<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Safelight Security Advisors</title>
	<atom:link href="http://safelightsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://safelightsecurity.com</link>
	<description>Enabling organizations to proactively manage information security risks</description>
	<lastBuildDate>Wed, 01 Feb 2012 15:19:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Insider threat is always worse than you think</title>
		<link>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/</link>
		<comments>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 15:44:35 +0000</pubDate>
		<dc:creator>Rob Cheyne, Safelight CEO</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1647</guid>
		<description><![CDATA[Insider attacks have recently been in the news yet again. As reported in Forbes, Gucci suffered an estimated loss of $200,000 from an insider incident in New York last year. The security threat from insiders is extremely challenging, so many organizations address it half-heartedly and focus instead on preventing external attacks. In my experience, this [...]]]></description>
			<content:encoded><![CDATA[<p>Insider attacks have recently been in the news yet again. As reported in <a href="http://www.forbes.com/sites/ciocentral/2011/11/18/the-evil-twin-learning-from-insider-security-threats/" title="Forbes" target="_blank">Forbes</a>, Gucci suffered an estimated loss of $200,000 from an insider incident in New York last year.</p>

<p>The security threat from insiders is extremely challenging, so many organizations address it half-heartedly and focus instead on preventing external attacks.  In my experience, this is usually because it is far easier to understand and deal with an external attacker than having to come to terms with the reality that every person in your organization is a potential threat.</p>

<p>Don’t get me wrong – it is important to address the external attacks.  But for most organizations, this is where it stops, <em>even if they know they have a problem.</em></p>

<p>The truth is that insiders have more access than anyone else, and any company or organization that has been around for any length of time most likely has a potential problem on their hands.  And this isn’t just theory – more than half of attacks are known to come from inside the organization.</p>

<p>Insiders know how internal systems work, how to get into them, and probably already have at least some level of access.  According to a new Ponemon Institute study <a href="http://www.darkreading.com/insider-threat/167801100/security/news/231902993/it-reports-growing-insecurity-as-endpoint-complexity-explodes.html" title="State of IT Endpoint Risk" target="_blank">State of IT Endpoint Risk</a>, concern over negligent insider risk has been consistent over the past three years with 43 percent of organizations polled seeing this as the greatest risk moving into 2012. Insiders know exactly what to do to get in and avoid detection.  Therefore, they are harder to catch and often cause far more damage than an outsider.</p>

<p>While many insider threat cases are the result of human error or inadvertent data leakage, all insider threats, whether accidental or intentional, have the potential to significantly disrupt your business operations and lead to losses.</p>

<p>Insider attacks may also lead to expensive litigation to recover missing information or require you to defend your organization against civil lawsuits for violation of privacy and loss of sensitive data. Potential insider attacks are a persistent threat and companies need to be constantly vigilant to defend against them.</p>

<p><em>Next week, I will post a list of tips for properly addressing insider threats that many organizations overlook.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2012/01/31/insider-threat-is-always-worse-than-you-think/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sitting on a Gold Mine: The Most Underutilized Resource in Information Security</title>
		<link>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/</link>
		<comments>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 22:31:49 +0000</pubDate>
		<dc:creator>John Carmichael, Safelight Director of Product Management</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1596</guid>
		<description><![CDATA[There has been much discussion lately about technological and legislative drivers forcing companies to rethink their data protection policies.  Amid the slew of vendors attempting to solve a people problem with more software there is some voice of sanity reminding companies that these policy documents they create need to be more than an exercise in [...]]]></description>
			<content:encoded><![CDATA[<p>There has been much discussion lately about technological and legislative drivers forcing companies to rethink their data protection policies.  Amid the slew of vendors attempting to solve a people problem with more software there is some voice of sanity reminding companies that these policy documents they create need to be more than an exercise in business writing.</p>

<p>In a recent <a href="http://searchsecurity.techtarget.co.uk/news/2240039467/Gartner-Corporate-privacy-policy-requirements-demand-urgent-review" target="_blank">Gartner report on organizations revising their privacy policies</a> analyst Carsten Casper says, &#8220;The policy needs to be more than just a piece of paper.&#8221; As a security educator, I could not agree more.  One of the biggest assets that companies often overlook in their struggle to secure their information is their staff.  Not just the security staff who toil away keeping threats at bay, but each and every member of your organization.  Consider for a moment all of the employees that make up your organization: Is there a single one who is not, on a daily basis, in a position to behave in a way which either protects or exposes sensitive information?  Each person you pass in the hallway is an all-powerful weapon in the battle to secure the sensitive and proprietary data upon which your organization is built and they so often remain untapped in this effort.</p>

<p>What sort of response would you get if you polled your employees asking who had read the organizational privacy policy?  How many of them understand what is being asked of them?  How many of them truly appreciate the gravity of the threats and their duty to guard against those threats?  Sadly we all too often see unsatisfactory answers to this line of questioning.  Each and every employee in your organization is part of your information security team. You must equip them to do their part to protect the organization.</p>

<p>Educating all users has been an ideal I have held up for a long time.  How many recent high profile breaches would have been avoided if employees understood the dangers of phishing emails or social engineering phone calls?</p>

<p>I am reminded of a security awareness course I taught at a large organization some time back.  This was a course for general staff and we covered all sorts of threats to organizations, such as social engineering.  The class was not any different than the many other times I had delivered a similar course but some months later I was back at that organization and happened upon one of the people who had taken the class.  She stopped me in the hallway to tell me about a phone call she received from a man claiming to be “Joe from Help Desk.”  It seems Joe was troubleshooting an issue and wanted the IP address of the printer in her area.  She confessed that before having taken my class she wouldn’t have thought twice about helping Joe but the discussion about social engineering gave her pause.  She immediately checked the phone display to find that the call was from an external number.  It was then that she remembered he said “Help Desk” while they referred to their support staff internally as “Support Services.”  Instead of handing over the information she began to question Joe, who suddenly no longer needed the information and hung up.  She then reported the incident to information security.</p>

<p>What has always struck me most about this conversation is not that she managed to avoid a social engineering attack and may have prevented a system breach, but the look of pride on her face as she told the story.  Though she didn’t formally work in the information security department, she knew she had done her job as a member of the information security team that day and her organization was better for it.  Your employees want to be helpful, and if properly educated they can put that energy toward helping <em>you </em>instead of “Joe from Help Desk.”</p>

<p>As your organization begins to dust off the old privacy policy for a frantic update, spend some time considering how you will socialize this policy within your organization.  What sort of communication vehicles can you use to effectively enlist the support of your employees in safeguarding your information?  In many ways these are far more important questions than determining which Data Loss Prevention (DLP) vendor to go with.</p>

<p>What successes or hurdles have you encountered when attempting to socialize security best practices within your organization?  Please join the discussion in the comments area below.</p>]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/08/26/sitting-on-a-gold-mine-the-most-underutilized-resource-in-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Job Posting: Junior Developer</title>
		<link>http://safelightsecurity.com/news/2011/08/06/new-job-posting-junior-developer/</link>
		<comments>http://safelightsecurity.com/news/2011/08/06/new-job-posting-junior-developer/#comments</comments>
		<pubDate>Sat, 06 Aug 2011 16:15:49 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Job Opening]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1590</guid>
		<description><![CDATA[This position has been filled New Job Opening: Junior Developer Rochester, NY or Boston, MA Safelight is seeking an ambitious and talented Junior Developer to join a team passionate about creating world-class security training solutions. We pride ourselves in having a hard-working but flexible environment with plenty of opportunity to learn and grow. The ideal [...]]]></description>
			<content:encoded><![CDATA[<h2>This position has been filled</h2>
<h2>New Job Opening: Junior Developer</h2>
<h3>Rochester, NY or Boston, MA</h3>
<p>Safelight is seeking an ambitious and talented Junior Developer to join a team passionate about creating world-class security training solutions.  We pride ourselves in having a hard-working but flexible environment with plenty of opportunity to learn and grow.  The ideal candidate will have a strong understanding of application development, experience working in several languages on multiple platforms, demonstrate outstanding verbal and written communications skills and have the ability to work within a cohesive team as well as independently.</p>

<strong>JOB DUTIES AND RESPONSIBILITIES:</strong>
<ul>
	<li>Design and write code for current and/or new product offerings</li>
	<li>Create and execute test plans for newly developed features</li>
	<li>Refactor and improve existing code</li>
	<li>Aggressively develop skill sets, staying informed of current and emerging trends &amp; best practices</li>
	<li>Work with our source control, documentation, and code-review procedures (i.e. good habits)</li>
	<li>Provide time estimates for assigned work</li>
	<li>Embrace a work hard/play hard mentality</li>
</ul>

<strong>KNOWLEDGE AND SKILL REQUIREMENTS:</strong>
<ul>
	<li>BS in a technical discipline or equivalent work experience</li>
	<li>Strong written and verbal communication skills</li>
	<li>Experience with several of the following: Python, PHP, Bash, HTML5, Actionscript, Javascript, Flex, SQL, Objective-C, Microsoft Silverlight, mobile app development (iOS/Android/WindowsMobile) and COBOL</li>
	<li>Experience administering Linux/Apache/MySQL servers a plus</li>
	<li>Experience with game/simulation development a plus</li>
	<li>Understanding of secure coding principles a plus</li>
</ul>
<strong>WORK LOCATION</strong>

<p>This position would be based either in the Rochester, NY or the Boston, MA Safelight Office.</p>

<strong>About Safelight:</strong>
<p>Safelight is redefining how our customers minimize information security risk.  We are a young, fast moving training and media firm that is seeking creative professionals that want to rapidly expand their careers.  Our products are used by some of the best known brands on the planet.  We are profitable, growing quickly and looking for the best talent to join the Rochester design and development team.</p>

<p>If you think this job would be a good fit for you, drop us a note with your resume at <a href="mailto:careers@securityadvisors.com">careers@securityadvisors.com</a>.</p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/08/06/new-job-posting-junior-developer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Dr. Dobb&#8217;s: Safelight Sends C/C++ Coders Back to Security School</title>
		<link>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/</link>
		<comments>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 14:12:38 +0000</pubDate>
		<dc:creator>Jess Hawks</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1581</guid>
		<description><![CDATA[Coverage of Safelight&#8217;s newest on-demand course for developers, Secure C/C++ Coding, released on June 20. Full Story]]></description>
			<content:encoded><![CDATA[<p>Coverage of Safelight&#8217;s newest on-demand course for developers, Secure C/C++ Coding, released on June 20.</p>

<p><a href="http://drdobbs.com/security/231000201" target="blank">Full Story</a></p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/06/29/dr-dobbs-safelight-sends-cc-coders-back-to-security-school/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safelight Introduces Secure C/C++ Coding On-Demand Education for Application Developers with Free Summer Test-Drive Event</title>
		<link>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/</link>
		<comments>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/#comments</comments>
		<pubDate>Mon, 20 Jun 2011 15:41:37 +0000</pubDate>
		<dc:creator>Jess Hawks</dc:creator>
				<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1540</guid>
		<description><![CDATA[Organizations will save 25 percent when purchasing the featured on-demand courses for application development teams through August 15 PROVIDENCE, R.I. (June 20, 2011) – To bolster the security of applications coded in the C family of languages, Safelight, a leader in security education, today announced the newest addition to its on-demand courses for developers: Secure [...]]]></description>
			<content:encoded><![CDATA[<p><em>Organizations will save 25 percent when purchasing the featured on-demand courses for application development teams through August 15</em></p>

<p>PROVIDENCE, R.I. (June 20, 2011) – To bolster the security of applications coded in the C family of languages, Safelight, a leader in security education, today announced the newest addition to its on-demand courses for developers: <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a>. The highly-interactive, scenario-based course equips development teams with a deeper knowledge of application security so they can find and fix common software bugs, understand how these flaws are exploited and use coding best practices to proactively reduce software vulnerabilities.</p> 

<p>Safelight is offering organizations an opportunity to take a unit of the new course, as well as units of two of its other popular on-demand developer courses: <a href="http://safelightsecurity.com/courses_products/appsec/fundamentals/">Application Security Fundamentals</a> and <a href="http://safelightsecurity.com/courses_products/appsec/java/">Secure Java Coding</a>, for free during its <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a>beginning June 20.</p>

<p>“There’s a lot of C and C++ code out there in legacy systems and embedded applications and many C and C++ developers may not be trained in today’s secure coding practices because they learned to code at a time when application security wasn’t a focus and systems weren’t connected via the Internet,” said Safelight Chief Executive Officer Rob Cheyne.  C and C++ languages pose tough challenges when it comes to security because applications have direct access to memory and system resources.  If developers code insecurely, they can create memory or resource corruption or open an opportunity for an attacker to run system commands on a local machine.  “Learning C/C++ is a lot like learning English in that you have to be aware of all the exceptions to the rules,” continued Cheyne.  “A mistake in C/C++ typically has many more repercussions than other programming languages and there are potentially many more mistakes that can be made.” </p>

<p>Presented in five units, Safelight’s <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a> course delivers deep content and opportunities to interact with multiple code examples in ways that engage students and reinforce learning.  Developers will follow pieces of code through a secure software development process learning to uncover vulnerabilities, understand their security implications and discover secure coding best practices. Lesson units include: Introduction to Secure C/C++ Coding, Memory Corruption Bugs, Design Bugs, Privacy &#038; Secrets and Securing Code. View the <a href="http://safelightsecurity.com/wp/wp-content/uploads/2011/05/Safelight_C_OD_MAY11.pdf">Secure C/C++ Coding Course Overview </a> for more details.</p>

<p>Companies can sign up to try out Safelight’s <a href="http://safelightsecurity.com/courses_products/appsec/secure-c-coding/">Secure C/C++ Coding</a>, <a href="http://safelightsecurity.com/courses_products/appsec/fundamentals/">Application Security Fundamentals</a> and <a href="http://safelightsecurity.com/courses_products/appsec/java/">Secure Java Coding</a> courses on the company’s <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a>page.</p>  

<p>Safelight is also offering special product pricing through August 15. Organizations can save 25 percent when they purchase up to 1,000 licenses for Safelight’s Secure C/C++ Coding, Application Security Fundamentals or Secure Java Coding on-demand courses.  Organizations that register for the Test Drive by July 8 will be entered to win a paid registration to the Black Hat Briefings, August 3-4 in Las Vegas, Nevada. Register at Safelight’s <a href="http://safelightsecurity.com/engage/test-drive/">Summer Test-Drive </a> education page to qualify for the offer and for more details.</p> 

<p>About Safelight</p>
<p>Safelight is a leader in security education—our integration of deep security expertise and innovative approaches to interactive learning sets us apart. We help organizations build comprehensive education programs that go beyond training to measurably shift the way employees think about the value of information and their role in protecting it. We offer a full range of instructor-led and on-demand courses for development, IT and general staff; each role-specific course is part of a larger program designed to cultivate a culture of security across the organization. Learn more at www.safelightsecurity.com.</p>

# # #

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/06/20/safelight-introduces-secure-cc-coding-on-demand-education-for-application-developers-with-free-summer-test-drive-event/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Wire Weekly: Security Awareness Training Begins with Risk Assessment</title>
		<link>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/</link>
		<comments>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 17:21:40 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1404</guid>
		<description><![CDATA[Security expert Rob Cheyne, CEO of Safelight Security Advisors, explains how organizations can get started with security training programs. Cheyne said a good first step is a risk assessment. Full Story]]></description>
			<content:encoded><![CDATA[<p>Security expert Rob Cheyne, CEO of Safelight Security Advisors, explains how organizations can get started with security training programs. Cheyne said a good first step is a risk assessment.</p>

<p><a href="http://itknowledgeexchange.techtarget.com/security-wire-weekly/security-awareness-training-begins-with-risk-assessment/" target="blank">Full Story</a></p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/03/31/security-wire-weekly-security-awareness-training-begins-with-risk-assessment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SearchSecurity.com: Industry groups, businesses attempt security awareness training plan</title>
		<link>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/</link>
		<comments>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 17:21:12 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1391</guid>
		<description><![CDATA[Security awareness training is a growing movement, according to experts and analysts. Failed audits, data breaches and other factors that put intellectual property and other sensitive data at risk have forced companies to try to instill security into their employees, said Rob Cheyne, founder and CEO of Providence, R.I.-based Safelight Security Advisors. Full Story]]></description>
			<content:encoded><![CDATA[<p>Security awareness training is a growing movement, according to experts and analysts. Failed audits, data breaches and other factors that put intellectual property and other sensitive data at risk have forced companies to try to instill security into their employees, said Rob Cheyne, founder and CEO of Providence, R.I.-based Safelight Security Advisors.</p>


<p><a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528613,00.html" target="_blank">Full Story</a></p>]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/03/31/searchsecurity-com-industry-groups-businesses-attempt-security-awareness-training-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eSecurity Planet: Safelight Intros Security Education Blueprint</title>
		<link>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/</link>
		<comments>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 16:25:40 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1377</guid>
		<description><![CDATA[Safelight has announced the availability of its Security Education Blueprint, a tool designed to help companies develop a security education program that matches their employees’ needs. Full Story]]></description>
			<content:encoded><![CDATA[<p>Safelight has announced the availability of its Security Education Blueprint, a tool designed to help companies develop a security education program that matches their employees’ needs. </p>

<p><a href="//www.esecurityplanet.com/headlines/article.php/3924611/article.htm" target="blank">Full Story</a></p>
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/02/14/esecurity-planet-safelight-intros-security-education-blueprint/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>InfoSecurity: Safelight shines light on security gaps, offers training strategies</title>
		<link>http://safelightsecurity.com/news/2011/02/14/infosecurity-safelight-shines-light-on-security-gaps-offers-training-strategies/</link>
		<comments>http://safelightsecurity.com/news/2011/02/14/infosecurity-safelight-shines-light-on-security-gaps-offers-training-strategies/#comments</comments>
		<pubDate>Mon, 14 Feb 2011 16:24:53 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[In the News]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1372</guid>
		<description><![CDATA[(10 February 2011) Safelight is releasing its security education blueprint, an interactive tool that enables organizations to assess the information security needs of their personnel and develop an appropriate security educational program based on that assessment. Full Story]]></description>
			<content:encoded><![CDATA[<p>(10 February 2011)</p>

<p>Safelight is releasing its security education blueprint, an interactive tool that enables organizations to assess the information security needs of their personnel and develop an appropriate security educational program based on that assessment. </p>

<p><a href="//www.infosecurity-us.com/view/15858/safelight-shines-light-on-security-gaps-offers-training-strategies/" target="blank">Full Story</a></p>

]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/02/14/infosecurity-safelight-shines-light-on-security-gaps-offers-training-strategies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safelight Develops Blueprint to Align Security Education with Organizational Risk</title>
		<link>http://safelightsecurity.com/news/2011/02/08/safelight-develops-blueprint-to-align-security-education-with-organizational-risk/</link>
		<comments>http://safelightsecurity.com/news/2011/02/08/safelight-develops-blueprint-to-align-security-education-with-organizational-risk/#comments</comments>
		<pubDate>Tue, 08 Feb 2011 17:36:11 +0000</pubDate>
		<dc:creator>Kim Novino</dc:creator>
				<category><![CDATA[Press Releases]]></category>

		<guid isPermaLink="false">http://safelightsecurity.com/?p=1330</guid>
		<description><![CDATA[Free interactive tool offers guidance in building and growing risk-based security education programs PROVIDENCE, R.I. (Feb. 8, 2011) – Safelight, a leader in security education, today announced its Security Education Blueprint, a new interactive tool that helps organizations assess the people aspect of their information risk and build a comprehensive security education program that aligns [...]]]></description>
			<content:encoded><![CDATA[<p><em>Free interactive tool offers guidance in building and growing risk-based security education programs</em></p>

<p>PROVIDENCE, R.I. (Feb. 8, 2011) – Safelight, a leader in security education, today announced its Security Education Blueprint, a new interactive tool that helps organizations assess the people aspect of their information risk and build a comprehensive security education program that aligns with their particular risk profile.</p>

<p>&#8220;Most organizations look solely to technology to address information risk, but technology only solves one part of the problem,” said Safelight CEO Rob Cheyne. &#8220;People interact with valuable information on a daily basis and each person is in a position to behave in a way that either exposes or protects it.  Security education programs need to address the people and process side of information risk and recognize the potential for employees to be part of the solution.&#8221;</p>

<p>Safelight’s Security Education Blueprint offers a practical, structured approach to beginning or growing a security education program. At the center of the blueprint is a set of self-assessment questions that measure the people aspect of an organization’s information risk. After responding to the questions, a user receives a custom blueprint for building an education program that matches the organization’s risk profile.</p> 

<p>Safelight’s Security Education Blueprint considers five functional groups of employees—general staff, development staff, IT and operations staff, executives and management, and security staff—and defines three program maturity levels for each group. Beyond categorizing staff by their function, the Blueprint acknowledges a more nuanced reality: the behavior of people in the same functional group often represents different levels of risk. Thus, the Blueprint makes specific recommendations for low, moderate and high-risk employees within each staff group.</p>

<p>An organization’s risk profile maps to a custom Blueprint that recommends a specific level of education for each of the five functional staff groups. At each level, the Blueprint offers guidance for developing 8 essential components of a well-designed security education program. These components include everything from integration of training into hiring and on-boarding processes to the introduction of communications programs that support training content. At each level, the Blueprint also provides a list of recommended training topics based on the risk levels associated with different roles within the group.</p>

<p>&#8220;The Blueprint originated from our work with clients and our fundamental belief that organizations should train and equip every employee to protect information,&#8221; said Cheyne. &#8220;As with any information security initiative, education programs should be risk-based. A successful program, one that sustainably shifts the way employees think about the value of information and their role in protecting it, is built with a clear understanding of how employees interact with information in their everyday work.&#8221;</p>

<p>Safelight will showcase the Security Education Blueprint in Booth # 1831 at the RSA Conference 2011 in San Francisco, Calif., February 14-18, 2011.  Companies can view their custom Blueprint at the self-directed interactive kiosks, email it to themselves, and discuss their results with Safelight if desired.</p> 

<p>Safelight is also offering special product pricing through March 31. Organizations can train two employees for the price of one when they purchase any of Safelight’s on-demand courses for general staff, development teams and IT staff. Register at Safelight’s RSA booth (# 1831) or <a href="/engage/educate-everyone/">online</a>, to qualify for the offer and for more details.</p>

<p>About Safelight</p> 
<p>Safelight is a leader in security education—our integration of deep security expertise and innovative approaches to interactive learning sets us apart. We help organizations build comprehensive education programs that go beyond training to measurably shift the way employees think about the value of information and their role in protecting it. We offer a full range of instructor-led and on-demand courses for development, IT and general staff; each role-specific course is part of a larger program designed to cultivate a culture of security across the organization. Learn more at www.safelightsecurity.com.</p> 

# # #
]]></content:encoded>
			<wfw:commentRss>http://safelightsecurity.com/news/2011/02/08/safelight-develops-blueprint-to-align-security-education-with-organizational-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

