
Prompt Breach Disclosure Essential

June 27, 2018

At the RSA Cyber Security Conference this spring, a survey of attendees conducted by access management company Thycotic exposed a shocking double standard regarding breach disclosures.

Not shockingly, 84 percent expected an organization to notify them immediately if it suffered a data breach.

Shockingly, only 37 percent said they would notify their customers promptly if their organizations suffered a breach.

On second thought, when you see the blatant disregard for users’ privacy and PII by corporate America (think Uber, Equifax, Panera Bread breaches, etc.), the figure shouldn’t be that shocking.

Far too often, businesses in particular compound the inherent damage of a breach by covering up the facts as long as possible out of a greater concern for the company’s and executives’ reputations than their customers’ identities.

Of course, such foot-dragging in disclosing breaches never ends well for the company: it typically costs a hefty percentage of sales in the immediate aftermath, triggers a dramatic drop in stock price for publicly traded entities, causes a public relations disaster and lost goodwill, invites government investigations, and costs the CEO and key IT personnel their jobs.

Unnecessary butt-covering in disclosing breaches is why business owners are so often viewed as suspiciously as the hackers instead of like other crime victims.

Nevertheless, we get survey results like this one indicating the desire to cover up is stronger than the desire to do the right thing by customers and suppliers.

But, if ethical and moral considerations don’t motivate executives enough, perhaps increased regulatory pressure like the GDPR in the European Union or increasingly strict state disclosure laws across the United States will.

The GDPR requires companies doing business in the EU to disclose breaches within 72 hours of discovery. State laws also put a time limit on notifications. Federal legislators have even proposed a bill to jail executives who hide breaches.

Just from a moral and ethical standpoint, you should inform your customers and vendors, as well as the authorities, ASAP after a breach has been discovered and its breadth has been determined.

I’m talking days, not weeks or months. It will go much more smoothly, too, if you have developed an Incident Response Plan that lists those responsible for breach disclosures in your company — who contacts authorities, who handles customer / vendor / public notifications, public relations, etc.

Don’t be stupid and irresponsible with your breach disclosures when you become a victim. Be considerate and responsible and look out for your customers’ and vendors’ best interests too.


Does Your Data Depart With Employees?

June 11, 2018

When employees leave your company, do you know if your company’s data leaves with them?

Part of your procedures for off-boarding employees should involve the protection of the data they had access to while employed.

You pay a lot of money to build relationships with customers and clients. Your data of their activities, purchases, etc., fuels those relationships.

Unscrupulous employees, however, could take all of that hard work and expense and give it to their next employers — quite likely your competitors — for free.

That happens more frequently than you might think, as corporate presentations, customer lists and intellectual property leave with departing employees. Osterman Research reported that 69 percent of employees take data with them to their next employers. A Biscom survey in 2015 put that number at 87 percent.

The consequences range from loss of revenue to regulatory violations, legal battles and damage to a company’s competitiveness.

Protection of that data should begin while your employees still work for you. For example, employees should be required to sign an Acceptable Use Policy that explicitly states that the data they handle belongs to the company. It should specify that company data may not be copied to any removable storage media or external network drives or emailed or transmitted in any way without the written permission of management.

Other controls should include:

  • Visibility into employee practices
  • Limiting employee access to only the data they need for their jobs
  • Requiring encryption of sensitive data
  • Managing devices properly
  • Ensuring that data is backed up and archived properly
  • Requiring the use of enterprise apps
  • Deploying technologies that aid in achieving the above

For more information on how FlexITechs can help you protect your data from loss to departing employees, contact Eric Magill at 302-537-4198 or ericm@flexitechs.com


Supply Chain Security

February 18, 2018

If you haven’t already, chances are you will be required in the next year or two to submit proof to a supplier or customer that you are taking all reasonable precautions to secure their data or network when you access them.

With hackers learning that the easiest way into a large enterprise’s treasure trove of data and dollars is through a smaller supply chain partner that can’t afford 24×7 cyber security, you will find those large enterprises will expect proof that you are securing your own network when you access their network portals and handle their data.

In fact, you might consider requiring that of your partners and commercial customers yourself.

Why should you or your suppliers and customers care about each other’s cyber security practices?

Some of the largest breaches in history started with a hack of a third-party supplier or vendor and these supply chain breaches are rising.

  • The Target breach that lost 40 million credit cards didn’t start with a sustained hack on Target but with an employee at one of Target’s HVAC vendors opening a bad file attachment that installed malware on that employee’s computer. Using that machine, hackers found the HVAC company’s login credentials to Target’s vendor portal and from there worked their way to Target’s cash registers. When the dust settled, Target lost all of those credit cards, its sales fell 46 percent at one point, and recovery costs exceeded $200 million.
  • The Home Depot breach also resulted from a third-party breach and the home improvement giant spent more than $150 million in recovery, even after insurance paid $100 million.
  • According to the 2017 Ponemon Institute Data Risk Study, 56% of respondents reported they had suffered breaches that began with intrusions at third parties — a 7 percent increase over 2016.
  • Cyber criminals routinely hack email accounts to send email to all of that account’s contacts to make the email — laden with infected file attachments or links to fraudulent web sites — appear to be from a known and trusted source.

The SANS Institute has developed a document detailing how to establish a supply chain security program at https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.

SANS’ conclusion:

“Supply chain partners are just as likely to be attacked today as any organization, and if not managed properly, they may afford attackers a back door into the networks of host organizations.”

You can also assure your partners and customers that you have taken appropriate security precautions to protect your network by implementing anti-virus and firewalls, patching software, and Security Awareness Training for your employees.

For details on such a program, call enduseritsecurity.com at 302-537-4198 or email us at securityinfo@enduseritsecurity.com.

SMBs Profitable Targets for Hackers

January 20, 2018

Most small business owners don’t believe they would be of interest to hackers. They can’t envision that cyber criminals would spend weeks or months trying to break into their networks.

And they’re right … except for one thing.

Cyber criminals take their “businesses” as seriously as legitimate business owners by investing in more efficient methods of stealing data and money from all sizes and types of organizations — and no business is too small, right down to moms-and-pops who have found themselves caught in the cross-hairs of a Ransomware attack.

By following the practices of legitimate businesses, hackers can efficiently attack thousands of small businesses at a time and trick unsuspecting employees into divulging sensitive information such as login credentials that “earn” a hefty ROI — up to 1,400% in 30 days on a $5,000 investment — without ever trying to crack a single password.

The fact is, businesses of all sizes have data hackers want and can monetize. The data you store on yourself, your customers, your employees and your vendors can generate anywhere from 50 cents per record for basic contact info to thousands of dollars for financial account login credentials on the Dark Web underworld.

As long as the ROI remains high and the risk of getting caught remains low, cyber criminals will continue to invest in ever more efficient methods of stealing your data and money — including A / B market testing, out-sourcing, franchising, demos, and customer service — that legitimate business owners would instantly recognize.

A study by UBM in 2016 found that “Businesses aren’t up against hordes of elite hackers but an industry efficient at finding those who are vulnerable.” Hackers have concluded that small businesses are most vulnerable because they can’t afford the 24×7 security monitoring solutions that large enterprises can.

Further, that same UBM study stated that “The most common weak spots are employees who get caught by attacks that use social engineering and under-budgeted IT teams that don’t have the necessary skills, tools, or time to properly patch and defend complex, sprawling networks.”

If you don’t think your small business has a “complex, sprawling network”, a risk assessment will likely provide an eye-opening look at just how vulnerable your network leaves your company, employees, customers and vendors.

In fact, a study by Check Point Software Technologies found that almost half of those surveyed had been victims of social engineering attacks and had experienced 25 or more attacks in the past two years. Those attacks cost victims between $25,000 and $100,000 to recover from.

To learn more about the risk your small business faces of a cyber attack, and how to make your small business less profitable to cyber criminals with Security Awareness Training, read our FREE report, “The Business of Cyber Crime and Why Small Businesses are Profitable Targets”, at http://www.enduseritsecurity.com/reports.shtml.

Protect Your Company’s Identity

November 30, 2017

Like so many things in this country, your business is known to government agencies and other businesses such as financial institutions as a number.

Just like you personally are known to those institutions and organizations by your Social Security Number, so is your business known to them by your Employer Identification Number (EIN).

You need that to file your taxes, to apply for loans, credit cards and for other instances when a unique identifier to verify your company’s identity is required.

Hackers know this too.

They know that with your EIN, they are off and running to file fraudulent business registrations, manipulate credit reports, commit banking and tax fraud, and apply for business and vehicle loans and company credit cards, all on your company’s good credit.

In the past year, for example, the IRS has noticed a sharp increase in the number of fraudulent filings of forms 1120, 1120S and 1041 as cyber criminals attempt to obtain data that enables them to file fraudulent tax returns as your business.

The following can be signs that your business has been the victim of identity theft:

  • A request to file an extension is denied because a return with your EIN has already been filed
  • An e-filed return is rejected because a duplicate filing with your EIN is already on file with the IRS
  • You unexpectedly receive a tax transcript or IRS notice that doesn’t correspond to anything you have submitted
  • You notice you are no longer receiving expected correspondence from the IRS, which could indicate a hacker has changed your taxpayer address

To learn more about how to protect your business against identity theft, visit the IRS Identity Theft web page and scroll down to the Businesses section.

There, you will find information on W-2 and SSN theft and an identity theft guide for businesses.


Hackers’ Toll Goes Beyond Finances

May 3, 2016

I wrote about the toll hackers and cyber criminals take on end-users four years ago and think the topic deserves a refresh given the ramped up attacks since then.

Each year, the increasing cyber crime menace impacts us beyond the financial cost of anti-virus and anti-spam programs and firewalls, expensive virus removal fees, or splurging for a Mac because they appear to be immune from infections (truth: they’re no more immune from social engineering attacks than Windows computers).

The toll is no longer just financial, however. Hackers have diminished our confidence in the good nature of others and our ability to discern between good and evil.

The attacks have been so clever — designed to look like legitimate security or virus alerts with scary messages about the consequences of not following the instructions — that not only are end-users tricked into clicking them, they no longer have the confidence to click on the legitimate notices.

Of course, if they don’t follow through on legitimate alerts, they risk the security of their computers and their data by ignoring critical updates.

Hackers have confused end-users to the point of near paralysis. End-users might spend hours or even days trying to figure out if they should abide by an update alert or ignore it out of fear that it’s an infection. We get many calls from clients asking those very questions about good notices, as many as we do about actual infections.

Phishing emails, booby-trapped attachments from friends who have been hacked, threatening phone calls and on-screen warnings, pretexting believable but false scenarios, reconnaissance with seemingly innocuous questions that reveal valuable information to hackers, forged web sites and emails with links to infections, alarming or normal emails reputedly from UPS, the IRS, FedEx, banks and retailers … all of them far more convincing than the stereotypical Nigerian Prince scams of years past.

Pile on sneaky “Recommended” add-ons that the likes of Java and Adobe bundle with their updates and that tangibly change your settings, annoying repetitive renewal and update notices from legitimate security software that mimic the behavior of infections, and Microsoft’s shady Windows 10 update procedure, and it’s a wonder anyone clicks any notice anymore.

This particularly affects less savvy end-users for whom any alert sounds convincing or scary. Honestly, faced with a bewildering array of alarming alerts on their computers, how many end-users will be comfortable enough to trust that their next click won’t encrypt the company’s files? How much time and money is lost to such paralysis?

Your end-users need to be educated on the differences between valid and malicious alerts and appropriate responses to the malicious ones.

A good security awareness program such as our FlexIT End-User Security program, which gets their attention and maintains their diligence, can not only help them avoid infections but also restore the confidence they need to work safely and efficiently.

The 5 W’s of End-User IT Security

March 2, 2016

You may have heard the terms “end-user IT security”, “end-user IT security training” or “end-user IT security awareness”, but do not have a firm grasp on what those terms mean or their importance to your small business.

The following primer explains the Who, What, Where, When, Why and How of End-User IT Security:

Who?

End-user IT Security refers to securing the humans in your organization — you, your employees and vendors — by making them aware of the social engineering tactics used by cyber criminals to evade your firewall and anti-virus solutions.

What?

End-User IT Security Awareness training teaches you, your employees and your vendors about your company’s Acceptable Use Policy in the context of the social engineering attacks they face on a daily basis:

  • What tactics hackers deploy to evade security solutions
  • What motivates cyber criminals
  • What you, your employees and vendors should look for to recognize current and future scams
  • What procedures you, your employees and vendors should follow if they are victimized by a cyber criminal
  • What ongoing activities can be used to keep employees vigilant in the course of a busy work-day

Where?

To make this a comfortable learning environment for you and your employees, we present your Acceptable Use Policy at the location of your choosing followed by ongoing monitoring, testing and training through your employees’ computers.

When?

We will make the initial presentation of the Acceptable Use Policy at a convenient date and time for your organization to minimize disruption. Subsequent ongoing efforts will be conducted with minimal disruption to your company, as well.

Why?

  • To tout your employees’ training and ongoing vigilance to your customers and vendors as evidence of your commitment to securing their information.
  • Cyber criminals bypass your costly security solutions by attacking your employees — more than half of security incidents in small businesses result from employee error or ignorance (52% according to the computer trade association CompTIA).
  • More than half of small businesses that lose critical data to hackers file for bankruptcy within a year. If the breach is large enough, it could result in expensive notifications to potentially affected parties and negative publicity.
  • Almost all Ransomware attacks are launched through social engineering tactics.
  • Hackers successfully steal data from small business networks they breach at an alarming rate (82.6% according to a 2015 Verizon study).
  • Small businesses represent easy prey because they can’t afford dedicated security specialists. They can also be potential paths to much larger prey (the Target breach in 2013 started with a social engineering attack at a Target HVAC vendor).

How?

The FlexIT End-User IT Security Program works by:

  • Developing or updating an Acceptable Use Policy for your employees’ and vendors’ use of the network
  • Presenting your Acceptable Use Policy in an engaging way that explains how the policy protects your employees, your company and your customers, with real-life examples of social engineering cons, the motivations of hackers, and steps to follow in the event of a successful attack
  • Keeping your employees’ vigilance high with regular email alerts about new attack methods and imminent threats
  • Monitoring on an ongoing basis to ensure compliance with the Acceptable Use Policy
  • Testing at random to ensure continued vigilance

Understand that the size of your small business will not make you immune to probing by hackers. They understand that no matter how small, your business might store data that can be re-sold on the black market, used as a path to larger prey you do business with, or be held hostage for a sizeable ransom. And the barrier to entry might only be an ineffective anti-virus solution.

With a 10 percent increase in the past year in social engineering attacks by hackers (Verizon study), you don’t want to have to explain to authorities, your customers, your vendors, your employees, the media and the public that their personal or confidential information might have been compromised — because an employee unwittingly opened the door to hackers.

To learn more about how the FlexIT End-User IT Security Program would apply to your small business, contact Eric Magill at 302-537-4198 or ericm@flexitechs.com.
