A Beginner’s Guide to Web App Security

Cybercrime continues to evolve and impact more people and businesses than ever before. Enterprise stakeholders must ensure they understand what could happen if their network is not secure and how they can protect their business online.

Web apps today are a common source of security breaches for many enterprises because they lack necessary security measures. Boosting the security for web apps enables stakeholders to reduce the likelihood of a security breach for their enterprise.

What Are Web Applications?

Web applications are essentially computer programs that run on a server (or network of servers) and load inside a user’s web browser. They have an interactive component, so users can work with the software within a web browser without having to reload the page.

They are not simply static websites that just display information, such as a local plumber’s website. A web app could be used by a business to communicate specific information with customers, such as when a customer logs into their online bank account to view recent transactions. Or, a web app could be used for employees within an organization to collaborate, such as a shared calendar or messaging client.

Web apps are used in large numbers today. In fact, you’ve probably used a web app multiple times today without even realizing it. Because web apps often contain large amounts of personalized user data, they tend to be a prime target for security breaches.

A Brief History of Web Applications

In the early days of the internet, websites were often used for only disseminating information. A user could not necessarily interact with a website other than to read the information the website displayed.

But hackers were still prevalent and often used phishing scams to steal data that wasn’t properly secured. Eventually, scripting languages were designed to make it possible to do more online. Users could then start to interact with the website, even if it was only in basic ways such as requesting certain information.

One example of this is the search engine. Search engines were created so the user could input a keyword and obtain a list of websites that include that keyword.

Since then, web development has become far more complex, leading to an increase in web applications that allow us to do much more online. With modern web apps it is now possible to file taxes, check bank accounts, interact with businesses, watch movies and much more.

Current Web App Use Globally

In 1995, only 0.4% of the world’s population was online. By September 2009, 25% of the world’s population was online. As of 2017, 54.4% of people around the world are online. With this increase in overall internet usage has also come an increase in web apps for both personal and business use.

Today, breaches of web apps make up around 40% of all internet breaches that occur. The number of web app breaches has risen 300% since 2014, with this number increasing every day. The biggest risk is public-facing web apps, which are those that consumers use to interact with a business.

Recently, many web application breaches are due to simple vulnerabilities that were overlooked when the web app was originally developed. One of the reasons for this is that many web apps are not developed by the company using them, but by a third party. The third party might include no or minimal security measures designed to prevent these breaches, leading to an increased chance the web app will be breached at some point.

Best Practices for Keeping a Web App Secure

There are several ways to keep a web app as secure as possible. Stakeholders need to be aware of potential vulnerabilities in the web apps they develop, and what can be done to minimize the chance of a breach.

  • Create a Web Application Model
    Knowing what apps are used and what their vulnerabilities might be can help determine where security needs to be focused. Creating a web application model helps keep everything organized so vulnerabilities can be discovered and patched before they’re used in a breach.
  • Use Existing Technologies
    Using existing technologies designed to keep information more secure is the best way to prevent a breach. It’s important to make sure these are used in all web apps to secure the apps and lessen the chance a breach will occur.
  • Use Multifactor Authentication
    Using more than just a username and password to log into a website helps make the website more secure. These can be simple to implement and may not be needed every time the user visits the enterprise’s website. For instance, an SMS code can be sent anytime a user logs into the website using a new, unrecognized device.
  • Use Password Managers
    Instead of allowing employees to create their own password, which may not be as secure as the employee would think, businesses can use a password manager and generator. The generator will create secure passwords for the employees and the password manager will help them securely remember the passwords and easily use them to log into different web applications used by the business.
  • Use Backup and Data Recovery
    All web app data should be backed up in case of a breach. Backups should be kept off-premises and should be updated frequently to ensure the most recent data is available when it’s needed. Testing can help make sure the backup is done correctly and ready to use if needed.

Existing Technologies to Help Keep Web Apps Secure

Existing technologies are designed to help keep web apps secure, but they’re not helpful if they’re not being used. Stakeholders and app developers should ensure existing technologies are used where possible for their web apps to help prevent a breach and should keep on top of new technologies as they’re updated to ensure they can be implemented quickly.

  • HTTPS Redirection
    Websites today should be using HTTPS instead of HTTP because of the security. However, many old links will still have HTTP. Instead of having to go through and change all of the pages of an app, it’s a better idea to redirect all of the traffic to HTTPS. This ensures all pages will load securely.
  • TLS 1.2 vs. TLS 1.1
    TLS was designed to protect the privacy and integrity of data exchanged between two communicating applications, such as a browser and a web app. TLS 1.1 is still secure to use, but 1.2 offers security features that were not available in 1.1. TLS 1.1 is still PCI compliant, but it is recommended that businesses upgrade to 1.2 for added security.
  • XSS Protection
    XSS attacks can occur when information users input is not validated, encoded or escaped. It enables the hacker to run script in other users’ browsers and gain any information that is retained by the browser, such as cookies. This can be prevented by output encoding, which modern frameworks and templating libraries provide. This should be used for any web app, since XSS is a huge source of security issues for web apps today.
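The three technologies above, shown in working code. This is an added example written for this page, not code from the original post or from PeopleSec; the hostnames, the search query and the HSTS lifetime are constructed, and `tls_server_context` is an illustrative helper that builds a Python `ssl` context without loading a certificate (a real server would load its own).

```python
# Added example (not from the original post): an HTTP-to-HTTPS redirect,
# a TLS configuration that refuses anything below TLS 1.2, and output
# encoding that stops reflected XSS. Hostnames and inputs are constructed.
import html
import ssl
from urllib.parse import urlsplit, urlunsplit


def https_redirect(url):
    """Return (status, headers) for a request URL.

    Plain-HTTP requests get a 301 to the same path on HTTPS, so old http://
    links keep working but every page is served over TLS. HTTPS requests get
    a 200 plus an HSTS header so the browser stops trying HTTP at all.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        # Drop any explicit port; keep host, path and query string.
        secure = urlunsplit(("https", parts.hostname or "", parts.path, parts.query, ""))
        return 301, {"Location": secure}
    return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def tls_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext that negotiates TLS 1.2 or newer.

    Clients that only speak TLS 1.0/1.1 are refused at the handshake.
    certfile/keyfile are optional here so the example runs without a cert.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # Python 3.7+ / OpenSSL 1.1.0g+
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_minimum_version_name():
    """Name of the lowest protocol version the context will accept."""
    return tls_server_context().minimum_version.name


def render_search_unsafe(query):
    """The vulnerable pattern: user input pasted straight into the HTML page."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    """The fix: HTML-encode the input before it reaches the page, so <, >, &
    and quotes become entities and can no longer start a tag or a script."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


if __name__ == "__main__":
    print(https_redirect("http://shop.example.com:8080/cart?id=7"))
    print("minimum TLS version:", tls_minimum_version_name())
    probe = '<script>alert(1)</script>'  # constructed input, as an attacker would type it
    print("unsafe:", render_search_unsafe(probe))
    print("safe:  ", render_search_safe(probe))
```

The safe renderer is what a templating engine does for you when auto-escaping is on; the unsafe one is what string concatenation into HTML gives you, and it is the pattern to look for in code review.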

High-Profile Breaches in Web App Security

Many high-profile cyber security breaches in recent years have been due to web application breaches. They affected millions of people, exposing their personal information, such as email addresses, mailing addresses and credit card numbers. These breaches occurred in a variety of different enterprises.

  • Zomato
    Zomato is a web app designed to help people find restaurants. Users who were logged in at the time of the breach were impacted; however, those who logged in through OAuth services were not at risk. It is suspected that as many as 17 million people may have been impacted by this breach. The stolen data includes email addresses and passwords.
  • Ashley Madison
    Dating site Ashley Madison suffered a breach in 2015 and had over 300GB of user data compromised. This data, derived from more than 40 million users, included real names, banking information, credit card information, and more. The stolen data was released online a month later by the hackers. Because it failed to secure the data it collected, Ashley Madison was fined $11.2 million.
  • Yahoo
    Yahoo has had numerous breaches, with one impacting 32 million customers. This one occurred because the hacker was able to use forged cookies to access accounts without their passwords. This is an example of why XSS protection is needed: a lack of XSS protection could have given the hacker the ability to steal and forge the website’s cookies.

Web App Penetration Testing

So what can you do to protect your web app and keep it secure? Enterprise owners need to be aware of the vulnerabilities and how they can better protect their business and their users. Today, they can do this with web app penetration testing. This tests the web app for any vulnerabilities before a breach occurs, enabling the business owner to boost their security and prevent a potential breach.

If you need to fully secure your web app, but you aren’t sure what needs to be updated or improved, contact PeopleSec today for help. We offer web app penetration testing as well as other services to help make your enterprise as secure as possible online.

Bad vs. Good Hackers: Your Guide to Ethical Hacking

Hacking has actually been around since before there were computers. In the early 20th century, hacking was used to crack codes during war times or even to hack telephones to be able to make free phone calls or cause other people to have huge phone bills.

The 1980s saw a more modern view of hackers, with “white hat” hackers doing the same things but using what they learned to help companies fix their software and stop unscrupulous people from hacking into it.

Today, this is considered ethical hacking and, when done properly, can be very beneficial for just about any enterprise.

What is Ethical Hacking?

Ethical hacking is using hacking for a good cause. Instead of hacking into a computer system to steal information or cause issues for a company, the hackers learn about security vulnerabilities in order to help the company fix any issues that might be present to improve the security of their network.

The idea is to help enterprises prevent hacking-related issues, not to cause them, and to help them learn what they need to know to prevent issues in the future.

How Does Ethical Hacking Work?

Ethical hacking works basically the same way “black hat” hacking works, though the person doing the hacking is working with the enterprise, not against them. Basically, the “white hat” hacker will try to get into the company’s computer system and see what information they can access or steal.

They’ll use a variety of different methods to attempt to gain access to the system to see what works and what doesn’t.

Once they are in the system, they will see what kind of information is available to them and try to find out if they can access all of the company’s information. They’ll let the company know what they find, as well as how they found it and what can be done to fix any issues or to prevent others from being able to gain access to the system.

Why Should Enterprises Look into Ethical Hacking?

Any enterprise can take advantage of ethical hacking to learn about their own vulnerabilities and their chances of someone being able to illegally access their data. In the long run, being better protected from hacking can save enterprises significant amounts of money as well as reduce the chance of their business suffering from issues related to the hacking that could lead to a loss in customers or a loss of trust by their customers.

Ethical hacking gives enterprises the chance to learn about potential issues before something occurs and gives them the chance to do what they can to prevent issues from occurring in the future. It can be very educational by showing exactly what could go wrong if someone were to successfully hack into the company’s network.

How Can Hacking Help Companies?

An ethical hacker will not just find out if there are security vulnerabilities, they’ll figure out how they can be exploited to gain access to confidential information. They’ll then let the enterprise know what they found out and how they were able to get access to the information. From there, the ethical hacker will show the enterprise how to correct the issue and what they can do to prevent issues in the future.

For instance, if the issue that enabled the ethical hacker to gain access to the system was because of passwords being too easy to guess, the enterprise will want to train their employees to use stronger passwords. If phishing was the issue, they’ll want to teach their employees about the possibility of phishing and why they should never give out personal information.

Prizes for Hacking into Google

Today, Google offers multiple Security Reward Programs for ethical hackers to use to gain a reward if they find any vulnerabilities in Google’s products. The VRP (Vulnerability Reward Program) is for any content on google.com, youtube.com and blogger.com as well as the Google Cloud Platform, hardware devices, and more.

With this program, those who find a qualified vulnerability are able to earn a reward. The amount of the award varies from $100 to over $31,000 depending on what is discovered and what can be done by using the vulnerability. For instance, remote code execution vulnerabilities that permit taking over a Google account are eligible for a reward of $31,337.

Google has other rewards programs as well geared toward different parts of their business. Those who want to try their hand at hacking into Google or their products have the ability to receive a significant amount of money if they are successful. Additionally, Google periodically holds contests with higher prizes being offered so there is the chance for ethical hackers to receive a significant reward for their time and effort.

Hacking into Government Data

The Pentagon, as well as the Army and the Air Force, have offered rewards for those who can hack into their data. These contests were designed to determine if there are any vulnerabilities that needed to be addressed as well as to make sure the data is as protected as possible from hackers.

The Army contest was intended to review the recruiting websites. In less than a month, ethical hackers found 118 vulnerabilities that needed to be patched.

Though these contests have ended, they were touted as being incredibly successful. Government data is already well protected, but the contest gave various parts of the government and military the chance to make sure the data is as secure as possible and fix any vulnerabilities they might not have found before the contest occurred.

Other Examples of White-Hat Hacking

Hacking contests and rewards are known as “bug bounties.” Many different high-profile companies have offered rewards to those who can find vulnerabilities in their computer systems or data, helping the companies make sure the data is as secure as possible against any cyber attacks. Enterprises that offer rewards or have offered them in the past include Yahoo, Microsoft, Facebook, and WordPress. They’ve paid out millions of dollars in bug bounties.

Contests and other reward programs for ethical hackers are often incredibly successful and can help significantly boost the security for the enterprise. Even when the enterprise employs security professionals to help protect their data, having outsiders look through everything more carefully can help the company make sure they’re doing as much as possible to prevent a cyber attack or a loss of data due to a breach in their security.

This also helps protect them from new threats as those who are helping an enterprise will be able to find vulnerabilities that may not have existed in the past but that could be a serious issue today.

The Ethical Hacking Community

Currently, there is a large community of people who work on white-hat hacking. Professionals who make this their job and those who just enjoy the challenge all have the chance to attend workshops, classes, and conferences to boost their skills and to learn more about what is changing in the world of security and how they can continue to help protect companies from any issues.

Conferences are held around the world and typically include guest speakers, demonstrations and more that the ethical hacking community might be interested in. One of the top conferences right now is DEF CON, which is held in Las Vegas, Nevada each year. Other conferences include ShmooCon in Washington, DC, Nuit du Hack in Paris, NorthSec in Canada, and ToorCon in San Diego.

These conferences are attended by thousands of people each year, with tickets selling out quickly for many of them. It is common for ethical hackers to attend multiple conferences to ensure they stay as up to date as possible with today’s security issues.

ShmooCon, for instance, has 2200 tickets available each year and sold out in 10.26 seconds in 2017. The conference includes contests, labs, talks by experts in the field, and more each year.

Are Ethical Hackers Certified?

It’s important for enterprises to make sure they are working with an ethical hacker they can trust. Unfortunately, there are people who may claim to be an ethical hacker, but who do not intend on being ethical in the end.

Instead, enterprises will want to look for a properly trained and certified ethical hacker. Certification is not easy to obtain and certified ethical hackers are more likely to be careful with making sure they help the companies they work with and will not end up causing more issues for the company. They understand the laws, how to hack ethically, and how to use what they know to help enterprises improve.

Contact PeopleSec Today

Enterprises that want to work with an ethical hacker they can trust should first look to the team here at PeopleSec. Our team of ethical hackers works with many different enterprises and organizations to help them find and correct security vulnerabilities within their networks. We provide all of the services needed to help businesses be as protected as possible against hacking and other cyber security issues.

The 10 Biggest Cybersecurity Issues That Can Take Down Your Data

Cybersecurity issues are one of the most significant problems facing business owners today. As many as 75% of data breaches are caused by external attackers.

In light of this information, we wanted to bring your attention to ten of the biggest threats facing your cybersecurity tactics. Some of the topics we detail below overlap and often, two or more strategies may be used in an attack.

Knowledge is power. Once you know the threat is out there, you can then take action to protect your business.

Let’s dive on in!

1. Cryptojacking

For those of you who don’t know, cryptojacking became a massive issue towards the end of last year.

If you’ve jumped on the cryptocurrency bandwagon, then you need to make yourself aware of these risks.

Cybercriminals can hack into your computer and use it to mine cryptocurrencies like Bitcoin. Shockingly, the victim doesn’t even need to install anything for this to happen.

Sadly, this concern goes way beyond the theft of cryptocurrency. Attackers who intend on stealing from their victims need vast amounts of computing capacity.

This is necessary to solve the complicated math problems that provide the hacker with the info they need to complete the transaction.

Consequently, there’s a temptation for criminals to compromise other people’s computers. To date, a few public Wi-Fi networks hosted by Starbucks have fallen foul of this. So has a Russian oil pipeline company!

The primary concern is that hackers will continue to breach more and more computer networks. Obviously, this poses a massive risk when it comes to protecting sensitive data.

2. Powershell-Based Attacks

This technique uses a malicious macro embedded in a Microsoft Word document. When the document is opened, the macro runs PowerShell to install an information-stealing Trojan on the victim’s computer.

This kind of script-based attack is incredibly difficult to identify. Unfortunately, they can easily evade antivirus engines, which is one of the reasons why they’ve received a surge in popularity.

The takeaway here is to basically never open a Word doc (or similar) attachment to an email unless it’s an email you are expecting. Even if the email appears to be from a friend or colleague, it could contain a malicious attack because that trusted friend or colleague could have had their email account compromised.

Always double check to stay safe.
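One concrete way to "double check" a Word attachment before opening it is to look for the macro project inside the file. This is an added example written for this page, not code from the original post or from PeopleSec. It relies on one fact about the format: modern Office files are zip archives, and a document that carries VBA macros stores them in a `vbaProject.bin` member. The two sample attachments are constructed in memory; the macro placeholder is not real VBA.

```python
# Added example (not from the original post): flag Office attachments that
# carry a VBA macro project, regardless of the file extension they arrive with.
import io
import zipfile

# Where Word, Excel and PowerPoint OOXML files store their VBA project.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def office_has_macros(data):
    """Return True if the Office file bytes contain a VBA project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Not an OOXML container; legacy binary .doc files need a different parser.
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return any(member in names for member in MACRO_MEMBERS)


def make_sample_docx(with_macro):
    """Constructed sample: a minimal OOXML archive, optionally with a macro member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


def triage_attachments(attachments):
    """attachments: dict of filename -> bytes. Return the names a mail gateway should hold."""
    return sorted(name for name, data in attachments.items() if office_has_macros(data))


if __name__ == "__main__":
    inbox = {  # constructed attachments
        "report.docx": make_sample_docx(with_macro=False),
        "invoice.docm": make_sample_docx(with_macro=True),
        "notes.txt": b"plain text, not an archive",
    }
    print("hold for review:", triage_attachments(inbox))
```

The check ignores the extension on purpose: renaming a macro-enabled file does not remove the `vbaProject.bin` member, so the container is what to inspect, not the name.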

3. Targeting Security Software

This year we’ve seen more cybercriminals aiming for security software than ever before.

Hackers can take control of devices (phones, tablets, computers) and manipulate their users to suit their own ends. They typically target security products such as antivirus software, because compromising those products lets them intercept and redirect cloud traffic and steal valuable data.

This is often very difficult to detect, so be sure to only install software on your device if it comes from a trusted source (i.e. an app store, your company’s IT department, etc.).

4. Malware

There is a growing concern that hackers will learn how to utilize malware to attack a large number of victims very quickly, even more so than they have already.

Self-spreading malware (worms) enables the attacker to infect a lot of computers very quickly, which poses a serious concern that needs monitoring.

There are many things attackers can achieve via this method, namely, infiltrating an organization through spear phishing and stealing confidential information.

On the other hand, attackers have taken great pleasure in destroying data to make a public statement. The damage this can do to your business’s reputation is insurmountable.

Furthermore, one type of malware, the remote access Trojan (RAT), is often used by hackers to infect computers and lie low inside an organization’s systems.

The attacker(s) will then take bids from people who want to receive the information they can retrieve from your computer.

This raises a significant challenge because this kind of malware is designed to go undetected, which is why it’s crucial you harness technology like EDR (endpoint detection and response) to protect your data. This can help you spot the potential danger and allow you to take the necessary steps to flush it out of your systems.

5. Ransomware in the Cloud

Over the last few years, we’ve seen a whole host of ransomware attacks. Some of the more famous ones include:

  • Britain’s National Health Service
  • San Francisco’s light-rail network
  • FedEx

It’s shocking that in this day and age, organizations as large as the ones listed above aren’t even safe from these kinds of attacks.

Ransomware is a relatively simple form of malware. It gets past a computer’s defenses and encrypts the files it finds with strong encryption. The malware then locks down your system so no one can access the data across the network.

The thief will only allow the data to be released if a hefty ransom payment is made. Depending on the thief, payment of ransom may or may not actually cause the data to be released. Sadly, a lot of sensitive data isn’t backed up, and so the victims feel as though they have no choice but to pay to get it back.

6. Physical Attacks

It’s become increasingly popular for hackers to attack physical structures such as electrical grids and transportation systems.

Some of these attacks are designed to cause immediate damage and malicious destruction.

Alternatively, (just like the other cyberattacks discussed in this article), the attack will utilize ransomware that hijacks these systems and temporarily shuts them down.

The attacker then threatens the institutions by promising to cause chaos unless the digital ransom is paid, at which point the hacker promises to give control back to the original owner.

This is particularly dangerous when applied to the transportation sector (like shipping, airplanes, cargo, etc). The implications for physical safety as well as data protection are unthinkable.

7. Targeting Point of Sale Systems

Don’t overlook the danger your point of sales systems could be facing. These are no longer isolated systems, as today’s POS is often part of a more extensive network that is typically connected to the internet.

Cloud-based POS systems are also vulnerable to hackers, especially if merchants use either a smartphone app or a laptop-based system to process transactions on the move.

Therefore, business owners are advised to use point of sales solutions that focus on security and protection.

Also, if you’re implementing a system like this, we suggest consulting with a professional who can analyze the extent of your risk and advise you accordingly.

8. Threats From the Inside

Insider threats (from individuals within an organization) have become increasingly prevalent. There’s never been a greater need to balance privacy alongside compliance practices.

This issue will continue to be a problem especially as information storage systems proceed to develop in their sophistication and complexity.

Therefore, you need to keep a tight rein on access levels for employees who can access particular pieces of data. This is one of the easiest ways of minimizing threats from the inside.

In addition to this, we also suggest educating your employees on the importance of password and data security.

An emphasis on teaching them how to recognize common attack methods should be given. That way it’s less likely your business will fall foul to the deception of cybercriminals within your organization.

9. IoT Attacks

The Internet of Things (the network of various devices in your home or office that all have connectivity to the Internet) has numerous benefits including increased connectivity, automation, and the collection of data. Needless to say, these features are great for business.

However, as with any system that involves the internet, you need to ensure you’re not exposing yourself to harmful cyber threats that could destroy your business.

If this is a system your company is utilizing, then we suggest analyzing your existing security policies, and implementing more effective methods that take the risk of IoT devices into account.

10. Phishing Schemes

Phishing schemes have been around for quite a while and the danger they pose to both personal and business computers can be problematic. Unfortunately, hackers have become increasingly apt at tricking victims into visiting fake websites that look legitimate.

The victim will then unknowingly fill out a form with their username and password, attempting to log in to their real account, but instead sending the attacker their username and password.

To prevent this from happening to you, always pay very close attention to the links you click on. If you have a bad feeling about it, don’t risk it. It’s better to be safe than sorry.

Try doing a Google search and see if anyone else has reported a similar scam. It’s always best to visit a website (like PayPal.com, for instance) by typing the address directly into your browser so you know you are at a legitimate website.

However, if you think you’ve accidentally clicked on a dodgy link or given away your personal information, change all of your passwords, immediately. This could potentially reduce the damage done.
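The "pay close attention to the links you click" advice, written as a check a mail filter or browser add-on could run before a link is followed. This is an added example written for this page, not code from the original post or from PeopleSec. The allowlist of expected sites is constructed (paypal.com is the one the post names; `yourbank.example` is a placeholder), and the lookalike test uses the standard-library `difflib` similarity as a simple stand-in for a real confusable-domain check.

```python
# Added example (not from the original post): decide whether a link really
# points at a site you expect, or at something dressed up to look like it.
import difflib
from urllib.parse import urlsplit

# Constructed allowlist of sites the user genuinely logs in to.
EXPECTED_SITES = ("paypal.com", "yourbank.example")


def registrable_domain(host):
    """Last two labels of the host. Good enough for .com/.example; a real
    implementation would use the public suffix list (co.uk and friends)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def link_verdict(url):
    """Return 'ok: <site>', 'warn: ...' or 'blocked: ...' for a link target."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked: not a web link"
    if parts.username is not None:
        # https://trusted-name@real-host/ shows the trusted name first in the
        # address but connects to real-host; treat it as hostile.
        return "blocked: credentials in URL disguise the real host"
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https":
        return "warn: not https"
    for site in EXPECTED_SITES:
        if host == site or host.endswith("." + site):
            return "ok: " + site
    # Not an expected site: is its registrable domain a near miss of one?
    candidate = registrable_domain(host)
    for site in EXPECTED_SITES:
        if difflib.SequenceMatcher(None, candidate, site).ratio() >= 0.8:
            return "warn: looks like " + site
    return "warn: unknown host " + host


if __name__ == "__main__":
    for link in (  # constructed sample links
        "https://www.paypal.com/signin",
        "http://www.paypal.com/signin",
        "https://www.paypal.com.account-verify.example/login",
        "https://www.paypa1.com/login",
        "https://paypal.com@evil.example/",
    ):
        print(f"{link:55} -> {link_verdict(link)}")
```

The third sample shows why "the trusted name appears in the address" is not enough: the part that decides where the browser connects is the registrable domain at the end of the host, not the words at the front. Typing the address yourself, as the post recommends, sidesteps all of these tricks.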

More From the PeopleSec Blog

If you found this article on cybersecurity issues interesting, then we’re confident you’ll love the other advice published on our blog, where we discuss everything from cybersecurity risk assessment to protecting your company from phishing.

Or, if you have any questions about this subject, please feel free to reach out and contact us to see how we can help you.

5 Steps to Perform a Cyber Security Risk Assessment on Your Network

The first part of any cyber security audit is to assess risk. Risk is anything that could damage infrastructure, cost money from lost revenue, or threaten intellectual secrets. If you’re a small business owner and need to improvise, here are the steps to perform your own cursory review.

 

  1. Review Your Network Resources

Before you can start assessing risk, you need to review network resources. One mistake many business owners make is to audit only the resources they think could be a risk. Assess everything connected to your network; the bad guys certainly will!

For instance, printer memory can be used to store hidden malware, or the files employees scan and print, which the printer stores, could be stolen by a clever hacker. Printers are normally considered benign resources, but they can be used in an attack.

Always document every resource, even if you think it carries no risk. Remember to include even the most innocent resources, such as printers, IoT devices, internal hubs and routers, and unused desktops.

  2. Identify Possible Threats

This part of the assessment should really be done by a professional, but it is still possible to do a cursory review of your resources. For instance, you know that malware often infects individual desktops, so they pose a threat to your security.

The hard part of this step is properly identifying risk. Using the printer example, you might not realize that printer firmware must be upgraded to defend against attacks. In addition to being a possible source of document leaks, printers can also be used in DDoS attacks (http://www.securityweek.com/printer-vulnerabilities-expose-organizations-attacks). To understand which resources pose a risk, you need to understand cyber security.

If you have a limited understanding of cyber security, you can still do a high-level risk assessment. Just remember that even the simplest network component can pose a threat if it has an IP address on the network, stores any sensitive data, and/or allows users to access it over the network.

  3. Rate Each Risk and Impact

Not every risk is a high priority. In this step, you rate each risk as low, medium or high. This helps you prioritize where to focus most of your effort initially; you then work down your list to the medium- and low-risk resources.

Perimeter routers are high risk unless patched with the latest firmware and properly configured. A router with outdated firmware would be a high-risk, high-impact resource that should be a priority.

Low-risk items are resources whose compromise has little impact. Documents containing information already available to the public might be low risk. A drive holding only such documents would be low risk and low impact should it be compromised, so you would rate it low on the priority list.

  4. Analyze Your Protection

Most organizations know cyber security is necessary, so you probably have some protection in place, such as firewalls and antivirus software installed on desktops. This step also takes a professional, because you might think you have protection in place, but a competent hacker will still get through. That is why PeopleSec guarantees our services.

Analyze any cyber security protection in place, because it reduces risk. This step might change your priorities, because a high-priority item may already have the best protection. That resource would then be a lower priority.

  5. Calculate Your Risk

Identify all resources an adversary could utilize. When you are doing a cursory review to qualify risk, you will not have a number to work with but rather an overall outlook on risk versus impact. Follow these steps, and you will have started a basic risk assessment.

After you finish these steps, you should have an overall outlook on what type of cyber security your business needs. A professional will still want to go through your resources and do their own risk assessment. Performing audits gives you a gauge of just how much of a target your network could be for an attacker.
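The five steps above as a small risk register you can fill in from your own inventory. This is an added example written for this page, not code from the original post or from PeopleSec. The resources, their ratings and the rule that each existing control lowers likelihood by one level are constructed; the scoring scheme (likelihood times impact on a low/medium/high scale) is a common qualitative convention, not something the post prescribes.

```python
# Added example (not from the original post): a qualitative risk register.
# Step 1: list every resource.   Step 3: rate likelihood and impact.
# Step 4: credit existing controls.   Step 5: score and sort into a priority list.
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Resource:
    name: str
    likelihood: str                  # "low" / "medium" / "high" (step 3)
    impact: str                      # "low" / "medium" / "high" (step 3)
    controls: list = field(default_factory=list)   # protection already in place (step 4)


def residual_likelihood(res):
    """Step 4, constructed rule: each control in place lowers likelihood one
    level, but never below 'low' (a control reduces risk, it does not erase it)."""
    score = LEVEL[res.likelihood] - len(res.controls)
    return max(score, LEVEL["low"])


def risk_score(res):
    """Step 5: residual likelihood x impact, on a 1..9 scale."""
    return residual_likelihood(res) * LEVEL[res.impact]


def prioritize(resources):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(resources, key=lambda r: (-risk_score(r), r.name))


# Step 1: constructed inventory, including the "innocent" items the post says not to skip.
SAMPLE = [
    Resource("perimeter router (outdated firmware)", "high", "high"),
    Resource("desktop fleet", "high", "medium", ["antivirus", "EDR"]),
    Resource("network printer", "medium", "medium"),
    Resource("public marketing file share", "medium", "low"),
]


if __name__ == "__main__":
    for res in prioritize(SAMPLE):
        print(f"{risk_score(res)}  {res.name}  (likelihood {res.likelihood} -> "
              f"{residual_likelihood(res)}, impact {res.impact}, controls {res.controls})")
```

Running it puts the unpatched router first and the already-protected desktops near the bottom, which is the effect step 4 describes: good existing protection can move a high-priority item down the list without removing it.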

 

Information Security Awareness Tips from a Newborn

While the linked post may be stretching a correlation, the points are accurate and entertaining, and what Information Security loving expert doesn’t want to buy that onesie. PeopleSec is in full agreement with the top tip, that putting in only 45 minutes a year is bad: a single 45-minute training a year is not good practice.

Phishing with emotion and stress results in bad choices

Recently on one of my personal sites, I received the below phishing attempt:

[Image: the phishing email]

I see a ton of phishing examples as part of PeopleSec’s Security Awareness Training and Education (SATE) program. It is not often that a phish in the wild catches my eye and looks like anything other than spam. This email is an excellent example: it induces stress, which provokes an emotional reaction, and that reaction drives the response.

“Emotions can cloud our judgment and influence our decisions when triggered by the [stressful] situation at hand,” as the Harvard Business Review states (https://hbr.org/2015/05/dont-let-emotions-screw-up-your-decisions).

Emotional responses are at the core of successful social engineering and phishing attacks.  As an aside, the success of emotional responses is why we use so many of them in PeopleSec’s SATE program.

In summary, it is hard to keep emotions in check, and they cloud your ability to think.  So when you are stressed and emotional, Think Before You Click.

The secret sauce for IT to Manage Risk – You would never guess it!

Over the last thirty years, the prevailing belief has been that process, technology and technique manage risk. While it is true that processes and engineering and technology controls play a significant role in our risk strategy, it is ultimately people who manage risk. The dilemma is that people are very complicated: we don’t always act logically, and we can’t simply be poked once to produce the desired outcome. We have all sorts of quirks that persist in our heads and gut responses, and when presented with uncertainty these cause us to act or behave differently. Sometimes it is just raw emotion that drives our actions, choices, and responses; road rage, for example, is compliant and safe on paper but a major risk to others in the moment. If we do not factor people into our risk models, the result will be a very ineffective process.

So how do we get our people to manage risk more effectively?

Well, it all starts with first educating the individual and group to recognize and understand the risks that they come across – overcoming risk blindness. From here there is an opportunity to shape their attitude towards those risks, which in turn affects behavior; and behavior shapes the risk culture of the organization.

The industry that best illustrates risk management through people, in my opinion, is health and safety, and in particular the construction industry (mainly because failure there is tangible and visible). Companies with a strong risk posture operate with regular safety orientations, safety training, daily hazard assessments, incident reports, near miss reports, daily safety toolbox or team meetings, safety meetings, safety audits, and so on. The purpose behind the frequency and repetitiveness of this process is to help the individual and group identify, assess, and manage the risks they see, or in other words, take ownership of the risks they encounter. The successful companies (which can be large or small) are those that strategically use the near miss reports: reports of an incident that did not cause damage or injury but could have.

Individualized Reports

These reports tell a story and allow for a tailored discussion with individuals and groups to address the frequency of near misses and the flawed thought process leading into them. Now, some companies in the construction industry will argue that they have all those meetings and forms and still have a weak risk posture. The problem is that they are going through the motions of safety compliance but have failed to reach the individual.

Full disclosure: while I think this industry is a leader in risk management, it is also rife with bureaucracy. The system can get caught up in the process of compliance, creating a false sense of security and losing the spirit of the main objective, keeping people safe. Again, it is people who manage the risk, not the process.

The notion of people managing risk should not be a surprise in the IT world, as many technologists are employed just to manage the aftermath of end users’ actions, despite the technology solutions in play.

We need to do a better job of seeing and understanding where people are coming from: the psychology of human thinking and, more importantly, how bias plays a role in risk assessment. This will make our processes far more effective, and yes, keep our IT people sane.

Password security tips to keep you safe online

Do NOT use the same password for everything; this drastically reduces password security

It’s a bad idea. If that password is disclosed, the “bad guy” would have the keys to all your information. Furthermore, if that password is used to access your email address, all your other account passwords may be reset using the “Forgot My Password” link. Not using the same password for everything is the first step in password security.

Make your password long

Use a minimum of eight characters; the longer the better. Passwords shorter than 8 characters are easy to crack.

We commonly hear two rules for secure passwords:

  • Avoid common words or proper names
  • Use both uppercase and lowercase letters, numbers, symbols, and spaces

But who can remember 8UI1%@.e8aww ?

Try using a password phrase, the more ridiculous the better! Something like “There are 5 kangaroos jumping on the moon.” This phrase is 42 characters long, follows all the rules, is in plain English, and is very easy to remember. The odds this password would be cracked, even with a supercomputer, are astronomical. Make sure your password phrase is original and not a famous or familiar quote. Again, the more nonsensical and ridiculous the better!
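
To put numbers behind "astronomical", here is an added Python example (not from the original post) that checks a password against the rules above and sizes the brute-force search space for the two examples in the text. The 95-character alphabet, the guess rate of one trillion per second and the tiny quote list are assumptions made for illustration.

```python
import math
import string

# Printable ASCII including space: the alphabet the tips ask you to draw from.
ALPHABET_SIZE = 95

# Constructed, deliberately tiny list of familiar quotes; a real check would
# use a much larger phrase list.
FAMILIAR_QUOTES = {
    "to be or not to be that is the question",
    "may the force be with you",
}


def rule_violations(password: str) -> list:
    """Return which of the tips above the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    has_classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c == " " or c in string.punctuation for c in password),
    )
    if not all(has_classes):
        problems.append("missing a character class (upper, lower, digit, symbol or space)")
    words = "".join(c.lower() if c.isalnum() else " " for c in password).split()
    if " ".join(words) in FAMILIAR_QUOTES:
        problems.append("is a familiar quote")
    return problems


def search_space_bits(password: str) -> float:
    """log2 of the number of strings of this length over the 95-char alphabet."""
    return len(password) * math.log2(ALPHABET_SIZE)


def years_to_exhaust(password: str, guesses_per_second: float = 1e12) -> float:
    """Years to try every string of this length at the assumed guess rate. This is
    the brute-force upper bound: a phrase built from a known quote falls to a far
    cheaper guess, which is why the tip insists the phrase be original."""
    seconds = ALPHABET_SIZE ** len(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("8UI1%@.e8aww", "There are 5 kangaroos jumping on the moon."):
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits, "
              f"{years_to_exhaust(pw):.3g} years, violations={rule_violations(pw)}")
```

The 12-character password comes out at roughly 79 bits (on the order of ten thousand years at the assumed rate), the 42-character phrase at roughly 276 bits.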

Use a password protected screen saver

Desktop and laptop computers should be “locked” any time you step away. A Windows system is “locked” by setting a password protected screen saver then turning it on. To do this, right click anywhere on your desktop and go to the option “Properties”; select the “Screen Saver” tab; and check the box “On resume, password protect”.

Change your password on a schedule

Passwords are like food; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you’ll need to change it. A good standard is if you use an 8-character password, you should change it about every six months. If you use a 9-character or longer password and follow the rules in Tip #2 it will stay fresh for a whole year. Can’t remember the last time you changed your password? Then it’s time to change it.

Bonus Tip: Think about using a password manager

Password managers, if used correctly, can simplify and secure your online presence with ease. One service I am a fan of is LastPass, though there are tons of other options available, both mobile and desktop based. A good password manager will remove the need to both create passwords and remember them. In addition, a password manager like LastPass will hold all your passwords securely and protect them with a password and two-factor authentication (be sure to enable two-factor). For this reason, if you are a person who has struggled with password security for a long time, I highly recommend installing a password manager.