Phishing for Flemish local administrations

Measure and strengthen the resistance of all your staff against phishing attacks. Find out how your administration compares with other municipalities and cities. Don't miss this unique campaign, which starts in September 2016!

KBC selected Krinos for their awareness campaign

"Krinos helped us to define clear objectives and measure the Return on Investment (ROI) of our awareness campaign. Because of their end-to-end managed service the campaign could start up very quickly without the need to buy tools or train internal people," says Jan Nys, Chief Risk Officer, KBC Group.

Gemeente Glabbeek invests in cyber security training

Gemeente Glabbeek embraces digital media with, among other things, its website and the Glapp!. The Krinos Academy online trainings prove to be a fun and efficient way to teach its staff essential cyber security skills.

Krinos Academy User Awareness Solutions

End-to-end managed services that build awareness in any organisation via our Attack-Train-Measure approach. Attacks offered are: email phishing, voice phishing, USB drops, physical inspections and IT penetration tests.

6 things the board must know about cyber security

SEPT 2015 – The following article explains 6 things that successful cyber resilient organisations KNOW and DO.

Any organization that wants to be successful in protecting against today’s cyber threats must have the board and the general management on its side. It is only when the management accepts the downsides of applying essential security best practices, and the awareness effort that comes with them, that an organization can be truly successful. Many organisations are hiring a Chief Information Security Officer (CISO), perhaps because they are advised to do so. In many cases the CISO doesn’t have a strong mandate and has limited leverage in convincing business and IT managers to really embrace a secure mind-set and act on it. Business managers get their bonuses based on company profits and IT managers on the up-time of the IT environment. At first glance cyber security does not play into their bonus cards. As a result, in many cases the CISO will have a hard time convincing managers to give cyber risks the attention they need and to get his projects executed with the military precision they require.

The board might ask themselves what a good cyber security strategy looks like.
How do you benchmark yourself against similar industry players? Today it seems that many organizations are getting breached no matter how much they invest to protect themselves. So why would they even bother, if the battle seems lost from the start? Organizations will have to figure out how to carefully balance their efforts against the business reality.

The question remains: what is a realistic definition of a successful cyber resilient organization in today’s seemingly unequal battle?

What Cyber Resilient organizations KNOW & embrace

Successful organizations understand and embrace the following 3 realities. It is only when the management truly becomes aware of these realities and starts acting on them that a transformational change towards a truly in-control and cyber resilient organisation can start.

1. Security is not compliance

The days when organizations could state that they are safe because they have obtained a security certification (for example ISO27000) or have passed a yearly audit are gone. This type of check-in-the-box approach has proven to give a false sense of security. While it has its value, it doesn’t define a successful organization. Many of these standards give organizations a very big checklist of WHAT should be done, but remain vague on HOW it should practically be done, and even vaguer on how to verify whether controls have been successfully implemented.

These standards put too much trust in governance, processes, documents and questionnaires. Based on these, one cannot objectively assess how secure a compliant organisation is compared to another one. These standards can bring great value for consultants’ wallets, but how much value do they really bring to the organisation? Many standards miss a pragmatic focus with clear, objective, evidence-based verification mechanisms.

Successful organizations take a more down-to-earth approach, using for example the SANS 20 critical security controls. These controls bring people, process, clear technology concepts and objective verification rules together, and give the organisation something concrete to organise its people and processes around. It is a set of prioritised controls, whereas the ISO27000 standard doesn’t put forward any prioritisation at all.

2. Assume hackers are already inside

In today’s cyber battle you will be drawing the short straw, more than once. Every organization will be breached; the question is how it will deal with that. The opponents have the much easier task of finding just one weak spot that they can abuse, while organizations need to control all possible avenues that could lead to a break-in. It is an unequal fight that organizations should not assume they will win every time.

The real revelation comes when organizations embrace the fact that every day they must assume that malicious actors have succeeded in breaking into their IT systems and are clandestinely moving around inside the network.
Every day, organisations must assume that hackers are inside and are investigating, gaining knowledge and planning the execution of the real attack. Organizations that state they have never been breached are by definition wrong, and have no clue where to start or how bad the situation really might be. The organizations that seriously start assuming that hackers are already inside, and organise themselves according to this reality, have reached an essential pivot point on their journey towards a cyber-resilient organization.

3. There is no silver bullet solution

It doesn’t matter how much organizations invest in security technologies; they must assume that technologies can be bypassed and will fail. It is best to invest in many different protection and detection technologies and establish a layered defence. Today too many organisations are focusing on protective technologies rather than detective ones.

“Never forget that protection is essential, but detection is a MUST.”

Successful organizations combine a technological strategy with human awareness across the organization. They realise that people are the most important detection sensors an organization can have. Many cyber related attacks can be detected and reported by humans. Resilient organizations empower their people in a positive way, challenge them to remain vigilant, and have them report suspicious events.

What Cyber Resilient organizations DO

4. Control the news headlines

Successful organizations still get hacked and will end up in the news headlines. They make the difference by writing the story themselves, based on solid facts, and not allowing the story to be written for them. Great organizations communicate clearly, sufficiently and correctly. Successful organizations don’t change their story during the breach investigation. They make sure that all statements made are correct and not based on guesswork to satisfy the media, or made in an effort to quickly (but foolishly) save their ass. They understand there is no shame anymore in stating that you have a security incident. It is, however, a shame not to handle it professionally and not to learn from it.

Preparing for the inevitable is key. Great organizations organise scenario planning sessions with the general management and the board. Via a set of realistic scenarios the management is forced to assess the situation and to make decisions. These workshops are repeated at least once every year. The lessons learned are valuable input for improving the organization’s reaction and collaboration.

5. Communicate from the board down

Let’s face it, people are inherently lazy and look for the easiest route. When defending against cyber-attacks such behaviour is detrimental. Cyber resilient organisations make strong commitments towards the board and communicate those very clearly to the IT and business staff.

From the board down a clear message is given to all staff that:

  • Controls and security standards must be rigorously applied
  • Non-compliance with basic controls will not be acceptable anymore
  • Everyone in the organisation needs to think and act more with a hacker’s mindset
  • The management is aware that this requires operational trade-offs to be made

After such a message IT engineers might still seek exceptions to these rules. That is why a continuous message must be given that no compromises are possible, and (non-)compliance must be monitored and reported upon.

6. Attack themselves and continuously evolve

The world has changed. Today’s cyber battle is like a chess game where you need the flexibility to change your strategy based on the attacker’s moves. Protection and detection measures must go hand in hand.

Successful organizations dare to challenge the status quo and attack themselves to measure how good their technology and people really are.
They communicate openly about the results, with a positive and constructive mind-set, with the goal of motivating people to think and change their behaviour.

Security technologies are changing fast, and what might work this year might not work anymore next year. Some security technologies might need to be re-evaluated sooner than expected. Organizations should align their procurement strategy to support this. A decade ago security technologies were managed in technology and team silos. Organizations would select different vendors for firewalls, internet proxies, end-point antivirus and network security monitoring systems. Nowadays organizations might benefit from a strategic vendor that can offer an integrated solution, in order to be capable of responding fast enough.

Not only the technologies but also the technical teams must be integrated, so that suspicious events can be correlated by a team that sees the big picture. This is even more important than integrating your technologies. Successful organisations make sure they can quickly investigate incidents across departments and technology borders.

Choose Us

If you are looking for pragmatic security that goes beyond a compliance-based checkbox approach:

• Cyber Strategy assessment & roadmap
• Attack & train to build awareness
• Invest security budgets better
• One-stop: we talk and walk


Happy Customers

Testimonial: sdworx Goes Phishing

SEPT 2016 - Like most companies nowadays, we’ve had our share of cyber incidents: virus infections, ransomware, phishing emails, etc. ...

Stealing passwords: Kind & Gezin tells their story

OCT 2015 – Krinos Academy ran a phishing exercise at Kind & Gezin. The communications department tells the story in their...

KBC selected Krinos Academy for managing their email phishing awareness campaign

AUG 2015 – KBC must be top-class in providing secure financial services to its customers. An important part of their...

Gemeente Glabbeek trains its municipal executive, library, school and OCMW

MAY 2015 - Gemeente Glabbeek has a reputation for being "innovative" and "digitally minded". For instance, they launched a smartphone app...