Jul. 23, 2018 "How to protect your workplace against cybersecurity attacks": Today I found this article by Bill Ross in the Globe and Mail:
Bill Ross is the founder of Vercerta, a risk-management consulting practice.
Cybersecurity intrusions and breaches happen to all kinds of organizations and no one is impenetrable. Equifax had data on 143 million clients stolen last year. Even the U.S. Internal Revenue Service admitted that 700,000 social security numbers and other information may have been stolen in 2015.
Canada is not immune. Last year, WestJet suffered a security breach involving its rewards program members.
Usually, breaches go unreported. According to a 2017 study by the Ponemon Institute – which conducts independent research on privacy, data protection and information security policy – the average cost of an intrusion today is US$3.62-million and the average time to resolve the damage of a malicious attack is 55 days.
The question is how to protect against an attack. Clearly, there is a balance between accepted risk and the cost of doing business.
The question is how to protect against an attack. Clearly, there is a balance between accepted risk and the cost of doing business.
Cyberattacks exploit weaknesses in an organization’s systems. The most common weaknesses are:
- Software vulnerabilities owing to poor coding. Witness Microsoft’s patch to deal with file sharing: The malware called WannaCry affected users who did not carry out a Microsoft update in 2017;
- Hardware vulnerabilities caused by computer memory and buffers being under stress, resulting in reduced data protection. This can happen in the normal course of operating a system or it can be induced by an attacker who overworks the central processing unit;
- Lax security practices.
There are different types of attackers. Some just do it for fun with no particular objective in mind. So-called “White Hats” perform intrusion tests in order to highlight weaknesses, while “Black Hats” are bad guys seeking profit or commercial advantage.
Finally, “Organized Hackers” are the most dangerous, because they possess sophisticated resources to help them perpetrate fraud.
Finally, “Organized Hackers” are the most dangerous, because they possess sophisticated resources to help them perpetrate fraud.
What attackers usually seek are user names and passwords.
Potential attackers follow a user’s social-media sites to gain insights into their personal profile, and lots of information is available. Pet names, product preferences and lifestyle behaviours can help intruders get answers to security questions.
How do you crack a password? It can be done with specialized software. Another method is by listening to unencrypted data transmission in unsecured networks (such as airports or coffee shops).
Disguising oneself as a trusted visitor, such as a network printer, can be a successful gateway into a network. So, how does an organization protect itself?
Start by fostering a culture of cybersecurity. This means employees should be well-educated about safety practices and should encourage one another to follow such practices.
Having secure passwords is paramount to security, and passwords are the easiest way for attackers to get in. The problem is we are human and have a limited capacity to recall passwords, and people can have several passwords.
The solution is to use a password vault, such as LastPass, which will generate a distinct password for each site that requires one and it will store that distinct password in a secure vault. All the user needs is one strong password to let them enter the vault.
Another good idea is having several e-mail addresses. That may be daunting, but separate e-mail addresses for work, home and banking will help you recover lost information.
Many security providers offer innovative solutions to help organizations enhance their security. The trick is to determine the delicate balance between what it costs to operate a business and how much to spend on data protection.
Always evaluate the security technologies available and determine which one provides the most value to your cybersecurity defence. For any organization, big or small, creating a strong cybersecurity foundation requires investing in the basics, such as security intelligence. This means having a program that lets you continuously learn about new methods of attacker intrusion.
The final defence is really an audit, or “risk assessment,” to test the organization’s system. It involves extreme pressure testing on all entry points to the system (i.e., performing tests to ensure that all attacks are blocked).
It is never enough to only test compliance with the organization’s policies. That sort of thing has a beginning and an end, and after the test the powers that be might think everything is hunky-dory. Big mistake. Indeed, this is where attackers thrive.
Testing must be a dynamic and continuous process to identify vulnerabilities so you can outwit and outpace the attackers. In other words, make it part of the culture, or one day pay the piper.
https://www.theglobeandmail.com/business/careers/leadership/article-how-to-protect-your-workplace-against-cybersecurity-attacks/
I'm disappointed that he doesn't emphasize the most important defence of all, user education. It gets only passing mention in the tenth paragraph.
The other threat that he glosses over is the one from within. Employees should be given access and information only on a need to know basis, and monitoring and audits regularly performed.
Most attacks these days are done by social engineering through malicious emails. Hacking individual passwords doesn't have near the payoff of malware enabled by an unsuspecting user clicking on a bad link or deploying malicious hardware, since the investment in time and money is greater than targeted email attacks.
"WeWork's meat ban is an exercise in brand building": Today I found this article by Virginia Postrel in the Globe and Mail:
WeWork Cos., the SoftBank Group Corp.-backed startup that rents out co-working and office space, recently told its 6,000 employees worldwide that it won’t pay for any meals that include red meat, poultry or pork. It justified the policy as environmentally friendly.
“New research indicates that avoiding meat is one of the biggest things an individual can do to reduce their personal environmental impact,” co-founder Miguel McKelvey said in a memo, “even more than switching to a hybrid car.”
(As someone who remembers “Diet for a Small Planet” propagandizing for vegetarianism in the 1970s, I wonder about the newness of that claim, which has also been called into question.)
(As someone who remembers “Diet for a Small Planet” propagandizing for vegetarianism in the 1970s, I wonder about the newness of that claim, which has also been called into question.)
Intentionally or not, there’s more going on. The meat ban is an exercise in brand building.
In today’s “meaning economy,” what we buy carries value-laden significance. It defines our identity and marks our tribe.
The shift from function to meaning as a source of economic value also shapes who works where. Instead of trying to be blandly inoffensive, workplaces embody the cultural values of their tribe. That’s why we see Google employees refusing to work on Defense Department projects or companies boycotting the National Rifle Association.
Nothing says “We’re a tribe” like food taboos. Dietary restrictions establish boundaries and define identity. Think of kosher food and Jews, halal meat and Muslims, vegetarianism and Brahmins — or the cultural differences between completely secular vegans and paleo diet devotees.
“Any food taboo, acknowledged by a particular group of people as part of its ways, aids in the cohesion of this group, helps that particular group maintain its identity in the face of others, and therefore creates a feeling of ‘belonging,’” observes ethnobiologist Victor Benno Meyer-Rochow in a much-cited paper. Think of the ban as team building.
Of course, group cohesion also fosters exclusion. For all the lip service to diversity, corporate tribalism enforces legally acceptable homogeneity. You can’t racially discriminate, but you can use Stuff White People Like as a guide to approving expense reports. A meat ban keeps out the kind of Neanderthals who make a big deal of loving bacon and probably have too much testosterone.
Slate’s Felix Salmon is correct that WeWork’s anti-meat stance will “cause a ridiculous amount of agita for its front-line staffers and, especially, the benighted HR folks tasked with enforcing the policy.” It’s a practical nightmare for people filing or monitoring expense reports: Can you go to restaurants that serve meat if you stick to vegetarian dishes? If so, do you have to list what each person at the meal ate? What if an important client or landlord insists on ordering the lamb salad or the Brussels sprouts cooked in bacon?
Given WeWork’s business challenges, however, taking an anti-meat stand may make sense. The company is, after all, a real estate business trying to look like a tech startup. Its business model requires taking on long-term leases while renting out the space to short-term tenants. It can’t survive on function alone. It needs a mystique.
With its logistical nightmares, the meat ban represents a costly signal that the company is special. Its very peculiarity is its strength. One way to make what is in effect just another real estate company look culturally distinctive — cool, even — is to adopt a tribal food policy.
No comments:
Post a Comment