IT Risks
Published on December 20, 2009 by Karen Letain in News, Other
http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html
Forbes recently compiled a list of the seven Most-Hacked software titles for 2009. They took a survey of security professionals from various companies including Verisign, TippingPoint, iDefense and Qualys. Based on this survey, Forbes found that the following were the most hacked software titles from 2009.
- Adobe Reader
- Internet Explorer
- Mozilla Firefox
- Adobe Flash
- Apple Quicktime
- Microsoft Office
- Microsoft Windows
Even though Adobe has become a major focus for hackers, old targets such as Internet Explorer and Firefox are still far from secure. Researchers also note that hackers are turning away from bugs in operating systems to focus on applications, partly because operating systems are more securely coded and are patched more systematically and more frequently than the applications that run on them. Application patches are also not applied as promptly by users, even after a vendor has issued them.
For the new year, make sure you keep on top of your patches, and be especially diligent with patches released by your application vendors.
Have a safe and prosperous new year! Our best wishes to all of our clients and followers for the new year.
Published on July 23, 2009 by Karen Letain in Metrics, News, Planning
I have talked quite a bit in this blog about successful awareness training program factors, yet, I keep hearing stories from clients and friends about awareness training programs that are just not able to deliver.
The success of a security awareness program really depends upon the delivery of the information and how it is tailored for each audience. Security awareness training should be delivered to end users in each department as well as incorporated into new employee orientation. It can be administered in an online training format, in small learning bites that are easily digestible and delivered monthly or quarterly, or through instructor-led sessions or smaller, informal lunch-and-learns. Managers and executives may be more receptive to an instructor-led session format, or to online lessons geared toward the IT risks that managers and executives need to be aware of.
When considering training options for your employees, you will need to consider both instructor-led and online learning formats. In security awareness training there are instances when both are required. If you need to conduct general end-user security awareness training, online training options have certain efficiencies and cost advantages. Cost factors include course development, instructor time, instructor salaries, preparation time, classroom costs, travel expenses, material costs and employees' time.
Other factors that are not captured when looking only at costs are the speed of delivery of the training and its instructional efficiency. Instructional efficiency means that all of the information delivered leads to learning that improves performance (reference: Moran, J.V. 2002, ROI for E-Learning, http://wwwlearningcircuits.org/2002/feb2002/moran.html). Online learning's advantage over instructor-led training is that it can be delivered in a timely, consistent way, with the ability to easily update materials.
In the second part of this series, we will look at the advantages and disadvantages for the learner from both a delivery and an efficiency standpoint. Stay tuned!
Published on July 11, 2009 by Karen Letain in News
The 11th Ernst & Young Global Information Security Survey, which surveyed 1,400 organizations in 50 countries, found that only 44 per cent of respondents were training their staff in data handling, even though they were continuing to fund investment in security tools. The research indicates that while processes for routine security events are critical, it is ultimately the people who help ensure that IT risks are mitigated.
People are often the most essential part of any process. When the human side does not function properly—due to inadequate process or policy design, lack of skills or education—IT systems fail. However, with proper education, employees can become an organization's strongest line of defence.
Educating employees, so they understand how IT risks can impact an organization, is an indispensable step towards properly managing those risks. Organizations frequently focus on mitigating risk by investing in new technologies, while failing to leverage the most critical asset - people.