Blog

Virtually all cyber exposure programs today are directed at addressing the cyber exposures an organization faces from its own resources and activities and from outside sources. This is necessary but not sufficient.

Why? Because most organizations also face secondary cyber exposures that they are neither aware of nor prepared to address. For example, many organizations do not manage, or own their own properties but inhabit facility space managed by someone else. That someone, generally a building

Now that vacation time is over in the Northern Hemisphere. Did you relax? Unwind? Clear your mind?

Well I sure hope so because the cyber predators have been setting new clickable traps, and sending devious emails to greet you on your return. Also, in your absence cyber predators continued to launch millions of attacks daily across the globe. And many involve ransomware.

The emergence of ransomware is simple to explain. It can be obtained free or easily made. It has a high success rate and generate

We have provided this simple self-assessment and score card free of charge in hopes that it will cause you to consider the impact that your organizations corporate cyber security culture has on your efforts to address your cyber threats and exposures.

Today the pace of change in malicious cyber events is accelerating. In the past the risks were mainly in someone gaining access to valuable information such as proprietary company information, financial records, customer credit card data, and simila

There is a weakness in cyber risk to focus on the technical issues. They are necessary but not sufficient if you want to understand and manage all your cyber exposures, which I define as the vulnerabilities that arise as a result of activity using computers and the Internet. There is a great range of these vulnerabilities that are not being addressed.

An example would be the exposures that arise through the use of Social Media if not managed and controlled. For example posts that reveal sensitive

It just seems the either no one is measuring realized risk exposure numbers for their firms, or mums the word on their findings.  The information that I collect is strongly covered by Non-Disclosure Agreements.  To help with this, I want to start publishing de-identified statistical abstracts.  

I included some of these statistical abstracts in the financial section of a paper published by ANSI.  I am a coauthor on, "The Financial Impact of Breach Health Information, A Business Case for Enhanced