In order for our security awareness programs to be as successful as possible, they need to mitigate every threat–not just the ones with top billing. Although phishing attacks are extremely common, there are other threats quickly catching up. The change in priorities and environment brought on by the shift to remote work last year highlighted several areas of weakness that may not be getting enough attention, including password security, network protection, safe web browsing, and general remote work best practices. So, while users may be incredibly adept at spotting phishes, they could be jeopardizing organizational security in a number of other areas without even knowing it. 

Password security

Passwords and authentication are an easily overlooked area of security training simply because they’re so “simple.” Administrators commonly make the crucial mistake of assuming that their employees already understand how password security works. Unfortunately, the number of breaches over the past few years enabled by weak credentials would indicate otherwise. Infamously, the massive Equifax breach, which exposed the personal data of 143 million users, was partially caused by a username/password combo of “admin/admin.” The shift to work-from-home and the increased use of cloud services has also initiated credential-related hacking attempts; if there were ever a time to hone in on password security, it’s right now.

Network protection

Back when everyone still worked from an office, locked-down office networks and an on-site IT team could be counted on to bolster the organizational firewall. Home networks, on the other hand, throw an extra wild card into the mix. While employees may have been instructed how to set things up properly (assuming there were enough time and resources to do so), continued upkeep and proper usage aren’t a given. Many of the habits that ensure secure networks, such as installing updates, need to be repeated often; regular network security training is an effective way to keep best practices top of mind and encourage formation of those habits.

Web browsing

The web has always posed a significant risk to security, from malicious ads infected with malware to fake web pages used to harvest credit card information. Add to that a home/work environment with less oversight and fewer organizational controls, and browsing the web may be even more of a risk than it was before. Even if users theoretically understand the basics of web security and what warning signs to watch out for, the distraction of remote work could cause an inadvertent slipup. Beyond that, the threat landscape in this area is constantly shifting and becoming more sophisticated, putting even the most knowledgeable users at risk.

Remote work security 

Again, remote work introduces a plethora of new security threats that simply weren’t an issue before. The fact that work is suddenly intermingled with kids, remote schooling, even visitors to the house means that employees need to work harder than they would at the office to maintain a secure, separated work environment. Devices are more likely to get lost, damaged, or stolen, sensitive documents can get picked up or misplaced, and conversations may be overheard by people who shouldn’t be hearing them. In general, organizational privacy is a lot more difficult to maintain. If employees haven’t been trained on how to protect their data and devices at home, they need to be, before a major breach occurs.

Achieving security awareness in all these areas might seem like a difficult task, especially if it means pivoting from a phishing-centric program to a more holistic one. Thankfully, it doesn’t need to be. General security awareness courses are specifically designed to train users across all aspects of security, while being mindful of employees’ time constraints and attention spans. If you haven’t considered general security awareness training, there has never been a better time.

About the author

Larry Cates is the President and CEO of Global Learning Systems, a leading provider of enterprise security awareness and compliance training solutions to Fortune 1000 clients. Working directly with senior-level executives and security officers, Mr. Cates advises and consults on the design and implementation of client-tailored continuous learning and behavior management programs to address key security concerns and prevent security breaches related to inappropriate user actions.. Mr. Cates and the GLS team are actively developing new solutions and capabilities that promote an organizational security culture through user assessments, security metrics and goals tracking, as well as game-based learning, behavioral analytics tools and just-in-time targeted user training. 

The post The importance of general cyber security awareness appeared first on OpenSesame.

Common areas of vulnerability

While technology has helped automate many  business processes, the opportunities for breaches has multiplied as a result. It is essential that your employees are not only cautious with their computers, but also with their cell phones and USB connections. Something as simple as using a USB plug to charge your phone in a public place can leave your information vulnerable if you don’t take necessary precautions.   

52% of businesses admit that their employees’ biggest weakness is in IT security. Furthermore 46% of cyber security incidents are from careless or under trained staff. 

Check out these courses offered through OpenSesame to get your workforce up to speed: 

• • Data Privacy and Information Security
  • Data Protection: General Data Protection Regulation
  • Privacy and Data Protection Essentials

In addition, be sure to check out this recent OpenSesame webinar with expert Dr. Robert K. Minitti from OpenSesame course publisher Wolters Kluwer where he outlines how to incorporate fraud and IT security as part of your learning and development strategy. 

OpenSesame helps companies like yours develop the world’s most developed and admired workforces. For more information on how we can help you save time, money, and curate the right courses for your training program, contact us today at info@opensesame.com. 

The post Get your entire team trained for cyber security appeared first on OpenSesame.

Proper employee training can prevent your company from falling victim to the most common types of fraud, including asset misappropriation, corruption, and financial statement fraud. Furthermore, dedicating time to train your entire workforce on fraud sends the message that this is an issue that your company takes seriously and will not be tolerated. 

It is equally important to educate your employees on how to prevent fraud from sources outside your company as it is to recognize potential red flags within it. Threats like ransomware, spoofing, and phishing are on the rise and every employee that uses a computer, company smartphone, or email is a potential entryway for these dangerous types of malware. 

OpenSesame helps protect companies like yours with the most comprehensive catalog of elearning courses to train and develop your workforce on topics such as fraud and IT security. Check out these courses, offered through OpenSesame, today to get started. 

• • Introduction to Cyber Fraud
  • Fraud, Bribery, and Corruption Awareness
  • International Fraud, Bribery, and Corruption

Be sure to also check out this recent OpenSesame webinar with expert Dr. Robert K. Minitti from OpenSesame course publisher Wolters Kluwer to gain additional insights on multiple types of fraud schemes, including asset misappropriations, corruption, financial statement fraud and cyber frauds, as well as methods of employee fraud prevention training to keep your company compliant and how to incorporate fraud as part of your learning and development strategy. 

For more information on how OpenSesame can help you save time, money, and curate the right courses for your training program, contact us today at info@opensesame.com. 

The post Protecting your company from fraud appeared first on OpenSesame.

As most of us are aware, phishing attacks can take many different forms, from Business Email Compromise scams that mimic employee emails and request money or information, to fake emails from trusted business that use bad links or attachments to steal data. Ransomware takes a more direct route by installing malware, stealing data, and then requesting some form of payment to—ostensibly—restore the data to its owner. In some attacks, the data is in fact restored after the ransom is paid. Other times, hackers accept the ransom but never give the files back—which is why security professionals typically advise against paying the ransom. Either way, ransomware means a huge risk to personal data and—more likely than not—exorbitant costs to get systems up and running again. It’s important that we be able to protect ourselves and our organizations against these scams—but how do we do that?

First of all, like other phishing scams, email is the most common attack vector for ransomware. When a malicious link or attachment is clicked on, the virus runs a payload on the computer and encrypts files so that the owner can’t access them. What this means is that—typically, at least—preventing ransomware is as simple as preventing any other phishing attack. Don’t click on any strange links or attachments in unexpected emails, and remember to check for warning signs that the email may be malicious. If it’s unexpected, comes from a strange or incorrect email address, or requests unusual information, it’s probably a scam. When in doubt, delete the email and verify its contents externally—it could mean the difference between continued security and a ransomware nightmare.  

Second of all, in the event you do fall victim to a ransomware attack, it’s critical to have certain security measures in place to help you deal with the fallout. As IT expert Sean Gallagher notes, backups are key when it comes to surviving ransomware. If data is properly backed up to an external location, it can be recovered in the event that it’s stolen from the device itself. In addition, companies need a “disaster recovery (DR) plan,” something that plans for a potential worst-case scenario—not just low-level security snafus—and lays out ahead of time how the recovery process would work. A good DR plan minimizes loss and allows for a smoother recovery process in the event that a disaster does occur. (For more information on how to create a solid disaster recovery plan, see this article.)

What happened in Baltimore and Riviera Beach should serve as a serious wake up call. Ransomware attacks not only happen, they’re on the rise—and they could mean financial ruin or irrecoverable loss of data. As organizations or even as individuals, it’s important that we take the appropriate steps to recognize and prevent—or at least be able to deal with the consequences of —a breach. And the first step is awareness. Company leadership needs to be aware that ransomware could be a serious threat, and that concrete steps are needed to avoid disaster. Similarly, all company employees, down to the lowest level, must be familiar with phishing attacks and how to prevent ransomware from the first click. With that awareness in place, alongside strong communication between teams, maintaining and strengthening security—and keeping ransomware at bay—becomes much easier.

For more information on ransomware and cybersecurity check out available courses from Global Learning Systems in the OpenSesame course catalog.

Global Learning Systems provides security awareness and compliance training programs for employees that effectively promote behavior change, protect your organization and Strengthen Your Human Firewall®. In addition to carefully tailoring program materials to client needs, we offer an online learning platform, phishing simulation tool, courseware customization and high-touch customer service.

The post What is ransomware? appeared first on OpenSesame.

• • Have annual gross revenues over $25 million.
  • Annually buy, receive, sell, or share personal information of over 50,000 California consumers, households, or devices.
  • Derive at least 50% of annual revenue from selling California consumers’ personal information.

How does the law work?

Californians will be able to request information from your company about what data is collected about them, why it was collected, how you received their information and who it was shared with or sold to. California residents will also have the right to bring a direct lawsuit if their unencrypted or unredacted personal information is subject to a data breach as the result of a business’s failure to implement reasonable security. If a company is found to be in violation of the CCPA, they have 30 days to comply with the law once regulators notify them of a violation. If the issue isn’t resolved, there’s a fine of up to $7,500 per record which can add up quickly when the volume of consumer records at a company is considered.

Start preparing now for the law to limit penalty 

The new law goes into effect 1 January 2020, with an enforcement date of 1 July 2020. Don’t scramble at the last minute to keep your company compliant and customer data legally safe. Now is the time to guarantee your employees are well-versed in consumer privacy and data security best practices.  Check out these courses offered through OpenSesame to get your workforce up to speed: 

• • California Consumer Privacy Act (CCPA)
  • Cyber Security Overview
  • Privacy and Data Protection Essentials
  • Information Security Essentials

OpenSesame helps companies like yours develop the world’s most developed and admired workforces. For more information on how we can help you save time, money, and curate the right courses for your training program, contact us today at info@opensesame.com.

The post California’s new Consumer Privacy Act effective 1 January 2020 appeared first on OpenSesame.

There are actually many other specialty areas in security available for us to discuss (like those created by industry leaders like Cisco, GIAC, SANS, ISACA, (ISC)² and many others). But for the interest of brevity, I’d like to highlight some of the more popular ones. The first two I’d like to introduce are from ISACA and are favorable certifications for those who wish to move into management positions. Those two are: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).

There are more than 140,000 professionals certified globally with CISA and it is one of the top paying IT certifications of 2018 as reported by Global Knowledge. As companies are faced with increasingly more security challenges including new global threats (e.g. ransomware), new government regulations (e.g. GDPR), and new technologies to secure; they are under enormous pressure to hire the right talent to manage it. With the CISA certification, you will be recognized as someone that can take a comprehensive view of information systems and their relationship to a success business-wide security initiative. In addition to passing the exam, this certification requires the submission of a formal application which requires certain levels of education and work experience. Check out their web site for more information.

The CISM certification is different and comes at security from a company policy standpoint. It covers four key areas: information security governance, Information risk management, information security program development and management, and information security incident management. Passing this certification demonstrates that you understand security and how it relates to the overall business goals. It shows that you not only understand security, but also how to build and manage an information security program within the company.

But perhaps you’re looking to achieve an even higher position, one that leads all of the company’s security needs, such as Chief Information Security Officer (CISO) and Director of IT Security. Moving into these roles require digging much deeper into all the individual niches in the security field. The first one to consider is CompTIA’s Advanced Security Practitioner (or CASP). CASP is a relatively new certification from CompTIA and is meant to test the student on a broad range of security skills. In fact, it meets the ISO 17024 standard and is compliant with regulations in the Federal Information Security Management Act (FISMA).

Once you pass the CASP certification, you’ll likely be feeling pretty good about your skills, a Luke Skywalker of Security experts if you will. But what if you want to go for Yoda status? One of the top respected certifications is undoubtedly the (ISC)² Certified Information Systems Security Practitioner (or CISSP), which is not your average certification and will require significant work to achieve. It is meant to demonstrate a clear and deep knowledge of all things security and is fast becoming a requirement for many of the very top positions in IT security.

Although CASP and CISSP are great options for some of the top IT positions and cover a broad range of security topics, they are very different in what the exam covers. The CASP exam tests whether you know HOW to implement many of common security concepts, so their questions will be mostly unambiguous. For example, “what command line tool is used to create a 128-bit hash?” The CISSP exam, on the other hand, tests whether you know what the best practices are when dealing with complex security situations. Here, the options available to choose from may, in fact, all be technically correct. For example, take the following question, “Which of the following is the PRIMARY advantage of data classification for an organization?” Here, all the options could be valid examples of legitimate advantages, but the correct answer is the one that has the most advantages.

Be sure to check out many of the training titles we have in security, and good luck my young Jedi.

About the author: Martin Schaeferle is the Vice President of Technology for LearnNowOnline. Martin joined the company in 1994 and started teaching IT professionals nationwide to develop applications using Visual Studio and Microsoft SQL Server. He has been a featured speaker at various conferences including Microsoft Tech-Ed, DevConnections and the Microsoft NCD Channel Summit. Today, he is responsible for all product and software development as well as managing the company’s IT infrastructure. Martin enjoys staying on the cutting edge of technology and guiding the company to produce the best learning content with the best user experience in the industry.

The post Navigating Your IT Security Certifications, Part 2 appeared first on OpenSesame.

For the IT professional, this is a great climate for those looking to update their skills and join the relatively new and growing sector of IT security. Don’t believe me? In a March 2018 article posted by Forbes, five of the top 15 most valuable IT certifications are security based. Security certification has become a serious and well-respected career.

If you’re attempting to enter a security field and IT is not a current profession or hobby, then I’d suggest tackling a couple of certification courses to get you started as an introduction. The first is CompTIA A+ offered by LearnOnlineNow through OpenSesame, which focuses on learning the standard computer hardware, basic operating system functionality, and general troubleshooting. From there, I’d recommend getting certified in CompTIA Network+, which will get you familiar with basic networking concepts like IP addresses, DNS, domains, routing—essentially everything that defines the framework that Internet security relies on.

Okay, you are now an IT expert! What’s next? It’s good to start with the basics of security, and the best certification for that also comes from CompTIA. Their Security+ covers all the core concepts in IT security from Wi-Fi passwords and firewalls to employee best practices.

After you have Security+ finished, start considering some specialty certifications. One of the most popular next steps is EC-Council’s Certified Ethical Hacker (CEH) certification and Certified Security Analyst (ECSA). Once certified, you will understand the tools and techniques that you can use to assure companies that their systems are indeed secure.

Another very popular certification is EC-Council’s Computer Hacking Forensic Investigator (CHFI) certification. Like the television show CSI, it is an area of the security field that focuses on how to collect and analyze digital evidence to detect when something is about to or has happened. Most companies know that it’s not if you will be hacked, but when. This certification is about learning the skills for detecting or mitigating the aftermath of a successful hack.

For more online courses on how to get started in IT Security, how you can protect your company with trained and certified IT professionals, or ways to develop your current skillset, check out LearnNowOnline through OpenSesame, or contact OpenSesame at (503) 808-1268.

About the author: Martin Schaeferle is the Vice President of Technology for LearnNowOnline. Martin joined the company in 1994 and started teaching IT professionals nationwide to develop applications using Visual Studio and Microsoft SQL Server. He has been a featured speaker at various conferences including Microsoft Tech-Ed, DevConnections and the Microsoft NCD Channel Summit. Today, he is responsible for all product and software development as well as managing the company’s IT infrastructure. Martin enjoys staying on the cutting edge of technology and guiding the company to produce the best learning content with the best user experience in the industry.

The post Navigating Your IT Security Certification, Part 1 appeared first on OpenSesame.