Let’s talk about staff, bay-bee
Let’s talk about you and me, and all the good things and the bad things that may be. Once you start thinking about cyber-security, you tend to focus on the external threat – the $450bn cyber-crime industry that is very definitely out to get you. They often succeed, too, and sometimes the cost is very …
Tag: target
Tills down at Asda…
And in other entirely unrelated news, we still haven’t had a single report of a widespread POS malware attack on a UK retailer. Almost every US hotel chain; several very large US retailers including Walmart (Asda’s parent); and so on and so forth. But never in Britain. I’m sure this is entirely unrelated to our …
Don’t ask, don’t tell
British businesses are immune from cyber-threat. They must be, because when I sit down to compile the list of recent compromises I use to support my talks, the examples are always American. So it can’t possibly be happening here. Never mind the Barclaycard-backed survey that reported that 48% of the surveyed businesses had been hit …
Front door locked, back door open
Before you leave your house, do you check all the locks – doors and windows? Bet you do. When you audit your organisation’s IT security, do you do the same thing? Bet you don’t. You may have excellent perimeter defences; strong security policies; thorough security awareness training. You may run mobile device management, and configuration …
6 rules to avoid disaster: a practical guide to phishing and spear-phishing
A chain is only as strong as its weakest link. Are you that link? Hackers don’t come in through the firewall. They come in, most of the time, through a much easier route: the staff. How? By exploiting basic psychology, and being prepared to do a little research. The easiest way to get someone’s password …
Why security awareness training is more important than firewall upgrades
Most people’s image of cyber-crime comes from the media. A slovenly teenager sits in a darkened room, typing frantically in front of a bank of screens. Cut to shirtsleeved workers, typing in equally frantic defence in front of their screens. At some point the hacker is “through the firewall” and has complete control. Shortly afterwards …
Non-exec? Are you asking the right questions?
A non-exec directorship might (unfairly) be seen as a sinecure – a reward for a career’s accomplishments – combining a comfortable stipend with a light workload and the occasional decent lunch. Once upon a time this might well have had some truth to it, but the winds of change have long blown through the boardroom, …
What a year it’s been – review of IT security 2014
By rights, 2015 should be the year of cyber security. After all, 2014 was the year of cyber-security failure. Just consider some of the highlights: Target; Michaels; JP Morgan; Sony Pictures; Viator; Home Depot; Goodwill; Neiman Marcus; US Postal Service; iCloud (if none of the others mean anything to you, this one will. Just think …
It could be you
You probably won’t win £108 million on the lottery. But you will get hacked… There are times when I find it harder than usual to stay upbeat. As I’ve said before, much of what we do as IT security professionals feels like preaching Armageddon to atheists. They’re convinced it won’t happen, so they don’t really …