In most companies today, there is a critical divide between the Chief of Information Security (CISO) and their board of directors. Our new book, The Perfect Scorecard: Getting an ‘A’ in Cybersecurity from your Board of Directors , is an attempt to close that gap. The Perfect Scorecard features insights from 17 leading CISOs and executives known for their leadership skills and their ability to communicate across roles and sectors.

A Service Organization Controls (SOC) report provides independent validation over a company’s internal financial reporting controls. They were originally used to validate compliance with the Sarbanes-Oxley Act of 2002. When the SEC released the “ Commission Statement and Guidance on Public Company Cybersecurity Disclosures ,” SOC reports started to include cybersecurity. Understanding what a SOC Type 2 report is can give insight into why it is important to your organization.

Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain . Such parties may include vendors, suppliers, partners, contractors, or service providers, who have access to internal company or customer data, systems, processes, or other privileged information. While an organization may have strong cybersecurity measures in place and a solid remediation plan, outside parties, such as third-party vendors , may not uphold the same standards.

Businesses face an endless range of security concerns. Internal controls and security procedures help, but not every risk can be managed out of existence. To build a sustainable security program, then, executives need to rely on risk acceptance and security exceptions to keep operations running and to appease stakeholders as best as possible.

Even the most secure IT system can have vulnerabilities that leave it exposed to cyber attacks. Constantly changing network environments, social engineering schemes, and outdated or unpatched software are all threats that call for routine vulnerability testing. Vulnerability testing, also called vulnerability assessment or analysis, is a one-time process designed to identify and classify security vulnerabilities in a network.

Every year, more than 34 percent of organizations worldwide are affected by insider threats. For that reason, cybersecurity needs to be a priority and concern for each employee within an organization, not only the upper-level management team and IT professionals. Employees tend to be the weakest link in an organization’s security posture, often clicking on malicious links and attachments unintentionally, sharing passwords, or neglecting to encrypt sensitive files.

Headlines coming out of Sweden in July gave IT departments around the world a jolt: one of the country’s largest grocery chains, COOP, had been hit by ransomware and had to temporarily shut down hundreds of stores. Cybercriminals had infiltrated the software as a service (SAS) company Kaseya, a client management platform used by as many as 40,000 organizations (including COOP).

To get a better understanding of how RDP works, think of a remote-controlled toy car. The user presses buttons on the controller and makes the car move forward or backwards. He can do all that and control the car without actually contacting it; the same is the case while using RDP. This article shall help you become aware of RDP security encompassing threats, vulnerabilities and encryption practices.

Higher education has increasingly been attracting the attention of cybercriminals. In March, the FBI released an advisory in response to a barrage of ransomware attacks on schools, and Inside Higher Education recently reported that colleges and universities are becoming favorite victims of bad actors. It's not just colleges themselves that are being targeted; their vendors and third parties are being attacked in the hopes of compromising an institution’s data.

Cybersecurity attacks come in all sorts of ways and from all directions, so perhaps we should not be surprised at one of the latest trends in thieves trying to steal your organization’s data — “vishing” attacks, where they use the plain old telephone.