The financial services industry has long been a sector heavily targeted by cyber criminals. The number of attacks that involved extortion, social engineering and credential-stealing malware surged in 2015. This means that these institutions should strive to familiarize themselves with the threats and the agents behind them. Here are 7 new threats and tactics, techniques and procedures (TTPs) that security professionals should know about.

Extortion

The cyber criminal group Armada Collective gained notoriety for being the first to utilize distributed denial-of-service (DDoS) attacks. A DDoS attack occurs when multiple systems flood a targeted system to temporarily or completely disrupt service. The group evolved the idea further and started to extort Bitcoins from victims, who were initially notified of their vulnerability. If the victims didn’t comply with the ransom demands, the criminals would flood their systems until the victim’s network shut down completely.

Social media attacks

This involved criminals using fake profiles to gather information for social engineering purposes. Fortunately, by the end of 2015 both Facebook and Twitter began proactively monitoring for suspicious activity and started notifying users if they had been targeted. However, you should still have your guard up when someone you don’t know, or even a friend or colleague, starts asking you suspicious questions.

Spear phishing

Phishers thrive off familiarity. They send out emails that seem to come from a business or someone that you know, asking for credit card or bank account numbers. In 2015, phishers went to the next level and began whaling. This normally involved spoofing executives’ emails (often CEOs) to dupe finance departments into transferring large sums of money to fraudulent accounts.

Point-of-sale malware

POS malware is written to steal customer payment (especially credit card) data from retail checkout systems. It is a type of memory scraper that operates by instantly detecting unencrypted type 2 credit card data, which is then sent to the attacker’s computer to be sold on underground sites.

ATM malware

GreenDispenser is an ATM-specific malware that infects ATMs and allows criminals to extract large sums of money while avoiding detection. Recently, reverse ATM attacks have also emerged, in which compromised POS terminals and money mules are used to reverse transactions after money has been withdrawn or sent to another bank account.

Credential theft

Dridex, a well-known piece of credential-stealing software, is a multifunctional malware package that leverages obfuscated macros in Microsoft Office and extensible markup language (XML) files to infect systems. The goal is to infect computers, steal credentials, and obtain money from victims’ bank accounts. It operates primarily as a banking Trojan and is generally distributed through phishing email messages.

Other sophisticated threats

Various TTPs can be combined to extract data on a bigger scale. Targeting multiple geographies and sectors at once, this method normally involves an organized crime syndicate or someone with a highly sophisticated setup. For example, the group Carbanak primarily targeted financial institutions by infiltrating internal networks and installing software that would drain ATMs of cash.

The creation of defensive measures requires extensive knowledge of the lurking threats and our team of experts is up-to-date on the latest security information. If you have any questions, feel free to contact us to find out more about TTP’s and other weapons in the hacker’s toolbox.

Published with consideration from TechAdvisory SOURCE

Employees are on the front lines of information security. Regularly educating yourself about the small things you can do goes a long way towards protecting your organization.

Since it is the beginning of the year, many people are returning to work and trying to get out of “vacation mode.” (Us too!) We’ve decided to outline some tips to help you throughout the year to stay safe online while protecting your company in the process.

General Best Practices

  • Avoid providing personal information when answering an email, unsolicited phone call, text message or instant message.
  • Never enter personal information in a pop-up web page or anywhere else that you did not initiate.
  • Keep security software and all other software programs updated.

Cyber Security Best Practices

  • Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
  • Don’t leak intellectual property, even accidentally. Sharing a picture online with a whiteboard or computer screen in the background could reveal more than someone outside of your company should see.
  • Report security warnings from your Internet security software to IT immediately; chances are they aren’t aware of all threats that occur.
  • If traveling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. If offered, make sure you know how to connect to the company’s Virtual Private Network (VPN).
  • Be cautious of links and attachments in emails from senders you don’t recognize. Phishers prey on employees who open these without checking them out, opening the door to malware.
  • If you’re unsure about an email’s legitimacy, contact your IT department or submit the email to Symantec Security Response through this portal.

Online Behavior

  • Don’t steal. Taking intellectual property and releasing professional secrets are likely against corporate policies. Your company may track sensitive documents and you could get into hot water.
  • Read your company’s Acceptable Electronic Use (AEU) policy, and follow the policies for safe use of your devices.
  • When backing up to cloud services, be sure to talk to your IT department first for a list of acceptable cloud solutions. Organizations can make this part of their AEU policy and make it a fireable offense.

Best Practices for When to Contact Support

  • Call IT before you get in over your head. Often what starts as a simple update can be made more complex by attempting to “fix” the problem.
  • When you Bring Your Own Device (BYOD), ask your IT department if your device is allowed to access corporate data before you upload anything to it. Use authorized applications to access sensitive documents.
  • Learn the process for allowing IT to connect to your system. This can save time when you contact support and they need access to resolve an issue.
  • Learn basic computer hardware terms. This can save valuable time when you contact support and don’t have to describe the “mouse connector-thingy.”

Used with permission from Norton by Symantec by Nadia Kovacs

    As today’s companies are increasingly tending to run their business on the basis of digital assets, information security has become an even more critical factor of the business model, as it protects the most essential asset: information.

    We know that security is not a goal, but rather a process. As such, prevention and constant reinforcement of the outer edge of the corporate system are vital elements in the defense of assets in cyberspace.

    But despite this, contingencies occur, and the risk of suffering a security breach must always be considered. So let’s look at what action we should take in the face of this type of scenario to overcome a situation in which the organization’s resources could be compromised.

    Here are 5 steps to take after a company is infected:

    Step 1: Determine the scope of the infection

    Time and time again, companies that have been victims of infections assess the traces of the impact just by using their intuition, rather than by means of an analytical examination of the problem. Clearly, after detecting an infection at the company, reaction speed is extremely important. However, hurrying to make groundless appraisals can divert your attention away from the right actions to take.

    If the necessary precautions have been taken, and there has consequently been an investment into the development of robust contingency management systems, it is possible to quickly gather the bits of evidence you need to answer some of the first key questions.

    In this way, to begin with it is necessary to establish which systems have been compromised and in what way. Is the infection limited to a single piece of equipment or subnetwork? Has any sensitive data leaked out? Are we talking about corporate data, or private data relating to employees and/or customers?

    Step 2: Ensure continuity of service

    In the case of a leak of information which might compromise employees or end users, the second step would be to give them a warning of the possible breach and advise them to watch out for any unusual movements they might notice regarding the data they have stored under your service.

    If any physical equipment has been seriously compromised, you must set in motion any processes to activate backup resources, in order to maintain customer service. For this reason, it is critically important to plan your defense against attacks on availability, creating redundancy of equipment and connections. This, together with an action plan suitably defined at the level of the organization, will enable a rapid response to any events that lay siege to corporate security.

    Step 3: Contain the infection

    The containment of an infection begins with isolation of the equipment that you know has been compromised. Shutting down the segments of the network that include this equipment prevents the infection from continuing to spread throughout the corporate network, and interrupts any connection that may have been established with the attacker for the purpose of stealing information.

    If the traffic generated by the malicious agent turns out to be encrypted, the analysts must try reverse-engineering it to obtain the cryptographic keys. However, if communication is taking place on non-confidential protocols like HTTP, it will be exponentially easier to track the commands used by the attacker.

    Either way, studying these commands can lead the investigation to the discovery of new infected equipment, and the generation of traffic patterns should be translated into firewall rules, to quickly generate a first line of defense.

    To achieve this, it is necessary to have correctly labeled traffic captures in order to speed up processing. Once again, it’s self-evident that proactive prevention and detection of threats are the cornerstone of information security and define a company’s capacity to respond in times of crisis.

    Given that most of the procedures mentioned involve non-automated analysis of information, it is crucial to put in place a comprehensive corporate security solution in advance. This will make it possible to instantly deploy actions to block any harm that a malicious agent might attempt to inflict after penetrating your defenses.

    The latest generation of ESET corporate solutions was developed to be a key factor in the containment process, thereby preventing the spread of infectious components through the company’s different transaction systems.

    Step 4: Mitigate the infection and eliminate the line of attack

    Removal of the malicious part is a complex procedure which initially involves a detailed analysis of the code in order to understand how it works. Antivirus solutions support this type of activity by enabling automatic disinfection and saving valuable time in the process of responding.

    It is essential to understand that if the attackers are not completely eradicated from the network, they can resume their fraudulent activity on the infected equipment through another line of attack. Because of this, it is of vital importance to isolate the flaw that allowed them to enter in the first place, and then remove it from the system.

    Even after equipment identified as compromised has been cleaned, there remains a risk that other undiscovered infected equipment is still in operation. To prevent this from occurring, we need to reinforce the analysis of the packets transmitted by the network, as we now have the advantage of knowing the communication protocols and commands used thanks to the previous analysis of the infection.
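A sketch of the workflow described in Steps 3 and 4: labeled traffic from the analysed machine is turned into indicators, the indicators are used to find other equipment talking to the same destination, and the result is written out as firewall rules. This is an added example, not code from the original article or from ESET; the proxy log format, the IP addresses, the host names, the `gate.php` path and the use of the iptables FORWARD chain on a Linux gateway are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, client IP, destination IP, method, URL.
PROXY_LOG = """\
2016-01-12T09:14:02 10.0.2.15 203.0.113.10 POST http://updates.example.net/gate.php?id=7f3a
2016-01-12T09:14:40 10.0.2.15 198.51.100.7 GET http://intranet.example.com/wiki/Home
2016-01-12T09:19:02 10.0.2.15 203.0.113.10 POST http://updates.example.net/gate.php?id=7f3a
2016-01-12T09:21:13 10.0.3.44 203.0.113.10 POST http://updates.example.net/gate.php?id=91bc
2016-01-12T09:22:00 10.0.3.51 198.51.100.7 GET http://intranet.example.com/wiki/Home
2016-01-12T09:30:45 10.0.4.8 203.0.113.25 POST http://cdn.example.org/gate.php?id=02de
"""

# Constructed, analyst-labeled flows from the capture of the machine
# already known to be compromised (10.0.2.15).
LABELED_CAPTURE = [
    {"dst_ip": "203.0.113.10", "method": "POST",
     "url": "http://updates.example.net/gate.php?id=7f3a", "label": "c2"},
    {"dst_ip": "198.51.100.7", "method": "GET",
     "url": "http://intranet.example.com/wiki/Home", "label": "benign"},
]


def parse_log(text):
    """Parse the whitespace-separated log; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, method, url = parts
        records.append({"ts": ts, "src_ip": src, "dst_ip": dst,
                        "method": method, "url": url})
    return records


def build_indicators(labeled):
    """Keep only flows labeled as attacker traffic and extract what to match on."""
    ind = {"dst_ips": set(), "hosts": set(), "requests": set()}
    for flow in labeled:
        if flow["label"] != "c2":
            continue
        parts = urlsplit(flow["url"])
        ind["dst_ips"].add(flow["dst_ip"])
        ind["hosts"].add(parts.hostname)
        ind["requests"].add((flow["method"], parts.path))
    return ind


def hunt(records, ind):
    """Return (confirmed, review): request counts per internal client.

    confirmed: contacted a known attacker IP or host name.
    review:    same method and path on an unknown destination; a weaker
               signal that an analyst should check before acting on it.
    """
    confirmed, review = defaultdict(int), defaultdict(int)
    for r in records:
        parts = urlsplit(r["url"])
        if r["dst_ip"] in ind["dst_ips"] or parts.hostname in ind["hosts"]:
            confirmed[r["src_ip"]] += 1
        elif (r["method"], parts.path) in ind["requests"]:
            review[r["src_ip"]] += 1
    return dict(confirmed), dict(review)


def firewall_rules(ind, infected_hosts):
    """Isolate infected clients, then block the confirmed destinations."""
    by_ip = ipaddress.ip_address
    rules = [f"iptables -I FORWARD -s {ip} -j DROP"
             for ip in sorted(infected_hosts, key=by_ip)]
    rules += [f"iptables -A FORWARD -d {ip} -j DROP"
              for ip in sorted(ind["dst_ips"], key=by_ip)]
    return rules


def run():
    indicators = build_indicators(LABELED_CAPTURE)
    confirmed, review = hunt(parse_log(PROXY_LOG), indicators)
    return confirmed, review, firewall_rules(indicators, confirmed)


if __name__ == "__main__":
    confirmed, review, rules = run()
    print("confirmed:", confirmed)
    print("needs review:", review)
    print("\n".join(rules))
```

Path-only matches are kept out of the generated rules on purpose: a shared URL path on an unknown destination is a lead for the analyst, not yet grounds for blocking.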

    Together with a review of the firewall rules, changing the passwords on corporate networks is another preventive measure to take after detecting compromised resources, as this is one of the favored goals in corporate attacks. While the process of updating keys may take time and effort, it will prevent the attackers from using any stolen information to disguise themselves as a legitimate user.

    At this point, it is worth establishing whether the infection was the simple result of carelessness online, or whether it constitutes a successful link in a chain of persistent targeted attacks.

    If it is established that the infection was specifically targeting the organization, the real question to answer will be who lies behind these events, bearing in mind that another attack could be imminent.

    Step 5: Learn from any errors

    Carrying out an in-depth investigation into what happened will give cause for improving the processes within the organization. The removal of any vulnerabilities whose existence was previously unknown provides an opportunity to reinforce the perimeter of the corporate networks by identifying any other potential points of access to the system that had not previously been considered as falling within the scope of lines of attack.

    Infections are always absolutely negative events for a company; however, they offer opportunities to learn. They show which elements of the system’s design need to be strengthened and they allow you to discover the flaws in the current defense measures.

    Published with consideration from ESET. SOURCE

    Every time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards. Take the unencrypted laptop stolen from a former physician at the University of Oklahoma, for instance, or the laptop stolen from insurance provider Oregon Health Co-op containing data on 15,000 members.

    You’d think money would motivate them, if nothing else. In November, EMC and Hartford Hospital were ordered to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop in 2012 containing data on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.

    The problem extends far beyond the healthcare industry, too—such as the laptop stolen from SterlingBackCheck, a New York-based background screening service. The laptop contained data on 100,000 people.

    These types of breaches don’t quite grab the same headlines as major cybercrimes and hacking incidents, if only because a thousand employees affected by a laptop theft is less dramatic than 40 million customers at Target. But it’s a lot easier to steal a laptop than it is to hack into a corporate database, so the theft and loss of laptops, as well as desktops and flash drives, highlight the need for enhanced physical security and employee training.

    It’s easier to steal a laptop than to hack a database

    The organizations mentioned here have wised up. A spokesperson for the University of Oklahoma said it has launched an encryption program and new training for employees when it comes to handling sensitive data.

    SterlingBackCheck said it has updated its encryption and audit procedures, revised its equipment custody protocols, retrained employees on privacy and data security, and installed remote-wipe software on portable devices.

    Another threat to your data is the proliferation of Bring Your Own Device (BYOD) policies and mobile workers. Gartner anticipates that half of all companies will have some need for a BYOD policy by 2017. Workers will be using their own devices as well as company-issued ones in the office or on the go. This opens up a new risk if devices are lost or stolen.

    Security firms like Sophos urge companies to put a robust policy in place for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media. A strong password is highly recommended too, but it’s not enough on its own.

    A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the physician had actually left his position at the university before his personal laptop went missing. He couldn’t say for sure whether it contained sensitive data, but by the time that possibility arose, it was too late.

    In another incident, at manufacturer Tremco, an employee lost a company-issued laptop on a plane. It was several weeks before the employee realized that it contained spreadsheets of personal employee data.

    Encryption, remote wiping, better data tracking

    Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically.

    This highlights the need for remote wiping tools, which SterlingBackCheck has put in place. If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.

    Much like large-scale hacking attacks, it’s the consumer or the patient that really suffers when a data breach occurs. The onus lies with the company to handle this data responsibly, whether it’s in the cloud or on a laptop on the bus.

    Published with consideration from PCWorld. SOURCE

    Adapt to Survive: Keeping One Step Ahead of Cyber Threats

    There have been numerous high-profile cyber-attacks in recent years against private companies and government agencies. In May 2014, eBay was hacked and had to announce that personal details of 233 million of its users had been stolen. In November of the same year Sony suffered a similar fate when 102 million of its user accounts were compromised, and several emails were leaked from its high-ranking Hollywood executives. Earlier this year, it was discovered that the United States Office of Personnel Management suffered from two large-scale hacks, resulting in the theft of millions of employee personal files.

    Against this backdrop of ever increasing cyber threats—and when you consider how much sensitive data is held by law firms—you realize how vital it is for the legal industry to keep data secure. Especially when the outcome of a legal case and the reputation of the legal firm concerned rests on it.

    Security Audit

    For each individual case a busy law firm will usually be privy to large numbers of physical documents, they will hold considerable amounts of electronic data, and there will be vast numbers of exchanges between clients that may contain sensitive information. Therefore, there are considerable potential vulnerabilities and the first step is to have all the risks professionally assessed by a cyber-threat specialist. Once you know where the gaps lie in your security, you can take steps to address them. A good way to do this, especially after an audit, is to create an Information Security Policy that lays out guidelines for your staff to ensure data is kept secure.

    Some high profile clients may wish to audit your firm from a security point of view before they appoint you. This is particularly true of those industries which are heavily regulated, such as health insurance, and payment card processing companies. If you have already carried out your own internal audit, then this eventuality shouldn’t be such a daunting experience.

    Keeping Documents Safe

    It is imperative that the records a legal firm holds are kept safe to protect their clients’ reputations as well as the fact that any breach could result in damage to ongoing lawsuits. The best option is to employ the services of a secure document management company that can protect your data whilst giving you the flexibility to access it whenever needed, an important point given the day to day practicalities of life in a law firm. These providers will be subject to their own auditing and will use high levels of both physical and data security to protect your assets. They can also store both hard copy documents and data.

    Firewall and Anti-Virus Software

    Your internal network and website should have a firewall as the first line of defense. Anti-virus software is also important to protect you from malware. In one recent cyber case involving a legal firm, they were subject to spear phishing. This is when an email is opened which seems to come from a trusted source that the firm recognizes. The email then installs malware which sits in the background gathering sensitive data for the hacker.

    Anti-virus software needs to be updated regularly and all systems should be scanned on an ongoing basis. These updates and scans should be set to run automatically by your IT department, to avoid human error.

    Encryption and Off-Site Servers

    The ideal solution for a legal firm is to have all their data held off-site in a high security data center. Furthermore all data held should be encrypted and all communications, including email, should also take place through encrypted connections. Encryption is important as then even if your data center is hacked your information should still remain secure.

    Even if your law firm is relatively small, you aren’t immune to hacking. The FBI recently warned that even small and medium sized firms are now coming under attack. A law firm’s reputation is paramount. Clients expect their data to always remain confidential and the success of a case may rest on this fact. With the stakes so high are you willing to risk your reputation and a subsequent loss of business when some key steps taken now can do a great deal to protect you? Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

    Published with consideration from Law Technology. SOURCE

    The report found the most popular phishing attack templates with the highest click rates are items employees expected to see in their work email.
    Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent, according to a report from Wombat Security Technologies.

    Organizations surveyed indicated they have suffered malware infections (42 percent), compromised accounts (22 percent), and loss of data (4 percent), as a direct result of successful phishing attacks.

    Survey respondents said they protect themselves from phishing using a variety of methods, including email spam filters (99 percent), outbound proxy protection (56 percent), advanced malware analysis (50 percent), and URL wrapping (24 percent).

    “The lack of measurement by security professionals concerned us the most,” Trevor Hawthorn, chief technology officer of Wombat, told eWEEK.
    He pointed out that 37 percent of respondents did not measure their susceptibility to phishing, and a staggering 56 percent do not assess end user risk.

    “Without assessing to understand security problems, you cannot create an effective plan to combat them,” he explained. “There are multiple ways that security officers can measure risk – through pulling numbers on items like policy violations, malware infections, reported and identified phishing attacks, or they can do a knowledge assessment or simulated phishing attack that will not only help them understand risk, but set a baseline to measure improvement against.”

    The report found that the most popular phishing attack templates with the highest click rates included items employees expected to see in their work email such as an HR document, or a shipping confirmation.

    “Email is a part of virtually everyone’s life. We get large volumes every day, and we have more and more details about our lives online on places like social media that allow criminals to create more targeted messages to get us to click,” Hawthorn said. “Organizations can be sure that they are continuously training their employees on what phishing messages look like and how to avoid them.”

    Wombat found the following plugins were the most likely to be outdated and susceptible to an attack: Adobe (61 percent), Adobe Flash (46 percent), Microsoft Silverlight (27 percent), and Java (25 percent).

    “Threats will continue to do what works until it doesn’t,” Hawthorn said. “Then they will adjust and exploit the next easiest path. Right now end users are still the easiest path. Why? Because the security industry has matured when it comes to managing risk of technical assets. We need to manage end user risk the same way we manage technical risk. Perform on-going, targeted assessments, and gather real-time user behavior data to determine a user’s risk level.”

    For additional tips on how to resolve to be better about cyber security in 2016, reach out to GCInfotech to assess your current network security and any potential vulnerabilities.

    Cyber attacks are a real concern for businesses today, but it’s important to be able to separate myth from reality. Education is key to protecting your business against an attack and keeping your business and customer data safe.

    Curious to learn about other common malware that can cause trouble for business owners? Want to upgrade your existing network security system? Give us a call today, we’re sure we can help.

    Published with consideration from eWeek. SOURCE

    Most business owners have an employee handbook. But when it comes to the online security of their business, often times this portion is either not adequately addressed, or not addressed at all. However, with cyber crimes an ever increasing threat, and the fact that employee error is one of the most common causes of a security breach, it is incredibly vital that your staff is informed of your policies. Here are four policies that every business owner should share with their employees.

    Internet

    In today’s business world, employees spend a lot of time on the Internet. To ensure they’re not putting your business at risk, you need a clear set of web policies. Here are three important ones to keep in mind:

    1. Employees should be using the Internet for business purposes only. While this is undoubtedly hard to avoid without blocking specific websites, having a policy in place should at least cut back on employees spending time on non-business related sites.
    2. Prohibit unauthorized downloads. This includes everything from music to games, and even data or applications.
    3. Accessing personal email should not be done on business devices. If employees must access their own email account during the day, they can do so on their smartphone or other personal device.

    These are just a few Internet policies to get started, but you should also consider including information on your recommended browsing practices and your policies for using business devices (such as company phones) on public wifi.

    Email

    Just like with the Internet policy mentioned above, company email accounts should only be utilized for business use. That means your employees should never use it to send personal files, forward links or perform any type of business-related activities outside of their specific job role. Additionally, consider implementing a standard email signature for all employees. This not only creates brand cohesion on all outgoing emails, but also makes it easy to identify messages from other employees, and hence helps prevent spear phishing.

    Passwords

    We’ve all heard the importance of a strong password time and time again. And this same principle should also apply to your employees. The reason is rather simple. Many employees will create the easiest to crack passwords for their business accounts. After all, if your organization gets hacked, it’s not their money or business at stake. So to encourage employees to create strong passwords, your policy should instruct them to include special characters, uppercase and lowercase letters, and numbers in their passwords.

    Data

    Whether or not you allow your employees to conduct work on their own device, such as a smartphone or tablet, it is important to have a bring your own device (BYOD) policy. If your employees aren’t aware of your stance on BYOD, some are sure to assume they can conduct work related tasks on their personal laptop or tablet. So have a BYOD policy and put it in the employee handbook. In addition to this, make sure to explain that data on any workstation is business property. That means employees aren’t allowed to remove or copy it without your authorization.

    We hope these four policies have shed some light on best security practices. If you’d like more tips or are interested in a security audit of your business, do get in touch.

    Published with consideration from TechAdvisory. SOURCE

    Ways to Repel Ransomware


    Let’s put aside for a moment the mega data breaches that resulted in millions of confidential customer records going out the door. If 2015 is to be remembered for one thing in the world of cybersecurity, it might be the year ransomware hit the big time.

    Ransomware is “kidnapping” malware that has been plaguing home users and businesses for many years, but which has significantly spiked over the past 24 to 36 months to become a hugely profitable racket for cybercriminals – and a source of great tension for IT and security professionals. The threat initially gained notoriety for its maddening ability to freeze individual keyboards and computers – usually with bogus statements from the FBI concerning child pornography – but in recent years it has evolved to encrypt sensitive data files, with the attackers the only ones holding the private keys to unlock them. The most recent strains of ransomware are going even one step further: They are being bundled with password stealers that are used to exploit weak website security.

    The fraudsters won’t release the key, of course, until you make a payment, usually requested in bitcoins. The going rate is around $500, but the shakedown can stretch into the several thousands of dollars for victims – never mind the costs associated with downtime and recovery, as well as potential legal and customer-related costs. Because the attack is so crippling, many businesses end up deciding to pay the ransom – an outcome that even the FBI hasn’t discouraged. The most common ransomware family is CryptoWall, which the Internet Crime Complaint Center in the United States estimates was responsible for nearly 1,000 complaints between April 2014 and June 2015, with those victims reporting some $18 million in losses. TeslaCrypt and CTB-Locker are two other families that are popular. Reveton and Chimera are still around, but somewhat outdated.

    Purveyors of ransomware typically stop short of exfiltrating compromised data as we’ve become accustomed to with traditional data breaches. Instead, they aspire for a quick hit and an even quicker reward. Once compensated, they usually live up to their end of the bargain and release the data from their control – if they didn’t, nobody would ever pay the ransom – although that’s no guarantee they’ve abandoned their foothold in the target environment.

    Ask any security expert why ransomware has become so popular and they’ll give you roughly the same answer: It’s not a complicated scam requiring different players handling specific tasks (as you might find in a credit card breach operation). It often results in quick cash – Trustwave researchers estimated the return on investment for ransomware attackers is a whopping 1,425 percent – and most of all, it works. The threat is often difficult to detect and even harder to remove once it has infiltrated a target, which, by the way, doesn’t just include PCs, but also mobile devices (where the threat is growing fast), Linux-based systems and even medical devices.

    What steps can you take to rebuff a ransomware attack? Try these seven recommendations:

    1. Back up Your Data

    This allows you to quickly recover from an incident. Be sure to regularly replicate file changes in your production environment, so your fallback point is an acceptable amount of time for your organization in case of an attack.

    2. Disconnect from the Internet

    At the first sign of a malware infection, detach the compromised machine from the network, cutting off the attacker’s control of it. However, take note that this will not stop the encryption process if it’s already been initiated by the ransomware.

    3. Run Anti-Malware

    It’s not enough to simply have anti-virus running on your desktops. You also need live anti-malware capabilities that can conduct real-time code analysis and dynamic URL categorization.

    4. Spread Security Awareness

    Ransomware scams tend to begin like most malware infections – with an end-user clicking or opening something malicious. Preach the importance of social engineering defense.

    5. Deploy Advanced Email Security

    To complement awareness with technology, you should adopt an email security gateway that incorporates threat intelligence to effectively thwart emails that contain malicious URLs.

    6. Patch Your Software and Systems

    Malware often requires an unpatched vulnerability to run, so ensure that your entire environment is updated with the latest security fixes. Vulnerability scans and security testing help businesses identify their network-connected assets and learn how those assets are vulnerable to attack.

    7. Report the Event

    If you’re a victim of a ransomware attack, you need to kick in incident response, which should include contacting the authorities and/or filing a complaint with IC3.

    Published with consideration from Trustwave.

    Potential IT security issues in 2016

    As a small or medium-sized business owner or manager, it’s only to be expected that you want to keep your company safe from cyber attacks and hacking attempts. But how much do you really know about online safety? With massive corporations such as Sony falling victim to attack, cyber security has never been more in the public eye. And that makes it the ideal time to learn just what it is you need to be doing to keep your business secure in 2016.

    If you think that only big corporations and prominent organizations are targeted by cyber criminals, you are making a deadly mistake. It might be tempting to sweep cyber crime under the carpet and assume that you are flying below the average hacker’s radar, but that simply isn’t true. In fact, it’s the polar opposite, since smaller enterprises are actually far more likely to be at risk than larger ones, owing to their typically less sturdy security postures.

    So where does that leave you as a small or medium-sized business owner or manager? Does it mean you need to be taking your cyber security even more seriously? You can bet your bottom dollar it does, as industry experts predict that 2016 is only going to become more of a minefield when it comes to online crime.

    The headline trend that IT security professionals pinpointed this year was that criminals were no longer hacking into websites purely to bolster their bank accounts. 2015 has seen the emergence of another strain of hackers, launching cyber attacks as part of a moral crusade. These people are not purely after money, although in some cases this may also be a contributing factor; instead, their claimed motivation is revenge, or righting what they perceive as wrong. It is this diversification in the hacking community that has led security watchers to predict that, as we enter 2016, we are likely to see some different behavior from hackers.

    Among the unpleasant predictions being made, a number of experts agree that hacks of a destructive nature will be on the rise. The fact that hackers are using attacks for retribution rather than simple monetary gain means that a wider cross-section of organizations may well find themselves being preyed upon, all the way from government agencies – traditionally ignored by hackers – to online retailers and other commercial websites.

    Remember when Snapchat got hacked back in October 2014, and the hackers threatened to make public as many as 200,000 photos? Well, the bad news is that apps are going to continue to be targeted. In particular, those mobile apps that request access to your list of contacts, emails and messages can, in the wrong hands, be used to create the kind of portal that enables a cyber criminal to steal data or gain access to a company’s entire network. All this means that in 2016, hackers could be taking advantage of apps to do more than just steal your social media photos – they might have in mind the takedown of your entire company.

    As a local business owner, social engineering – a means of tricking an individual into disclosing revealing or personal information about themselves or their company – is something you definitely need to be concerned about. You might pride yourself on being too savvy to fall for a cyber criminal’s tricks, but what about your employees? Can you be sure that each and every one of them exhibits the same amount of self control, cynicism, and wariness that you do? Not only that but, as we enter a new era of online threats, the criminals that use social engineering are growing in confidence and creativity. Dodgy emails from a bizarrely named sender containing a link to an unheard-of website are yesterday’s news. Modern social engineering is highly evolved and extremely cunning, and has the potential to convince even the most streetwise internet user.

    How confident are you that your entire team of employees would be completely infallible in the face of a stealth attack from a seemingly innocent source? Could you trust them to refrain from divulging not only their personal details but also information pertaining to your company? Multiply the number of employees in your company by the number of phone apps they potentially use, and add to that the fact that any one of them could at any time be targeted by a social engineering scam, and the end result is a less-than-perfect security posture.

    The sad fact is that there are people who want to do you harm – regardless of whether you hold confidential information about celebrity salaries, or are privy to a database full of cheating spouses. People, no matter how well meaning or vigilant, are the weakest link in any security chain, which means that ensuring your business’s safety necessitates educating your staff and ensuring that your network is impenetrable.

    Professional training and a vulnerability assessment are two great places to start, so why not get in touch with us? We’ll make sure your business is as hack-proof as it can be.

    Should members of the U.S. military who click on phishing emails be court-martialed? Admiral Michael Rogers thinks so. As director of the National Security Agency, he’s dealing with a hack of the Pentagon’s Joint Staff network that was enabled by four people who fell for phishing emails.

    “When I looked at the email, I said: ‘Why would you have opened this? It makes no sense,’” Adm. Rogers recently told The Wall Street Journal. “And the answer I got was: ‘It was early in the morning. It was a Monday. I’m just blowing through my emails.’

    “If someone had said to me: ‘Hey, it’s lonely on post. It’s the middle of the night out in the middle of nowhere. I just pulled my gun out because I wanted to quick draw,’ we would never accept that. So why are we willing to accept this kind of behavior in the cyber world?”

    That blunt assessment should be food for thought for any organization that uses email – in other words, everyone. Email’s ubiquity enables hackers to cast a wide net and, as the Pentagon example shows, the volume of email most workers receive increases the chances that phishing and other attack methods will succeed.

    Rethinking email security

    But there’s another key aspect that many CIOs, CSOs and IT managers overlook: email is a gold mine of information that facilitates a wide variety of subsequent attacks. For example, a new employee might use email to provide HR with her dependents’ names and Social Security numbers. That information enables identity theft. Less obvious is how it also opens back doors to personal and professional data if she uses those names as passwords or as responses to security challenges. The risks multiply even further if HR sends her links to set up employer-related accounts for everything from health insurance to the corporate LAN.

    It gets worse: most people don’t delete messages once they’ve sent them, which means the confidential personal and professional information they contain is there for the taking for any hacker who manages to get in. This confidential information in email could linger for months, years or forever, depending on whether her employer’s IT policies automatically purge messages after a certain time (if they purge at all). She’ll also probably archive HR’s messages so she has those links and other information handy, which means more valuable data for hackers.

    If that sounds scary, it is. But practically every week, there’s a headline about a high-profile email hack, which shows that too many enterprises, government agencies and other organizations are growing complacent or simply desensitized. That increases the likelihood that they’ll eventually make headlines, too – or even have a law nicknamed after their organization because the breach was too big and too embarrassing for Congress to ignore.

    Hyperbole? Imagine a hack of thousands or millions of patient accounts that was enabled because a single internal email contained that database’s login information. Actually, you don’t have to imagine it because it’s happened so many times. One example is the University of California Davis Health System, where a single physician’s email account stored 1,326 patients’ information. They’re now among the roughly 39 million patients nationwide whose health information has been hacked so far, according to the Department of Health and Human Services.
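
    An added example, not part of the original article: a minimal Python audit of the risk described above, flagging stored messages that contain Social Security numbers or login details and marking those older than a retention window. The sample messages, the 90-day window and the function names are assumptions constructed for illustration.

```python
import email
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample mailbox (not real data). The SSN uses area 000, which is never issued.
SAMPLE_MESSAGES = [
    "From: new.hire@example.com\nTo: hr@example.com\n"
    "Date: Mon, 05 Jan 2015 08:12:00 +0000\nSubject: Dependents\n\n"
    "My daughter's SSN is 000-12-3456.\n",
    "From: physician@example.org\nTo: colleague@example.org\n"
    "Date: Tue, 01 Dec 2015 09:30:00 +0000\nSubject: Patient DB access\n\n"
    "Patient database login: dbadmin / password: EXAMPLE-ONLY\n",
    "From: alice@example.com\nTo: bob@example.com\n"
    "Date: Wed, 09 Dec 2015 12:00:00 +0000\nSubject: Lunch\n\n"
    "Lunch on Friday?\n",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd|login)\s*[:=]\s*\S+")

def body_text(msg):
    """Join the decoded text/plain parts of a message (multipart, base64 and QP aware)."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def audit_mailbox(raw_messages, now, retention_days=90):
    """Return one finding per message that holds an SSN or a credential."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        text = body_text(msg)
        kinds = [name for name, rx in (("ssn", SSN_RE), ("credential", CRED_RE))
                 if rx.search(text)]
        if not kinds:
            continue
        age_days = (now - parsedate_to_datetime(msg["Date"])).days
        findings.append({"subject": msg["Subject"], "kinds": kinds,
                         "age_days": age_days, "overdue": age_days > retention_days})
    return findings

if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_MESSAGES, datetime(2015, 12, 15, tzinfo=timezone.utc)):
        print(f)
```

    Messages marked overdue are the ones a purge policy would already have removed; the rest are candidates for moving the sensitive content out of email.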

    How to Fight Back

    The good news is there’s no shortage of proven technologies and best practices for securing email and, in turn, all of the databases, networks, accounts and other things that those messages touch. These technologies and practices are applicable and effective in nearly every vertical, and in many cases, they’re becoming must-haves to ensure compliance with laws such as HIPAA and SEC regulations.

    Encryption should be at the top of the list. It’s ironic: organizations typically back up their email servers because they recognize that the information they contain is so important to their operations, yet they frequently don’t go a step further to encrypt that valuable data.

    Ideally that encryption should be applied end to end: when messages are in transit and when at rest on servers and devices such as desktops and laptops. Don’t overlook tablets and smartphones, which are the preferred, or sometimes only, devices that employees use for email. In fact, the proliferation of mobile devices in the workplace exponentially increases the need for technologies such as encryption. One reason is that, unlike desktops, tablets and smartphones are portable and thus easily lost or stolen. On-device encryption secures the messages they store.

    Organizations also should look for mobile device management (MDM) platforms that can remotely lock and erase lost and stolen phones and tablets, as well as enforce security policies. For example, when employees open an email attachment on their mobile device, that document often is then stored in RAM. An MDM platform could be used to enforce a policy that prevents email attachments from being stored on the smartphone or tablet so they can’t be accessed by someone who finds or steals the device.

    By minimizing the chances that email and other systems will be breached, an MDM platform can save organizations a significant amount of money, such as legal fees, compensation for affected customers and marketing to restore a sullied brand (or even to maintain brand status quo). Industry- and country-specific regulations can further increase an MDM platform’s ROI when it’s used to enable compliance. Two examples are financial services firms and health care providers that use MDM platforms to securely archive messages such as trade orders and prescriptions.

    No one wants someone else peering into their email. But without security, privacy cannot exist. By securing their email, organizations can provide the privacy that they and their employees want – and that hackers hate. Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

    Published with permission from ITProPortal.