The Cyber-Security Training Tips Your Business Has Been Looking For

Strictly Enforce a Multi-Tiered IT Security Plan for ALL Staff

As new threats arise, it is imperative to keep policies up to date to protect your business. Your employee handbook needs to include a multi-tiered IT security plan made up of policies for which all staff, including executives, management and even the IT department are held accountable.

  • Acceptable Use Policy – Specifically indicate what is permitted versus what is prohibited to protect the corporate systems from unnecessary exposure to risk. Include resources such as internal and external e-mail use, social media, web browsing (including acceptable browsers and websites), computer systems, and downloads (whether from an online source or flash drive). This policy should be acknowledged by every employee with a signature to signify they understand the expectations set forth in the policy.

  • Confidential Data Policy – Identifies examples of data your business considers confidential and how that information should be handled. This is often the type of data that should be regularly backed up, and it is the target of many cybercriminal activities.

  • E-mail Policy – E-mail can be a convenient method for conveying information; however, the written record of communication is also a source of liability should it enter the wrong hands. Having an e-mail policy creates consistent guidelines for all sent and received e-mails and for any integrations that may be used to access the company network.

  • BYOD/Telecommuting Policy – The Bring Your Own Device (BYOD) policy covers mobile devices as well as network access used to connect to company data remotely. While virtualization can be a great idea for many businesses, it is crucial for staff to understand the risks smart phones and unsecured WiFi present.

  • Wireless Network and Guest Access Policy – Any access to the network not made directly by your IT team should follow strict guidelines to control known risks. When guests visit your business, you may want to restrict their access to outbound internet use only, for example, and apply additional security measures to anyone accessing the company’s network wirelessly.

  • Incident Response Policy – Formalize the process the employee would follow in the case of a cyber-incident. Consider scenarios such as a lost or stolen laptop, a malware attack or the employee falling for a phishing scheme and providing confidential details to an unapproved recipient. The faster your IT team is notified of such events, the quicker their response time can be to protect the security of your confidential assets.

  • Network Security Policy – Protecting the integrity of the corporate network is an essential portion of the IT security plan. Have a policy in place specifying technical guidelines to secure the network infrastructure including procedures to install, service, maintain and replace all on-site equipment. Additionally, this policy may include processes around password creation and storage, security testing, cloud backups, and networked hardware.

  • Exiting Staff Procedures – Create rules to revoke access to all websites, contacts, e-mail, secure building entrances and other corporate connection points immediately upon resignation or termination of an employee, regardless of whether or not you believe they hold any malicious intent towards the company.

“More than half of organizations attribute a security incident or data breach to a malicious or negligent employee.” Source: http://www.darkreading.com/vulnerabilities—threats/employee-negligence-the-cause-of-many-data-breaches-/d/d-id/1325656

Training is NOT a One Time Thing; Keep the Conversation Going

Employee cyber security awareness training dramatically reduces the risk of falling prey to a phishing e-mail, picking up a form of malware or ransomware that locks up access to your critical files, leaking information via a data breach, and the growing number of malicious cyber threats that are unleashed each day.

Untrained employees are the greatest threat to your data protection plan. Training once will not be enough to change the risky habits they have picked up over the years. Regular conversations need to take place to ensure employees actively look for the warning signs of suspicious links and e-mails, and know how to handle newly developing situations as they happen. Constant updates about the latest threats and enforcement of your IT security plan create individual responsibility and confidence in how to handle incidents, limiting exposure to an attack.

“Every business faces a number of cybersecurity challenges, no matter the size or industry. All businesses need to proactively protect their employees, customers and intellectual property.” Source: https://staysafeonline.org/business-safe-online/resources/creating-a-culture-of-cybersecurity-in-your-business-infographic

Training Should Be Useful Both Personally AND Professionally to Stick

Create regular opportunities to share topical news about data breaches and explore different cyberattack methods during a lunch and learn. Sometimes the best way to increase compliance is to hit close to home by making training personal. Chances are your employees are just as uninformed about their personal IT security and common scams as they are about the security risks they pose to your business.

Expand on this idea by extending an invitation to educate employees’ entire families about how to protect themselves from cybercrime during an after-hours event. Consider covering topics that may appeal to a range of age groups, such as how to control the privacy and security settings on social media and online gaming, and how to recognize the danger signs of someone phishing for personal information or money, both via e-mail and over the phone. Seniors and young children are especially vulnerable to such exploitation.

Don’t Make a Hard Situation Harder; Remember you WANT red flags reported

Making ongoing security training a priority will greatly reduce repeat errors and prevent many avoidable attacks; however, mistakes happen. It can be very embarrassing and a shock to one’s pride to acknowledge an error and report involvement in a potential security breach. Your first instinct may be to curse and yell, but this would be a serious mistake. Keeping calm and collected is the key to the trust employees need to come to you right away, while they are feeling their most vulnerable.

For this reason, treat every report with appreciation and immediate attentiveness. Whether the alert turns out to be a false alarm or an actual crisis, avoid berating the employee for their mistake no matter how red your face may become.

When the situation is under control, take the opportunity to thank them for reporting it so that it could be handled appropriately. Remember, it takes a lot of courage to step up when you know you were to blame. If it was something that could have been prevented, such as a user error, help the employee understand what to look out for next time.

Cyber Training Recap

  • Strictly Enforce a Multi-Tiered IT Security Plan for ALL Staff
  • Training is NOT a One Time Thing; Keep the Conversation Going
  • Training Should Be Useful Both Personally AND Professionally to Stick
  • Don’t Make a Hard Situation Harder; Remember you WANT red flags reported

Effective Project Risk Assessment and Optimal Risk Mitigation Strategies

What are the nature and sources of project risks? What are the nature and function of project risk assessment? How do firms select risk mitigation strategies? What is the correlation between optimal risk mitigation strategies and effective project risk assessment? How do firms reach forecasted financial targets through quality management and statistical methods? The answers to these strategic questions are critical to effective formulation and execution of optimal risk mitigation strategy that equates marginal cost to marginal benefit of risk mitigation. Additionally, optimal risk mitigation strategy minimizes the known probability and incidence of project risks and maximizes the profit producing capacity of the enterprise.

In this review, we examine some pertinent and extant academic literature on effective project risk assessment and optimal mitigation strategies. Each risk mitigation strategy has costs and benefits. Therefore, the objective function is to maximize the net benefit of risk mitigation strategies. In practice, the optimal risk mitigation strategy equates marginal cost to marginal benefit of risk mitigation strategy by minimizing the incidence of project risks and maximizing the profit producing capacity of the enterprise. Project risk measured by the project standard deviation is the weighted average of possible deviations from the expected value (mean). The project standard deviation captures the likelihood that any uncertain event or condition might adversely affect a project and keep it from being executed as planned.

In practice, project risks, like financial risks, derive from the weighted average of possible variations from expected results based on historical data. Therefore, firms should understand the nature and sources of variation in order to formulate effective risk mitigation strategies consistent with the profile of the firm, allowing it to reach forecasted financial targets through quality management and statistical methods.

Not all project risks (variations) are adverse. Some risk events, such as innovative approaches or methods of completing an activity, or favorable conditions such as lower prices for certain materials, are risk-reducing and can facilitate project completion. These favorable events or conditions are called opportunities, but they should still be treated as project risks: possible deviations from the expected value (mean).

Some Operational Guidance

Not all project risks can be effectively mitigated. To formulate and execute effective project risk mitigation strategies firms must develop a culture of assessment and continuous improvement. Firms cannot apply or manage what they do not understand, and they cannot measure or understand what they do not know; and they cannot know what they do not believe. Therefore, firms must always inspect what they expect by designing and deploying a robust assessment model that informs collection and analysis of relevant, accurate and timely data.

Sources and Types of Variation

In operations, variation source identification for projects is critical for product quality improvement. Many variation source identification techniques are based on a linear fault quality model, in which the relationship between process faults and product quality measurements is linear. In practice, many quality measurements are nonlinearly related to the process faults. A critical aspect of process characterization is to identify and quantify the various sources and types of variation so that they may be minimized.

In addition, the ability to detect and minimize variation in the project processes gives firms competitive advantage, allowing them to provide superior quality products to their customers in the global marketplace and to reach forecasted financial targets through quality management and statistical methods. Traditional quality control focuses on statistical process control (SPC), to detect anomalies and deviations based on product and process measurements. However, this approach does not provide specific operational guidelines to identify the variation sources, a critical step toward variation reduction and the derivative project risk mitigation strategies.

Further, the availability of project and process assessment data, as well as the criticality of problems caused by project and process variation, has led to significant development of innovative methodologies for variation source identification. In the case of normal causes (common variation), the process is in control, i.e. stable and therefore predictable. This means that based on the current process pattern, a firm can predict how it will behave in the future: always within the control limits. In the case of special causes (exceptional variation), the process is out of control, i.e. unstable and therefore unpredictable. In other words, based on the current process pattern, a firm is not able to predict how the process will behave in the future.

As you know, there are not only different sources of variation but also different types of variation. Common cause variation describes random variability that is inherent in the process, while special cause (assignable cause) variation is due to specific circumstances. The two types of variation are controlled variation and uncontrolled variation. Controlled variation is characterized by a stable and consistent pattern of variation over time. This type of variation is random and indicates a uniform fluctuation about a constant level. Uncontrolled variation is characterized by a pattern of variation that changes over time and is hence unpredictable.

The concept of controlled/uncontrolled variation is critical in determining whether a process is stable and in control. A process is deemed stable and in control if it runs in a consistent and predictable manner. This means that the average process value is consistent and the variability is controlled. If the variation is uncontrolled (the process is out of control), then either the process expected value (mean) is not consistent, or the process variation is changing, or both.
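The two definitions above, the project standard deviation as a weighted average of deviations from the expected value and the control limits that separate controlled from uncontrolled variation, can be made concrete with a small statistical process control (SPC) check. The following is an added example and not code from the original article; the data series (days taken to close a critical vulnerability ticket), the 3-sigma limit and the function names are all constructed assumptions for illustration.

```python
"""
Added example (not from the original article): a minimal statistical process
control (SPC) check that separates common-cause (controlled) variation from
special-cause (uncontrolled) variation using +/-3 sigma control limits, plus
the probability-weighted project standard deviation described in the text.
All sample data below is constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed historical measurements: days taken to close a "critical"
# vulnerability ticket. These 20 points are assumed to be a stable baseline.
BASELINE_DAYS = [4.1, 3.8, 4.4, 4.0, 3.9, 4.2, 4.3, 3.7, 4.1, 4.0,
                 4.2, 3.9, 4.0, 4.4, 3.8, 4.1, 4.0, 4.2, 3.9, 4.1]

# Constructed new observations; 9.5 is the assumed special-cause point
# (an assignable cause such as a blocked patch window, to be investigated).
NEW_OBSERVATIONS = [4.0, 4.3, 3.9, 9.5, 4.1]


def control_limits(samples, k=3.0):
    """Return (mean, sigma, lcl, ucl) for a baseline series.

    For equally weighted historical observations the "weighted average of
    possible deviations from the mean" is the population standard deviation;
    the limits are mean +/- k*sigma (k=3 is the conventional SPC choice)."""
    mu = mean(samples)
    sigma = pstdev(samples)
    return mu, sigma, mu - k * sigma, mu + k * sigma


def classify(observations, lcl, ucl):
    """Label each observation 'common' (inside the limits: controlled,
    random variation) or 'special' (outside: uncontrolled, assignable cause)."""
    return ["special" if x < lcl or x > ucl else "common" for x in observations]


def is_in_control(observations, lcl, ucl):
    """A process is stable and predictable only if no point leaves the limits."""
    return all(label == "common" for label in classify(observations, lcl, ucl))


def weighted_risk(scenarios):
    """Expected value and standard deviation of a project outcome from
    (probability, value) scenarios: the probability-weighted form of the
    definition in the text. Probabilities must sum to 1."""
    if abs(sum(p for p, _ in scenarios) - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    ev = sum(p * v for p, v in scenarios)
    variance = sum(p * (v - ev) ** 2 for p, v in scenarios)
    return ev, variance ** 0.5


if __name__ == "__main__":
    mu, sigma, lcl, ucl = control_limits(BASELINE_DAYS)
    print(f"mean={mu:.2f} sigma={sigma:.2f} LCL={lcl:.2f} UCL={ucl:.2f}")
    for x, label in zip(NEW_OBSERVATIONS, classify(NEW_OBSERVATIONS, lcl, ucl)):
        print(f"{x:5.1f} -> {label}")
    print("process in control:", is_in_control(NEW_OBSERVATIONS, lcl, ucl))
    # Constructed cost scenarios: (probability, project cost in thousands)
    ev, sd = weighted_risk([(0.5, 100.0), (0.3, 80.0), (0.2, 150.0)])
    print(f"expected cost={ev:.1f} project sigma={sd:.2f}")
```

The baseline yields a mean of about 4.06 days and a sigma of about 0.19, so the upper control limit sits near 4.62 days; the 9.5-day observation is flagged as special-cause variation and the process is reported as out of control, which is exactly the situation in which the text says future behaviour can no longer be predicted from the current pattern.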

Risk Assessment and Mitigation Strategies

In practice, managing project risks is a process that includes risk assessment and a mitigation strategy for identifiable and predictable risks. Project risk assessment includes both the identification of potential risks with known probabilities and the evaluation of the potential impacts of the risks so identified. Risk mitigation strategies are designed to eliminate or minimize the impact of risk events, that is, occurrences that have a negative or adverse impact on the project. Identifying risk is both a creative and a systematic process. The creative process includes actively developing new insights into situations and applying innovative, unique solutions to project problems. The systems approach entails the ability to anticipate and understand the implications of project risks and mitigation strategies across the entire firm.

Finally, there is gathering empirical evidence in the extant academic literature suggesting that during process characterization, firms should endeavor to isolate, eliminate, or minimize all sources of uncontrolled variation. At the planning stage of the project, risks are still uncertain because they have not yet occurred. But eventually, some of the anticipated risks will occur, and the firm must deal with them. There are four basic strategies for managing project risks:

1. Risk Avoidance: The best thing a firm can do with a project risk is avoid it. If a firm can prevent risk from happening, it will not adversely affect the project. The easiest way to avoid project risk is to walk away, but this may not be a viable option. A common risk avoidance technique is to use proven and existing methods rather than adopt innovative methods, even though innovative methods may indicate better potential outcomes. Risk avoidance is often effective but seldom practical.

2. Risk Reduction: If a firm cannot avoid the risk, it can mitigate or minimize the impact. This means taking some actions that will minimize severity of damage to the project. Effective use of management information system, warning system and early problem detection system are some of the industry best practices.

3. Risk Transfer: One of the most effective ways to deal with a project risk is to pay a third party to accept the risk. The most common way to do this is through insurance or re-insurance.

4. Risk Sharing: This involves partnering with other firms to share responsibility for the risky activities. Partnering with another firm to share the risk associated with a portion of the project is useful when the other firm has expertise or a distinctive competency (resources and capabilities the firm itself lacks).

5. Risk Retention: This is planned assumption of risk by a firm. When a firm cannot avoid, mitigate, transfer, or share a project risk, then it must retain/accept part or all the risk. The most common way to do this is through self-insurance, co-payments, or deductibles.

In sum, there are always costs and benefits for every business decision and strategy. Therefore, firms must always weigh the costs and benefits of project risk assessment and mitigation strategies to decide whether the benefits justify the costs. The optimal mitigation strategy equates marginal cost to marginal benefit, ceteris paribus.

Importance of MVRs and Drug Screening

Why an MVR Check is Important

Employee driving records can greatly help employers identify and mitigate risk liability in the workplace. Driving Records can help employers avoid risk of third party lawsuits, medical bills, and other costs associated with automobile accidents by an employee whose primary role or even incidental role includes driving on the job.

An MVR check includes license details such as the issuing state, status, expiration, suspensions, revocations, violations and sanctions. MVR reports are easy to read and include standardized ACD violation codes.

MVR driving history mostly repeats itself, so if a company runs an MVR check it is better able to predict the chances of negative activity in the future. Moreover, insurance companies consider several factors in determining auto insurance rates, and their premiums are sometimes based on driving history records. If a company employs drivers with a negative driving history, it can be charged higher premiums by the insurance company. Knowing about MVR driving records helps companies safeguard themselves from higher premiums.

Driving Records should be checked at least annually; however, it is recommended to check them more frequently to proactively determine if there have been any changes to the driving record and to further reduce company liability.

A real-time MVR ordering and monitoring system can provide companies with instant verification of their company drivers.

Why Driver Drug Screening is Important

Generally, all CDL drivers who operate commercial motor vehicles subject to the CDL requirements on public roads in the U.S. are performing safety-sensitive functions and are subject to DOT drug and alcohol testing. This includes all full-time, part-time, intermittent, backup and international drivers. DOT truck drivers must undergo a drug screening test prior to their employment. Testing is also done once per year, after any accident, and if there is a suspicion that a driver is taking drugs. In addition, CDL drivers must be randomly tested throughout the year.

DOT Drug Screening requires laboratory testing for the following five classes of drugs:

  • Marijuana
  • Cocaine
  • Opiates – opium and codeine derivatives
  • Amphetamines and methamphetamines
  • Phencyclidine – PCP.

DOT alcohol tests identify alcohol concentration of 0.02 and greater.

NOTE: Effective January 1, 2018, CDL drivers will be tested for four semi-synthetic opioids (i.e., hydrocodone, oxycodone, hydromorphone, oxymorphone). Some common names for these semi-synthetic opioids include OxyContin®, Percodan®, Percocet®, Vicodin®, Lortab®, Norco®, Dilaudid®, Exalgo®. In addition, they will no longer be tested for MDEA.

When drivers take drugs, their motor skills suffer and their reaction times are severely hampered. This can be dangerous and lead to accidents. Proper Drug screening ensures that a company has healthy drivers on the road.

Your Business Can Never Be Risk Free

Before you start your vehicle in the morning, you first check that there is enough fuel, that the tires have enough air pressure, that the oil has been changed, that the signals are functioning properly, and so on. You do all of this to make sure you can reach your destination on time and without any issue or incident. While you are on your way, driving very carefully, you are sure that your car cannot cause you any delays because you have checked everything necessary. But all of a sudden a tire bursts, or a vehicle from another road hits yours through no fault of your own. You can never prevent some incidents in your daily life. All you can do is take precautions in order to reduce the impact of such events. For instance, in case of tire failure, you can carry a spare tire or have a plan to change the tire quickly to save time. Likewise, in case of an accident, an airbag can protect you from injury. Moreover, you keep some emergency numbers so that you can reach your family members or a hospital for help.

There is no way that you can prevent these incidents from happening. Similarly, in the business world, some bad incidents or events can occur without any warning or prediction. The risk is not just an uncertain or unexpected event; the risk is when you don’t have a countermeasure to mitigate the impact of such an incident. Risks are uncertain situations that can never be prevented entirely, but the chances of a risk occurring can be reduced to the point where its impact will be bearable. If a risk occurs, it can have a huge negative impact on your business goodwill and image. For example, suppose you have an e-commerce website and a lot of loyal customers purchase your products, and one day it dawns on them that all their personal data and credentials have been compromised from your website or business platform. Would they ever use your services again? Even if you are doing your best the next time to make sure the security of your website is good enough, your customers might never return to you. Once they lose their trust, it is nearly impossible to gain it back. Some risks can bankrupt your entire business if not taken into consideration. Thus, we must learn to control such risks before they have any huge impact.

Risk management is the art of identifying, analyzing, assessing and controlling risk. Information systems used in organizations are increasingly targeted, so finding vulnerabilities and fixing them before any incident is a proactive act. The best way to learn such skills is to get certified by a well-known vendor. ISACA is one of the biggest names in the IT security world, and Certified in Risk and Information Systems Control (CRISC) is one of their certifications; it covers every essential aspect an individual needs to learn about controlling risks in the organization. This is the most demanded certification among professionals who want to develop their risk management skills.

Becoming certified in risk and information systems control demonstrates that you have the skills to cope with such hazards.