Does cyber insurance make sense?

Insurance relies on pooled risk; when a business is exposed to a risk it feels is not manageable with internal controls, the risk can be deferred to the capital markets through an insurance contract. For events that are unlikely to hit a very large number of insurance customers at once, this model makes sense. The …

Handling suppliers with low security awareness

Supply chain risk – in cyberspace. Cyber supply chain risk is a difficult area to manage. According to NIST, 80% of all breaches originate in the supply chain, meaning it should be a definite priority of any security-conscious organization to try and manage that risk. That number was given in a presentation by Jon …

Why “secure iframes” on http sites are bad for security

Earlier this year it was reported that half of the web is now served over SSL (Wired.com). Still, quite a number of sites are trying to keep things in http, and to serve secure content in embedded parts of the site. There are two approaches to this: A form embedded in an iframe served over …

How do leaked cyber weapons change the threat landscape for businesses?

Recently, a group called Shadow Brokers released hundreds of megabytes of tools claimed to be stemming from the NSA and other intelligence organizations. Ars has written extensively on the subject: https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. The leaked code is available on github.com/misterch0c/shadowbroker. The exploits target several Microsoft products still in service (and commonly used), as well as the SWIFT banking network. …

How to embed security awareness in business processes

All businesses have processes for their operations. These can be production, sales, support, IT, procurement, auditing, and so on. All businesses also need risk management. Traditional risk management has focused on financial risks, as well as HSE risks. These governance activities are also legal requirements in most countries. Recently cybersecurity has also caught mainstream attention, …

The [Cyber] Barbarians are at the [Internet] Gateways?

If you follow security news in the media, you get the impression that there are millions of super-evil, super-intelligent nation-state and hacktivist hackers constantly attacking you, and you specifically, in order to ruin your day, your business, your life, and perhaps even the lives of everyone you have ever known. Is this true? Are there …

Security as a selling point for your business?

Most business leaders think about security as a cost. It is hard to demonstrate positive returns on security investments, which makes it a "cost" issue. Even people who work with securing information often struggle with answering the simple and very reasonable question: "where is the business benefit?". What if you turn it around, and view …