USN-6493-1: hibagent update


On Ubuntu 20.04 LTS and Ubuntu 22.04 LTS, the hibagent package has been
updated to add IMDSv2 support, as IMDSv1 uses an insecure protocol and is
no longer recommended.

In addition, on all releases, hibagent has been updated to do nothing if
ODH is configured.


Email Security Flaw Found in the Wild


Google’s Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world.

TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on GitHub. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.

The vulnerability was discovered in June. It has been patched.


7 must-ask questions for leaders on security culture


The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

It’s not uncommon in today’s corporate world to see a creative marketer launching catchy security awareness campaigns, steering the entire company towards robust online safety practices. Elsewhere, job reviews increasingly assess how well employees are performing on the cybersecurity front. The shift in focus is clear. Organizations have come to understand that sophisticated tech tools aren’t the ultimate solution. People are the weak spot. In fact, researchers from Stanford University revealed that roughly 88% of data breaches are caused by employee mistakes.

Not to mention that we’ve observed a surging trend of attacks that sidestep technology and instead, zero in on people. The strategy is proving effective. Prominent ransomware incidents, such as those affecting Colonial Pipeline, JBS Foods, and Kaseya, have dominated headlines. As our tech-driven defenses become more advanced, malicious actors are adapting, always looking for the easiest entry point. Seeking efficiency and reduced effort, these cyberattackers often find employees to be the most appealing targets.

So, training everyone to have better awareness about cybersecurity isn’t just a good idea; it’s a must. Based on all this, we’ve got some recommendations for what leaders need to know and smart questions they should keep in mind for their next big meeting.

Five things leaders need to know about cybersecurity culture

Understanding security culture

The ambiguity surrounding the term “security culture” often stems from a foundational problem: its frequent usage without a clear definition. This lack of clarity paves the way for varied interpretations and assumptions. With this work, we aim to bring clarity to the concept. Security culture is described as the beliefs, traditions, and collective behaviors of a group that shape its security posture.

Why does security culture matter?

Sometimes, employees adopt poor security habits, either independently or due to a lack of proper guidance from the organization. Addressing these habits can be challenging. However, establishing a robust security culture can change their behaviors, enabling an organization to safeguard its reputation, brand, and financial well-being.

What does a good security culture look like?

Suppose an employee, Alex, receives an email from a bank filled with typos and featuring a suspicious link. At a workplace lacking a security culture, Alex thinks, “This is odd. I’ll set it aside for now.” However, in a company with a solid security culture, Alex’s immediate reaction is, “This could be dangerous. I need to inform IT.” Such a prompt action gives the tech team an early warning, allowing them to act before more damage occurs.

It isn’t about turning every employee into a cybersecurity specialist; it’s about ensuring each individual acts responsibly, embodying the qualities of a “security champion.”

Prioritizing values, attitudes, and beliefs over rules and policies

Cyber threats often catch organizations off-guard because a significant portion of their workforce isn’t adequately informed or prepared for these risks. Leaders hope for their teams to act responsibly, like locking an unattended computer or reporting suspicious emails. However, just organizing training sessions or phishing drills isn’t the complete answer. It’s the foundational values, attitudes, and beliefs about security that truly drive safe actions. A genuine security culture, anchored in shared responsibility and trust, surpasses standalone policies or tech solutions in effectiveness.

Cybersecurity culture gives your organization a competitive advantage

When employees handle important data and systems daily, they play a key role in maintaining security. It’s more than stopping threats; their careful actions make the business more reliable. This strong focus on cybersecurity can make your organization stand out and become a top choice for customers who value safety.

Seven questions leaders need to ask

Leaders must take a front-foot approach to embedding a cybersecurity culture. Evaluating the depth and effectiveness of such a culture requires critical self-reflection. To aid in this endeavor, consider these seven pivotal questions:

1. Is cybersecurity a priority at all levels?

Cybersecurity should be important at every level of an organization. The Cybersecurity at MIT Sloan consortium has a maturity model that talks about four different stages of organizations’ cybersecurity awareness. At the top stage, everyone knows cybersecurity is part of their daily job. In contrast, at the starting stage, people just know that some tools they use come with security features.

2. How often are employees trained on cybersecurity best practices?

Cybersecurity isn’t a one-time lesson; it’s a continuous process. While many companies might provide an initial training session, it’s crucial to keep everyone updated about the ever-evolving threats. The best practice is not just to remind them but to engage them. Regular sessions, say every 4-6 months, using interactive methods like examples and videos, can help in retaining the information and ensuring they implement it in their daily tasks. After all, the more informed the staff, the stronger the organization’s security front becomes.

3. What mechanisms are in place for reporting and addressing security incidents?

For an organization to react quickly to security threats, there must be a clear system for spotting and sharing these risks. Every team member should be familiar with the signs of potential security threats and know exactly how to report them. Equally crucial is the company’s response – there should be an established process to address and mitigate these incidents.

4. How do we encourage a proactive security mindset among employees?

The key to strong security isn’t just responding to threats but anticipating them. By nurturing an anticipatory approach to security among employees, they won’t just react; they’ll be ready. They might even stop potential risks before they become real issues. This proactive approach ensures the team is always a step ahead, safeguarding the company’s assets and reputation.

5. Are we measuring the effectiveness of our security culture initiatives?

Without metrics and regular evaluations, it’s challenging to determine if security initiatives are making an impact. Metrics can range from tracking the incident frequency and training completion rates to monitoring phishing simulation success rates and the time taken to respond to threats. Regularly assessing metrics like these provides a clear picture of the organization’s security posture, ensuring it remains resilient against evolving threats.

6. How are we addressing the human element of cybersecurity?

Machines can be updated and patched, but human behavior is more complex to modify. Acknowledging humans as a potential weak link means directly addressing their everyday online habits, training frequency, and awareness levels. Solutions might range from behavioral analytics tools that detect unusual actions to regular, hands-on training sessions that simulate real-world cyber threats.

7. Are our leaders and executives setting the right example?

Leadership’s behavior and commitment to cybersecurity cast a significant shadow over the organization. When top-tier leaders actively uphold and emphasize secure practices, it fosters a ripple effect, cultivating a collective sense of responsibility.

Conversely, if these key figures seem careless or not strict towards cybersecurity measures, it could inadvertently send a message down the line that such precautions are secondary or optional. The stance of leadership on cybersecurity not only defines the current values and principles of the organization but also paves the way for future decisions and responses.

Leaders hold a crucial position of trust and responsibility in shaping the cybersecurity culture of the organization. Every moment of delay in addressing culture-related concerns could be costly. By bringing these questions to the forefront during leadership discussions, they can set the organization on a secure path.


USN-6491-1: Node.js vulnerabilities


Axel Chong discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. (CVE-2022-32212)

Zeyu Zhang discovered that Node.js incorrectly handled certain inputs. If a
user or an automated system were tricked into opening a specially crafted
input file, a remote attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215)

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-35256)

It was discovered that Node.js incorrectly handled certain inputs. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-43548)


Six Steps to Protect Kids From Harmful Online Content


November 20 is World Children’s Day, a day that celebrates “international togetherness, awareness among children worldwide, and improving children’s welfare.” Highlights from last year’s celebration show the remarkable effort so many put into broadcasting their commitment to protecting children. However, the volume of online homages to the world’s youth also underscores how daunting the task of keeping children safe can be. The internet can bring a community together as it has over this event; it is also where many criminals and predators operate.   

Statistics from the Global Cybersecurity Forum (GCF) show the risk that digital life may pose for kids. Nearly three-quarters of children have experienced at least one type of cyberthreat. Inappropriate ads, images, content, and phishing attempts find children even when they’re not attempting to dodge parental controls. For parents, the thrust of International Children’s Day is an ongoing adventure, wherein they often struggle to provide the safe online learning environment their children need to thrive. To celebrate this year’s day of awareness, we’re sharing six tips for ensuring a more private and safe digital life for kids.   

1. Encourage children to talk about their encounters with you 

According to GCF data, 83% of children claimed they would alert their parents if they experienced an online threat. Yet only four in 10 parents surveyed said their child had ever expressed concerns to them about inappropriate content. If parents want to make their child’s internet time safer, they can focus on making conversations about online content comfortable. When parents know their children are experiencing threats online, they will be better equipped to do something about those threats.   

Remember, sometimes children can be exposed to traumatic content even if they follow your guidelines and go online with parental controls. Here are some additional tips for talking to your child about some of the content they may see online.  

2. If you see something, say something 

On plenty of occasions, online threats children experience likely do not require the involvement of law enforcement or a similar entity. When online threats involve malicious or solicitous content, it can warrant reporting the incident. Most parents (56%) tend to simply delete content rather than report said content to the police (41%) or inform schools, when appropriate (34%). If parents want transparency from their children, they may consider practicing a bit more transparency themselves, especially when it comes to encounters that may represent criminal acts.

3. Limit screen time altogether 

More than 80% of children go online daily, and 36% spend 3-5 hours online in a normal day. In the digital age that has seen a large uptick in digital learning, it’s tough to keep kids away from screens. But the easiest way to ensure kids remain safe from online threats is to limit their screen time altogether. That’s an easier-said-than-done task to be sure. If parents can find ways to decrease the amount of daily time kids spend behind screens, it will reduce the amount of time they’re available to be targeted by bad actors or inappropriate content.  

4. Demonstrate social media security 

Social media, one of the most popular online activities, is a popular way for younger generations to interact with one another. Built-in messaging on social media apps gives kids a place to message each other that’s one layer removed from text messages that parents may see. Social media has also made inappropriate content more accessible and gives hackers and other bad actors anonymity. Given that 36% of kids report coming across inappropriate images or content, and nearly 20% encounter hacking or phishing attempts when online, it’s not surprising that parents are worried about the social media content their children consume.  

Parents can educate their children about more secure social media behavior. Creating awareness of potential scams in their children starts with strong passwords, locked accounts, and reminding them not to click on links from or interact with accounts of people they don’t know.  

5. Enable parental controls 

This may seem like an obvious safeguard against disturbing online content, but not every app, browser or device’s parental controls settings are obvious. Some portals to the internet have more granular settings and others are a bit higher-level, so creating a hermetic seal around kids’ environment can be challenging depending on how they get online and what they access when they get there. Devices like iPhones and major internet companies like Google and YouTube have pretty robust parental control settings to block mature content or remotely limit screen time. Some social media apps also have controls parents can adjust to reduce the likelihood strangers find their child’s account.  

6. Install software like browser plugins and/or VPNs

Most browsers offer a library of plugins that allow parents to cast a web around potentially harmful content. Ad blockers can keep ads with mature content off of websites, and parental-control plugins can establish browsing controls so that kids can’t even navigate to places inappropriate content is more likely to be. Some plugins block website URLs or entire domains, rendering those destinations unnavigable.  

There are also many affordable VPNs on the market for parents. Most VPNs can do things like encrypt internet connections or obscure IP addresses and locations, making overarching internet connections safer and more private.   

Protecting children from online threats is an ongoing endeavor 

The UN established World Children’s Day to commemorate both the Declaration of the Rights of the Child, as well as the Convention on the Rights of the Child as guidelines for how to provide for and protect international children. Parents don’t need to wait for the calendar to turn to November to create a safer digital world for their families. These steps for protecting kids from malicious or inappropriate online content are not exhaustive but do provide a strong framework for adults who aren’t sure how to contend with the vast volume of information the world wide web generates.    

For those who want to introduce another obstacle between kids and inappropriate content, there’s always something like McAfee+ Family Plans. McAfee+ Family plans add protection against everything from unwanted content via parental controls to identity monitoring and social media privacy management. It’s an all-in-one way to make it that much more unlikely children encounter online content they shouldn’t.  

The post Six Steps to Protect Kids From Harmful Online Content appeared first on McAfee Blog.



FEDORA-2023-f23d9c5057

Packages in this update:

golang-cloud-google-0.110.9-1.fc40~bootstrap
golang-cloud-google-bigquery-1.56.0-1.fc40~bootstrap
golang-cloud-google-compute-1.23.2-1.fc40~bootstrap
golang-cloud-google-compute-metadata-0.2.3-1.fc40~bootstrap
golang-cloud-google-datacatalog-1.18.2-1.fc40~bootstrap
golang-cloud-google-datastore-1.15.0-1.fc40~bootstrap
golang-cloud-google-firestore-1.14.0-1.fc40~bootstrap
golang-cloud-google-iam-1.1.4-1.fc40~bootstrap
golang-cloud-google-kms-1.15.4-1.fc40~bootstrap
golang-cloud-google-logging-1.8.1-1.fc40~bootstrap
golang-cloud-google-longrunning-0.5.3-1.fc40~bootstrap
golang-cloud-google-monitoring-1.16.2-1.fc40~bootstrap
golang-cloud-google-osconfig-1.12.3-1.fc40~bootstrap
golang-cloud-google-pubsub-1.33.0-1.fc40~bootstrap
golang-cloud-google-secretmanager-1.11.3-1.fc40~bootstrap
golang-cloud-google-spanner-1.51.0-1.fc40~bootstrap
golang-cloud-google-storage-1.33.0-1.fc40~bootstrap
golang-cloud-google-trace-1.10.3-1.fc40~bootstrap

Update description:

Split golang-cloud-google into multiple modules
