Frequently changing your passwords is the enemy of your security. Over the past few years, organizations including the US National Institute of Standards and Technology and the UK government agency CESG have also concluded that mandatory password changes are often ineffective or counterproductive. When people are required to change their passwords, most of them make a small change that is easily guessable. Attackers who know an older version of the password can often work out the new one.
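The "small, guessable change" problem described above is something a password-change policy can check for at the moment of change, when the user has just supplied both the old and the new password. The following is an added Python example, not code from the original article or from Krinos; the leetspeak substitution table, the edit-distance threshold and the sample password pairs are assumptions chosen for illustration.

```python
import re
from typing import Optional

# Added example (not from the original article): a password-change policy check
# that rejects a new password when it is only a trivial variation of the old one.
# It runs at change time, when the user has supplied both the old and the new
# password in plaintext, so nothing about how passwords are stored changes.

# Common "leetspeak" substitutions, folded back to the letter they stand for.
# (Assumed table for illustration; extend it to match what your users do.)
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Leading/trailing digits, symbols and underscores (Summer2016 -> Summer).
EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak so P@ssw0rd and password compare equal."""
    return pw.lower().translate(LEET)


def core(pw: str) -> str:
    """Strip the digits/symbols people bolt onto the start or end of a word."""
    return EDGE_JUNK.sub("", pw)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def trivial_variation_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is a predictable variation of `old`, or None if it is not."""
    if new == old:
        return "identical to the old password"
    if new.lower() == old.lower():
        return "only the letter case changed"
    if new == old[::-1]:
        return "old password reversed"
    if core(old) and core(old).lower() == core(new).lower():
        return "only leading/trailing digits or symbols changed"
    if old and new and (old in new or new in old):
        return "one password contains the other"
    n_old, n_new = normalize(old), normalize(new)
    if n_old == n_new:
        return "only leetspeak substitutions changed"
    distance = levenshtein(n_old, n_new)
    # Assumed threshold: roughly one edit per four characters is still "too close".
    if distance <= max(1, len(n_old) // 4):
        return f"edit distance {distance} from the old password is too small"
    return None


def accept_password_change(old: str, new: str) -> bool:
    """Policy hook: True if the new password is not a trivial variation of the old one."""
    return trivial_variation_reason(old, new) is None


if __name__ == "__main__":
    # Constructed sample pairs of the kind the article describes.
    for old, new in [("Summer2016", "Summer2017"), ("passw0rd", "P@ssw0rd"),
                     ("Welcome", "Welcome2016"), ("Summer2016", "Winter2016")]:
        print(f"{old!r} -> {new!r}: {trivial_variation_reason(old, new)}")
```

The check normalizes both passwords before measuring edit distance, so a user who swaps a letter for a look-alike digit does not get credit for a "new" password. It only catches variations of the immediately preceding password; a policy that still forces periodic changes will also want to compare against the user's recent history, which is the same check applied to each stored plaintext-at-change-time comparison you are able to make.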
There is no good reason anymore to log in to popular apps like Facebook, Dropbox, LinkedIn, Mailchimp, Twitter, Gmail, Yahoo, etc. with only a username and password. All these services offer strong multi-factor authentication for free. If you set up multi-factor authentication for these apps, you will see that it is quite user-friendly to use.
Remember that the holy grail for hackers is getting into your email account. Why? Because once they have access to your mailbox, they can use it to request password resets for all the apps where you registered with that email address. Consider protecting at least your mailbox with multi-factor authentication today.
Are you tired of having to manage all those different passwords? It doesn’t seem to matter how strong you make them; hackers always seem to find a way to steal them. With so many passwords being stolen, it is time to better protect your online digital identities. In this article we explain how to use stronger authentication, a 2-step verification mechanism, for your LinkedIn account. Set it up today! You will find that it is quite user-friendly to use and very secure at the same time.
SEPT 2016 – Like most companies nowadays, we’ve had our share of cyber incidents: virus infections, ransomware, phishing emails, etc. Something we’ve always known was that most of these incidents involve some form of human error. This became even more apparent when the news reached us of the Crelan CEO fraud: the CFO of the bank received an urgent request for a wire transfer from his CEO. Or so he thought it was his CEO. It was not… The impact of a single human error: 70 million €. Ok, maybe this will not easily happen to us, but still. It’s time to act, we thought.
We internally agreed that we needed cyber awareness training for all our employees, preferably including simulations where ‘human error’ occurs most (email phishing). We also believed repetition and measuring the impact were an absolute must in any awareness initiative.
An option was to do it ourselves, using the (DIY) tools available on the market. But we decided to work with Krinos, as their standard offering was just what we needed: providing a yearly campaign that included several email phishing simulations, online learning modules, input & advice around communication, and extensive reporting to all staff, IT-ers and managers. (more…)
AUG 2016 – If we ask organizations what kind of security issues they have experienced recently, ransomware is usually mentioned. This is not surprising, as security reports confirm that ransomware is booming and has become a business model that is constantly being optimized and innovated.
We have seen a growing number of ransomware incidents all over the world over the past year. We won’t explain here what ransomware precisely does or which variants exist.
Instead we want to focus on 2 key questions:
- Why do we see a growing number of ransomware incidents?
- What can you do about it?
JUNE 2016 – We advise organizations to have people report phishing emails and other security incidents as much as possible. But why is this needed, and how can it be done safely? Remember that forwarding malware by email is the same as playing with fire.
Why is reporting phishing emails relevant?
People are your last line of defence: One of the possible objectives of user awareness campaigns and email phishing exercises is to make people your strongest firewall and human detection sensors. Your employees might be your last layer of defence in detecting and reporting a security breach that has bypassed all other technical defences.
Learn & Adapt: Reporting allows the organization to analyze the incident and take actions if needed. Additionally, lessons learned can be drawn that can result in steps to improve the technical defenses in place.
Reporting & analysing phishing emails has become an essential incident response element in any prioritized layered defence strategy. There will always be some phishing emails that succeed, but there will also always be someone who reports them; you cannot just ignore those reports.
JAN 2016 – More and more organizations are performing email phishing exercises, often on a smaller scale. Organizations send out a phishing email and measure how many people are susceptible to this type of cyber attack. But only a few of them repeat phishing exercises on a regular basis. This is definitely a missed opportunity.
This article explains why repeating phishing exercises is so important for raising awareness.
Measure the ROI of your security awareness program
In security it is not easy to calculate return on investment, as it is difficult to predict the impact of an attack. But by measuring the effect of successive phishing exercises on people, through the number of people who click on a suspicious link, you are able to see the evolution of clicks inside your organization. This is in essence the return on investment of your awareness initiative. The most common objective of a phishing campaign is to raise awareness by decreasing the click rate and increasing the reporting rate.
OCT 2015 – Kind en Gezin (K&G) is an agency of the Belgian Flemish Government with around 1300 employees. Their mission is to actively improve the well-being of children and families. They do this via a variety of activities including preventive medical aid, children’s shelter coordination and child adoption guidance. Through these activities, K&G staff handle sensitive personal information on a daily basis. Therefore, it is essential that staff are well trained in properly handling such information. One of the initiatives to train people is an awareness campaign, managed by Krinos Academy, which includes email phishing simulations, communication aspects and online training.
In this customer case the communications department tells the story in the quarterly internal personnel magazine. What follows is an abstract from that article. We have taken out the actual phishing results that were also included. The goal of the article was to debrief the email phishing results to everyone and to raise additional attention and awareness around the topic. (more…)
AUG 2015 – KBC must be top-class in providing secure financial services to its customers. An important part of their cyber security strategy is to educate KBC employees and customers to make them more “cyber aware”. Therefore, KBC has been launching various user awareness initiatives. In 2015, KBC hired Krinos Academy to carry out a Belgium-wide email phishing awareness campaign.
Bringing the campaign message across
Probably the most important part of an awareness initiative is (positive) communication. KBC’s campaign goals were to decrease the number of people accidentally clicking on suspicious links in emails and to increase the number of people reporting the emails as phishing. Together with Krinos, KBC announced the campaign to all employees and informed essential stakeholders upfront like the helpdesk and management. Krinos created an instant learning page for the phishing victims and prepared the debriefing message that was sent to all employees shortly after each phishing mail. (more…)