New research suggests that SMBs have a long way to go before getting up to speed with today’s cyberthreats.
A third of small to medium-sized businesses (SMBs) have no idea what ransomware is or how devastating the malware can be, highlighting a series lack of understanding which could seriously harm today’s companies.

According to new research  released by antivirus firm AVG on Tuesday, too many businesses are unaware of how dangerous ransomware can be — and how easily it is to become the latest victim of the malware strain.

Ransomware is a type of malicious code that once executed on your system — usually through a malicious link or phishing email — locks your PC, encrypts either your files or hard drive, and demands a ransom payment in return for a decryption key which claims to give you your system back.

One of the latest strains to be detected, MarsJoke, threatens to wipe data if a ransom is not paid within 96 hours.Time-sensitive threats are a common tactic used by ransomware campaign operators to put pressure on victims to pay up, and ransom payments can range from small amounts to hundreds — or thousands — of dollars.

As ransomware can be a very lucrative prospect for cybercriminals looking to cash in, unsurprisingly, infections are on the rise. Locky, Cerber and Virlock are only some of the ransomware variants which are being used in active campaigns against entities including hospitals, governments and gamers.

One UK university has reported  21 attacks in the past 12 months alone.

Last year, the FBI received 2,453 complaints about ransomware hold-ups, and out of these cases that were actually reported, the damage cost victims more than $24 million.

“The true scale of the problem is somewhat hard to define though because, understandably, many businesses and organisations are reluctant to reveal they’ve been held to ransom because of fears about being targeted again, or losing existing or new customers,” AVG notes.

In June, the security firm asked almost 400 SMB customers in the US and the UK whether they knew about ransomware. In total, 68 percent of respondents had heard of the term ‘ransomware,’ but it is the 32 percent — just over a third — that had no knowledge which is the concerning factor.

Considering the first recorded attack took place in 2005, which came in the now-common form factor of a fake antivirus message which required payment, 11 years on is a long time to not know about such a dangerous threat to business operations.

To make matters worse, out of the 68 percent of respondents which said they knew what ransomware was, 36 percent gave the wrong answer — and actually didn’t really know what the malware was, or its implications.

If you find yourself a victim of such malware, the first thing to do is research the infection to see if security companies have come up with free decryption tools, including AVG andKaspersky.

While some tools are available, it takes time to crack updated versions and so you may be out of luck. If none are available, you may have to resort to backups of your data. You might be tempted to pay up; however — if you do so, you are funding the criminal enterprise, and there is no guarantee you will be given a working key to retrieve your files after paying the ransom.

Curious to learn about other common malware that can cause trouble for business owners? Want to upgrade your existing network security system? Give us a call today, we’re sure we can help.

Published with consideration from ZDNet. SOURCE

The next time you visit Dropbox.com, you may be asked to create a new password. Why? Back in 2012 the cloud storage firm was hacked, and while it thought only email addresses had been stolen, new evidence has come to light that user passwords were compromised, too. So if you’ve been using Dropbox since that time but haven’t updated your password, the company advises you to do so ASAP.

Despite the unfortunate incident, Dropbox has implemented a thorough threat-monitoring analysis and investigation, and has found no indication that user accounts were improperly accessed. However, this doesn’t mean you’re 100 percent in the clear.

What you need to do

As a precaution, Dropbox has emailed all users believed to have been affected by the security breach, and completed a password-reset for them. This ensures that even if these passwords had been cracked, they couldn’t be used to access Dropbox accounts. However, if you signed up for the platform prior to mid-2012 and haven’t updated your password since, you’ll be prompted to do so the next time you sign in. All you have to do is choose a new password that meets Dropbox’s minimum security requirements, a task assisted by their “strength meter.” The company also recommends using its two-step authentication feature when you reset your password.

Apart from that, if you used your Dropbox password on other sites before mid-2012 — whether for Facebook, YouTube or any other online platform — you should change your password on those services as well. Since most of us reuse passwords, the first thing any hacker does after acquiring stolen passwords is try them on the most popular account-based sites.

Dropbox’s ongoing security practices

Dropbox’s security team is working to improve its monitoring process for compromises, abuses, and suspicious activities. It has also implemented a broad set of controls, including independent security audits and certifications, threat intelligence, and bug bounties for white hat hackers. Bug bounties is a program whereby Dropbox provides monetary rewards, from $216 up to $10,000, to people who report vulnerabilities before malicious hackers can exploit them. Not only that, but the company has also built open-source tools such as zxcvbn, a password strength estimator, and bcrypt, a password hashing function to ensure that a similar breach doesn’t happen again.

To learn more about keeping your online accounts secure, or about how you can protect your business from today’s increasing cyber threats, give us a call and we’ll be happy to help.

Published with permission from TechAdvisory.org SOURCE

Password security – a source of anxiety for many of us. So much of our lives rely on the strength and secrecy of our passwords. How would you like to never worry about your password security ever again?

In today’s workplace, almost everything we do requires some form of password-guarded access.

Because password security is so crucial, it is part of my job to educate others to ensure password security. Many people fall foul of poor password security at one point or another. If you’re lucky, it results in your computer’s language hilariously changed to something you have no hope of understanding. The result being time lost, spent on reversing the language change. If you’re not so lucky, a compromised password can lead to hackers and digital thieves accessing sensitive information, stealing money, corrupting data, or locking you out from your accounts. The consequences can cut deep and take many months or even years to repair.

Password practices are often taken for granted, which is one of the reasons why reminding ourselves of best practices from time to time, such as on the annual Password Day, can help us ensure complete password security.

Follow these steps to never have to worry about password security again.

Stop Being Predictable

We’ve all been trained to build our passwords the same way. Years of automatic prompts have asked us to include capitalized letters, and numerical or punctuation characters, in our passwords.

Unfortunately, password crackers out there have noticed the pattern.

Because the result is that we all:

  • Start out with a favored word to form the foundation of our password
  • Use up our capital letter on the first character
  • Add on a number and exclamation mark on the end of the password to hit the requested quota
  • And voila – we’re left with our ‘uncrackable’ password: “Ninja1!”
  • While we think we are secure, having hit all the types of characters required, we are leaving ourselves open to having our password guessed. Whether through social engineering to crack passwords, or by way of other password hacking methods, we are left vulnerable. Our best bet is to stop being so predictable.

    Stop Using One Word Passwords

    Words are very predictable. The next step we can take in upgrading our password security is to banish the use of single word passwords. Not only are one-word passwords often short, but also they are predictable. Did you know that databases exist that contain every word in every language? The purpose of these databases is to be used by hackers to crack passwords simply by trying every word. This is called a Dictionary attack, which can also take the form of a Rainbow table attack. Of course, it might seem that one-word passwords are far easier to remember than anything else is. But, when thinking of security, ease cannot be the main criteria for decision making. Security must be.

    In fact, as Better Business Bureau explained, some of the most common (and least secure) passwords are not always words.

    The following passwords were the top 10 passwords used in 2014 – You might guess, that these passwords should not your first choice for your online banking account.

    123456 2. password 3. 12345 4. 12345678 5. Qwerty
    123456789 7. 1234 8. Baseball 9. Dragon 10. Football

    Not only are more complex passwords more secure, they can be just as easy to remember too.

    What makes a strong password? On to our next step.

    Long And Strong Passwords

    How can we create passwords that are strong and still memorable? There’s a bit of a trick to it.

    First off, strong and memorable passwords should consist of multiple words. PieceOfCake you might think.

    Nope. First rule of multi-word passwords is to use a strong of words that are either nonsensical, or that are very particular to you.

    CoffeeLobsterMarathon – a good place to start for a nonsensical string of words. And the image it conjures is so bizarre it’s easy to remember.

    DavesFavoriteColorIsGrey – Knowing your mate Dave’s favorite color is a very unique circumstance to you. And very hard to guess.

    Second stage is to interlace these passwords with – you guessed it – special characters.

    Leaving us with C0ff33L0b$t3rM8r8th0n and D8v3sF8v0r1t3C0l0r1sGr3y.

    Both of these blow “Ninja1!” out of the water in terms of password security.

    Use Unique Passwords For Every Account

    I know. This advice normally elicits the response that it is impossible to remember passwords for every account. But, for reasons we will get into later, it really isn’t. And the benefits are huge.

    Does anyone you know use one password for every account? Many people do. The problem is that it is a real threat to password security. Because it only takes one leak from one of the many places you’ve used that password for more accounts to be accessed.

    If your username, email address, and password are exposed by a security breach of one of the services, accounts, or companies you have dealt with – hackers will be able to take these details and try to access any other accounts with the same details. If passwords are different for every account you use, this technique will not work. Meaning you can enjoy much better password security. So, how on earth can we remember each and every password?

    A Smarter Way To Memorize Your Passwords (A Password Manager)

    It would be very impractical to try to memorize passwords for every single account we own. For accounts we access every day, it would probably be doable. But, many times we have accounts to things we only need to access occasionally. At which point memory will likely let us down. We need some help. Password managers are secure applications that help us store and organize passwords. It is simply the best way to manage all the accounts and passwords we have. All we need to do then is remember the password we need to access the password manager. If you’ve followed the advice above, your password manager password will be strong and memorable.

    Change Your Passwords Regularly

    The dreaded password change. Often people see this as either optional, or a needless inconvenience. But there are very strong arguments for why changing passwords regularly is essential for password security. For example, brute-force attacks are used to decipher passwords. They work simply by trying every possible combination of characters. The limitation of this type of approach is that it requires a lot of time to achieve its desired result. Although – even then, this can be surprisingly short. Using our example above, according to How Secure is my Password, “Ninja1!” can be cracked in 7 minutes. Changing passwords frequently can minimize the risk that a brute-force attack has enough time to breach your password security. Not to mention that it can also minimize the danger posed by password leaks.

    Don’t Casually Share Your Passwords

    You would never share your password with anyone, right? Especially not a stranger. When we’re not focused on security, it can be easier to fall into a trap than we realize. If you think one of your accounts might be compromised, be sure to change the password as soon as possible.

    Ensure You Have Anti-Malware Installed

    What’s the connection between password security and malware? Well, some types of malware are able to track keyboard inputs for account and password information, and transmit that information to a malicious third party. The strongest password will do us no good if Malware is able to track the input from our keyboard. Which means, as part of our password security regime must be to ensure our devices are malware free. Malware often uses security flaws in unpatched software to infect a system. Therefore an up-to-date operating system is also needed to fully protect your device from being compromised by malware.

    Enable Two-Factor Authentication

    Two-factor authentication provides an extra layer of protection for your password security regime. On top of a password, authorized access requires another factor to login to your account.

    For example, a second factor might be a time-limited security code generated by an authenticator app on your mobile device – such as two-factor authentication with TeamViewer. Access is only granted when the username/email address, password, and security code is entered correctly.

    This is perhaps the most sure-fire way to ensure total password security, as even if your password is compromised, access will not be granted to your account without the correct second factor authentication.

    Password Security Key Takeaways

    Being absolutely sure of password security is a major relief. All sorts of potential problems can be avoided. Once you’ve set up the system you want to use, practice makes it a part of everyday business.

    In summary, password security means:

    Dropping the predictability. “Ninja1!” doesn’t cut it
    Leave one-word passwords behind
    Long and strong passwords are better and can be easy to remember too
    A different password for every account stops hackers in their tracks
    Password managers are a must-have tool for password security
    Changing passwords regularly is not optional
    Be careful not to reveal passwords to untrustworthy sources
    Make sure there is no malware on your devices
    Use two-factor authentication wherever you can

    I hope you found this advice useful.

    The NBA Finals may now be over but for one team, the losses keep coming. Yahoo! Sports reported that the Milwaukee Bucks fell victim to a spoofed email scam last month. Names, addresses, Social Security numbers, compensation information and dates of birth of the players were unknowingly sent to a hacker and created a massive security issue for the team. And just because your employees don’t make millions of dollars doesn’t mean hackers won’t target your company. Here are four ways to protect yourself from spoofed emails.

    Education is key
    There are countless cliches out there promoting the importance of education, but when it comes to cyber security, you might as well embrace them all. In the case of spoofed emails, you need to make sure your employees know what these are and how they can harm your company. They can come in several forms and look to attack your organization in a number of different ways. A good defense starts with trained employees using best security practices when it comes to emails. Knowledge isn’t just the key to success, it’s the building block of a comprehensive email security plan.

    Check the sender
    The easiest way to determine a real email from a spoofed one is to view who is sending it. While your basic junk mail folder will screen the really lazy attempts at spoofing, you and your employees can’t rely on it to weed out everything. A lot of cybercriminals have gotten skilled at mimicking the look and feel of companies through professional looking graphics and signatures. For starters, you are going to want to ignore email display names as these can be deceptive. The domain name provides the best clues as to who the sender really is. For instance, if an email requesting your company’s financial documents claims to be from the IRS but the domain reads IRSgov.com, it’s a spoof email since that domain is not what the IRS uses. If you ever spot an email containing a domain you consider to be suspicious, delete it immediately. If it is from a legitimate sender, they will send you a follow up email in a couple of days.

    Embrace DMARC
    Domain-based Message Authentication, Reporting and Conformance (DMARC) can help reduce the risk of spoofed emails being sent internally. For businesses that do not set this up, it is possible for someone to spoof an email account that looks like it is from your business or a current employee and send it from a different server. As we saw in the case with the Bucks, these can appear legitimate to employees who will then in turn do what is requested such as turn off security settings or handover sensitive data. With DMARC in place you can prevent spoofed emails from utilizing your domains by requiring any email sent by your domain to come from your server. This greatly reduces the risk of an internal spoofed email showing up in the inbox of your employees.

    Utilize email protections
    A lot of companies believe they can get by with the simple protections that come standard with an email client. However, doing the bare minimum is rarely enough to stop spoofed emails, not to mention all of the other threats lurking in your inbox, and high-powered email and spam protection will give your organization the added layer of security it needs. Much like elite-level basketball players need the best coaching and equipment to succeed, the only way to truly reduce the risk of falling victim of a spoofed email is to educate your staff properly and then equip them with email filtering. This ensures they aren’t wasting their time constantly trying to identify legitimate emails from fake ones but are prepared when the situation presents itself.

    When it comes to email security, working with us is a slam dunk. We may not have the skills of Steph Curry on the basketball court but when in the realm of IT, competitors say they want to be like us. Give us a call today to find out more.

    Published with permission from TechAdvisory.org SOURCE

    The financial services industry has long been a heavily targeted sector by cyber criminals. The number of attacks that involved extortion, social-engineering and credential-stealing malware surged in 2015. This means that these institutions should strive to familiarize themselves with the threats and the agents behind them. Here are 7 new threats and tactics, techniques and procedures (TTP’s) that security professionals should know about.

    Extortion

    The cyber criminal Armada Collective gained notoriety for being the first to utilize distributed denial-of-service (DDoS) attacks. This occurs when multiple systems flood a targeted system to temporarily or completely disrupt service. They evolved the idea further and started to extort Bitcoins from victims who were initially notified of their vulnerability. If they didn’t comply with the ransom demands of the criminals, they would flood their systems until the victim’s network would shut down completely.

    Social media attacks

    This involved criminals using fake profiles to gather information for social engineering purposes. Fortunately, both Facebook and Twitter began to proactively monitoring for suspicious activity and started notifying users if they had been targeted by the end of 2015. However, you should still have your guard up when someone you don’t know, or even a friend or colleague, starts asking you suspicious questions.

    Spear phishing

    Phishers thrive off familiarity. They send out emails that seem to come from a business or someone that you know asking for credit card/bank account numbers. In 2015, phishers went to the next level and began whaling. This normally involved spoofing executives’ emails (often CEO’s) to dupe the finance departments to transfer large sums of money to fraudulent accounts.

    Point-of-sale malware

    POS malware is written to steal customer payment (especially credit card) data from retail checkout systems. They are a type of memory scraper that operates by instantly detecting unencrypted type 2 credit card data and is then sent to the attacker’s computer to be sold on underground sites.

    ATM malware

    GreenDispenser is an ATM-specific malware that infects ATM’s and allows criminals to extract large sums of money while avoiding detection. Recently reverse ATM attacks have also emerged, this is when compromised POS terminals and money mules to reverse transactions after money being withdrawn or sent to another bank account.

    Credential theft

    Dridex, a well known credential-stealing software, is a multifunctional malware package that leverages obfuscated macros in Microsoft Office and extensible markup language files to infect systems. The goal is to infect computers, steal credentials, and obtain money from victims’ bank accounts. It operates primarily as a banking Trojan where it is generally distributed through phishing email messages.

    Other sophisticated threats

    Various TTP’s can be combined to extracted data on a bigger scale. Targeting multiple geographies and sectors at once, this method normally involves an organized crime syndicate or someone with a highly sophisticated setup. For example, the group Carbanak primarily targeted financial institutions by infiltrating internal networks and installing software that would drain ATM’s of cash.

    The creation of defensive measures requires extensive knowledge of the lurking threats and our team of experts is up-to-date on the latest security information. If you have any questions, feel free to contact us to find out more about TTP’s and other weapons in the hacker’s toolbox.

    Published with consideration from TechAdvisory SOURCE

    Employees are on the front lines of information security. The more that can be done to regularly educate yourself of the small things you can do can go a long way towards protecting your organization.

    Since it is the beginning of the year, many people are returning to work and trying to get out of “vacation mode.” (Us too!) We’ve decided to outline some tips to help you throughout the year to stay safe online while protecting your company in the process.

    General Best Practices

  • Avoid providing personal information when answering an email, unsolicited phone call, text message or instant message.
  • Never enter personal information in a pop-up web page or anywhere else that you did not initiate.
  • Keep security software and all other software programs updated.
  • Cyber Security Best Practices

  • Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
  • Don’t leak intellectual property- even accidentally. Sharing a picture with a whiteboard or computer screen in the background online could reveal more than someone outside of your company should see.
  • Report security warnings from your Internet security software to IT immediately, chances are, they aren’t aware of all threats that occur.
  • If traveling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. If offered, make sure you know how to connect to the company’s Virtual Private Network (VPN).
  • Be cautious of links and attachments in emails from senders you don’t recognize. Phishers prey on employees who open these without checking them out, opening the door to malware.
  • If you’re unsure about an email’s legitimacy, contact your IT department or submit the email to Symantec Security Response through this portal.
  • Online Behavior

  • Don’t steal. Taking intellectual property and releasing professional secrets are likely against corporate policies. Your company may track sensitive documents and you could get into hot water.
  • Read your company’s Acceptable Electronic Use (AEU) policy, and follow the policies for safe use of your devices.
  • When backing up to cloud services, be sure to talk to your IT department first, for a list of acceptable cloud solutions. Organizations can make this part of their AEU policy and make it a fire-able offense.
  • Best Practices for When to Contact Support

  • Call IT before you get in over your head. Often what starts as a simple update can be made more complex by attempting to “fix” the problem.
  • When you Bring Your Own Device (BYOD), ask your IT department if your device is allowed to access corporate data before you upload anything to it. Use authorized applications to access sensitive documents.
  • Learn the process for allowing IT to connect to your system. This can save time when you contact support and they need access to resolve an issue.
  • Learn basic computer hardware terms. This can save valuable time when you contact support and don’t have to describe the “mouse connector-thingy.”
  • Used with permission from Norton by Symantec by Nadia Kovacs

    As today’s companies are increasingly tending to run their business on the basis of digital assets, information security has become an even more critical factor of the business model, as it protects the most essential asset: information.

    We know that security is not a goal, but rather a process. As such, prevention and constant reinforcement of the outer edge of the corporate system are vital elements in the defense of assets in cyberspace.

    But despite this, contingencies occur, and the risk of suffering a security breach must always be considered. So let’s look at what action we should take in the face of this type of scenario to overcome a situation in which the organization’s resources could be compromised.

    Here 5 steps to take after a company is infected:

    Step 1: Determine the scope of the infection

    Time and time again, companies that have been victims of infections assess the traces of the impact just by using their intuition, rather than by means of an analytical examination of the problem. Clearly, after detecting an infection at the company, reaction speed is extremely important. However, hurrying to make groundless appraisals can divert your attention away from the right actions to take.

    If the necessary precautions have been taken, and there has consequently been an investment into the development of robust contingency management systems, it is possible to quickly gather the bits of evidence you need to answer some of the first key questions.

    In this way, to be begin with it is necessary to establish which systems have been compromised and in what way. Is the infection limited to a single piece of equipment or subnetwork? Has any sensitive data leaked out? Are we talking about corporate data, or private data relating to employees and/or customers?

    Step 2: Ensure continuity of service

    In the case of a leak of information which might compromise employees or end users, the second step would be to give them a warning of the possible breach and advise them to watch out for any unusual movements they might notice regarding the data they have stored under your service.

    If any physical equipment has been seriously compromised, you must set in motion any processes to activate backup resources, in order to maintain customer service. For this reason, it is critically important to plan your defense against attacks on availability, creating redundancy of equipment and connections. This, together with an action plan suitably defined at the level of the organization, will enable a rapid response to any events that lay siege to corporate security.

    Step 3: Contain the infection

    The containment of an infection begins with isolation of the equipment that you know has been compromised. Shutting down the segments of the network that include this equipment prevents the infection from continuing to spread throughout the corporate network, and interrupts any connection that may have been established with the attacker for the purpose of stealing information.

    If the traffic generated by the malicious agent turns out to be encrypted, the analysts must try reverse-engineering it to obtain the cryptographic keys. However, if communication is taking place on non-confidential protocols like HTTP, it will be exponentially easier to track the commands used by the attacker.

    Either way, studying these commands can lead the investigation to the discovery of new infected equipment, and the generation of traffic patterns should be translated into firewall rules, to quickly generate a first line of defense.

    To achieve this, it is necessary to have correctly labeled traffic captures in order to speed up processing. Once again, it’s self-evident that proactive prevention and detection of threats are the cornerstone of information security and define a company’s capacity to respond in times of crisis.

    Given that most of the procedures mentioned involve non-automated analysis of information, it is crucial to put in place a comprehensive corporate security solution in advance. This will make it possible to instantly deploy actions to block any harm that a malicious agent might attempt to inflict after penetrating your defenses.

    The latest generation of ESET corporate solutions was developed to be a key factor in the containment process, thereby preventing the spread of infectious components through the company’s different transaction systems.

    Step 4: Mitigate the infection and eliminate the line of attack

    Removal of the malicious part is a complex procedure which initially involves a detailed analysis of the code in order to understand how it works. Antivirus solutions support this type of activity by enabling automatic disinfection and saving valuable time in the process of responding.

    It is essential to understand that if the attackers are not completely eradicated from the network, they can resume their fraudulent activity on the infected equipment through another line of attack. Because of this, it is of vital importance to isolate the flaw that allowed them to enter in the first place, and then remove it from the system.

    Even after equipment identified as compromised has been cleaned, there remains a risk that other undiscovered infected equipment is still in operation. To prevent this from occurring, we need to reinforce the analysis of the packets transmitted by the network, as we now have the advantage of knowing the communication protocols and commands used thanks to the previous analysis of the infection.

    Together with a review of the firewall rules, changing the passwords on corporate networks is another preventive measure to take after detecting compromised resources, as this is one of the favored goals in corporate attacks. While the process of updating keys may take time and effort, it will prevent the attackers from using any stolen information to disguise themselves as a legitimate user.

    At this point, it is worth establishing whether the infection was the simple result of carelessness online, or whether it constitutes a successful link in a chain of persistent targeted attacks.

    If it is established that the infection was specifically targeting the organization, the real question to answer will be who lies behind these events, bearing in mind that another attack could be imminent.

    Step 5: Learn from any errors

    Carrying out an in-depth investigation into what happened will give cause for improving the processes within the organization. The removal of any vulnerabilities whose existence was previously unknown provides an opportunity to reinforce the perimeter of the corporate networks by identifying any other potential points of access to the system that had not previously been considered as falling within the scope of lines of attack.

    Infections are always absolutely negative events for a company; however, they offer opportunities to learn. They show which elements of the system’s design need to be strengthened and they allow you to discover the flaws in the current defense measures.

    Published with consideration from ESET. SOURCE

    Every time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards. When the unencrypted laptop was stolen from a former physician at the University of Oklahoma, for instance, or when a laptop was stolen from insurance provider Oregon Health Co-op containing data on 15,000 members.

    You’d think money would motivate them, if nothing else. In November, EMC and Hartford Hospital were ordered to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop in 2012 containing data on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.

    The problem extends far beyond the healthcare industry, too—such as the laptop stolen from SterlingBackCheck, a New York-based background screening service. The laptop contained data on 100,000 people.

    These types of breaches don’t quite grab the same headlines as major cybercrimes and hacking incidents, if only because a thousand employees affected by a laptop theft is less dramatic than 40 million customers at Target. But it’s a lot easier to steal a laptop than it is to hack into a corporate database, so the theft and loss of laptops, as well as desktops and flash drives, highlight the need for enhanced physical security and employee training.

    It’s easier to steal a laptop than to hack a database

    The organizations mentioned here have wised up. A spokesperson for the University of Oklahoma said it has launched an encryption program and new training for employees when it comes to handling sensitive data.

    SterlingBackCheck said it has updated its encryption and audit procedures, revised its equipment custody protocols, retrained employees on privacy and data security, and installed remote-wipe software on portable devices.

    Another threat to your data is the proliferation of Bring You Own Device (BYOD) policies and mobile workers.Gartner anticipates that half of all companies will have some need for a BYOD policy by 2017. Workers will be using their own devices as well as company-issued ones in the office or on the go. This opens up a new risk if devices are lost or stolen.

    Security firms like Sophos urge companies to put a robust policy in place for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media. A strong password is highly recommended too, but it’s not enough on its own.

    A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the physician had actually left his position at the university before his personal laptop went missing. He couldn’t say for sure whether it contained sensitive data, but by the time that possibility arose, it was too late.

    In another incident, at manufacturer Tremco, an employee lost a company-issued laptop on a plane. It was several weeks before the employee realized that it contained spreadsheets of personal employee data.

    Encryption, remote wiping, better data tracking

    Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically.

    This highlights the need for remote wiping tools, which SterlingBackCheck has put in place. If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.

    Much like large-scale hacking attacks, it’s the consumer or the patient that really suffers when a data breach occurs. The onus lies with the company to handle this data responsibly, whether it’s in the cloud or on a laptop on the bus.

    Published with consideration from PCWorld. SOURCE

    Adapt to Survive: Keeping One Step Ahead of Cyber Threats

    There have been numerous high profile cyber-attacks in recent years, of privacy companies and government agencies. In May 2014, eBay was hacked and had to announce that personal details of 233 million of its users had been stolen. In November of the same year Sony suffered a similar fate when 102 million of its user accounts were compromised, and several emails were leaked from its high ranking Hollywood executives. Earlier this year, it was discovered that the United States Office of Personal Management suffered from two large-scale hacks, resulting in the theft of millions of employee personal files.

    Against this backdrop of ever increasing cyber threats—and when you consider how much sensitive data is held by law firms—you realize how vital it is for the legal industry to keep data secure. Especially when the outcome of a legal case and the reputation of the legal firm concerned rests on it.

    Security Audit

    For each individual case a busy law firm will usually be privy to large numbers of physical documents, they will hold considerable amounts of electronic data, and there will be vast numbers of exchanges between clients that may contain sensitive information. Therefore, there are considerable potential vulnerabilities and the first step is to have all the risks professionally assessed by a cyber-threat specialist. Once you know where the gaps lie in your security, you can take steps to address them. A good way to do this, especially after an audit, is to create an Information Security Policy that lays out guidelines for your staff to ensure data is kept secure.

    Some high profile clients may wish to audit your firm from a security point of view before they appoint you. This is particularly true of those industries which are heavily regulated, such as health insurance, and payment card processing companies. If you have already carried out your own internal audit, then this eventuality shouldn’t be such a daunting experience.

    Keeping Documents Safe

    It is imperative that the records a legal firm holds are kept safe to protect their clients’ reputations as well as the fact that any breach could result in damage to ongoing lawsuits. The best option is to employ the services of a secure document management company that can protect your data whilst giving you the flexibility to access it whenever needed, an important point given the day to day practicalities of life in a law firm. These providers will be subject to their own auditing and will use high levels of both physical and data security to protect your assets. They can also store both hard copy documents and data.

    Firewall and Anti-Virus Software

    Your internal network and website should have a firewall as the first line of defense. Anti-virus software is also important to protect you from malware. In one recent cyber case involving a legal firm, they were subject to spear phishing. This is when an email is opened which seems to come from a trusted source that the firm recognizes. The email then installs malware which sits in the background gathering sensitive data for the hacker.

    Anti-virus software needs to be updated regularly and all systems should be scanned on an ongoing basis. These updates and scans should be set to run automatically by your IT department, to avoid human error.

    Encryption and Off-Site Servers

    The ideal solution for a legal firm is to have all their data held off-site in a high security data center. Furthermore all data held should be encrypted and all communications, including email, should also take place through encrypted connections. Encryption is important as then even if your data center is hacked your information should still remain secure.

    Even if your law firm is relatively small, you aren’t immune to hacking. The FBI recently warned that even small and medium sized firms are now coming under attack. A law firm’s reputation is paramount. Clients expect their data to always remain confidential and the success of a case may rest on this fact. With the stakes so high are you willing to risk your reputation and a subsequent loss of business when some key steps taken now can do a great deal to protect you? Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

    Published with consideration from Law Technology.SOURCE

    The report found the most popular phishing attack templates with the highest click rates are items employees expected to see in their work email.
    Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent, according to a report from Wombat Security Technologies.

    Organizations surveyed indicated they have suffered malware infections (42 percent), compromised accounts (22 percent), and loss of data (4 percent), as a direct result of successful phishing attacks.

    Survey respondents said they protect themselves from phishing using a variety of methods, including email spam filters (99 percent), outbound proxy protection (56 percent), advanced malware analysis (50 percent), and URL wrapping (24 percent).

    “The lack of measurement by security professionals concerned us the most,” Trevor Hawthorn, chief technology officer of Wombat, told eWEEK.
    He pointed out that 37 percent of respondents did not measure their susceptibility to phishing, and a staggering 56 percent do not assess end user risk.

    “Without assessing to understand security problems, you cannot create an effective plan to combat them,” he explained. “There are multiple ways that security officers can measure risk – through pulling numbers on items like policy violations, malware infections, reported and identified phishing attacks, or they can do a knowledge assessment or simulated phishing attack that will not only help them understand risk, but set a baseline to measure improvement against.”

    The report found that the most popular phishing attack templates with the highest click rates included items employees expected to see in their work email such as an HR document, or a shipping confirmation.

    “Email is a part of virtually everyone’s life. We get large volumes every day, and we have more and more details about our lives online on places like social media that allow criminals to create more targeted messages to get us to click,” Hawthorn said. “Organizations can be sure that they are continuously training their employees on what phishing messages look like and how to avoid them.”

    Wombat found the following plugins as most vulnerable for being outdated and susceptible to an attack: Adobe (61 percent), Adobe Flash (46 percent), Microsoft Silverlight (27 percent), and Java (25 percent).

    “Threats will continue to do what works until it doesn’t,” Hawthorn said. “Then they will adjust and exploit the next easiest path. Right now end users are still the easiest path. Why? Because the security industry has matured when it comes to managing risk of technical assets. We need to manage end user risk the same way we manage technical risk. Perform on-going, targeted assessments, and gather real-time user behavior data to determine a user’s risk level.”

    For additional tips on how to resolve to be better about cyber security in 2016, reach out to GCInfotech to assess your current network security and any potential vulnerabilities.

    Cyber attacks are a real concern for businesses today, but it’s important to be able to separate myth from reality. Education is key to protecting your business against an attack and keeping your business and customer data safe.

    Curious to learn about other common malware that can cause trouble for business owners? Want to upgrade your existing network security system? Give us a call today, we’re sure we can help.

    Published with consideration from eWeek. SOURCE