🧩 ET Notes

Cyber Security Education, Awareness and Compliance

15分钟阅读

Human Factors in Cyber Security

  • Employee behavior is a critical concern in ensuring the security of computer systems and information assets. 员工行为是确保计算机系统和信息资产安全的关键问题。
  • Research show that employee actions, both malicious and unintentional, cause considerable computer-related loss and security compromises. 研究表明,无论是恶意还是无意的员工行为都会导致相当大的计算机相关损失和安全漏洞。
  • The principal problems associated with employee behavior are errors and omissions, fraud, and actions by disgruntled employees. 与员工行为相关的主要问题包括错误和疏漏、欺诈以及心存不满员工的行为。

Human Factors

  • Security awareness, training, and education programs can assist in reducing incidences of these problems. 安全意识、培训和教育项目可以帮助减少这些问题的发生。
  • Such programs can serve as a deterrent to fraud and actions by disgruntled employees by increasing employees’ knowledge of their accountability and of potential penalties. 此类项目通过增强员工对其责任和潜在处罚的了解,可以作为防止欺诈和不满员工行为的威慑措施。
  • Employees cannot be expected to follow policies and procedures of which they are unaware. 不能指望员工遵守他们不了解的政策和程序。
  • Further, enforcement is more difficult if employees can claim ignorance when caught in a violation. 此外,如果员工在违反规定时声称自己不知情,执行起来会更加困难。
  • Ongoing security awareness, training, and education programs are also important in limiting an organization’s liability. 持续的安全意识、培训和教育项目在限制组织责任方面也非常重要。
  • Such programs can bolster an organization’s claim that a standard due care has been taken in protecting information. 此类项目可以增强组织对在保护信息方面已采取合理措施的主张。
  • Finally, security awareness, training, and education programs may be needed to comply with regulations and contractual obligations. 最后,为了符合法规和合同义务,可能需要开展安全意识、培训和教育项目。

Awareness

  • Benefits from security awareness include the following: 安全意识的好处包括以下内容:
    1. Employees are aware of their responsibilities for maintaining security and the restrictions on their actions in the interests of security and are motivated to act accordingly. 员工意识到他们在维护安全方面的责任以及在安全利益上的行为限制,并因此受到激励而采取相应行动。
    2. Users understand the importance of security for the well-being of the organization. 用户理解安全对于组织健康发展的重要性。
  • To emphasize the importance of security awareness, an organization should have a security awareness policy document that is provided to all employees. The policy should establish three things: 为强调安全意识的重要性,组织应制定一份安全意识政策文件,并提供给所有员工。政策文件应明确以下三点:
    1. Participation in an awareness program is required for every employee. This will include an orientation program for new employees as well as periodic awareness activities. 每位员工都需要参加安全意识项目。这将包括为新员工举办的入职培训项目以及定期的安全意识活动。
    2. Everyone will be given sufficient time to participate in awareness activities. 每个人都会被给予足够的时间参与安全意识活动。
    3. Responsibility for managing and conducting awareness activities is clearly spelled out. 明确说明负责管理和开展安全意识活动的责任。

Training

  • A security training program is designed to teach people the skills to perform their IT-related tasks more securely. Training teaches what people should do and how they should do it. Depending on the role of the user, training encompasses a spectrum ranging from basic computer skills to more advanced specialized skills. 安全培训项目旨在教授人们以更安全的方式完成与IT相关任务的技能。培训内容包括人们应该做什么以及如何去做。根据用户的角色,培训内容涵盖从基本计算机技能到更高级的专业技能。
    • Designed to teach people the skills to perform their IT-related tasks more securely: What people should do and how they should do it. 旨在教授人们以更安全的方式完成与IT相关任务的技能:包括做什么以及如何去做。
    • General users: Focus is on good computer security practices. 普通用户:重点是良好的计算机安全实践。
    • Programmers, developers, system maintainers: Develop a security mindset in the developer. 程序员、开发者、系统运维:培养开发者的安全思维方式。
    • Management-level: How to make tradeoffs involving security risks, costs, benefits. 管理层人员:如何在安全风险、成本和收益之间进行权衡。
    • Executive-level: Risk management goals, measurement, leadership. 高管级别:关注风险管理目标、衡量和领导力。

Social Engineering-Distraction and Misdirection

  • Social engineering manipulates people into performing actions or divulging confidential information. Like a confidence trick or simple fraud, the term applies to the use of deception to gain information, commit fraud, or access computer systems. 社会工程学通过操纵人们的行为,使其执行某些操作或泄露机密信息。与信任骗局或简单的欺诈类似,该术语指利用欺骗手段获取信息、实施欺诈或访问计算机系统。

Social Engineering Attack

Ransomware

Ransomware

How to use USB Safely

  • Avoid public charging stations. They may be compromised. 避免使用公共充电站,因为它们可能被破坏
  • Don’t plug any USB that isn’t yours into your device 不要将不属于你的USB设备插入你的设备
  • Encrypt the data on the USB device in case you lose it or it gets stolen. 对USB设备上的数据进行加密,以防丢失或被盗

Cyber Security Awareness for Employees

  • In today’s world, companies need to be constantly vigilant about their cybersecurity. 在当今世界,公司需要时刻保持对网络安全的警惕。
  • The threat of a data breach or an intellectual property theft is always looming in the background. 数据泄露或知识产权盗窃的威胁始终潜伏在幕后。
  • It’s not enough just to have security measures in place; you need your employees to be fully aware of them and know what they should do if something suspicious happens. 光有安全措施是不够的;你还需要确保员工充分了解这些措施,并在遇到可疑情况时知道该怎么做。
  • Cyber security awareness and training for staff is a crucial step in protecting your company from potential cyber security threats. 对员工进行网络安全意识和培训是保护公司免受潜在网络安全威胁的重要步骤。

Cyber Security Compliance

  • New industry standards and regulations regarding data and cybersecurity have made compliance more challenging for organizations. However, cybersecurity compliance is a driving force behind any organization’s success. 新的行业标准和关于数据和网络安全的法规使组织的合规性更具挑战性。然而,网络安全合规性是推动任何组织成功的重要力量。

    Compliance,中文翻译为“合规性”,是外企管理中一个至关重要的概念。 它指的是企业在运营过程中遵循法律法规、行业标准和内部规定的一种状态,确保企业的经营活动在法律和道德的范围内进行。 外企在全球范围内开展业务,需要遵守不同国家和地区的法律法规,同时还需要遵循行业的各种要求,确保业务的可持续发展并避免法律风险。

  • Cybersecurity Compliance
    • At its core, cybersecurity compliance means adhering to standards and regulatory requirements set forth by some agency, law or authority group. 从核心而言,网络安全合规指遵守由某些机构、法律或权威组织制定的标准和法规要求。
  • Why Is Compliance Important in Cybersecurity?
    • No organization is completely immune from experiencing a cyberattack, meaning that complying with cybersecurity standards and regulations is paramount. It can be a determining factor in an organization’s ability to reach success, have smooth operations and maintain security practices. 没有任何组织能够完全免受网络攻击的威胁,这意味着遵守网络安全标准和法规至关重要。它可能是决定组织能否取得成功、实现顺畅运营以及保持安全实践的关键因素。
    • Small or medium-sized businesses (SMBs) can be a major target because they’re considered low-hanging fruit. 小型或中型企业(SMBs)可能成为主要目标,因为它们被认为是容易下手的“低垂果实”。
    • Often, data breaches can cause complex situations that can damage an organization’s reputation and financial standing. 数据泄露通常会导致复杂的情况,可能会损害组织的声誉和财务状况。
  • Legal proceedings and disputes resulting from a breach are becoming increasingly common across industries. For these reasons, compliance is a significant component of any organization’s cybersecurity program. 由于数据泄露引发的法律诉讼和争议在各行业中变得越来越普遍。基于这些原因,合规性成为任何组织网络安全计划中的重要组成部分。
  • Benefits of Cybersecurity Compliance: Having proper cybersecurity compliance measures is beneficial to organizations for several reasons:
    • Protects their reputation 保护组织声誉
    • Maintains customer or client trust 保持客户或客户的信任
    • Builds customer confidence and loyalty 增强客户信心和忠诚度
    • Helps identify, interpret and prepare for potential data breaches 帮助识别、解释并为潜在数据泄露做好准备
    • Improves an organization’s security position 改善组织的安全地位
  • Aside from these benefits, maintaining cybersecurity compliance can improve an organization’s security posture and protect intellectual property (IP) like trade secrets, product specifications and software code. All of this information can help give an organization a competitive advantage. 除了这些好处之外,保持网络安全合规还能提升组织的安全态势,并保护知识产权(如商业秘密、产品规格和软件代码)。所有这些信息都可以帮助组织获得竞争优势。
  • How to Start a Cybersecurity Compliance Program; Following the five steps below can help in developing your compliance program 如何启动网络安全合规计划:以下五个步骤有助于制定合规计划。
    1. Creating a Compliance Team: Organization’s IT team is the primary force for cybersecurity compliance. Forming a compliance team is necessary when implementing a thorough compliance program. 组建合规团队:组织的IT团队是网络安全合规的主要力量。实施全面的合规计划时,组建一个合规团队是必要的。
    2. Setting Up a Risk Analysis Process: There are four basic steps in the risk analysis process: 建立风险分析流程:风险分析流程包括以下四个基本步骤:
      • Identify: Any information systems, assets or networks that access data must be identified. 识别:需要识别任何访问数据的信息系统、资产或网络。
      • Assess: Review data and assess the risk level of each type. 评估:审查数据并评估每种类型的风险级别。
      • Analyze: Determine risk: Likelihood of Breach × Impact or Cost 分析:确定风险:数据泄露的可能性 × 影响或成本。
      • Set Tolerance: Decide to mitigate, transfer, refute or accept any determined risks. 设定容忍度:决定是缓解、转移、拒绝还是接受任何确定的风险。
    3. Setting Controls: Set up security controls that mitigate or transfer cybersecurity risks. 设置控制措施:设置安全控制措施以减轻或转移网络安全风险。
      • The controls can be technical controls, such as passwords and access control lists, or physical controls such as surveillance camera and fences. Below are some controls: 控制措施可以是技术控制,例如密码和访问控制列表;也可以是物理控制,例如监控摄像头和围栏。以下是一些控制措施:
        • Encryption 加密
        • Network firewalls 网络防火墙
        • Password policies 密码策略
        • Cyber insurance 网络保险
        • Employee training 员工培训
        • Incident response plan 事件响应计划
        • Access control 访问控制
        • Patch management schedule 给管理计划上补丁
    4. Creating Policies: Form policies regarding these controls or guidelines that IT teams, employees and other stakeholders need to follow. These policies will also be required for any internal or external audits in the future. 制定政策:针对这些控制措施制定政策或指南,供IT团队、员工和其他利益相关方遵循。这些政策未来也将作为内部或外部审计的必要文件。
    5. Monitoring and Quick Response: It’s crucial to continuously monitor your compliance program as regulations emerge or existing policies are updated. 监控和快速响应:随着法规的出现或现有政策的更新,持续监控合规计划至关重要。
      • The goal of a compliance program is to identify and manage risks and detect cyberthreats before they turn into a full-blown data breach. 合规计划的目标是识别和管理风险,并在网络威胁转变为全面的数据泄露之前将其检测出来。
      • It’s also important to have a processes in place that allow you to remediate quickly when attacks happen. 在攻击发生时,拥有可以快速修复的流程同样重要。

关系图谱