC.

SSL certificate stands for Secure Socket Layer, and it is used to create an encrypted connection between website visitors devices (clients) and the server hosting the website.

In a nutshell, an SSL certificate is used to secure personal information that is being entered into a website such as usernames, passwords, address and credit card information.

SSL Certificate components

The certificate is composed of the following components:

• Digital signature of the issuing authority or the verifier
• The certificate key or serial
• Certificate expiry date
• Certificate owner

Do you need SSL certificate for your website?

If your website collects any sort of user information it will require an SSL certificate to keep the transfer of this information to-and-from the web server secure. Moreover, google chrome started in July, 2018 marking website without SSL certificate as “Not Secure”. So if you care about your search engine ranking, you definitely need to setup a certificate.

In the Let’s Encrypt era, where SSL certificates are given for free, the question is not whether you need a certificate for your website or not, because you most probably do. The question is whether you should go for a free or paid one.

When should you start paying for your SSL Certificate?

To answer this question first we need to look at the difference between free and paid certificates.

Verification Level
Free certificates provides domain validation (DV) only, whereas paid versions provide organization validation (OV) and extended validation (EV), meaning that they provide validation for the site owner organization and not just the domain name.

Duration
Free certificates usually have a validity period of three months while paid certificate can be renewed once every three years.

Support and Warranty
All paid certificate comes with backend warranty several support packages to purchase and tech support are only a chat window or email message away. Obviously, free SSL comes with no warranties and if something goes wrong on the verifier’s side, you’re on your own.

So both choices provide a website with the famous green https lock. But the bottom line is that free certificates are great for a blog or an informative website that does not have much more than a simple contact form and a newsletter subscription. However, if trust a major issue for online business- and in most cases it is- especially in e-commerce websites, then paid certificate is the only option.

Where to buy?

When it comes to paid service providers there are many choices, where budget and service levels are the most deciding factors. To name a few service providers:

• DigiCert – digicert.com
• Symantec websecurity – acquired by Digicert in 2017
• VeriSign – verisign.com acquired by Symantec in 2010
• Sectigo – Formerly Comodo – sectigo.com
• GoDaddy – godaddy.com
• Network Solutions – networksolutions.com
• Cheap SSL Security – cheapsslsecurity.com
• RapidSSL – rapidsslonline.com

Need help?

Hope that this article was helpful, if you require any help with setting up SSL certificate for your website let us know here. We’ll be more than happy to help.

The post What is SSL Certificate? appeared first on CIATEC.

The video released Thursday on social media channels of both Dubai Police and Emirates NBD bank uses Shaggy’s year 2000 hit “It wasn’t me” tune but with changed lyrics to warn users about banking fraud through social engineering techniques.

As Information security awareness professionals at CIATEC, we loved the video that got all the elements of a successful information security awareness material. It is a job well done conveying the message of keeping personal banking information safe using a 20 years well known rap song. This type of awareness material has proven to have a high penetration rate among audience.

Enjoy the video, and always remember to #SecureYourAccount.

Many organizations struggle to convey information security awareness material to users and customers. If that sound like your organization, contact us today to start your information security awareness program.

The post “It Wasn’t Me” – Dubai Getting Creative on Banking Fraud Awareness appeared first on CIATEC.

The first step in building a security awareness program is to establish baseline by doing some assessment quizes, phishing campaign and some other methods to check employees awareness level and start building the awareness program accordingly.

The following security awareness assessment quiz is a beginner-level, 10 questions quiz that can determine, for a certain extent, whether an employee is a security asset or a vulnerability that needs to be remediated. However, it is worth mentioning that there is no way to cover all information security domains in such a short quiz.

Similar information security trainings and phishing simulations, along with comprehensive information security awareness material are all part of CIATEC’s information security awareness program. You can check program packages here.

Ready? Let’s go

Your passwords should be easy to remember and hard to guess, which of the following is an example of strong password?

Image by Gerd Altmann from Pixabay

Passw0rd

29Feb1980

MyPetName

$ayN02#ackers

Correct! Wrong!

A password should be at least 8 characters long and includes special characters, numbers, a mix of uppercase and lowercase letters and doesn't not contain a dictionary word or phrase. This will make it hard to guess by hacking scripts.

Personal Identifiable Information (PII) is used to verify your identity and distinguish one person from another. Which of the following is an example of PII?

Image by TheDigitalWay from Pixabay

ID Number

Date of Birth

Home Address

All of the answers are correct

Correct! Wrong!

Personal identifiable information are "Personal" and should only be shared on need-to-know basis. Keep all your personal identifiable information (PII) to yourself and do NOT share it with any untrusted party.

True or False? A phishing attack can harm your personal computer only, but not your company’s network.

Image by Tumisu from Pixabay

True

False

Correct! Wrong!

A phishing attack may download a worm or other form of malware that can easily spread over the network and cause harm to all computers, servers and network peripherals.

Information security is the responsibility of:

Everyone in the company

IT Security Department

Security Guard

Top Management

Correct! Wrong!

Information security is everyone's responsibility.

True or False? It is OK to use the same password for all your online accounts as long as you keep it a secret.

Image by Gerd Altmann from Pixabay

True

False

Correct! Wrong!

Don't put all your eggs in one basket. You don't want all your accounts to be comprised just because one account is hacked. Use a separate password for each account. To remember your passwords, you can fix a part of the password and make the second part variable and linked some how to the service used.

Spear Phishing is:

Character vector created by freepik

An attack on your company’s email server

A phishing attempt targeting you personally

A random attempt to hack any point of weakness

A massive spam email attack on all employees

Correct! Wrong!

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party. Spear phishing works better than phishing because it uses information that it can find about you from email databases, friends’ lists, and the like. You can learn about the different types of phishing here

Hackers can crack your passwords by repeatedly trying to guess it. This password cracking method is called:

Photo by Soumil Kumar from Pexels

The “G” attack

Brute-Force attack

Phishing attack

None of the answers is correct

Correct! Wrong!

A brute-force attack works by repeatedly trying to guess your password until it is cracked. That is why you should always use long and complex passwords that will take ages to guess.

True or False: Physical security is NOT related to information security.

Image by PublicDomainPictures from Pixabay

True

False

Correct! Wrong!

Physical security controls are at the heart of any information security program. At the end of the day, information assets are stored on physical media such as hard disks, flash drives or simply papers.

The FIRST objective of a "Security Aware Employee" is to be able to:

Photo by Miguel Á. Padriñán from Pexels

Avoid a security threat

Manage a security threat

Report a security threat

Recognize a security threat

Correct! Wrong!

The first step in the information security awareness ladder is to make sure that the average employee is able to identify threats and then report it to the right party. Threat avoidance and management are not the main responsibility of an average employee.

Tailgating is a form of social engineering that allows hackers to:

Watch company’s main gate 24/7

Get unauthorized access to restricted areas

Watch employees as they leave the gate

Following an employee after leaving work

Correct! Wrong!

In information security, tailgating is a social engineering technique used by hackers to deceive organization's officials through direct speech or actions in order to gain access into restricted areas. An example of tailgating is when one person tags along with an authorized employee to access a building or pass a certain checkpoint.

Information Security Awareness Assessment Quiz for Employees

Your score is low. Security awareness is urgently needed.

We highly recommend that you get involved in an information security awareness program that will help you recognize cyber security threat when you see one. The good news is that we are here to help. Learn more

There is a room for improvement.

Your score indicates that you have a sense of security when it comes to cyber threats, but there room for some improvement. We can help you with that. Learn more
Share your results and challenge your friends.

You have a good sense of security, you are an asset!

Your score indicates that you have a very good sense of security when it comes to cyber threats in the subject domains. But what about your colleagues? Do they all have the same security awareness level?
A well implemented security awareness program will harden the human layer of security of security.Learn more
Share your results and challenge your friends.

Share your Results:

Facebook Twitter

  Play Again!

Interested in our information security awareness services?

The post Information Security Awareness Assessment Quiz for Employees appeared first on CIATEC.

Why do companies need phishing training and awareness solution for their employees? – In today’s world, 85% of IT security breaches are attributed to successful phishing and social engineering attacks targeting the weakest link in the cyber security chain (aka, employees)!
And this year 9 out of 10 phishing attempts are ransomware attacks that encrypts your data and won’t release it unless a ransom is paid.
And no matter how big the investment in high-tech security solutions is, the number of breaches from phishing and complicated social engineering attacks continue to rise bypassing all network security defenses and often making its way into users mailboxes. Luckily, Phishmark is here to reduce this risk, especially when implemented as part of a comprehensive information security awareness program.

What is Phishmark?

PhishMark is an affordable phishing simulation framework that allows information security staff to schedule and launch phishing simulation campaigns utilizing a variety of ready-made email templates. Campaign results will identify, in-real time, the users who took the bait, and provide awareness material on the spot by redirecting them into a pre-designed educational landing page. Statistical reports will provide top management with an overview of the current status and the progress of users in identifying and reporting phishing attacks and adapting safe habits.

Phishing Training for Employees – Life Cycle

Once-a-year security awareness and training session is one way of doing things, yet, it is not enough! You need an on-going solution that meets the trends and can point out the weakest link so you can harden it.
CIATEC’s PhishMark is the solution you need to empower “the human firewall“!

Phishmark is a phishing training and awareness solution for employees that goes around the year running simulations to cover every angle a hacker might use to get into a company’s network through phishing and social engineering attacks. We follow the below steps:

1. Baseline: The first step is to establish baseline by running an initial campaign.
2. Train: Provide awareness material based on the results of the first campaign.
3. Phish: Run new phishing campaign.
4. Analyze: Analyze the results and measure the progress.

It is important to note that Phishmark is proven to provide better results when integrated with Ciatec’s information security awareness program.

PhishMark – Phishing Training Main Features

Dashboard

PhishMark will show a dashboard for all campaigns as well as separate dashboard for every single campaign. The dashboard will show:

1. Number of phishing simulation emails “or baits” successfully delivered.
2. Number of employees that opened the simulation phishing email.
3. Percentage of employees that actually took the bait, i.e.; clicked the link.
4. Number of users who actually submitted data to the pretend hacker.
5. And finally, the information security specialist running the simulation will be able to count the number of employees that actually reported the threat.

Email Templates

Administrator will be able to create his own email templates that fits his organization. Or use ready-made email templates covering many domains and season, including: Banking, social media, eCommerce and many more.

Grouping Users

The solution allows creation of target groups. Useful for targeting every department with a separate phishing campaign.

Landing Pages

Employees who fall victims for phishing campaigns will be redirected to a previously designed landing page similar to the below. Administrator is free to use ready-made phishing awareness landing pages provided by PhishMark, or upload his/her own.

Questions?

Ask us on ask@ciatec.com or contact us today to start using PhishMark to Phish and Mark employees that need further training and awareness on phishing and social engineering.

The post Meet PhishMark: Phishing Training & Awareness Solution from CIATEC appeared first on CIATEC.

• Information Security Management: ISO/IEC 27001 Information Security.
• IT Security: ISO/IEC 27032 Cyber Security and ISO/IEC 27035 Incident Management.
• Continuity and Resilience: ISO 22301 Business Continuity Management System.
• Service Management: ISO/IEC 20000 IT Service Management and ISO/IEC 55001 Asset Management.
• Quality Management Systems (example: ISO 9001 Quality Management Systems, ISO 13053 Six Sigma, ISO 21500 Project Management).
• Health, Safety and Environment (example: ISO 14001 Environmental Management, ISO 22000 Food Safety Management, ISO 45001 Occupational Health and Safety Management).

together we can build a strong and value-based society Eric Lachapelle, CEO of PECB

PECB issued an official press release announcing this partnership, where Mr. Eric Lachapelle, CEO of PECB, expressed PECB’s determination to make a renewed and positive contribution towards building a strong value-based society (Read full press release here).

At CIATEC, we truly believe that adopting and adapting internationally recognized standards and frameworks can transform organizations and lift them up to a whole new level. And this partnership with PECB will definitely contribute to CIATEC’s mission to provide our clients with the highest quality of management systems implementation, consulting and training services. We look forward to a successful long-term partnership with PECB.

About PECB 

PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise on multiple fields, including but not limited to Information Security, IT, Business Continuity, Service Management, Quality Management Systems, Risk & Management, Health, Safety, and Environment. For more detailed information regarding PECB principal objectives and activities, visit www.pecb.com.

The post CIATEC signs partnership agreement with PECB appeared first on CIATEC.

Lack of cyber security awareness training and accountability tops the list of causes of information security breaches. According to Gartner, spending on information security products and services reached a value of $114 billion US dollars in 2018, with an increase of 12.4 percent from 2017. On the other hand, the average total cost of a data breach in 2017 was $3.62 million according to IBM and Ponemon Institute. And 2019 forecasts are not any better. When you dig deeper in the studies, you realize that a high percentage of data breaches surprisingly took place in organizations of high IT security budget. And while some attacks could be traced back to disgruntled workers, a great deal of other attacks are simply a result of actions done by naive and non-harmful employees that simply weren’t well informed.

Over the past years, IT became the main enabler of almost every business. And security has always been a major concern. Implementing a security awareness program has become a must for an organization, regardless of it’s size, industry, or location.

• Main causes of Cyber Security Breaches
• Importance of Cyber Security Awareness and Training
• Cyber Security Awareness Topics
• Cyber Security Awareness Channels

Top Reasons of Cyber Security Breaches

1- Uninformed Employees

Uninformed, naive and non-harmful employees lacking information security awareness and training tops the list of causes. Our experience taught us that technology alone cannot completely secure IT environments, there will always be the human factor involved, whether within IT department side or at end users side. Unfortunately, human brain cannot be patched same as a computer! It can only be nourished by knowledge, training and awareness material.

It only takes one single uninformed employee who takes the bait of a phishing email to compromise organization’s cyber security.

Hint: Deploy Information Security Awareness Program that goes around the year and keep it up-to-date with the latest threat trends, accompanied with phishing simulation solution.

2- Human Errors

Human errors of regular IT users are always a threat. However, the bigger threat are the errors done by IT administrators! Lack of knowledge, sometimes lack of focus leads to configuration errors that leaves some doors open for hackers.

Hint: Adapt a framework or a standard that organizes change, event, problem and incident management, such as ISO 27001, ISO 20000 or ITIL.

3- Malware

Successful malware attacks such as ransomware, viruses, worms, and trojans are always a threat to cyber security and a reason behind security breaches.

Hint: Train your staff on how to deal with malware attacks and apply endpoint security best practices.

4- Stolen Devices

Laptops and mobile devices that are sometimes stolen during commuting or traveling pose a significant risk that should be handled by risk management.

Hint: Raising awareness and applying mobile devices encryption.

5- Disgruntled workers

Dissatisfied employees and third-party contractors with bad intentions.

Hint: Deploy proper employee termination, segregation of duties, and vendor management processes.

6- Lack of Funds

Low cyber security budget is a problem on its own for some organizations. While other organizations fall in the trap of “budget maldistribution”, where most of the budget goes for sophisticated security software and hardware appliances while employees information security awareness and training are neglected; Big Mistake!

Hint: If there is no way to increase cyber security budget, existing budget should at least be distributed properly.

What will Security Awareness and Training add?

Cyber security awareness and training provides the following benefits:

1-  Hardening the Last Layer of Defense

Employees are the last layer of defense, and in some case they are the first layer, depending on the nature of the attack. Yet, they are the weakest link in the cyber security chain, this has become a universal truth. A well implemented and maintained cyber security awareness program will insure hardening this link and empowering a stronger network.

2- Compliance Requirement

All major information security standards and frameworks such as ISO/IEC 27001 requires an information security awareness program to be in place.

3- Adapt with the Continuously Changing Threats

The complexity of threats and attacks is increasing every day. Cyber security units needs to keep up and more importantly, cyber security awareness units needs to keep all users informed about the latest threats and cyber attacks trends.

4- Increase Engagement

Does your organization have an information security handbook containing all your information security policies? Is it updated and distributed to users on regular basis? If so, how many of them do actually read it, understand it and become familiar with its content?

With awareness things are different. Running cyber security awareness campaigns all over the year and on various channels will create a culture of security within the organization and engage employees in information security practices.

Cyber Security Awareness Topics

Importance of cyber security awareness topics varies from one organization to another. Each organization has its own priorities. Yet, it is always recommended to work holistically on covering all topics when implementing a cyber security awareness program. The major topics that should be covered in an information security awareness program:

1- Physical Security

Physical security is a sub-domain of information security that goes beyond IT to address issues related to entrance points, locked doors, drawers, cabinets, desks, as well as desktops, laptops and mobile devices security. Users should be aware and able to deal with physical security threats of all kinds.

2- Data Security

Cyber security is all about protecting information assets, right? Educating users on how to handle data security should be a major topic in any cyber security awareness program.

3- Print Security

Whether in hard copies or in soft copies, information needs to be secured. Print security is one of the many topics address in information security awareness program.

In addition to making users aware of concepts of secure printing, there are plenty of built-in and third-party printing solution that can be of great use in implementing secure printing policies.

4- Network and Wireless Security

Given the insecure nature of wireless networks, enterprises counts on employees awareness to better harden this area. An organization owned laptop or other mobile device, has at least 10 wireless networks SSID stored. SSID’s of office, home, airport, hotel, coffee shop…etc. Sniffing can occur on any wireless network jeopardizing the organization information assets. Hence, wireless network security awareness.

On the other hand, with sophisticated wired network security solutions, organizations might reach a significant level of security. Yet, awareness is always needed to harden the weakest link.

5- Data Destruction

Security doesn’t stop when you stop using a certain device. If a device still got your data, security policies will still apply, even if the device is not used any more. And if the device is to be disposed, it must be disposed securely. Cyber security awareness programs should cover topics on how to get rid of old devices in a secure manner.

6- Password Security

Password security is one of the most challenging domains in cyber security awareness. A lot of resistance is found here, users hate to be forced to remember new passwords and have a difficulty creating new passwords that meet complexity requirements.

Luckily, there is a solution: CIATEC’s information security awareness program helps users get over this.

7- Phishing and Email Security

Phishing attacks are getting serious. 9 out of 10 phishing attacks are now ransomware, and pseudo ransomware is a new trend. Pseudo ransomware attacks are here to make users pay a ransome for data that is not even encrypted!

Training on how to avoid phishing scams and what to do in the event of an attack is a high priority in cyber security awareness program. Phishing awareness and training cycle goes through four steps: Asses, Educate, Phish, Get results, and REPEAT. Phishing awareness, like any other cyber security awareness component, is a continuous cycle.

For more info about phishing awareness: ciatec.com/phishing

8- Malware

Users in any business industry, size, or even home users should have the ability to identify a malware attack when they see one. It is also important that users identify the malware type (virus, trojan, worm, adware, spyware, ransomware…). But what’s more important is to know how to act in the event of malware infection. A good cyber security awareness program should provide this know how.

9- Mobile Devices Security

Mobile devices, whether personal or corporate owned, holds information assets that must be protected. Mobile devices security is a serious topic that should be addressed thoroughly in a corporate cyber security awareness program.

10- Browser Security

Training users on how to check URLs and ssl encrypted site (i.e.,https), keeping browsers up-to-date, minimal plugin usage, and scan any downloaded files are basic browser security awareness material.

Cyber Security is everyone’s responsibility.

Cyber Security Awareness Channels

Communicating the information is as important as the information itself. What fits one organization, may not necessarily fit another. Communicating cyber security awareness material to the right audience and using the right channels is what an awareness program is all about. Here is a list of the most commonly used cyber security awareness channels.

Educational Videos

Videos are one of the most effective learning material. CIATEC provides cyber security awareness videos hosted on CIATEC’s servers or on client’s portal. Like all cyber security awareness material, videos are continuously updated to keep up with the latest cyber security awareness trends as well as latest animation trends.

Billboard or Roll-up Banners

A roll-up banner in a meeting room, in the lobby, or any other public space will help raising cyber security awareness without an effort.

Screen Posters

Same as roll-up banners, displaying cyber security awareness material on screens if available in public places will help raising cyber security awareness by targeting all staff.

Email Posters and Newsletters

Email posters and newsletter is another channel, that can become handy when trying to address specific topics in cyber security awareness program. Especially, when presented as an element of a bigger campaign.

Gaming material

This has also proved to be one of the most effective techniques to pass the awareness message in atmosphere of fun and entertainment. Whether a simple cross-words puzzle or matching gaming, or much more sophisticated information security gaming material, it all helps to easily relay the information to users.

Educational Magazine

Educational magazines, whether as e-magazine, email newsletter or a paperback. When published and distributed on regular basis it will keep users informed of the latest security trends and how to avoid breaches.

Information Security Courses, Workshops, and Quizzes

Old fashion class room training courses, and online courses are always a good channel to reach out to employees. In training, it is advised to group employees based on trades or departments. This way the trainer can address specific security topic that may be associated with the audience trade.

Training should also be followed by a quiz to measure cyber security awareness and training effectiveness.

Phishing Simulations

Proven to be one of the most effective ways to identify points of weakness against phishing attacks. Phishing simulations awareness campaigns, as part of overall cyber security awareness program, use hundreds of templates and provides accurate reports identifying:

This way, information security team can identify and educate employees accordingly. Contact us here to start a phishing awareness campaign.

Dedicated Information Security Portal and Mobile App

A dedicated information security web portal will serve as a reference for all users in all information security matters within the organization and will help keeping users well informed. It may contain the below elements:

A dedicated cyber security awareness mobile app is even better. It will allow information security units to reach users on the go.

Hint: By combining our web and mobile enablement skills along with security awareness services, CIATEC can build your information security web portal and mobile app in no time!

Conclusion

Cyber security awareness is no longer an option. It is a significant layer of security that every IT-enabled organization must have.

CIATEC‘s cyber security awareness program is designed to help organizations of various sizes and industries to minimize the risk of data breaches. Contact us today to start building your own program.

The post Successful Cyber Security Awareness Program Elements appeared first on CIATEC.

If you are reading this on an iPhone, you might want to stop reading and immediately go into your settings and disable Facetime.

Apple confirmed an unpatched bug in group Facetime app that allows a caller to see and listen to you without even picking up the phone!

The bug was reported in January 21st by @MFT7500

My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval. I have video. Submitted bug report to @AppleSupport…waiting to hear back to provide details. Scary stuff! #apple #bugreport @foxnews

— MGT7 (@MGT7500) January 21, 2019

It is worth mentioning that this major privacy issue was reported days before the world celebrated #DataPrivacyDay on January 28th.

The post [Awareness] Disable Facetime on your Apple Devices till a Patch is Released appeared first on CIATEC.

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.

What is GDPR?

At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

The GDPR applies if:

1. Your company processes personal data and is based in the EU, regardless of where the actual data processing takes place; or
2. Your company is established outside the EU but offers goods or services to, or monitors the behavior of, individuals within the EU.

What is personal data under the GDPR?

Personal data is defined as any information related to a natural person or data subject that can be used to identify the person directly or indirectly.

Some key points to note in respect of GDPR:

Organizations must maintain a Personal Data Breach Register and, based on severity, the regulator and data subject should be informed within 72 hours of identifying the breach.

Fines for breaches of certain important provisions can amount to up to €20 million or 4% of global annual turnover, whichever is the greater. 

Individuals’ rights under the GDPR

All individuals in the EU will have the following rights with regards to their personal data:

Do we need to appoint a Data Protection Officer (DPO)?

Under the GDPR, an organization must appoint a DPO if:

• It is a public authority (except for courts acting in their judicial capacity).
• Its core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking).
  
• Its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offenses.

Ready to comply?

Obviously, tech giants such as social media networks, google, amazon are the most affected parties. However any other company operating in Europe or providing services to EU citizens must comply. And with fines reaching €20 million, the cost of not complying with GDPR is far greater than any investment to be made in order to comply with it.

Contact CIATEC today, to have all your information security processes are in complaint with GDPR.

The post GDPR Explained in 2 Minutes (Video Inside) appeared first on CIATEC.

ISO/IEC 27001:2013 is the standard for Information Security Management; ISO 27001 is part of the ISO 27000 family of standards which helps organizations keep information assets secure. It is used by thousands of companies worldwide and allows them to establish a clear effective system for maintaining confidential data so that it is safe and secure, yet, available. This standard combines requirements for the security of procedures, the workforce, as well as the physical and technical aspects of the company.

As defined by the International Organization for Standardization, ISO/IEC 27001:2013 standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Why ISO 27001:2013?

Information security is not an IT issue, but rather a company-wide problem. Security risk management is a vital component for an effective security plan and there are many options available to companies. Therefore, a reputable, proven standard like ISO 27001 provides a comprehensive guideline to base a security system on and a plan for recovery in the case of a security breach.

The ISO 27001 standard includes requirements for investigating the company’s information security risks and considers the threats, vulnerabilities and impacts that are specific to that company. It consists of a guide for selecting and implementing a set of data security controls, measures and procedures to manage the most dangerous risks to the company. It also highlights the necessity of continuous monitoring so that the security procedures and risk treatments are kept up to date and continue to meet the organization’s individual information security needs on an on-going basis.

What value does ISO 27001 certification add to a business?

There are a number of important business benefits in adopting ISO 27001, whether applying it as a best practice or getting an official certification. Here is an infograph highlighting the most important ones.  

ISO 27001 Benefits include:

• Allow doing business globally
• Improve planning and control
• Achieve better human relations among different departments.
• Improves your ability to recover your operations and continue business as usual
• Reduces likelihood of facing prosecution and fines
• Increase the ability to comply with the GDPR (General Data Protection Regulation) approved by EU.

Make no mistake, achieving ISO 27001 is not a guarantee that information breaches will never occur, however by having a robust system in place, risks will be reduced and disruption and costs kept to a minimum.

Implementing ISO 27001 Process

Implementing ISO 27001 can often be seen as quite an administrative and procedural business process. There is a false belief that ISO 27001 implementation is a clerical and bureaucratic business route and that the severity of the standard limits the operations of a company.

An obvious consideration to make when deciding whether to implement ISO 27001 or not is the potential drain on time and resources. The hints below explain how to achieve an effective execution of ISO 27001.

Top tips on making ISO/IEC 27001 effective for you

Conclusion

The ISO 27001 method provides a company with the optimum framework on which to base a security strategy. It provides information on how to introduce and update security methods and a guideline to work off for internal compliance or external certification against the standard.

The use of ISO 27001 is the optimum method of guaranteeing information security of a company. This is not a stand-alone method however, and it requires a joint task-force of a culture respecting and valuing information and keeping it secure, through individual ownership and responsibility for information security.

Need consult regarding ISO 27001? Contact us here, @AskCiatec on Twitter and follow us on Linkedin for future updates.

The post ISO 27001:2013 How will your organization benefit? appeared first on CIATEC.