Education – Kaspersky official blog
https://www.kaspersky.com/blog
The Official Blog from Kaspersky covers information to help protect you against viruses, spyware, hackers, spam & other forms of malware.
Wed, 07 Feb 2024 12:26:39 +0000

What kind of education does a cybersecurity specialist need? | Kaspersky official blog
https://www.kaspersky.com/blog/formal-education-cybersecurity/50512/
Wed, 07 Feb 2024 11:42:27 +0000

The labor market has long experienced a shortage of cybersecurity experts. Often, companies in need of information-security specialists can’t find any – at least, those with specialized formal education and the necessary experience. In order to understand how important it is for a company to have specialists with a formal education in this area, and how well such education meets modern needs, our colleagues conducted a study in which they interviewed more than a thousand employees from 29 countries in different regions of the world. Among the respondents were specialists of various levels: from beginners with two years of experience, to CIOs and SOC managers with 10. And judging by the respondents’ answers, it looks like classical education isn’t keeping up with InfoSec trends.

First and foremost, the survey showed that not all specialists have a higher education: more than half (53%) of InfoSec workers have no post-graduate education. But as to those with it, every second worker doubts that their formal education really helps them perform their job duties.

Cybersecurity is a rapidly changing industry. The threat landscape is changing so fast that even a couple of months lag can be critical – while it can take four to five years to obtain an academic degree. During this time, attackers can modernize their tactics and methods in such a way that a graduate InfoSec “specialist” would have to quickly read all the latest articles about threats and defense methods in the event of an actual attack.

InfoSec specialists with real life experience argue that educational institutions in any case don’t provide enough practical knowledge – and don’t have access to modern technologies and equipment. Thus, to work in the InfoSec field and to fight real cyberthreats, some additional education is required anyway.

All this, of course, doesn’t mean that cybersecurity professionals with higher education are less competent than their colleagues without it. Ultimately, passion and the ability to continually improve are of the utmost importance in professional development. Many respondents noted that they received more theoretical than practical knowledge in traditional educational institutions, but felt that formal education was still useful since, without a solid theoretical basis, absorption of new knowledge would progress more slowly. On the other hand, specialists who don’t have post-graduate education at all, or who came to information security from another IT industry, can also become effective specialists in protecting against cyberthreats. It really does all depend on the individual.

How to improve the labor market situation

In order for the market to attract a sufficient number of information security experts, the situation needs to be balanced on both sides. First, it makes sense for universities to consider partnering with cybersecurity companies. This would allow them to provide students with more practically applicable knowledge. And second, it’s a good idea for companies to periodically increase the expertise of their employees with the help of specialized educational courses.


You can read the part of the report devoted to InfoSec educational problems on the webpage of the first chapter – Educational background of current cybersecurity experts.

Podcast: Digital education in the time of Covid-19 | Kaspersky official blog
https://www.kaspersky.com/blog/transatlantic-cable-podcast-162/37115/
Sat, 19 Sep 2020 10:54:53 +0000

For the 162nd edition of the Transatlantic Cable podcast, Dave and Jeff take a break from the mike to welcome a special feature from our friends over at Tomorrow Unlocked. In this episode, Kaspersky security expert David Jacoby looks at the digitization of schooling for parents and educators during the COVID-19 global pandemic.

Digitization is transforming all facets of society, not just work environments. The pandemic is driving digitization at an astonishing speed, showing that there is still a lot more to be done. The field of education is mainly reactive; other industries develop new disruptive technologies that existing educational cultures and systems then apply and accommodate.

The latest big disruption in the education sector came about because of the COVID-19 crisis, which has caused millions of students to learn from home instead of in school classrooms. Schools have had to react quickly. To understand more about the current situation, and how education has to change in the future, we invited Filip Dochy, an expert on education at the KU Leuven, and two parents, Daniela Alvarez De Lugo and Riccardo de Rinaldini, to talk with David Jacoby.

For more information about our speakers, please visit their profiles below.

  • David Jacoby, Senior Security Researcher, Global Research & Analysis Team at Kaspersky
  • Filip Dochy, Professional Learning & Development, Corporate Training and Lifelong Learning at KU Leuven University and expert at the HILL Academy: High Impact Learning that Lasts
  • Daniela Alvarez De Lugo, General Manager, North Latin America region at Kaspersky
  • Riccardo de Rinaldini, Head of Global Consumer Marketing at Kaspersky

How TikTok can help with education | Kaspersky official blog
https://www.kaspersky.com/blog/educational-content-on-tiktok/37107/
Fri, 18 Sep 2020 13:56:29 +0000

At first glance, TikTok, the fun and fresh social media platform, doesn’t seem to offer much beyond addictive dance videos and risky challenges, but TikTok does host educational content as well, with more added every day. You just need to know how to find it.

The search for knowledge — on TikTok?

Social media feeds don’t come together randomly; they’re based on users’ interests. If you keep liking funny cat videos, more of them will appear in your recommendations. It’s that simple.

You can find more practical kinds of content on TikTok, however. For example, teachers from early childhood to higher education, scientists of all stripes, historians, art critics, and other professionals and enthusiasts from all over the world use their TikTok accounts to share short videos demonstrating lab experiments, solving math problems, recounting historical events, and much more.

Essentially, to make a TikTok account into an interesting educational resource, all you have to do is watch and like interesting educational videos.

How to find educational content on TikTok

So, how do you find that educational content? Start with hashtags — the # sign plus a word or short phrase on a specific topic from this year’s coursework, such as #antarctic or #climatechange.
Here are a few hashtags you can use to begin crafting your own educational TikTok feed:

#learnontiktok

This tag applies to educational videos, but it may also include various lifehacks, tips, and the like. Despite its extremely general mission, adding this hashtag to your searches may help you turn up some useful videos.

#[schoolsubject]

We’re in school for a long time, so use a variety of hashtags based on the learning level and subject matter at hand. For example, to find educational videos and accounts related to mathematics, you might start with #math or #algebra before drilling down (a little) to concepts such as #longdivision for younger learners or #planets for astrophysics. You can also search using specific key phrases such as “negative numbers.”

The #history tag has lots of educational videos about history. For more focused results, add #historyfacts, #ancientcivilizations, #wwii, and so on. Just like with math, using more specific terms narrows the results. Ditto any other subject, such as #geology, #anthropology, #paleontology, #economics, and more — it’s not rocket science (#rocketscience, however, is.)

Of course, TikTok also has tons of helpful videos for foreign-language learners. Add “speaking” or “language” to the name of the language: for example, #russianspeaking or #germanlanguage.

We offer the above simply as a taste — a way to think about how the TikTok platform can educate and inform, not just entertain. The first step is to train your newsfeed and recommendations properly. It may take a while, but it’s well worth the effort.

Remote learning: 10 tips for teachers | Kaspersky official blog
https://www.kaspersky.com/blog/online-education-ten-tips/36852/
Mon, 31 Aug 2020 09:58:07 +0000

Nobody planned for the current situation, but because of COVID-19, all types of education, all around the world, whether K–12, university, or continuing professional education, have at least partially moved learning to the Internet. With summer breaks coming to an end, the issue of how online learning can be conducted as conveniently, effectively, and safely as possible for both students and teachers is once again top of mind.

In this post, we present 10 pieces of advice that will help teachers make the most of online learning. However, we think students will find these tips useful as well — at least they’ll be on the same page as their teachers.

1. Learn about the tools you’ll be using

Selecting the tools you will use to conduct your online classes — the videoconferencing platform, testing service, messaging app, and so forth — gives you the most flexibility. However, your educational institution may have chosen tools for you already.

Regardless, you should get to know their capabilities and features as well as you can by reading through the instructions, learning the interface, and searching on the Internet for configuration guides. For example, we have a guide for using Zoom.

If your school or university provides you with access to Office 365 or G Suite, for example, clarify with your administrator the full list of resources you can access and use for your classes. It’s possible you didn’t know about something useful. Gain access as soon as possible and learn how to use the services.

2. Understand the rules (and review them with your students)

Your school or university probably has guidelines for the services they want faculty and staff to use, including what you may or may not use them for. And there are probably also rules stipulating which services are prohibited. For example, the school may have a policy forbidding the use of personal accounts for work purposes, or it may insist that everyone use a certain messaging app.

You should know all of those rules and requirements. In addition, you should also stay in the loop about the rules for using school-issued equipment. You might be allowed to take your school laptop home, or you might not. You might be allowed to play solitaire on it in your free time. It’s worth checking.

Last but not least, inform your students in advance about any requirements and restrictions that affect them as well. It is good practice to make such rules available in written form, too.

3. Limit your tools

The IT tools you select to conduct classes should be convenient for both teacher and students. More tools does not necessarily mean a better experience. Before starting classes, make sure you have sufficient tools for the job and that all participants in the educational process are comfortable using them.

The school may have access to a very large number of services. That does not mean you have to use all of them (unless your organization requires it).

4. Set a unique password for each service

If someone manages to crack your password for one of the services you’re using, such as the videoconferencing platform, then you have a problem. But if you use the same password for the grading or reporting platform, that problem just got a lot bigger.

Therefore, the following rule applies here just as it does for other services: For every account, you need one unique password. Of course, all of your passwords should be strong — long enough and not too obvious. We will not go into more detail here; we have written extensively about this.

Don’t write your passwords on a piece of paper or otherwise store them where someone can find them. If you find it difficult to remember your passwords, use a special password manager, such as, for example, Kaspersky Password Manager.

Finally, if at all possible, avoid situations in which several people share one account. In such cases, you may be unable to establish who made a particular change, and also, the more people using an account, the more vulnerable it is. A chain is only as strong as its weakest link, after all.

5. Develop a code of conduct for your classes

During the first lesson (or better, before it), teachers and students should reach an agreement about class procedures. You may agree, for example, that everyone’s camera should be turned on by default, but only the teacher’s microphone should be on at the start of class.

That is just an example, of course. Nevertheless, some code of conduct (preferably set in writing) is necessary in virtual classrooms just as it is in a traditional school setting. Following the code makes conducting class easier for teachers and helps students learn the material with fewer distractions.

If you conduct classes for several grade levels, you may be able to hold one rule-setting session for everyone at once, saving everyone time. During the session, actively test the code of conduct so that teacher and students share common expectations for the school year.

6. Agree on backup channels

Even the most reliable services sometimes encounter a glitch. The reason could be on the service provider side or at the network level of your institution. Regardless, you’ll need a backup plan.

To avoid having to make up classes, figure out in advance which service your class will use if the default one isn’t working.

For example, if students are unable to launch Teams at the beginning of the lesson, should they join a Skype call immediately or find out the new plan in WhatsApp?

Key for that plan to work is knowing in advance where to convene.

7. Maintain punctuality

Remote learning, just like remote work, has its upsides and downsides. One of the latter is that some people may not realize others are waiting for them, which can cause them to be late.

Ten people waiting for one person to start class is a pointless waste of time, which is why maintaining punctuality is imperative. If a lesson is supposed to start at 10:00, start it at exactly 10:00. (It is a best practice to connect to the videoconferencing service several minutes before the start of class to make sure everything is working properly and that everyone has any necessary documents on hand. Let any latecomers connect without comment; arriving late to an online classroom is not as disruptive as arriving in a physical classroom after the bell has rung.)

8. Guard your educational accounts

Pay careful attention to the accounts you use for educational purposes. You should have no problems accessing them at any moment, and no one else should be able to log in to them.

If you are a teacher, your accounts may be of some interest to your students, but ordinary student meddling (say, altering grades) is far from your biggest concern. An attacker who gains access to your account can also obtain the personal data of the other students in the class, which could lead to legal consequences.

If a student loses access to their account, their time will be wasted restoring access or creating a new account. They may also lose the information saved in the account. Though not as critical as the loss of a teacher’s account, it’s still unpleasant and worth avoiding if possible. All educational accounts need protection. If the service allows it, turn on two-factor authentication for everyone.

9. Understand how to recognize phishing e-mails

Educational platforms and videoconferencing services being popular, they are of interest to cybercriminals. These attackers create phishing websites and send out phishing e-mails intended to lure you to their site, where they steal your account credentials.

Therefore, it is important to know how to distinguish phishing attempts from official mailings and the messages legitimate services might send. Phishing sites often contain errors, misaligned layouts, and broken links, but sometimes scammers manage to create phishing pages that are indistinguishable from the real thing.

First, look at the website address in the browser address bar. If it is different by even one character from the address of the service’s official website, do not enter any personal information on the page. We also recommend this post about how to protect yourself from phishing.
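The address check described above can be automated. The following is an added example, not code from the original post; the hostnames in OFFICIAL_HOSTS and all sample URLs are constructed placeholders standing in for a school's real services.

```python
from urllib.parse import urlsplit

# Assumption: hypothetical official hostnames; replace with your institution's own.
OFFICIAL_HOSTS = {"portal.school.example", "meet.school.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str):
    """Return (verdict, official_host_it_resembles_or_None) for a link."""
    # urlsplit().hostname drops any "user@" prefix and the port, so the
    # comparison is made against the host the browser will actually contact.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host in OFFICIAL_HOSTS:
        return ("official", host)
    # One or two characters off from an official host: the case the post warns about.
    for good in sorted(OFFICIAL_HOSTS):
        if 0 < edit_distance(host, good) <= 2:
            return ("lookalike", good)
    # The official name appears somewhere in the link, but is not the real host
    # (for example as a "user@" prefix or as a subdomain of another domain).
    for good in sorted(OFFICIAL_HOSTS):
        if good in url.lower():
            return ("embeds-official-name", good)
    # Punycode labels can render as characters that look like Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("punycode-host", None)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [  # constructed sample links
        "https://portal.school.example/login",
        "https://porta1.school.example/login",
        "https://portal.school.example@login.example/",
        "https://portal.school.example.login.example/",
        "https://xn--prtal-0ta.school.example/",
    ]
    for link in samples:
        print(classify(link), link)
```

Anything other than "official" means credentials should not be entered on that page.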

10. Protect devices

You need reliable protection on every device you use to access educational resources. If a student’s school computer is infected by ransomware, for example, restoring the computer and files can waste a lot of valuable time.

And if a teacher’s computer becomes compromised, things can get even more interesting. Some malware may try to spread to students’ devices. That is why you need reliable protection on all computers, smartphones, and tablets.

How and why the NYPD has raised cybersecurity awareness | Kaspersky official blog
https://www.kaspersky.com/blog/rsa2020-security-awareness-nypd/33960/
Fri, 06 Mar 2020 15:41:39 +0000

While I was looking over sessions at RSA Conference 2020, a talk called Tackling cyber-enabled crime at scale: Moving enforcement forward caught my eye. As someone who is quite addicted to Law & Order and is also into cybersecurity, I thought it sounded like a real-world version of a bad hacker TV show, but at the New York City Police Department (NYPD).

The speaker, Nick Selby, had a great story to tell. You see, New York City has a big problem with cybercrime — a nine-figure problem. It seemed everyone from digital natives to baby boomers had fallen victim to cybercriminals, from phone scammers to ransomware, a Nigerian uncle needing a money transfer, and more.

Most times, it is the NYPD that victims call. However, any time the officers responding to a call heard tech words such as Bitcoin, their first response was something like “not my monkeys,” because, well, it was cyber. In police officers’ and detectives’ mental maps, cyber was what some other agencies dealt with. They used to advise victims to call the FBI, and that was that.

For a city the size of New York City, that was a problem. Selby knew it, as did his superiors at the NYPD, who tasked Selby with helping change the culture and train officers to care about cybersecurity.

The whole presentation captivated me and discussed all of the cool things that the team did in terms of stopping cybercrime and helping get people their hard-earned money back. The story isn’t mine to retell here, but I strongly suggest watching the full talk below:

However, the thing that I couldn’t get past in the presentation was this notion: Selby had to help change this culture and train officers to care about cybersecurity.

Anyone who has led security training has probably gotten snarky questions or comments like:

I work in finance, why should I care?
I work at the front desk, why should I care?
I am on the service desk, c’mon man, I know security!

And my favorite overheard-in-the-office whine:

Ugh, security training, AGAIN?

Now, we’ve all been there and had to do something that we didn’t feel was necessary to our jobs. The problem though, is that cybersecurity touches everything. Seriously. Here are just a few from the average workplace:

Do you see my point? All employees are technically attack vectors, but they are typically not thinking along the lines I mentioned above.

What can we learn from the NYPD?

Unlike corporate cybersecurity trainers, the NYPD was training police officers, but their tasks and challenges were very similar, and so were their guiding principles:

  • Keep it simple. Perhaps the biggest factor in the NYPD team’s success was that they kept the training straightforward and to the point. I believe they kept the number of slides in their training sessions to fewer than 20. When planning training materials for your staff, make sure they include clear objectives to show trainees why they should care and how to succeed.
  • Empower people. Another cool approach Selby and team used was offering an app to help cops code cybercrimes, facilitating appropriate investigations. Now, I’m not saying you need to create an app for your company. Instead, find ways to empower employees to put your training into practice. If they see something suspicious, how can they report it? If they get a phishing e-mail, how can they get it blocked for the whole company, or where should they send it?
  • Show results. The NYPD measures everything it can, and with this program, the department started measuring “cyber” as well, so cops could see that their work was actually helping get more crimes investigated in their boroughs. They were also able to see how big the problem was and how their roles helped fight cybercrime. Your employees may not be fighting criminals, but you can show them how their awareness really helps. For example, nine ransomware attacks thwarted or 200 phishing e-mails averted in the year could be good things to share in a regular update.

Your training doesn’t need to be high tech or expensive. Sharing your internal expertise can lead to major changes for your organization.

Even if crafting a cybersecurity training plan isn’t in the cards for your business this year, we’ve got you covered. Kaspersky offers a free security education course series that you can share with your employees to get started.

How to avoid downloading an infected textbook or essay | Kaspersky official blog
https://www.kaspersky.com/blog/back-to-school-malware-2019/28316/
Mon, 02 Sep 2019 13:11:01 +0000

It is far too easy to pick up nasty stuff when you try to download popular TV shows or game cheats. However, cybercriminals do not limit themselves to tainting entertainment; you can also stumble upon a virus when looking for work- or study-related materials. This is particularly important to keep in mind as the academic year starts, because the cost of textbooks and other materials for K–12 and college students often leads to many looking for more affordable and free alternatives online.

Download an essay, get some malware thrown in

Wanting to find out how frequently malicious content is encountered among materials that are posted for free access, we checked how many infections Kaspersky solutions identified in files with school- and student-related filenames. This exercise yielded quite a few results!

As it turns out, over the past academic year, cybercriminals targeting the field of education tried to attack our users more than 356,000 times. Of these, 233,000 cases involved malicious essays downloaded to computers owned by more than 74,000 people. Our solutions blocked them, of course.

About another third of the files were textbooks. We detected 122,000 attacks by malware disguised as textbooks. More than 30,000 users tried to open those files.

English textbooks were the most common malware hiding place K–12 students encountered, with 2,080 attempted downloads. Math textbooks were the next most common, nearly infecting the computers of 1,213 students. Literature closes out the top three most dangerous subjects, with 870 potential victims in our study group.

Criminals also targeted less-popular subjects. We have come across malware masquerading as textbooks in the natural sciences (18 users tried to download these) and in less commonly taught foreign languages at both the K-12 and college levels.

Which types of malware are disguised as textbooks and essays?

If in your search for study materials you find yourself on an unscrupulous website and try to download something, you risk encountering just about any type of malware. However, certain types of threats are distributed in this way more than others. Here are the four malware types most frequently distributed as study materials.

4th place: MediaGet torrent application downloader

Sites peppered with enticing Free Download buttons often foist the MediaGet downloader on users instead of the files they were looking for. The downloader is the most innocuous of the nasty surprises that await students who are searching for educational resources. This downloader will retrieve a torrent client that the user does not need.

3rd place: WinLNK.Agent.gen downloader

Hiding malware inside ZIP or RAR archives is a popular technique that makes the threats harder to detect. Such is the case with the WinLNK.Agent.gen downloader. The archive contains a shortcut to a text file, which not only opens the document itself, but also launches the attached malware components.

They, in turn, can download more malware to the device. Typically, the additional downloads are malicious cryptomining programs that mine cryptocurrency for their owners. As a result, the computer and Internet connection speed will suffer, and the victim’s electricity bill may go up. Adware could also flood the computer with ads. In addition, this malware can download more dangerous programs.

2nd place: Win32.Agent.ifdx malware downloader

Another downloader often disguised as a textbook or an essay is called Win32.Agent.ifdx. Although it appears to be a DOC, DOCX, or PDF document, with the corresponding icon, it is in fact a program. Moreover, when it is launched it also opens a text file so that the victim does not realize anything suspicious is going on. However, its main task is to download all sorts of bad things onto the victim’s computer.

Recently, this type of malware has shown a tendency to download various cryptominers. It is worth remembering that the priorities of malware distributors can change. Nothing prevents them from modifying the malware to download spyware, banking Trojans that steal data from cards and accounts at online banks and stores, or even ransomware instead of cryptocurrency miners.

1st place: School spamming using the Stalk worm

Spammers also distribute malicious textbooks and essays. Spam is the preferred means by which Worm.Win32.Stalk.a is spread, for example. This worm has been around for quite a while, and we thought that it had fallen out of use. To our surprise, not only is it still being used, but it is also the “educational” malware with the greatest number of victims.

Once on a computer, Stalk penetrates all devices that are connected to it. For example, it can infect other computers on the local network or a USB flash drive containing the educational materials. This is a very insidious step, because then, if the recipient prints the essay using school or university resources from a flash drive, the worm will make its way onto the institution’s network.

There’s more. To infect as many systems as possible, Stalk tries to e-mail itself to the victim’s contacts. With the messages coming from the victim’s account, fellow students and classmates are likely to open the attached malicious application.

Stalk is dangerous not only because of its ability to spread itself over a local network and by e-mail, but also because it can download other malicious applications to the infected device, and copy and send files from victims’ computers to the malware owners.

The Stalk worm is still able to thrive largely because educational institutions in general, and their printer systems in particular, often use hopelessly outdated versions of operating systems and other software. This allows the worm to continue to spread.

How to protect yourself from malicious fake textbooks and essays

You can stay safe and avoid the problem entirely by finding textbooks in physical or online libraries, but general safe downloading advice applies for avoiding infection:

  • Pay careful attention to what type of site is hosting the textbook you want to download. Do not visit dubious resources that are full of flashing Download buttons or that require you to install a downloader first.
  • Do not use outdated versions of operating systems and other software. Make sure that you install any software updates in a timely fashion.
  • Be critical of e-mail attachments, including ones that are sent from acquaintances. If a friend suddenly sends you an essay that you did not ask for, that is reason for suspicion.
  • Pay attention to the extensions of the files that you are downloading. If you downloaded an EXE file instead of a document, do not open it.
  • Use a reliable computer security solution. For example, Kaspersky Internet Security recognizes and blocks not only the threats described in this post, but also many others.
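The extension advice above, and the disguises described earlier in this post (a shortcut packed inside an archive, a program carrying a document name and icon), can be checked mechanically before a download is opened. The following is an added example, not code from the original post or from any Kaspersky product; the archive it scans is constructed in memory and its entries contain only file-header bytes, not working programs.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes ("magic numbers") of the formats this example distinguishes.
MAGIC = [
    (b"MZ", "exe"),                                # Windows program (PE)
    (b"L\x00\x00\x00\x01\x14\x02\x00", "lnk"),     # Windows shortcut
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                        # ZIP, also the DOCX container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy DOC
]
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".doc": "ole"}  # extension -> content
DOC_EXT = set(EXPECTED) | {".txt", ".rtf"}
RUNNABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def sniff(data: bytes) -> str:
    """Identify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(name: str, data: bytes) -> list[str]:
    """Return the reasons a file that claims to be a document is suspicious."""
    findings = []
    suffixes = [s.lower().strip() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    kind = sniff(data)
    if ext in RUNNABLE_EXT:
        findings.append(f"runnable extension {ext}")
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
            findings.append(f"double extension {suffixes[-2]}{ext}")
    if kind in ("exe", "lnk") and ext not in RUNNABLE_EXT:
        findings.append(f"content is {kind} but name ends in {ext or '(none)'}")
    elif ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"content ({kind}) does not match {ext}")
    return findings


def scan_archive(blob: bytes) -> dict[str, list[str]]:
    """Check every member of a ZIP without extracting it to disk."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)  # the header is all sniff() needs
            findings = check_file(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: names and header bytes only, no real payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("history_essay.pdf", b"%PDF-1.4\n% constructed sample\n")
        zf.writestr("algebra_textbook.docx", b"MZ" + b"\x00" * 62)
        zf.writestr("essay.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt.lnk", b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 68)
        zf.writestr("notes.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Windows hides known file extensions by default, which is why a name such as essay.pdf.exe can look like a PDF in the file manager; checking the content rather than the displayed name sidesteps that.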
School hacking | Kaspersky official blog
https://www.kaspersky.com/blog/school-hacking/27302/
Fri, 21 Jun 2019 10:00:06 +0000

School exams not going quite according to plan? It can happen to anyone. Most of those affected will pick themselves up, retake the tests, or change their goals. But in a few cases, students may be tempted to cheat their way to success.

Over the years, an underground industry has grown up around that temptation, from discussion fora and how-to videos for hacking into your school system to fake certificates and diplomas available for sale on the black market. We decided to look into this a little and see what schools and colleges can do to protect themselves and their students.

Getting access to grades

Many schools have introduced Web-based information platforms for school activities, homework, assessments, parent and teacher communications, and more. Some of these are open to the Internet, and many such platforms, including some of the most widely used, have a history of being vulnerable.

One of the most popular school information platforms is PowerSchool. PowerSchool is known to have carried a vulnerability (CVE-2007-1044) that would allow an attacker to list the content of the admin folder via a specially crafted URL. The impact of this vulnerability depends on the settings of the Web server and what the folder contains.

However, reported vulnerabilities and exploits such as this one do not allow an attacker to bypass the authentication or escalate privileges to gain access to the kind of information grade-hackers might be looking for. For that, there is an easier route: using account credentials.

PowerSchool’s gateway, like that of many other platforms, is protected only by usernames and passwords.

Login pages of PowerSchool online system

In March 2019, students were alleged to have hacked into PowerSchool for the purpose of changing grades and improving their attendance records. And because people reuse account credentials on multiple sites, it is highly likely that these portals are being hacked using stolen or reused account details. These accounts can be obtained using different methods, from simply copying them from a sticky note on a teacher’s keyboard to actual hacking and credential harvesting on the school or college network. Alternatively, students can hire an underground hacker to do it for them.

Hacking services and forged diplomas on black markets

An online search on June 12 easily led us to an online offer for hacking services and authentic-looking forged certificates, diplomas, and degrees for a subject or institution of your choice. The process is clear and simple, with an order form and contact information.

An online black market that sells certificates and diplomas of different institutions

Improving security in education

So, what can schools, colleges, universities, and even employers looking for evidence of academic achievement do to make sure that what they are looking at is the real thing?

When it comes to certificates and diplomas, organizations should verify their authenticity with the issuing institution. If there is no record of that student obtaining that qualification, chances are you’re dealing with a fake.

In the case of Web-based information systems, a few essential measures will go a long way toward keeping staff, students, and information safe:

  • Introduce some form of two-factor authentication wherever possible, and particularly for access to student records, grades, and assessments. Set strong and appropriate access controls, so that it is not easy for a hacker to move laterally through the system.
  • On campus, have two separate and secure wireless networks, one for staff and one for students. It might also be a good idea to have a third, isolated network for visitors.
  • Introduce and enforce a robust staff password policy and encourage everyone to keep their access credentials confidential at all times.
  • Use a reliable security solution for comprehensive protection from a wide range of threats.
Building a cybersecurity culture | Kaspersky official blog https://www.kaspersky.com/blog/building-cybersecurity-culture/25729/ Tue, 26 Feb 2019 19:48:55 +0000 https://www.kaspersky.com/blog/?p=25729 When we talk about practical advice for companies, we always say something like “Raise your employees’ security awareness.” That advice is unquestionably strong, but we have noticed that not everybody understands the term security awareness in quite the same way. We would like to explain what we mean when talking about this subject.

Security awareness is by no means a set of dull lectures about how dangerous the cyberworld is. We have studied a variety of approaches and can say that categorically. It simply doesn’t work.

What business really needs is a culture of cybersecurity.

Our approach

In our experience, training will work only if it matches several criteria:

  • It is not pure theory; it teaches things that are relevant to one’s job functions;
  • It does not interrupt students’ daily workflow;
  • It uses real-life, illustrative examples;
  • It gives advice that really can be applied.

Applicability

The last point may sound incredibly obvious, but actually, it is an important point. A good tip is easy: Make every password unique, at least 18 characters long, and containing random symbols; change every single one weekly; and never write down a password on paper. In theory, that advice is great — perhaps even ideal. Is it applicable, though? No. Will anyone follow it? Not a chance. They will continue writing “Passworddd123” on a sticky note. They might start taking the extra second to hide the paper under their keyboard.

That is why our version of password security instead advises people to create several complex “roots” that have meaning only to them and are not part of everyday speech (e.g., meow!72!meow); add a keyword to the root each time you create a new password (e.g., oxygen-meow!72!meow); take a piece of paper and write aqualung-cat on it (i.e., something that you associate with the keyword and the root).

From a classical cybersecurity perspective, that advice is far from ideal. Any security expert would yell, “What are you doing, how can you advise people to write down part of their password?” But it’s actually highly practical — and the best advice is advice people will follow.

Compatibility

Training’s compatibility with daily work is another sensitive issue. When someone at the top decides to “raise security awareness” (and let’s keep in mind that in most cases, the idea comes up after some sort of security incident), they put someone in charge and rest easy, certain that everyone will just drop everything and turn to cybersecurity.

In practice, it’s a lecture — a big, long affair that probably summarizes a topic or implements a “cybersecurity week.” Some employees will consider it an opportunity not to work; others will be nervous about pressing deadlines; and the rest simply won’t get much out of it, because there’s only so much information you can cram into your brain in a short period of time.

At the end of it, employees will have completed training, so someone can check that off their list. But will there be a real result? Sure, some will feel shaken, and for a week or two they will remember to examine each incoming e-mail to guard against phishing attempts. But what will they remember in a month?

That is why we try (in particular with our Automated Security Awareness Platform) not to overload people with information. Running through a couple of small activities — lessons, tests, and simulations — per week gives employees a digestible amount of information, and in small enough bites to integrate with daily work, building a foundation for cybersecurity culture. And thanks to our platform, little administrative effort is required. You can read more about it on our corporate Website.

Relevance and visualization

On this subject our position is direct — we work with people, not with faceless accounts. If the process isn’t interesting, it will be quickly forgotten. And it needs to be relevant. We use a system of levels, each recommended for a group of employees with an area of responsibility in common. After all, why would we train someone who has no access to banking systems on resisting financial cyberthreats? Accountants, on the other hand, need a deeper understanding of those threats specifically. Moreover, first we explain why employees should know something, and only then give practical advice.

Interactive simulations also go beyond giving simple information about threats and provide practical expertise. They also may be the best way to work with top managers, who may have extensive access but rarely agree to attend common training sessions.

People perceive our Kaspersky Interactive Protection Simulation not as some sort of education, but as a team-building event. Working together with staff to keep a simulated company intact, directors come to truly understand why the company needs protective measures, where to spend on defense, and how the company’s income depends on cybersecurity. It is truly a unique experience.

We are not the only ones thinking about the advantages of building a cybersecurity culture, not to mention modern and effective ways of conducting security training. Analytic companies are expressing similar ideas. Here, for example, is Forrester’s report about security awareness.

Kaspersky Lab opens a new office for developers in Dublin, Ireland | Kaspersky official blog https://www.kaspersky.com/blog/dublin-forum-2016/12933/ Mon, 12 Sep 2016 15:11:18 +0000 https://www.kaspersky.com/blog/?p=12933 The cybersecurity industry has a fundamental insecurity: talent supply. Frost & Sullivan estimates that by the year 2020 the field of cybersecurity will see a talent shortage of 1.5 million skilled employees despite the effort of education systems around the world to increase capacity.

The IT departments of large companies will bear much of the brunt of the shortage. However, the real fight will happen between specialized security vendors searching and competing for experts with cross-domain knowledge. You don’t find people like that in your average university.

The challenge of talent shortfall was discussed at a panel held by Kaspersky Lab in Dublin, Ireland. Widely known as the Silicon Valley of Europe, Ireland — and Dublin in particular — is very active in training and hiring IT professionals, making the city a natural choice of venue for a discussion involving a huge group of interested parties: security vendors, educational institutions, recruitment agencies, and government representatives.

All panelists shared the view that although education systems are already actively adapting to address the issue, it’s not enough to overcome the expected shortage. Shane Nolan, CEO of IDA Ireland, explained: “The capacity to train new people at the academic level stepped up a number of notches during the past five years. Pretty much every college in the country has an undergrad or postgrad course in cybersecurity…. I think promoting this capacity to kids is vitally important. And the work placement part of the education system is vitally important. Many students choose generic IT education. If we could divert this traffic towards cybersecurity applications, that would go somewhere as well.”

Futureproofing cybersecurity

Jacky Fox, risk advisory director for Deloitte Ireland and leader of Deloitte’s Cyber Security and IT Forensic service in the country, added that ideally, at least one lesson in cybersecurity should be provided to every student regardless of his or her field of study. “It may turn some heads. It may be a potential option for them,” she concluded.

Dr. Michael Schukat, a lecturer in the Department of Information Technology at the National University of Ireland, Galway, emphasized that the problem should be addressed in earlier stages as well, during the school years: “Teenagers are interested in programming, but they end up doing mechanical engineering or civil engineering because that’s the advice they got. Where we can step in? I suppose we have a right person sitting here [points at Eugene Kaspersky]: We need role models, we need rock stars of cybersecurity being more visible, showing those teenagers (and their parents) there’s a career, there’s money, there’s a lot of excitement in cybersecurity. And also, we need to enhance our efforts to get students interested in cybersecurity — right now ICT is just programming. We can spin it off to make it focus on cyber, we could have hackathons, open days, you name it. Eventually we will find students gravitating to cybersecurity.”

Eugene Kaspersky himself thinks that it’s not that difficult to get students interested: “First, IT security is now everywhere from a phone to a turbine,” he said. “Second, in many cases we have to investigate, to hunt the men. Third, there’s more demand for cybersecurity experts, so they’re better and better paid.”

However, even educated and engaged graduates are rarely fully qualified for advanced cybersecurity tasks. That’s why graduates who undertake additional training or internships with real cybersecurity teams are more likely to find success in the field. Of course, this task is much easier to achieve in an oasis like Dublin, which has many such companies and teams. “At Deloitte, we take interns, we have graduate programs — three years of training to bring them from grad space to trained cybersecurity professional,” said Jacky Fox.

To evolve, cybersecurity companies need such oases: They often need to find a rare or unique expert. As Shane Nolan put it: “Having the majority of industry here is vitally important because you want a level of skilled employees, not just graduates, not just PhD students, but people with experience…. It’s our part of the deal to help Ireland to create a platform for these companies to continue to build the IT cluster.”

Kaspersky Lab has this need too. That’s why we opened our first EU-based research and development center in Dublin the same day the panel took place. About 50 developers will work there during the first stage.

Keith Waters, head of engineering at Kaspersky Lab Ireland, said he feels quite inspired by his task: “It’s a great and interesting challenge to build the type of products we do for protecting enterprise companies. To build the advanced products and solutions that we want to do in Dublin requires a combination of security expertise, big data knowledge, machine learning — it’s difficult to find a more exciting and interesting combination of skill sets and technologies for the engineering community.”

Eugene Kaspersky hinted that in addition to the new R&D center, Kaspersky Lab may create a special training center dedicated to education in emerging cybersecurity fields such as critical infrastructure protection and transportation security. “I am certain that our office in Dublin will help us to build better cybersecurity systems, services, training, and education, working closely with the Irish government and universities,” he said.

Prime Minister of Ireland (Taoiseach) Enda Kenny attended the opening ceremony and promised governmental support for the industry: “The breadth and scope of the skills needed in this area are well recognized by the government, and the new strategy for education and skills will seek to ensure that IT and digital skills are a key part of all levels of educational system.”

Kaspersky Lab tells about its numerous social project | Kaspersky official blog https://www.kaspersky.com/blog/kaspersky-labs-reveals-social-programs/10214/ Tue, 13 Oct 2015 13:31:11 +0000 https://www.kaspersky.com/blog/?p=10214 It’s not easy to be successful even in advantageous times, and it is even more challenging to stay best in class for nearly two decades. This year our company turns 18 years old, and we have achieved a lot of cool things.

 Kaspersky Lab social responsibility report 2015

At Kaspersky Lab, we have always been more than just a business. Over the years, there have been good days and bad days, but whenever Kaspersky Lab employees think about their career choice, they can be sure: our work saves people from real threats. There are few things more inspiring.

Kaspersky Lab cooperates with Interpol, Europol and police, fights cyberbullying and tackles cybercrime on a global level. Our work is not limited to developing anti-virus solutions, although we do provide top-of-the-range protection to people, businesses and communities (which is proven annually by a number of independent tests). We also train people in the basic skills of Internet security and help young professionals develop their expertise.

Our employees call Kaspersky Lab “a company for people,” and the positive impact of this attitude reaches far beyond the boundaries of our offices. That is what matters the most.

Founded in 1997, Kaspersky Lab has evolved into an international company that operates in almost 200 countries and territories worldwide. Registered in the United Kingdom, we have 34 representative territory offices in 31 countries across 5 continents. The company employs more than 3,000 highly qualified specialists and this number is growing by about 7% a year.

Kaspersky Lab employee satisfaction level is high!

Employees at Kaspersky Lab find time to conduct their own charity initiatives. For example, Kaspersky Lab North America employees gather Christmas presents for disadvantaged families of Woburn and donate food for those who cannot afford it. Since 2011 colleagues in North America have donated US$ 65,000 for different kinds of charity projects.

Kaspersky Lab's social responsibility budget includes:

The team is not afraid to get their hands dirty if it is for a good cause. Last year employees of the NA office picked up shovels and cleared an emergency exit for a local zoo. At Kaspersky Lab North America, employees get 3 paid days off each year to spend doing charity work.

One cannot make the world safer all alone. Solo heroes are excellent for comics, but in the real world you need to respect the concept of teamwork. At the beginning of 2014, a joint educational project between Kaspersky Lab and the City of London Police started.

We held a series of exclusive training sessions in cybersecurity fundamentals designed especially for the City of London Police officers. The first ten officers visited Kaspersky Lab Headquarters in Moscow, where our Global Research and Analysis Team professionals trained them over the course of three weeks. It was not a theoretical course; in fact, it turned out to be so effective that the City of London Police Academy has since incorporated the sessions into its curriculum.

We also have programs for teens and children. The Kaspersky Academy is a project created to support and develop young cybersecurity talent. Young people receive the opportunity to take part in a number of educational programs, develop their knowledge and skills and get noticed in the cybersecurity community.

We are also an associated partner of the ENABLE Hackathon, which was held as part of European Coding Week 2015. Kaspersky Lab was asked to choose the best app in the anti-bullying category. We selected Youth Panel from Germany, which developed the First-Aid App for smartphones against cyberbullying.

We chose the German team because their app gives a simple and effective opportunity to support victims of cyberbullying. The team was awarded a 3-day trip to Italy, where they can visit the Ferrari museum in Maranello, attend the Ferrari Challenge World Finals at the Mugello circuit and meet and greet a Scuderia Ferrari Formula One driver.

At Kaspersky Lab we are going to use our strength — the things we can do the best — to make the world a safer place. Yes, we can’t do that all alone, but we don’t have to — as 80 million people help us. This is how many volunteers are connected to our cloud security network, called Kaspersky Security Network. And you know, joint efforts pay off! KSN not only helps us enhance the usability of our products, it also makes it possible to deliver data on newly emerged threats and their sources in less than a minute — 40 seconds.

So we owe our thanks and respect to all the users who support us and help us save the world: with word, technology and good strategy.
