Scott's Human Cyber Security Insights for May 24, 2024
Scott Wright, CISA
Speaker | Podcaster | Founder/CEO at Click Armor | Helping build confidence through engaging, interactive cybersecurity training
Hello, Cyber Warriors! Welcome to another edition of Human Cyber Security Insights. In today's newsletter we'll be discussing:
Who's taking responsibility for brand impersonation scams?
Ashley Madison Cyber Attack on Netflix
How can risk tolerance be used in human risk management?
Risk appetite or risk tolerance?
Google's "security response lead" calls for a new approach to phishing training
1) Tip of the Week: Who's taking responsibility for brand impersonation scams?
Businesses should be starting to do meaningful outreach to their clients about brand impersonation scams.
Brand impersonation attacks typically don't have any direct visibility on your corporate network. So, the only way you know if they are happening is through a dialogue with your customers.
Your PR, marketing and fraud teams all need to collaborate to build a clear plan for communicating effectively with customers about what they might be facing. Start by gathering stories from customers, and identify what kinds of attacks people are seeing.
Then, consult with customers about how they would like to be informed about how attackers might target them. Being proactive with customers about protecting them against attacks that impersonate your brand will build loyalty, and reduce fraud.
If you'd like to discuss concerns about how attackers are impersonating brands to exploit people for fraud or other threats, please send me a DM.
EVENT ALERT: Join me on June 5th at 2pm EDT, along with Robert (Rob) Iannicello from Conceal and Andria Delia for a fun webinar called "Back FROM the Future", where we explore some ransomware and cyberscam incidents with a view to analyzing what could have been done to prevent them, if we could go back in time.
2) Cyber Security in the Media: Ashley Madison on Netflix
A Netflix documentary on the Ashley Madison cyber attack is rapidly gaining popularity. The show follows multiple storylines of real people affected by the leak of personal data from a targeted breach attack on the company.
Did you know that there were documented cases of suicides as a result of the public release of the stolen Ashley Madison customer records?
This isn't a family show, but some of your team members may already be talking about it! Take advantage of this trending cyber story by asking your team who has watched and asking discussion questions.
3) RECORDING: How can Risk Tolerance be used in Human Risk Management?
The terms "Risk Management" and "Risk Tolerance" have specific meanings in some methodologies, and it's important for security professionals working in security awareness and human risk management to understand them.
Watch our latest Cyber Security Awareness Forum on how Risk Tolerance can be used in HRM:
Our bi-weekly Live CSAF sessions are free, and are jam-packed with value for security managers and anyone interested in security from a human risk management perspective. You won't want to miss our next session on Training IT teams on cyber security on May 29th at 1pm ET. You can sign up HERE.
To stay up to date, and be informed of upcoming live CSAF panel sessions, you can join the CSAF community HERE.
4) Risk appetite or risk tolerance?
Roger Tremblay presented on how risk appetite and risk tolerance can be used in a human risk management context last week in the Cyber Security Awareness Forum (CSAF).
Listen to the great examples of how this applies to specific human risk situations.
5) Google's "security response lead" calls for a new approach to phishing training
In this blog post, Matt Linton, the head of Google's "Security Response and Incident Management" division, is confirming many of the recommendations I have been making for the past few years. (Other stories quoting Linton's blog post are HERE and HERE.)
Among his observations that I agree with are:
The way I look at how security awareness training has evolved over the past 10 years is, "When the only tool you have for assessing employee vulnerability is phishing simulations, every employee looks like an adversary."
But there is no longer a need to limit yourself to live phishing tests. Individuals' skills can now be developed and assessed very effectively using interactive and immersive learning tools. For more info on this, please DM me.
About Click Armor...
The Click Armor platform is purpose-built to fill the gaps that exist in cybersecurity training today. It uses interactive, immersive exercises and simulations to build a more resilient workforce through a more positive user experience and metrics.
Start moving your program from low-value, compliance-based training to be more focused on "human risk management", with targeted, role-based guidance using Click Armor's engaging, interactive content. We can also enable more effective remediation of your known employee security vulnerabilities, while building more confidence and proficiency.
Engagement enables better learning
Click Armor is the interactive security awareness platform that enables fast and easy remediation of cyber security awareness issues. It engages employees, unlike anything you've seen before, to learn, retain knowledge and improve resilience to attacks.
Remediation requires engagement. If employees aren't engaged, they won't learn, and will remain vulnerable.
Why is it more effective?
After 15 years of teaching security awareness, including running large scale live "phishing tests" on my customers' employees, I observed how people will use any excuse to "disengage" with awareness training. So, I created Click Armor to keep employees focused on learning, with a more rewarding and relevant experience.
Imagine how your security culture could be improved if YOU (or one of your team's top executives) could be the central character in your interactive security awareness training experience?
Find out how you can get more employees through compliance training faster, strengthen your organization's security culture, and help your employees more effectively avoid phishing and social engineering attacks that target human vulnerabilities.
Make sure you are using the right tools to build a strong, positive and inclusive security culture.
If you'd like to see a quick demonstration of how Click Armor can be a key part of your human risk management program, check out this narrated video HERE.
Visit the Click Armor website at: https://www.clickarmor.ca