Topic 1- Social Engineering Killed the Cat
Social engineering has been one of the critical topics in cybersecurity, and organizations fear it because we humans are the weak link. It is an interesting topic because it is all about psychology and understanding the person you are trying to manipulate into assisting you. There are endless social engineering techniques that can be used in an attempt to gain access, but I will list the three that I hear and read about most often:
- The flash drive- This is one of many psychological tests of curiosity: the hacker leaves a USB drive lying somewhere in public, or even in a cab, and a curious person picks it up and plugs it into their home computer, or even a work computer, to see what is on it. Once the drive is plugged in, it automatically triggers the malware on the computer. Some people think they can outsmart it by plugging it into a computer that is not connected to the internet, so that the hacker has no way of communicating with the malware; however, the malware usually shows no activity while the machine is offline, and then triggers as soon as the computer is connected to the internet.
- The FREE Wi-Fi- Everyone loves free internet access, especially individuals on a limited data plan who want to minimize consumption from their plan and will connect to whatever free Wi-Fi they can find. This is another popular psychological trick: people are lured into thinking they are getting free internet, see a network named “FREE PREMIUM WIFI” and connect to it. Because their traffic now passes through the hacker's access point, the hacker can monitor their activity, and the network may even ask them to “SIGN UP” to get Wi-Fi access. This is where many individuals make the simple mistake of reusing their usual password, and the hacker now has a good chance of knowing their password for the other services they use, whether email, social media accounts or even financial services.
- The QR code- This is one of the newer trends because we now see QR codes in many of the places we go: at a restaurant, where the individual scans the QR code to view the menu (very popular, especially after COVID-19); at the gym, to see the schedule of classes offered; or at a mall, to get the store directory or perhaps offers. After scanning, individuals are usually so excited to see the “offered” services that they click “Yes” or “Allow” on any pop-up; this is where the hacker takes advantage, using a pop-up message to trigger the attack and gain access to the content of the device, or even full access to it.
Topic 2- Security Awareness
This is one of those topics that many organizations neglect and overlook because it is classified as an operational expense with no tangible value to the organization. Year on year the security team requests a specific budget for security awareness for the organization's staff, and this is the best practice, because as an SRM leader you have to make sure that individuals within the organization are constantly reminded of the criticality of this issue and of how all it takes is one individual to cause a state of emergency that may even shut down the entire operation. These awareness activities can be as follows:
- Video content or awareness message via email– This may be one of the easiest methods, since it has minimal or no cost at all, and security leaders can create content or reuse available content and distribute it using the company's email. It can raise awareness if repeated at the right frequency.
- Physical/remote training- This activity may be run less frequently; however, it provides the basic understanding of how and why you need to follow the protocol when it comes to cyber security to keep the organization safe.
- Social event within the organization– This may be a once-a-year activity and is usually achieved through a third party. In my current organization, it was achieved through one of the outsourced contracts for its cyber security operation. It was a great success; it was conducted on premises and all employees were invited to go through different booths and learn about cyber security.
I believe there are a lot of similarities between the practice of Cyber Security and Enterprise Architecture in terms of gaining the continuous support needed to ensure the organization achieves a higher return on its investments. Both practices require continuous effort to develop their maturity levels within their respective domains.