Monday, April 23, 2018

Cybersecurity - What's in your strategy?



Our constant connectivity to the Internet exposes us all to a hostile environment of rapidly evolving threats. Because of the size, complexity, and continual evolution of the cyber environment, there is no simple, one-size-fits-all approach to managing the risks associated with cybersecurity. In this post, we will discuss five components of a cybersecurity strategy.  This is not an exhaustive list, by any means.  I highlight some key attributes that can establish a sound strategy with limited resources and, as I did in the two previous posts, I include links to some helpful resources.

Understand your network and your potential exposure
The best way to start is with an identification of your company network systems, hardware, and software and their location(s).
·       Physical devices and systems
·       Software platforms and applications
·       Maps of network resources, connections, and data flows
·       Connections to the company’s networks

Network physical and system security
The physical security of your network and IT assets (computers, networks, servers, smartphones, multi-media printing devices, etc.) is a cybersecurity first line of defense. The effect of a stolen laptop or smartphone can be just as disruptive to an organization as a cyber-attack. Below are six best practices for consideration.
·       Install anti-virus and anti-spyware programs and a firewall on all computers. Ensure that they are enabled and configured for automatic updates.
·       Keep all security programs, along with the operating system and software, current with the most recent updates. If the operating system is discontinued, support may no longer be available.
·       Upgrade to a newer operating system. Centrally manage both physical and systems access. Audit system activities, such as successful and failed user logins and file and system access. All operating systems, and most applications such as firewalls, have the ability to audit system activities.
·       Back up files incrementally (daily) and fully (weekly). Test restore function to ensure backups are working as intended. Keep backups off-site.
·       Employees should put away sensitive items before leaving their work area. In addition, a clean desk will keep sensitive information out of the hands of personnel who do not have a legitimate reason for accessing this information.
·       Restrict access to your computer’s contents by locking the screen when you are away.

Personnel screening and insider threat
An insider threat is defined by Wikipedia as “a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.”  Here are six areas where an insider threat can pose a risk to the organization.
·       A disclosure of confidential information that jeopardizes an organization’s relationships
·       Fraud
·       Loss of intellectual property
·       Monetary loss
·       Regulatory repercussions
·       Embarrassment, public relations and/or reputational risk issues

By recognizing the potential harm posed by current or departing employees, you can mitigate the damage that may arise from insider threats.  Regularly auditing the network for suspicious activity, promptly removing system access when an employee departs, and monitoring for system use by former employees are three best practices to protect against insider threats.
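As an added example (not code from the original post), here is a small Python audit script that implements two of the practices above: reviewing successful and failed login events, and checking for logins by accounts belonging to departed employees. The log lines, host names, user names and addresses are constructed for illustration, and the syslog-like line format is an assumption; adapt `LINE_RE` to the audit log your own systems produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a syslog-like shape (hypothetical format and
# values; adjust LINE_RE to the log format your systems actually produce).
SAMPLE_LOG = """\
2018-04-20T08:01:12 host1 sshd: Failed password for alice from 10.0.0.5
2018-04-20T08:01:15 host1 sshd: Failed password for alice from 10.0.0.5
2018-04-20T08:01:19 host1 sshd: Failed password for alice from 10.0.0.5
2018-04-20T08:01:22 host1 sshd: Failed password for alice from 10.0.0.5
2018-04-20T08:01:25 host1 sshd: Failed password for alice from 10.0.0.5
2018-04-20T08:02:00 host1 sshd: Accepted password for alice from 10.0.0.5
2018-04-20T09:15:40 host2 sshd: Accepted password for bob from 10.0.0.9
2018-04-20T21:30:05 host2 sshd: Accepted password for carol from 203.0.113.7
2018-04-20T21:31:00 host1 sshd: Failed password for dave from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
            "ok": m["result"] == "Accepted",
        })
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """(user, ip) pairs with at least `threshold` failures inside any `window`."""
    by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_key[(e["user"], e["ip"])].append(e["ts"])
    flagged = []
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def departed_user_logins(events, departed):
    """Successful logins by accounts that should already have been disabled."""
    return [(e["user"], e["host"], e["ts"].isoformat())
            for e in events if e["ok"] and e["user"] in departed]


def audit(text, departed):
    events = parse_log(text)
    return {
        "bursts": failed_login_bursts(events),
        "departed_logins": departed_user_logins(events, departed),
    }


if __name__ == "__main__":
    # 'carol' is a constructed example of an account that was never disabled
    report = audit(SAMPLE_LOG, departed={"carol"})
    for user, ip in report["bursts"]:
        print(f"repeated failed logins: {user} from {ip}")
    for user, host, when in report["departed_logins"]:
        print(f"departed account still logging in: {user} on {host} at {when}")
```

The departed-account list would normally come from HR offboarding records; feeding it to a scheduled audit like this is what turns "remove access when an employee departs" from a policy into something that is actually checked.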

Cybersecurity awareness and training
When it comes to a cybersecurity strategy, many organizations focus heavily on the technical aspects of network security (in this post, we even discussed the technical and physical security solutions first).  However, most of these technical controls can be ineffective when employees lack a general awareness of cybersecurity. Employees can take risks online that greatly increase cyber-related risks to their organization. Risky activities include opening suspicious emails and not protecting sensitive information stored on, or transmitted from, their computers. Employee education and a culture of cyber awareness are often just as impactful to the overall strategy as the implementation of the most advanced cybersecurity systems. Here are eight best practices to create cybersecurity awareness.
·       Implement policies covering the acceptable use of, and the secure use of, computer systems.
·       Make cybersecurity training and awareness mandatory for all personnel. This includes executives and the C-suite.  Creating a culture needs to begin at the top of the organization.
·       Instruct users not to open suspicious emails or click on suspicious links, regardless of the source.
·       Instruct users not to connect unapproved devices to the network; only pre-approved devices should be used.
·       Instruct users to follow good password practices.
·       Train users about the dangers and safe use of external media (USB sticks and CDs).
·       Train users not to download or install unauthorized applications. (Restricting administrative access to computers so general users cannot download software or applications is a good practice).
·       Provide continuing education for executive management and employees to include videos, webinars, policy updates or articles that educate users.

Assessment of threats and vulnerabilities
Cybercriminals continue to take advantage of basic security vulnerabilities in computer systems. Organizations that do not scan for vulnerabilities and proactively address weaknesses in their network face an increased likelihood of having their systems compromised. A vital element of a cybersecurity program is to perform a risk assessment of all systems, sub-systems, and devices to determine what vulnerabilities are present.
·       Run an automated vulnerability assessment tool against all systems on the network on a regular basis.
·       Develop a prioritized list of the most critical vulnerabilities and an action plan to mitigate or resolve.
·       Stay aware of emerging threats and exposures.  (Most network security software companies have user groups or blogs to help keep you up to speed with the latest threats.)
·       Ensure that the vulnerability scanning tools you use are regularly updated and contain the latest security vulnerabilities information.
·       Ensure computer software/applications are updated with security patches regularly.

Resources
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

U.S. Department of Transportation, National Highway Traffic Safety Administration - McCarthy, C., Harnett, K., & Carter, A. (2014, October). A summary of cybersecurity best practices. (Report No. DOT HS 812 075). Washington, DC: National Highway Traffic Safety Administration.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

IoTCrimes.com – All Internet of Things (IoT) devices are at risk of theft, damage or destruction

Department of Homeland Security - DHS has created a webpage that has information and resources on cybersecurity and combating the threat of cybercrime.

Until next time, stay safe and be kind to one another.

Monday, April 16, 2018

Knowledge is Power




They say that knowledge is power, data and information give one knowledge, and with power comes a tremendous responsibility to protect.  Continuing our conversation from the previous post Phishing Anyone?, we will dive a little deeper into information and data management and some of the risks associated with the responsibility to protect.  In this conversation, we will talk about hard copy data as well as electronic data.  The handling of paper files and information tends to get overlooked with the intense focus on securing electronic data.  As such, this can be an easy target for a criminal.  We will look at five best practices for handling, storage, and disposal of hard copy sensitive information.  We will then move to protecting electronic data and discuss five best practices for protecting electronic data.  Finally, as I did in the last post, I will provide some resources to further develop your knowledge and understanding.
Let’s begin with framing the conversation around what information and data need to be protected.  In most cases, we all have a basic understanding of what needs to be protected.  For our conversation, we are going to divide data into three categories:

Confidential Information 
“Confidential Information” is that which has been so designated by statute or by promulgated rule or regulation based on statutory authority.  Examples include corporate records relating to pay and the payment of benefits, which are considered confidential.

Privileged Information 
“Privileged Information” is that which is available only to authorized persons, access to which is granted by one’s position. This information is not confidential pursuant to the law but is sensitive in nature.  For simplicity in management, privileged information is often subject to the same restrictions as confidential information.

Personal Information 
“Personal Information” refers to a corporate record that contains a person’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such person:   
(a) Social Security Number (“SSN”);  
(b) Driver’s license number or state-issued identification card number; or 
(c) Financial account number, or credit card or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a person’s financial account.  Personal Information does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public. 

Through the daily course of business, the use of confidential, privileged and personal information is common.  Creating an awareness and developing processes to manage this information can prevent sensitive information from getting into the hands of criminals.  Below are five best practices for managing hard copy files and data.


  1. Personal Information collected, received and stored should not be shared with any unauthorized party. Authorization to access such information is limited to those employees determined to need access to carry out their job responsibilities and such other persons or organizations who are legally entitled to receive such information, such as auditors, regulators, and outside counsel.
  2. All paper records and data containing personal information should be stored in locked storage areas or containers, and access to such records and data should be limited to authorized persons.
  3. Printing, transportation or duplication of personal information must be limited to the greatest extent possible.
  4. Each year, inactive paper files should be purged from the active files storage location and placed into archive storage.   Archive storage should be in a locked facility with very limited access.  Unless ample space is available in the general office area, arrangements to store archive documents with a third party such as Iron Mountain can ensure secure storage with limited access.  Third-party archive storage also mitigates the risk of maintaining onsite storage for prolonged periods of time.
  5. Companies should develop an archive data management and destruction policy which outlines the storage requirements for various files and a file destruction process.

Historically, hackers seeking to steal data and money targeted primarily large corporations and government bodies. The focus has now shifted, and they direct quite a bit of attention to hacking small businesses and individuals.  This change is not surprising: while larger corporations and governments may offer higher bank balances and jackpots of data to steal, they also have both large information-security departments and tighter relationships with law enforcement, lowering the odds of a hacker's success and increasing the chances of them getting caught and imprisoned.

With the new dynamics, it is increasingly important for small business owners, entrepreneurs considering starting a business, and people in general to cyber-protect themselves.  Here are five best practice recommendations for managing your company’s electronic data.

  1. Understand that you are a target. Educating employees and creating a general awareness of the importance of caution and vigilance can be a good defense.  Employees who believe that criminals want to breach their computers and phones act differently than those who don't understand this reality.
  2. Store all sensitive data in an encrypted format. If you have doubts as to whether something is sensitive enough to warrant encryption, err on the side of caution and encrypt.
  3. Conventional wisdom is to require complex passwords for all systems.  Inevitably, that leads to people writing down passwords or using the same password for multiple log-ins.  The new best practice is to ask employees to select combinations of words, numbers, and proper names (e.g., "investing9goats2Starbucks"), or create a passphrase (“My1dog2is3George”). For extremely sensitive systems, consider stronger forms of authentication such as biometrics or multi-factor authentication.
  4. Inappropriate social media posts can cause many problems–such as leaking sensitive information, violating compliance rules, and assisting criminals to carry out attacks. Implement technology to ensure social media does not become a problem.  Do not rely on simply telling people not to make particular types of posts on Facebook or Twitter–history tells us that many people simply do not realize when they are making such posts, and even those who do, may inadvertently leak data when posting from a smartphone that "auto-corrects" a misspelled word to a sensitive, internal term.
  5. If your company uses the internet for eCommerce, or if your company falls under state or federal requirements for handling information and data, be sure to comply with all regulations. This sounds very basic, but in a world with a myriad of requirements and regulations, electronic data management should be a focus.
For additional information on how you can protect yourself and your business from criminal activity and data loss, below are several good resources I have discovered. 

National Cyber Security Alliance - The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Microsoft - Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.

Norton by Symantec - Norton Small Business Resources offers information on scams, IoT, family safety and more.

Federal Trade Commission - The FTC has created a webpage that has information on scams targeting small businesses, and tips to help avoid them. It also includes cybersecurity articles and videos to help small business owners protect their networks and systems and their employees’ and customers’ sensitive data.

Until next time, stay safe and be kind to one another.

Monday, April 2, 2018

Phishing anyone?



Digital Threat Management, eCrime, Cyber Security: these are all terms associated with one of the fastest growing areas of risk facing business operations.  Today, criminals do not need to break through network firewalls to have access to a company’s private information.  In most cases, access through network security can be provided by unsuspecting computer and mobile device users.  In a recent report by APWG (an international coalition of governments, law enforcement sectors, and NGOs to combat cybercrime), the volume of cyber-attacks has continued to increase.  These attacks are most often carried out through phishing scams.

In this post, we will discuss a general overview of phishing and five ways to protect yourself and your firm from a phishing scam.  We will also look at malware and ransomware (usually the result of falling prey to a phishing scam), and five ways to protect against a ransomware attack.  Finally, we review a couple of good resources to get some additional information about cybercrime.

What is Phishing?

Phishing is when someone uses fraudulent emails, texts or copycat websites to get valuable user information or to gain access to your computer or company network.  Once inside the network, these people can install programs like ransomware that will lock out users from important files.  Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or co-worker.

In a 2017 survey conducted by Wombat Security, 70% of the working Americans surveyed knew what a phishing scam was, but only 37% of the same group knew about ransomware.  Education is the best defense against phishing since phishing requires the user to take some sort of action.  While awareness will allow the user to recognize a potential threat and take the appropriate precautions, here are five other things you can do to protect against a phishing scam. 
  1. Be suspicious of any email or communication (including text messages) with urgent requests for personal financial information.
  2. Avoid clicking on links. Instead, go to the website by typing the Web address directly into your browser or by searching for it in a search engine. Calling the company to verify the legitimacy of a request is also an option.
  3. Don’t send personal financial information via email and avoid filling out forms in an email that ask for your information.
    1. You should only communicate information such as credit card numbers or account information via a secure website or telephone if you have called the company requesting the information.
  4. Use a secure website (https:// and a security “lock” icon) when submitting credit card or other sensitive information online.
    1. Never use public, unsecured WiFi for banking, shopping or entering personal information online, even if the website is secure.
    2. When in doubt, a 3G/4G or LTE connection is always safer than using public WiFi.  Most computer security software programs will offer a virtual private network (VPN) option for mobile devices, or they will recommend a VPN app.
  5. Typically, phishing emails are not personalized, but they can be. Messages from banks and eCommerce institutions are usually personalized. When in doubt, call the company directly to see if the email is in fact from them.
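The warning signs listed above (urgent requests, links that do not go where they appear to, plain-http submission pages, a sender that does not match the reply address) can be checked mechanically before a message ever reaches a user. As an added example that is not part of the original post, the Python script below applies those checks to a constructed message using only the standard library. The sender names, domains and links are invented for illustration, and the `registrable_domain` helper is a deliberately crude last-two-labels approximation (a real mail filter would use a public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample messages (hypothetical sender, domains and links).
SUSPICIOUS_EMAIL = """\
From: "Example Bank Support" <alerts@example-bank.com>
Reply-To: verify@example-bank-login.net
To: user@example.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer, your account will be suspended. Please verify immediately.</p>
<p><a href="http://example-bank-login.net/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.com>
To: user@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">View statement</a></p>
</body></html>
"""

# Phrases that pressure the reader to act now (assumed list, extend to taste).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url_or_addr):
    """Crude last-two-labels domain extraction; enough for this illustration."""
    host = re.sub(r"^https?://", "", url_or_addr.strip()).split("/")[0].split("@")[-1]
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = message_from_string(raw)
    findings = []
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to) != from_domain:
        findings.append("reply-to domain differs from sender domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgent/pressuring language: " + ", ".join(hits))
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        # visible text that looks like a URL but leads somewhere else
        if shown.startswith("http") and registrable_domain(shown) != registrable_domain(href):
            findings.append(f"link text shows {registrable_domain(shown)} but points to {registrable_domain(href)}")
        if href.startswith("http://"):
            findings.append("link is plain http, not https")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own; the value is in combining several, which is exactly why the list above ends with "when in doubt, call the company directly".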

What is Ransomware?

Even with education and vigilance, there is still the chance that your computer or company network will receive malware.  Malware (malicious software) is any program or file that is harmful to a computer user. Malware includes computer viruses, worms, Trojan horses, and spyware. There are ever increasing news reports about a type of malware called ransomware.  Ransomware is a type of malware that accesses a victim’s files, locks and encrypts them and then demands that the victim pay a ransom to get them back. Cybercriminals trick users into clicking on attachments or links that appear legitimate but contain malicious code to attack the system. Under a ransomware attack, the victim has a certain amount of time to pay to get “the code” that will unlock and release the files.  Even if the victim pays, there is almost never a code provided that will unlock the files.  Any individual or organization can be a potential ransomware target.

Education and awareness are the best defense against a ransomware attack, but combining an awareness with the steps below can help mitigate the risk.

  1. All critical software, including computer and mobile operating systems, security software and other frequently used programs and apps, should be running the most current versions.
  2. Back up all files, photos, music and other digital information by making a copy and storing it in the cloud or on a removable device or both. 
  3. As a departure from traditional password schemes, use a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember.
  4. Links in email are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete it.
  5. If you use USBs and other external devices to share files, or if you use email to attach and share files, these can all be infected by viruses and malware. Use your security software to scan them before downloading files onto your computer.
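Both this post (item 3 above, a sentence of at least 12 characters) and the later "Knowledge is Power" post (combinations of words, numbers and names, or a passphrase such as "My1dog2is3George") recommend passphrases over short complex passwords. As an added example that is not from either post, here is a small Python policy check of the kind an administrator might wire into an account-creation form. The 12-character minimum comes from the post; the character-class check, the rough entropy estimate and the tiny `COMMON` list are assumptions of this example (a real deployment would check against a full breached-password corpus).

```python
import math
import re

# Constructed, deliberately tiny list of weak choices; a real checker would use a
# breached-password corpus (assumption of this example).
COMMON = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

CLASS_PATTERNS = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "symbols": (r"[^a-zA-Z0-9]", 33),
}


def char_classes(passphrase):
    """Names of the character classes actually present in the passphrase."""
    return [name for name, (pat, _) in CLASS_PATTERNS.items() if re.search(pat, passphrase)]


def estimated_bits(passphrase):
    """Naive strength estimate: log2(pool size) per character, where the pool is
    the union of the character classes used. An upper bound, not a guarantee."""
    pool = sum(size for name, (pat, size) in CLASS_PATTERNS.items() if re.search(pat, passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def check_passphrase(passphrase, min_len=12, min_classes=2):
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passphrase.lower() in COMMON:
        problems.append("appears in the common-password list")
    if len(char_classes(passphrase)) < min_classes:
        problems.append("uses only one kind of character")
    if len(set(passphrase)) == 1:
        problems.append("repeats a single character")
    return problems


if __name__ == "__main__":
    for candidate in ("investing9goats2Starbucks", "My1dog2is3George", "password", "Tr0ub4dor"):
        verdict = check_passphrase(candidate) or ["ok"]
        print(f"{candidate!r}: {estimated_bits(candidate):.0f} bits, {verdict}")
```

The two examples quoted from the posts pass every rule; a short single-word password fails several at once, which is the behaviour you want from a check that runs before the account is created rather than after it is compromised.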


Resources

There are a number of great resource centers to get a better understanding of cybercrime and how to protect your business from any malicious attacks.

Anti-Phishing Working Group, Inc. (APWG) - APWG is the international coalition unifying the global response to cybercrime across industry, government and law-enforcement sectors and NGO communities. 

STOP. THINK. CONNECT. - STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, non-profits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the APWG.

Associated with these organizations are a number of private companies that can provide additional resources in the protection against cybercrime. Cybercrime is a rapidly changing and evolving risk to individuals and businesses.  The more we know, the better we can stay vigilant and protect ourselves.

Until next time, stay safe and be kind to one another.