Yeah, I misspoke, that is the total cost of breaches, not the net profit. I'm going to pin your comment so that others can see my mistake. I don't want to mislead people.
The demand must come from consumers. Right now, every software VP is telling his devs, "We need these 19 new features and they need to ship last week." And the devs say, "But what about security?" And the VP doesn't care because nobody is willing to pay for that.
Thank you for the kind words! I'm hoping to raise awareness of these issues in an easy-to-understand manner that is interesting for both novices and experienced professionals. I appreciate you stopping by and your feedback.
Everyone is addressing it. I don't know about the US, but European countries focus on prevention: workplaces give employees secondary phones with 2FA already set up, VPNs set up, rules explained, and you are informed of your role in cybersecurity. We even receive fake phishing emails so that the cybersecurity company that works with our company can see if we fall for it and if we need additional training.
Good summary, adding my rant as a different perspective you may want to consider: Education is good and all, but human error covers more than just social engineering (such as phishing). Misconfigurations and cumbersome or complicated processes are large contributors to why the human element is such an issue; it is not exclusively that a small minority of people don't care. On top of training, we need to make it easier to do the right thing and harder to do the wrong thing: change control to minimise misconfigurations, secure-by-default/design technology for day-to-day business, and making security controls transparent to the point where personnel are unaware of how many security layers they are going through. Examples are password policies to direct users towards stronger passwords; default access control configurations to stop users creating company-wide SharePoint sites with sensitive information; data-leak prevention to stop users from moving sensitive documents outside of the organisation; for cloud, pre-configured hardened images and centrally managed WAF/VPC/Security Groups. You get the point.
Thanks Pat, you earned a new subscriber. I'm currently in an AS program for cyber security. Opinions like yours are helping me tighten my focus to an applicable discipline. Also encouraging me to participate in the NCL this season, so thanks!
16:00 I'm getting into cyber sec, and my plan is to pass the basics that I need to show I can pass a test, then to plot out making a network, test it till I think it's ready, and make it a honeypot to actively let it be attacked, or maybe make a CTF for a really bored red team to go for it, with consent. However, yes, you won't be hired if you just pass some tests, because they made it very clear: you understand it, and the best way to show it is to make a network and defend it. Sadly, that's what I see as the bare minimum, due to most places not wanting to train people, so you have to do it yourself. Which is not easy, to be honest.
Yes, I'm aware setting up a network and firewall and defending it is very different from having to deal with unprotected networks. However, that's why "no trust" is a thing that is tossed at me so much in the stuff I'm working on test-wise: to put up so many internal gates that the damage done will hopefully be limited.
Reminds me of my job-hunting strategy. I make some automation involving the tech in the job listing, then I give a live demo of that automation in the job interview. It makes you stand out and more memorable.