Home Podcasts Videos Guest Posts Q&A My Take Bio Contact



GUEST ESSAY — The rationale for pursuing a culture of cybersecurity– and a roadmap to get there

By Matthew T. Carr

Organizations with strong cybersecurity cultures experience fewer cyberattacks and recover faster than others.

Related: Deploying human sensors

This results from emulating the culture building approaches of high-risk industries like construction that devote sustained attention to embedding safety throughout the organization.

For most organizations, building a cybersecurity culture is a necessary evil rather than a cherished goal. Prioritizing security means desirable cultural norms like openness, trust building, creativity, efficiency, and risk-taking might suffer.

Until a decade ago few organizations needed a cyber security culture. If the security industry catches up with adversaries, then the need for a cybersecurity culture will eventually fade away. Few will miss it.

Cybersecurity culture is a subset of the overall corporate culture. It harnesses beliefs and values to promote secure behaviors by employees in everyday work activities.

Model culture

Cybersecurity culture is necessary today because routine actions such as opening emails, responding to customer requests and using productivity software can put the organization at risk for ransomware and data breaches.

GUEST ESSAY: Scammers leverage social media, clever con games to carry out digital exploitation

By Collin McNulty

One common misconception is that scammers usually possess a strong command of computer science and IT knowledge.

Related: How Google, Facebook enable snooping

In fact, a majority of scams occur through social engineering. The rise of social media has added to the many user-friendly digital tools scammers, sextortionists, and hackers can leverage in order to manipulate their victims.

Cybersecurity specialists here at Digital Forensics have built up a store of knowledge tracking criminal patterns while deploying countermeasures on behalf of our clients.

One trend we’ve seen in recent years is a massive surge in cases of sextortion. This online epidemic involves the blackmail of a victim by the perpetrator via material gained against them, typically in the form of nude photos and videos.

These sextortionists are some of the lowest forms of criminals, working tirelessly to exploit moments of weakness in their victims induced by loneliness and our most base-level human natures.

Since the dawn of civilization and economics, instances of fraud have always existed. Scholars have determined that the precursors of money in combination with language are what enabled humans to solve cooperation issues that other animals could not.

SHARED INTEL Q&A: Bi-partisan report calls for a self-sacrificing approach to cybersecurity

By Byron V. Acohido

A new report from the Bipartisan Policy Center (BPC) lays out — in stark terms – the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remains opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative, approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director about this analysis.  Here’s the exchange, edited for clarity and length:

GUEST ESSAY: The case for complying with ISO 27001 — the gold standard of security frameworks

By Matthew Sciberras

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Related: The demand for ‘digital trust’

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

SHARED INTEL: The expected impacts of Pres. Biden’s imminent National Cybersecurity Strategy

By Shannon Flynn

The United States will soon get some long-awaited cybersecurity updates.

Related: Spies use Tik Tok, balloons

That’s because the Biden administration will issue the National Cyber Strategy within days. Despite lacking an official published document, some industry professionals have already seen a draft copy of the strategic plan and weighed in with their thoughts. Here’s a look at some broad themes to expect and how they will impact businesses:

•New vendor responsibilities.  Increased federal regulation puts more responsibility on hardware and software vendors compared to the customers who ultimately use their products.

Until now, people have primarily relied on market forces rather than regulatory authority. However, that approach often leads to bug-filled software because makers prioritize new product releases over ensuring they’re sufficiently secure.

These changes mean business representatives may see more marketing materials angled toward what hardware and software producers do to align with the new regulations.

GUEST ESSAY: Data loss prevention beccomes paramount — expecially in the wake of layoffs

By Guy Eisdorfer

When a company announces layoffs, one of the last things most employees or even company owners worry about is data loss.

Related: The importance of preserving trust in 2023

Valuable or sensitive information on a computer is exposed to theft or to getting compromised. This can happen due to intentional theft, human error, malware, or even physical destruction of servers. But it’s a real and growing risk to be aware of.

In 2020, Forbes reported that pandemic layoffs and remote work served to increase the risk of company data loss. Tesla, for example, suffered two cybersecurity events after layoffs back in 2018.

Data loss isn’t necessarily spiteful. Imagine an employee creates a spreadsheet showing all your clients and the main points of contact for each. She updates this sheet, but forgets to share it internally.

She gets laid off, and she takes the spreadsheet with her because she believes that the work she created at her job belongs to her. This may sound like an edge case, but a survey by Biscom found that 87 percent of employees took data that they themselves had created from their last job.

Data theft can also be deliberate and malicious. That same employee might use that spreadsheet as a bargaining chip in securing a new job with your competitor.

FIRESIDE CHAT: New automated tools, practices ascend to help companies wrangle PKI

By Byron V. Acohido

Arguably one of the biggest leaps forward an enterprise can make in operational reliability, as well as security, is to shore up its implementations of the Public Key Infrastructure.

Related: Why the ‘Matter’ standard matters

Companies have long relied on PKI to deploy and manage the digital certificates and cryptographic keys that authenticate and protect just about every sensitive digital connection you can name.

Reliance on PKI is only intensifying – as a direct result of the rise of massively interconnected digital systems. This has created a daunting operational and security challenge for many enterprises.

The good news is that a new batch of technical standards and protocols, as well as advanced tools and services, are on the ascension, as well.

Guest expert: Mike Malone, founder and CEO of Smallstep

One technology start-up in the thick of helping companies more effectively “wrangle” PKI is San Francico-based Smallstep, as Mike Malone, founder and CEO, puts it.

Smallstep launched in April 2022 with $26 million in funding, including a seed round of $7 million led by boldstart ventures with participation from Accel Partners, Bain Capital Ventures and Upside Partnership, LLC., and a Series A of $19 million led by StepStone Group.

I recently had the chance recently to visit with Malone; we discussed how advances in automation can help companies begin to proactively manage the swelling volume of digital certificates and encryption keys that are part and parcel of the massively interconnected digital systems. For a full drill down, please give the accompanying podcast a listen.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)