by Kathleen L | Jan 20, 2022 | Compliance, Cybersecurity
The Federal Trade Commission (FTC) released an alert, warning companies that they may face legal penalties if they aren’t taking the proper steps to mitigate Log4j vulnerabilities to protect consumer information. Earlier this month, FTC officials said there is a “severe risk” to consumer products, software, and applications caused by a vulnerability in the Java logging package. This vulnerability is being exploited by hackers and it is critical that vendors who rely on Log4j take the proper precautions to reduce their likelihood of an attack.
An example of this is the Equifax breach, which was caused by failing to patch a known vulnerability. Because of this vulnerability, the personal information of 147 million consumers was left exposed. Equifax paid $700 million to settle actions taken by the FTC. The FTC intends to pursue any companies that fail to take steps to protect consumer data from exposures caused by Log4j, or similar vulnerabilities that may occur in the future.
The FTC advises companies to keep your Log4j software package updated to the most recent version, and reference Log4j Vulnerability Guidance provided by CISA. This FTC alert is a wake-up call to many companies that cyber threats are evolving, and so are security requirements and legal actions that will be taken if they do not take the proper steps to protect consumer information.
by Kathleen L | Jan 5, 2022 | Human Factor
A company’s employees can often be seen as a weakness in terms of cybersecurity. In fact, according to the Verizon Data Breach Investigations report, 3 out of the top 5 threat actions involve human risk. We all have biases in our thinking that can create risky behavior. Some even argue that there is a connection between employee personalities and security.
The traits with the highest correlation to information security behavior (positive or negative) are risk taking, openness, agreeableness, and conscientiousness. For example, employees who score high on conscientiousness are less likely to engage in risky behaviors and vice versa. Employees who are natural risk takers and tend to engage in sensation-seeking activities may take chances when it comes to security.
Personality tests like Meyers-Briggs and DISC, have been used by organizations for screening and training purposes for years. How should an organization use these tests for cybersecurity purposes? There are no definitive answers, but here are a couple of thoughts:
- Build processes that create healthy behaviors. Well documented procedures for systems administration or development with a solid change management process, automated testing tools and peer review are an example of methods to ensure that proper behaviors are deployed consistently and minimize non-compliance. Pilots with decades of experience still use checklists to inspect planes, take-off, land and taxi; your IT team should as well.
- Install tools that minimizes impact of non-compliance. Tools such as Multi-factor authentication, email and web filters and endpoint detection and response (EDR) can go a long way to mitigate non-compliant employee behavior.
- Conduct role- and behavior-based security awareness training. Best practice security awareness training states that an organization should provide security awareness training particular to the role the individuals plays in the organization. Consider paying particular attention to training those with non-compliant tendencies.
- Ensure that there are proper incident response procedures in place. Even with a fully “compliant” staff from a cybersecurity perspective, stuff happens. Make sure you have a solid incidence response plan and are testing it on at least an annual basis.
Finally, the most important area the organization should focus on is leadership and governance. Spend some time thinking about the personality of the organization’s culture and how it can positively or negatively impact risk behavior. Remember, people will tend to mimic the leadership’s style in everything they do, including cybersecurity behavior. Whether that’s a good thing or not, is up to you.