Preventing Fraud from Top to Bottom | Information Security Summit 2014

An estimated 5% of annual corporate revenues are lost each year to fraud, represented in part by computer fraud. Protection against this threat requires a strong, proactive and comprehensive, entity-wide set of policies, procedures and controls. Anti-fraud measures should include strong manual and automated controls which are designed, implemented, tested and monitored to prevent and detect fraud on a timely basis. This presentation aims to explain how organizations can integrate anti-fraud initiatives into their daily activities to:

  • Develop a system of manual and automated, preventative and detective anti-fraud internal controls
  • Proactively monitor, identify, assess and manage fraud risks
  • Create an anti-fraud culture and fraud awareness program
  • Respond to incidents involving fraud

Is staying safe online possible?

I was asked a question on Twitter today. The question was, "Is staying safe online possible?" This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as "If big companies can't protect themselves, what chance do I have?" or "If identity theft is inevitable, what is the point of protecting oneself?" Let's look at the question in an Aristotelian manner. We first must establish what staying safe is. Let's start with this definition:

Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

*Harm is described as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identity theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with the persons and companies involved to restrict the value of the disclosed information, limit the ability of a malicious user to employ it, and reduce the amount of damage incurred through its use. More specifically, if a person entered a username and password on a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker had the ability to utilize their credentials. They would also use different credentials for other sites, so the information gained would have no value if employed against other Internet services.

Using this definition, I believe I could say that it is possible to stay safe online. However, possibility is not probability. Those that would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people utilizing the Internet do not have this then the majority of users are not safe. Our logical step, therefore, is to educate users to give them the knowledge and ability and to make the technology and environment that will provide them with the opportunity something that is available to the majority of users.

For more information:

The Human Side of IT Security

Organizational Security Culture

Securing the Network against Inevitable Human Slipups

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don't necessarily represent Dell's positions or strategies.

Cyber safety at St. Mark Lutheran

Gail Larrow invited me to speak at St. Mark Lutheran school on cyber safety. It was a pleasure to speak to the students there and to find out how they are using technology. Honestly, I didn't even recognize some of the technology they mentioned. However, I was able to offer them a lot of information on how to protect themselves online. Here is a copy of the presentation.

Security Awareness: 360 empowerment for cyber defense

A few days ago, I delivered a training session on security awareness.  The employees who attended the training discussed quite a few items that they will bring back to their management that I hope will inspire some culture change and a differing view on information security.  Here is the presentation if you would like to view it.

Improving software development security at CodeMash 2014

I will be delivering two lightning talks at CodeMash 2014 titled "Maximizing Technology Adoption ROI" and "Data Breach Lessons from 2013". Even those who have not attended the talk can view the talks here.


Twas the Night before the Breach

Twas the night before the breach, when all through the place
Not an alarm was ringing, nor even a trace
That data was being pilfered, with the greatest of care
In hopes that its access would none make aware
The employees were off early, out for the day
Some to go shopping and others to play
Leaving the office empty, 'cept for one man
Filling a thumb drive as fast as he can
The passwords he had, some from Susan, others Paul
One under the keyboard, another on the wall
So he gleefully posed as his oblivious colleagues
Obtaining the data while humming a melody
Till leaving the office, no clue he neglect
To remove with him lest someone start to suspect
Ill intentions from such an employee as he
Whose reputation was spotless as spotless could be
The holiday proceeded much as expected
Families gathered, read stories and collected
The gifts they desired but hardly touched after
Great feasts were consumed, songs sung with laughter
But one of them partook in much more than cheer
Anonymously he sold them, stolen secrets most dear
Highest bidder to win, take all you can handle
Spreadsheets, memos, personal and financial
Returning to work, the breach first went undetected
Till profits sagged much lower than projected
Our secrets were stolen, they cried in shock
Our competitors have knowledge of things they ought not