October 2, 2013

A step in the right direction during National Cyber Security Awareness Month

Here’s something meaningful we can all do to improve security awareness in our organizations. Ask your management to sit down for an hour or two and […]
March 30, 2014

Would your employer dare to take away your access to Salesforce, Box and Gmail?

It seems like the momentum is really swinging to allow employees to do whatever they want in terms of accessing the web, as long as […]
December 16, 2014

Some reasonable privacy predictions for 2015

I’ve never been a big fan of the hype stories at the end of each year about security or privacy predictions for the coming year. But […]
March 31, 2015

Why not put a 2 person over-ride in every commercial airliner?

Just a quick thought after this week’s air crash in France, in which the co-pilot locked the pilot out of the cockpit and intentionally crashed the […]
February 8, 2016

Highlighting privacy risks from connected devices – Is it FUD?

I was recently asked to participate in an interview with CBC news columnist Laura Fraser. The topic to be discussed was privacy risks from connected devices. […]
February 28, 2016

…But our iOS passwords go to 'Eleven'

If you haven't been following the controversy around Apple and the FBI, maybe all you need to know is that you should probably have an 11 character, random alpha-numeric passcode on your iPhone. This will probably be good enough to protect your iPhone from being cracked open by a brute force attack, no matter what Apple is forced to do for law enforcement.
February 29, 2016

Try using due diligence risk to justify security

For the past several years, I've talked about how "fear or compliance" are often the best ways to help justify the need for security. It's not that I'm trying to convince my readers that security investment is needed in their organization by scaring them or threatening them... They know it is needed. The problem is that they have a hard time articulating the need to executives who have limited time to listen, a whole different mentality around risk and a need to watch the bottom line in the short term. Sometimes pointing out the worst case impacts (e.g. fear) or pointing to regulations (e.g. threats of penalties from non-compliance) are needed, but sometimes they aren't effective or appropriate. I recently had a conversation with an executive that gave me this idea, to focus on what I call Due Diligence Risk.
April 1, 2016

Hospital ransomware attacks are just a stepping stone to your industry

This week, hospital chain Medstar Health in Washington, D.C. was hit with a crippling ransomware attack that encrypted file systems on computers throughout the organization’s network. […]
April 1, 2016

Three dumb routers are coming to a home network near you

If you're keen to use all the cool new gadgets that are coming on the market, but are wondering how you can protect your network from their inevitable vulnerabilities, I have a suggestion for you: Three Dumb Routers. First, I'll explain, in simple terms, what it takes to set this configuration up, and then I'll try to briefly explain why it is a good approach to protecting your network from the Internet of Things, assuming you really have your heart set on playing with these things, or at least showing them off.
May 1, 2016

3 reasons why teaching somebody to drive a car is easier than training employees to work securely

I love using analogies when explaining things to people. If we compare learning some common activity that we all understand, like training people to drive, with […]