Search Results

87 results found

Blog Posts (1)

  • The Future of Employee Security Awareness Behaviour and Culture Change for Enterprise Organisations

    This is the first in a series of blog posts showing how changing your security culture reduces human risk and gets employees to engage properly with your security awareness programme. When employees report more, you gain the data to take the spear phishing, business email compromise and ransomware attempts they receive every day and replay them as simulations against colleagues who face similar risks across the business. Applying machine learning within a positive, gamified security culture lets you automate short, timely training on the types of attack each employee is most likely to face, and the results are far better than those of traditional security awareness training.

Here are the three main challenges that come up with clients every day and that get in the way of a strong security culture.

1. 70% of organisations that run security awareness training have still had an incident caused by employee security behaviour. Awareness training alone is not reducing risk effectively enough. To raise knowledge retention and deliver just-in-time training based on real threats, we use adaptive continuous algorithms that adjust the flow of learning to each learner's current level of knowledge.

2. Social engineering attacks such as phishing are not reported by employees. Gamification and employee-focused techniques raise reporting rates: employees earn points when they report a threat, and they can compare their progress with colleagues on a leaderboard.

3. Employees still click on phishing emails in organisations that believe they have a good security culture. How do you prove that you have minimised risk?

The industry is flooded with pop-up awareness training providers who use the terms "awareness", "behaviour" and "culture" almost interchangeably. Setting the marketing aside, what do these terms mean to an organisation that wants to reduce cyber security risk?

Security awareness simply means: does an employee know how to behave securely? Raising awareness does not guarantee an improvement in behaviour or a reduction in risk. Security behaviour is how people actually behave in real situations (for example, do they set strong passwords?). It is shaped by awareness, capability, attitude, cognitive process and social norms, and measuring it gives a good measure of risk for the behaviours you already know about. Ira Winkler, RSA keynote speaker, explains the science behind behavioural change in his white paper.

Awareness training alone is not reducing risk effectively enough. Learning today is about "learning flow" rather than "instruction": bringing learning and knowledge retention to people throughout their digital working day. A major challenge for clients is how to get employees to complete cyber training and retain it, in amongst their daily routine and constant digital distraction. Raising awareness and changing behaviour are not enough on their own. It is about security flows: changing the security culture and minimising risk to employees and the business by basing the training each employee receives on their job role, function and geography, so that it disrupts their working day as little as possible.

Organisations are now working on the best methods to:

- take information on the typical attacks relevant to each job role and provide just-in-time training to the employees in that role;
- explain to business stakeholders how attacks captured in the wild can be turned into automated phishing simulations pitched at each employee's level of expertise;
- use machine learning to automate the learning process in a positive way;
- apply the science behind that automation and improve the programme with adaptive continuous algorithms, so that the flows above run on autopilot according to each user's level of knowledge. A solution with adaptive continuous algorithms adds value to existing manual processes and provides just-in-time training to minimise risk.

“There is no such thing as memorizing. We can think, we can repeat, we can recall and we can imagine, but we aren’t built to memorize. Rather our brains are designed to think and automatically hold onto what’s important. While running away from our friendly neighbourhood tiger, we don’t think “You need to remember this! Tigers are bad! Don’t forget! They’re bad!” We simply run away, and our brain remembers for us.” (Gabriel Wyner, Fluent Forever: How to Learn Any Language and Never Forget It)

Enterprises spend large amounts of time and money on information security training and awareness to drive positive outcomes: better threat responses, reduced risky behaviour and increased regulatory compliance. Yet the metrics and reporting on whether these activities actually succeed are often lacking, especially when compared with the level of detail that goes into most other security reporting. The goal should not be to satisfy a "check-the-box" mentality but to bring about positive behavioural change within the organisation, as set out in our recent document, A manifesto for changing the way we think about Security Awareness & Traditional Learning Development Programs.

Security awareness campaigns under-perform for many reasons, including:

- lack of effective messaging: lacklustre content that fails to achieve the desired outcome;
- lack of engagement: failure to engage the user, or to communicate the importance of good cyber hygiene and its impact on the enterprise;
- campaign design: inapplicable or mis-targeted campaigns, or content packed so densely into a communication channel that the audience stops listening. Losing the audience is not acceptable in a security awareness context, and the individuals who do not progress from one stage to the next represent a potential source of unaddressed risk for the enterprise.

Security awareness professionals face growing forces of change. New technologies and the emergence of artificial intelligence have major implications for how security awareness managers serve their stakeholders and internal clients. Pressure from leadership to deliver tangible value demands new and more effective solutions. Digital transformation is at the top of everyone's agenda and is occupying security awareness minds and resources. There is no option to stand still. Are you positioned to fulfil your role as an agent of continuous improvement across your organisation?

Despite the intention to extend formal learning solutions, security awareness today also needs to embrace automated security learning flows, in order to adapt to a fast-moving environment where learning and working are increasingly intertwined, and where learning from working is as important as, if not more important than, learning to work. Our plans therefore focus on:

- learning at the point of work: just-in-time learning that gives employees practical solutions to the situations they face in the moment (we call this security awareness learning flows);
- adaptive learning: using algorithms to orchestrate interaction with the learner and deliver customised resources and learning activities that address the unique needs of each learner;
- adaptive control algorithms: combining micro-learning, adaptive learning and artificial intelligence.

On-the-job learning does more for workers' human capital development and knowledge retention than formal training. This work also highlights the importance of keeping workers' skills up to date through informal learning in the workplace when skill demands change frequently because of technological and organisational innovation. For security awareness to remain relevant, we need to develop new, business-focused and technology-enabled ways of supporting workers to deliver business results. That means exploiting new ways of working, new technologies and machine intelligence.

The increasing "granularisation" of formal learning has been an extension of e-learning over the past 20 years. Although it has made access to learning content marginally easier, it fails to address a fundamental issue: e-learning and "micro-learning" remain formal learning approaches, as do higher-bandwidth video-based systems and rich-media learning solutions. They do not exploit the full potential of technology to deliver business results. To do that, security awareness needs to embrace knowledge retention through security flows and learning from working. Most of our learning comes from our working experiences and requires constant exposure to new situations, practice, the opportunity to interact with others and, most importantly, time to reflect. Learning can therefore occur anywhere and at any time, and often where we least expect it.

Today's security awareness departments need to focus on supporting action and output, not on delivering information. That is a challenge for many security awareness professionals whose careers have been spent designing, developing and delivering content to be "consumed" by internal or external clients. Over the past 50 years, L&D professionals have mainly produced content-rich, experience-poor solutions. Yet learning is all about retention. We are not taught how to learn in school; we are taught how to pass tests. The spacing effect is a far more effective way to learn and retain information, because it works with our brain instead of against it.

“How do you remember better? Repeated exposure to information in specifically timed intervals provides the most powerful way to fix memory into the brain. …Deliberately re-expose yourself to the information more elaborately, and in fixed, spaced intervals, if you want the retrieval to be the most vivid it can be. Learning occurs best when new information is incorporated gradually into the memory store rather than when it is jammed in all at once.” (John Medina, Brain Rules)
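The "fixed, spaced intervals" in the quotation, together with the adaptive, just-in-time flow the post describes earlier, can be sketched as a scheduler. The block below is an added illustration, not code from this post or from Stanford's product. It assumes a Leitner-style box model: each employee-and-topic pair sits in a box, each box has an assumed review gap (1, 3, 7, 14 or 30 days), reporting a simulated attack promotes the pair, clicking one demotes it back to daily review, reports earn an assumed 10 points for the leaderboard, and a live attack of a given type seen in the organisation pulls that topic forward to today. Topic names and dates are constructed.

```python
"""Spaced, adaptive scheduling of security micro-lessons (added illustration).

Assumed model: Leitner boxes with fixed review gaps per box; promotion on a
reported simulation, demotion on a clicked one, and a just-in-time hook that
pulls a topic forward when a real attack of that type is seen.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Review gap in days for boxes 0..4. Assumed values: the gap lengthens each
# time the learner shows the topic has been retained.
INTERVALS = (1, 3, 7, 14, 30)
POINTS_FOR_REPORT = 10  # assumed gamification reward for reporting a threat


@dataclass
class Learner:
    name: str
    box: Dict[str, int] = field(default_factory=dict)   # topic -> box index
    due: Dict[str, date] = field(default_factory=dict)  # topic -> next review
    points: int = 0


def enrol(learner: Learner, topics: List[str], today: date) -> None:
    """Start every topic in box 0, due immediately."""
    for topic in topics:
        learner.box[topic] = 0
        learner.due[topic] = today


def record_outcome(learner: Learner, topic: str, outcome: str, today: date) -> date:
    """Update the schedule after a simulated attack; return the next due date.

    'reported': promote one box and award points.
    'ignored' : keep the box, repeat at the same interval.
    'clicked' : demote to box 0 so the topic comes back tomorrow.
    """
    box = learner.box.get(topic, 0)
    if outcome == "reported":
        box = min(box + 1, len(INTERVALS) - 1)
        learner.points += POINTS_FOR_REPORT
    elif outcome == "clicked":
        box = 0
    elif outcome != "ignored":
        raise ValueError(f"unknown outcome {outcome!r}")
    learner.box[topic] = box
    learner.due[topic] = today + timedelta(days=INTERVALS[box])
    return learner.due[topic]


def real_threat_seen(learner: Learner, topic: str, today: date) -> None:
    """A colleague reported a live attack of this type: bring the topic
    forward so the learner is refreshed now, whatever box it is in."""
    if topic in learner.box:
        learner.due[topic] = today


def due_topics(learner: Learner, today: date) -> List[str]:
    """Topics whose review date has arrived, in a stable order."""
    return sorted(t for t, d in learner.due.items() if d <= today)


def daily_queue(learners: List[Learner], today: date) -> List[Tuple[str, str]]:
    """(employee, topic) pairs to simulate today across the whole programme."""
    return [(l.name, t) for l in learners for t in due_topics(l, today)]


def leaderboard(learners: List[Learner]) -> List[Tuple[str, int]]:
    """Highest points first; ties broken by name."""
    return sorted(((l.name, l.points) for l in learners), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    day = date(2024, 1, 1)  # constructed dates
    alice, bob = Learner("alice"), Learner("bob")
    for learner in (alice, bob):
        enrol(learner, ["spear_phishing", "bec"], day)
    record_outcome(alice, "spear_phishing", "reported", day)  # next review in 3 days
    record_outcome(bob, "spear_phishing", "clicked", day)     # back tomorrow
    day += timedelta(days=1)
    print(daily_queue([alice, bob], day))
    print(leaderboard([alice, bob]))
```

The interval table is where the spacing lives, the reported/clicked rules are what make it adaptive, and `real_threat_seen` is the just-in-time hook; a production scheduler would persist this state and draw its topics from the organisation's own reported-attack data rather than the constructed names here.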


Pages (34)

  • Stanford Human Risk and Resilience Security Awareness Training

    Stanford Human Risk and Resilience is a vendor-independent specialist in next-generation Security Awareness Training (Human Risk), Data Resilience Services and Business Continuity for small and medium businesses (SMB) and enterprise organisations globally.

Stanford has developed a cyber security service model over the years, delivering high-value and accurate Human and Data Risk Assessments and Incident Response frameworks. It is a consultancy-led approach, summarised by the philosophy of "listen, understand, and deliver". Stanford's client strategy is to build strong, trusted client relationships by demonstrating technical capability and effective management communication. Stanford's business model is to provide a full range of cyber security solutions to meet each client's needs, covering Cyber Awareness, Cyber Engagement and Resilience, from testing and incident response through to outsourcing and certifications. Stanford's focus is on delivering risk assessments that identify, estimate and prioritise risk to organisational operations (mission, functions, image and reputation), organisational assets, individuals, other organisations and the nation, arising from the operation and use of information systems.

Stanford Assessments

Data Risk Assessment: If your to-do list is as long as your arm, you definitely don't have time for a breach. Stanford eliminates the threats traditional products are blind to, without giving you another product to babysit. Our risk assessment will show you how Stanford can make your data more secure.

Security Awareness Engagement: We help our customers improve user awareness of cyber security threats and reduce the likelihood that they will be impacted by ransomware, financial fraud and data breaches. Our customer experience is world class, hands on and delivered by innovative and great people.

Cyber Security Resilience: We specialise in 24/7/365 security breach detection and artificial intelligence (AI). As a cyber security partner able to help with all aspects of your information and cyber security requirements, we have helped clients in over twenty countries recover from incidents, enhance their cyber security and gain a range of information and cyber security certifications. A wide range of free publications written by our consultants and technical experts is available in our resource library, and a free risk assessment can be requested through the site.

Incident Response: If you have been, or suspect that you have been, the victim of a security breach, Stanford's 24/7 Incident Response service can provide rapid on-site support. Whether you are new to Stanford, an existing client, or have a guaranteed response retainer in place, you can call +44 (0) 203 488 6424 now and speak to one of our experienced Security Engineers.

Who Needs Human Risk and Resilience? Individuals and Families; Cyber Security Professionals; Large Organisations; Self Employed and Sole Traders; SMB Organisations; Public Sector.

Store (please speak to one of our cyber associates before ordering a Risk Assessment):

- Data Risk Assessment for Enterprise: regular price £5,000.00, sale price £500.00
- Incident Response Retainer (Gold): regular price £8,000.00, sale price £4,000.00
- Data Risk Assessment for SMB: regular price £2,500.00, sale price £250.00
- Human Risk Assessment for SMB: regular price £2,500.00, sale price £250.00

Contact: 27 Old Gloucester Street, London, WC1N 3AX, UK. Tel: +44 (0) 203 488 6424. Stanford also publishes a podcast.

  • Events

    Upcoming Events

    - Wed 20 Jan: Cyber Security: How to Establish a Cyber Security Team (webinar)
    - Wed 20 Jan: Cyber Security: Critical Lessons from 2020 (webinar)
    - Thu 21 Jan: Cyber Security: SIEM vs SOAR - The Importance of Breach Detection (webinar)

  • Extended Detection and Response

    Extended Detection and Response (XDR) is "a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components." XDR enables an enterprise to go beyond typical detective controls by providing a holistic, yet simpler, view of threats across the entire technology landscape, and delivers the real-time information needed to address threats to business operations for better, faster outcomes.

The primary advantages of XDR are:

- improved protection, detection and response capabilities;
- improved productivity of operational security personnel;
- lower total cost of ownership for effective detection of, and response to, security threats.

XDR holds the promise of consolidating multiple products into a cohesive, unified security incident detection and response platform. It is a logical evolution of endpoint detection and response (EDR) solutions into a primary incident response tool.

Cyber Insurance 2.0

Cyber insurance is a risk transfer mechanism and an important part of an effective cyber strategy. Organisations insure against other hazards such as flood, fire and hurricane, but rarely treat cyber insurance as equally important. In general, cyber insurance pays for business interruption, data exfiltration and regulatory costs. Today, most brokers and carriers build their cyber risk algorithms from loss events and industry metrics to decide how much cover to sell and at what price. That does not align with the way claims are actually paid out, and the metrics are not dynamic enough: cyber risk changes rapidly, so looking only at historical data is of limited use, remediating incidents does not change your rated posture, and criminals are exploiting insurance payouts.

Risk-Adjusted Pricing: We continuously assess your cyber security posture and share the analysed data with the insurance company. A supervised formula is then used to discount your premium based on good cyber stewardship. The assessment covers your inherent risk score, residual risk score, cyber budgeting, vendor cyber risk, IoT/OT cyber risk and AI/ML cyber risk.

Cyber Risk Management: Each organisation has a different level of cyber maturity, which we take into account based on its resources, the skills needed and its depth of experience in cyber management. We classify companies into five levels:

- Level 1: unaware
- Level 2: tactical
- Level 3: focused
- Level 4: strategic
- Level 5: pervasive

Managed Detection and Response

Our focus is on improving your current cyber security posture and maturity level in incident detection and response. Many organisations concentrate solely on preventative measures. Prevention remains the first choice (our motto is "prevention is better than cure"), but organisations need to balance defensive measures with investment in a security team that can perform detection and response: the quicker you can detect, react to and remediate a threat, the more you reduce the damage it can cause. With our partner Armored Pangolin Security we take a three-pronged approach built on people, technology and process.

Endpoint Telemetry: Reaqta analyses your endpoint telemetry using our cloud-based detection engine, composed of thousands of behavioural analytic use cases.

Facilitates Compliance: A proactive approach to threat detection is now required to achieve compliance with the latest regulations and standards. With ThreatDetect, you can quickly raise your organisation's cyber security capabilities to the level needed to help meet the requirements of the GDPR, the NIS Directive, PCI DSS, ISO 27001 and more.

Evolving Detection: Our team of experts maintains industry-leading detection coverage for attacker techniques and investigates every potential threat through our proprietary analyst workbench.

Your SOC Ally: Armored Pangolin's Security Operations Centre experts manage and monitor all the security technologies included in our toolset. By investigating and triaging every alert they generate, our analysts ensure that your in-house team is not burdened with around-the-clock threat detection.

Investigation & Automation: We only alert you to confirmed threats. A detailed threat report is posted to your SOC portal, where you can customise automated response actions.

Cyber-Insurance Integration: Full audit trail and claim integration with our cyber insurance provider. The claim process is automated to capture all the forensic evidence the insurer needs to assess the cost of the incident, which means faster payouts and faster remediation.
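The XDR definition above and the "we only alert you to confirmed threats" promise are both abstract. The block below is an added example, not code from this page, from Armored Pangolin or from Reaqta. It shows the core of what "natively integrates multiple security products" buys you: events from an email gateway, an endpoint agent and an identity provider are normalised to one schema, pivoted on the user, clustered in a time window and scored, and a cluster is promoted to a confirmed incident only when independent sources agree. The sample events, evidence weights, the 15-minute window, the confirmation threshold and the playbook mapping in `response_actions` are all constructed or assumed for the illustration.

```python
"""Cross-product correlation of the kind an XDR layer performs (added example).

Three products that would each raise only a low-confidence signal on their own
are correlated on the user within a time window. Event data, weights, window
and threshold are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Evidence weight per (source, event type). Assumed values: an Office process
# spawning a shell is far stronger evidence than a single link click.
WEIGHTS = {
    ("email", "link_click"): 1,
    ("endpoint", "office_spawns_shell"): 3,
    ("identity", "new_device_signin"): 2,
}
WINDOW = timedelta(minutes=15)  # assumed correlation window
CONFIRM_SCORE = 4               # assumed: more than any one source can supply alone

# Constructed sample telemetry, already normalised to a common schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:02:11", "source": "email", "user": "j.smith", "host": "-",
     "type": "link_click", "detail": "hxxp://invoice-portal[.]example/view"},
    {"ts": "2024-01-15T09:03:40", "source": "endpoint", "user": "j.smith", "host": "LT-0042",
     "type": "office_spawns_shell", "detail": "WINWORD.EXE -> powershell.exe -nop -w hidden -enc ..."},
    {"ts": "2024-01-15T09:05:02", "source": "identity", "user": "j.smith", "host": "-",
     "type": "new_device_signin", "detail": "unregistered device, new ASN"},
    {"ts": "2024-01-15T10:15:00", "source": "endpoint", "user": "a.jones", "host": "LT-0017",
     "type": "office_spawns_shell", "detail": "EXCEL.EXE -> cmd.exe /c macro_helper.bat"},
    {"ts": "2024-01-15T11:00:00", "source": "email", "user": "p.lee", "host": "-",
     "type": "link_click", "detail": "hxxp://invoice-portal[.]example/view"},
]


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _summarise(user: str, cluster: List[Dict]) -> Dict:
    """Score one cluster and decide whether independent sources agree."""
    score = sum(WEIGHTS.get((e["source"], e["type"]), 1) for e in cluster)
    sources = sorted({e["source"] for e in cluster})
    confirmed = len(sources) >= 2 and score >= CONFIRM_SCORE
    return {
        "user": user,
        "hosts": sorted({e["host"] for e in cluster if e["host"] != "-"}),
        "sources": sources,
        "score": score,
        "verdict": "confirmed" if confirmed else "observation",
        "first_seen": cluster[0]["ts"],
        "last_seen": cluster[-1]["ts"],
        "evidence": [f'{e["ts"]} {e["source"]}:{e["type"]} {e["detail"]}' for e in cluster],
    }


def correlate(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Pivot on user, cluster events within `window` of each cluster's first
    event, and score every cluster. Returns one record per cluster."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    records = []
    for user, evs in by_user.items():
        cluster: List[Dict] = []
        for e in evs:
            if cluster and _ts(e) - _ts(cluster[0]) > window:
                records.append(_summarise(user, cluster))
                cluster = []
            cluster.append(e)
        records.append(_summarise(user, cluster))
    return records


def confirmed_incidents(events: List[Dict]) -> List[Dict]:
    """What the analyst (or the SOC portal) is actually shown."""
    return [r for r in correlate(events) if r["verdict"] == "confirmed"]


def response_actions(incident: Dict) -> List[str]:
    """Assumed playbook: which automated containment steps apply, chosen by
    which products contributed evidence."""
    actions = []
    if "endpoint" in incident["sources"]:
        actions += [f"isolate_host:{h}" for h in incident["hosts"]]
    if "identity" in incident["sources"]:
        actions.append(f"revoke_sessions:{incident['user']}")
    if "email" in incident["sources"]:
        actions.append(f"purge_message_for:{incident['user']}")
    return actions


if __name__ == "__main__":
    for inc in confirmed_incidents(SAMPLE_EVENTS):
        print(inc["user"], inc["score"], inc["sources"], response_actions(inc))
        for line in inc["evidence"]:
            print("   ", line)
```

Run stand-alone, only j.smith surfaces: the click, the Office-spawned shell and the new-device sign-in land within three minutes and reinforce each other, while a.jones's lone endpoint event and p.lee's lone click stay as observations. The same logic run with a single product's feed could never reach the confirmed verdict, which is the practical content of the "consolidating multiple products" claim.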
