It wasn’t pretty: those fairly recent credit card breaches at a few big-name retailers. As newsworthy as these were, they’re actually not the greatest risk for wealthy folks; a bigger foe is a money management firm lacking sufficient checks and balances.

Attack schemes:

Another type of attack can hit an organization hard: some cyber punk getting into your client’s e-mail account, then using the stolen information to rob money from the client’s financial accounts. E-mail related fraud is booming.

Perhaps the biggest scheme is when an employee gets an e-mail in which someone is requesting money—and urgently. Often, the employee is lured into clicking on a link inside the e-mail, and the end result is that the employee ultimately reveals personal data, allowing the system to get hacked.

Another common realm of infiltration is via unsecured public wireless networks, such as at an airport or hotel. Fraudsters will set up hot spots—fake, of course—that yield Internet access but will ensnare employee data.

Employees can also expose their accounts to hacking by using their e-mail address to log into their own financial accounts. This makes the job easier for cybercriminals.

Protect Your Business

Here are some ways to add protection:

  • Revamp how employees wire money for clients (one way to do this is to require that the recipient’s authenticity be verified with a phone call).
  • Clients should verify any and all wire transfers from their accounts.
  • If a client’s computer is not recognized or has an unfamiliar IP address, the client should be called with a code that completes the transaction.
  • Incorporate multifactor authentication in the login process and when transfers of any substantial amount are made.
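The four controls above can be written down as a pre-transfer checklist so a wire cannot go out until every required step has been recorded. The Python below is an added example, not code from the original post or from any firm it mentions; the dollar threshold, the five-minute code lifetime, the device and IP lists, and all names (`TransferRequest`, `ClientProfile`, `PhoneCodeStore`) are assumptions made for illustration. It also shows the phoned code handled the way a practitioner would want: generated from a CSPRNG, stored only as a hash, single use, time-limited, and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not from the post): the amount above
# which a second factor is required, and how long a phoned code stays valid.
SUBSTANTIAL_AMOUNT = 10_000
CODE_TTL_SECONDS = 300


@dataclass
class TransferRequest:
    client_id: str
    amount: float
    device_id: str
    source_ip: str
    recipient_verified_by_phone: bool = False   # employee called the recipient back
    client_confirmed: bool = False              # client confirmed this specific wire
    mfa_passed: bool = False                    # second factor completed


@dataclass
class ClientProfile:
    client_id: str
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)


def required_checks(req: TransferRequest, profile: ClientProfile) -> list:
    """Return the checks this wire still needs before any money moves."""
    missing = []
    if not req.recipient_verified_by_phone:
        missing.append("callback_recipient")          # verify the recipient by phone
    if not req.client_confirmed:
        missing.append("client_confirmation")         # client verifies every wire
    unfamiliar = (req.device_id not in profile.known_devices
                  or req.source_ip not in profile.known_ips)
    if unfamiliar:
        missing.append("phone_code_to_client")        # unrecognized computer or IP
    if req.amount >= SUBSTANTIAL_AMOUNT and not req.mfa_passed:
        missing.append("mfa")                         # substantial amount: second factor
    return missing


class PhoneCodeStore:
    """Issue one-time codes that are read to the client over the phone.

    Only a SHA-256 digest of each code is kept, each code is single use,
    expires after CODE_TTL_SECONDS, and is compared in constant time.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # transfer_id -> (hex digest of code, expiry timestamp)

    def issue(self, transfer_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[transfer_id] = (digest, self._now() + CODE_TTL_SECONDS)
        return code   # spoken to the client on a call-back, never e-mailed

    def verify(self, transfer_id: str, code: str) -> bool:
        entry = self._pending.pop(transfer_id, None)   # pop: a code is good once only
        if entry is None:
            return False
        digest, expires = entry
        if self._now() > expires:
            return False
        candidate = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    # Constructed sample: a known client wiring a large amount from a new laptop.
    profile = ClientProfile("client-42", {"laptop-a"}, {"203.0.113.5"})
    req = TransferRequest("client-42", 25_000, "laptop-b", "203.0.113.5")
    print("still required:", required_checks(req, profile))
```

A transfer is released only when `required_checks` returns an empty list; the unfamiliar-device branch is what triggers the call-back with a code, and the code store makes that code useless if it is intercepted late or replayed.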

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

With Wi-Fi, your data is literally in the air, up for grabs by anyone with the right tools. It needs protection from nearby users who may want to freeload off you (which can slow you down) or…hijack your accounts. You need encryption.

Especially when you’re connected in airports, hotels, coffee shops, etc., almost always the connection is not secure.

Wi-Fi Security Options

Varying security levels are provided by WEP, WPA and WPA2. WEP is not secure. WPA provides moderate protection. WPA2 is the best, though routers can be set to accept both WPA and WPA2 (mixed mode). Use the “personal mode” (for one or two users) of WPA/WPA2 with a long, non-dictionary-word passphrase.

For more than a few users, the “enterprise mode” is suitable, but requires a server. It has stronger security than personal, and each Wi-Fi user has his or her own password and username. Enterprise prevents snooping and hijacking among your organization’s employees.

Personal: To enable personal mode WPA2 on a wireless router, create a passphrase on the access points or the wireless router. Type the IP address of each AP or router into a web browser to log into its control panel. Find the wireless security settings, enable WPA2-Personal and set the encryption/cipher type. Create a long, non-dictionary-word passphrase, which is then required to connect to the Wi-Fi.

Enterprise: You need a RADIUS server to get WPA/WPA2-Enterprise going. A hosted service will set up the server if you can’t. Some APs have built-in RADIUS servers. After the RADIUS server is all set up, input a password (shared secret), etc., for each AP or router. Input usernames and PWs for your organization’s Wi-Fi users into the RADIUS server.

Configure each AP or router with authentication and security settings. Log into the control panel of each AP or router by typing its IP address. Find the wireless security settings and enable WPA2-Enterprise. Enter the RADIUS server’s IP address and input the password (shared secret). Users can now connect.
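The personal and enterprise setups above differ in only a handful of settings, which is easiest to see in the configuration itself. The Python below is an added example, not code from the original post or from any router vendor; it renders the two modes in hostapd’s configuration syntax (an assumption: the AP is hostapd-based, as many Linux-based routers are) and applies the post’s passphrase advice before emitting anything. The 20-character minimum, the tiny stand-in word list, and the function names are assumptions made for illustration.

```python
import secrets
import string

# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "company", "wireless", "internet"}
MIN_PASSPHRASE_LEN = 20   # assumption: well above the 8-character WPA2 minimum


def check_passphrase(passphrase: str) -> list:
    """Return the policy problems with a WPA2-Personal passphrase (empty list = acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2 passphrases must be 8 to 63 characters")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    lowered = passphrase.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    return problems


def generate_passphrase(length: int = 28) -> str:
    """Random passphrase from a CSPRNG; long and not a dictionary word by construction."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def wpa2_personal_config(ssid: str, passphrase: str) -> str:
    """hostapd settings for WPA2-Personal: one shared passphrase, AES (CCMP) only."""
    problems = check_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"ssid={ssid}",
        "wpa=2",                    # WPA2 only (wpa=3 would accept WPA and WPA2, mixed mode)
        "wpa_key_mgmt=WPA-PSK",     # personal mode: pre-shared passphrase
        "rsn_pairwise=CCMP",        # AES cipher; do not fall back to TKIP
        f"wpa_passphrase={passphrase}",
    ])


def wpa2_enterprise_config(ssid: str, radius_ip: str, shared_secret: str) -> str:
    """hostapd settings for WPA2-Enterprise: per-user logins checked by a RADIUS server."""
    if len(shared_secret) < 16:   # assumption: a short AP-to-RADIUS secret is a weak link
        raise ValueError("RADIUS shared secret too short")
    return "\n".join([
        f"ssid={ssid}",
        "wpa=2",
        "wpa_key_mgmt=WPA-EAP",     # enterprise mode: 802.1X, each user has own credentials
        "rsn_pairwise=CCMP",
        "ieee8021x=1",
        f"auth_server_addr={radius_ip}",            # the RADIUS server's IP address
        "auth_server_port=1812",
        f"auth_server_shared_secret={shared_secret}",   # the "password" entered on each AP
    ])


if __name__ == "__main__":
    print(wpa2_personal_config("OfficeWiFi", generate_passphrase()))
    print()
    # Constructed values: a RADIUS server on the LAN and a generated shared secret.
    print(wpa2_enterprise_config("OfficeWiFi", "192.0.2.10", generate_passphrase(32)))
```

Usernames and passwords for enterprise users live on the RADIUS server, not in this file; the only secret each AP holds is the shared secret it uses to talk to that server, which is why it is generated rather than typed.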


Your private information may not be safe with your own mortgage lender, even a small one, says cybersecurity firm HALOCK Security Labs. The leak may occur when data goes from applicant to lender.

Seventy percent of the 63 U.S. mortgage lenders that HALOCK investigated allowed applicants to send private and financial data (like tax documents) as e-mail attachments—over unencrypted e-mail. Seventy percent also promote faxing sensitive data—not nearly as secure as encryption.

While more than 40 percent provided a snail mail option, only 12 percent offered encryption. Several survey participants, when asked why they didn’t offer a secure e-mail portal, replied it was an issue of what the applicant was “most comfortable with.” (Certainly, who’d be comfortable with a leak of their most private information?)

While lenders place customer comfort ahead of security, they fail to realize that customers have been steadily losing confidence in their banks’ commitment to privacy.

Another consideration is whose comfort is really at issue? In a study, one former mortgage lender stated that it was a time hassle to explain to customers about secure portals; unprotected e-mail was quick and convenient.

But it’s well-worth the time to hassle with this, says security expert Graham Cluley. Regular e-mail, by definition, is non-secure.

There’s no shortage of methods to send e-mail securely. It’s just that they’re underutilized by organizations. Decision makers want to make things easy for customers, but this doesn’t have to be at the expense of their security.

Security measures that are customer-friendly exist. Bank customers demand security more than ever, even though they usually do not understand encryption. What bank wants a weak link in the form of a gaping hole through which customer data can leak? An ounce of prevention (secure portal log-in) is worth a pound of cure (identity theft).


Efforts to protect an organization’s information tend to go wrong in one of two ways: strong technology is deployed to protect too much trivial data, or important and sensitive data is inadequately protected.

In short, not enough attention is cast upon a company’s most important information; there’s a gap between the IT department and the operational units of the business.

A thorough risk assessment is warranted in these cases. Once all the risks are identified, strategies can be created by personnel to prioritize risk minimization. This is risk management.

Risk has several components: assets, threats and weaknesses. Businesses must address (risk-assess) all components—internally, rather than externally by outsourcing.

A risk assessment identifies all potential risks, then analyzes what might happen in the event of a hazard.

A BIA (business impact analysis) is the process by which potential impacts are determined that result from the impediment of critical business activities. With a BIA, the results of disrupted business processes (which can include losses or delayed deliveries, among many others) are predicted; information is collected to come up with recovery strategies.

The objective is to maximize cost/benefit: identify the most relevant risks and reduce them with minimal investment.

The strategy is to determine what risks this company may face in a given year (e.g., digitized information, reputation, paper documents, employee safety).

Next is to formulate a list of possible sources of threats (employees, hackers, customers and competitors, to name some) based on the experiences of many in the organization. There are also risk assessment plan guidelines online.

Next comes a risk assessment chart. A list of assets must be compiled (e.g., employees, machinery/equipment, IT, raw materials) in a left column. Then opposite each asset, put down its associated hazards that could yield an impact. Each hazard is broken down into high probability-low impact and low probability-high impact.

Review the impacts for vulnerabilities that may make the asset prone to a loss. Here you’ll find opportunities for threat prevention or mitigation. Probability of occurrence can be specified with L for low, M for medium, H for high.

Information from the BIA would go towards rating the impact on “Operations.” Make an “entity” column for estimations of potential impacts (e.g., financial, brand/reputation, contractual). “Overall Hazard Rating” combines “probability of occurrence” and the highest scoring that impacts operations, employees, property, etc.
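The chart described above (assets in the left column, hazards opposite each, L/M/H probability, impact columns fed by the BIA, and an overall rating combining probability with the highest impact) can be built in a few dozen lines. The Python below is an added example, not code from the original post; the numeric scoring (L/M/H as 1/2/3, overall rating = probability times the highest impact, banded back to L/M/H), the impact areas, and the sample hazards are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed scoring scheme (not from the post): L/M/H score 1/2/3, and the
# Overall Hazard Rating is probability x highest impact, banded back to L/M/H.
SCORE = {"L": 1, "M": 2, "H": 3}
IMPACT_AREAS = ("operations", "employees", "property", "financial", "reputation", "contractual")


@dataclass
class Hazard:
    asset: str
    hazard: str
    probability: str      # "L", "M" or "H"
    impacts: dict         # impact area -> "L", "M" or "H"; the BIA supplies "operations"

    def __post_init__(self):
        if self.probability not in SCORE:
            raise ValueError(f"{self.hazard}: probability must be L, M or H")
        for area, level in self.impacts.items():
            if area not in IMPACT_AREAS or level not in SCORE:
                raise ValueError(f"{self.hazard}: bad impact entry {area}={level}")


def overall_rating(h: Hazard) -> str:
    """Combine probability of occurrence with the single highest impact."""
    worst = max(SCORE[level] for level in h.impacts.values())
    score = SCORE[h.probability] * worst
    if score >= 6:       # M x H, H x M or H x H
        return "H"
    if score >= 3:       # L x H, H x L or M x M
        return "M"
    return "L"


def risk_chart(hazards) -> list:
    """One row per asset/hazard pair, highest overall rating first."""
    rows = []
    for h in hazards:
        highest = max(h.impacts, key=lambda area: SCORE[h.impacts[area]])
        rows.append({
            "asset": h.asset,
            "hazard": h.hazard,
            "probability": h.probability,
            "highest_impact": highest,
            "overall": overall_rating(h),
        })
    # Worst-rated hazards first so they get attention and budget first (cost/benefit).
    rows.sort(key=lambda r: (-SCORE[r["overall"]], -SCORE[r["probability"]], r["asset"]))
    return rows


# Constructed sample register; the assets and hazards are illustrative only.
SAMPLE_HAZARDS = [
    Hazard("client records (digital)", "ransomware", "M",
           {"operations": "H", "financial": "H", "reputation": "H"}),
    Hazard("paper documents", "office fire", "L",
           {"operations": "H", "property": "H", "employees": "M"}),
    Hazard("employees", "phishing e-mail", "H",
           {"operations": "M", "financial": "M"}),
    Hazard("IT equipment", "power outage", "M",
           {"operations": "L"}),
]


if __name__ == "__main__":
    for row in risk_chart(SAMPLE_HAZARDS):
        print(f"{row['overall']}  {row['asset']:<26} {row['hazard']:<16} "
              f"P={row['probability']}  worst impact={row['highest_impact']}")
```

The frequent, moderate hazard (phishing) and the rarer, severe one (ransomware) both land at the top, which is the point of combining probability with impact rather than ranking on either alone; the "do nothing" outcome the post warns about is simply the chart never being built.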

A worst case scenario? Do nothing. After all, a failure to plan is a planned failure.


Here are nine ways you can add a lot of security to your laptop when traveling.

  1. Bag it. Keep the laptop in a sturdy bag that’s specially designed for laptops. The sleeve should be well-padded and the bag TSA-compliant. The bag should be collapsible and expandable (depending on contents), and easy to wear near your body for extended periods.
  2. Don’t part with it. Pretend your laptop is a baby. In public, you wouldn’t leave your baby unattended while you went to the restroom or moved around in your location. Likewise, take your laptop with you wherever you go in public, even if it’s just one aisle over.
  3. Hang the “Do Not Disturb” sign. If you must leave your laptop in your hotel room when you’re out, put up the “Do Not Disturb” sign. The fewer people in your room, the less likely your laptop will be stolen. You can also put the laptop in the hotel’s safe, though that’s no guarantee of security, either.
  4. Use a cable lock. Though a persistent thief won’t be deterred by this in a setting where nobody will notice him, it can indeed keep him at bay if the laptop is in a busy public place. Find out if your company provides cable locks. Otherwise, you can purchase them online.
  5. Software leash. A stolen or misplaced laptop can be located with software. For best results in the event your laptop gets stolen or lost, register with one of these anti-theft tracking services prior to your trip. MyLaptopGPS is good.
  6. Don’t be nice. Yes, don’t be nice enough to let a stranger use your laptop.
  7. Use a VPN. VPN stands for virtual private network, and it’s very effective at providing data security when you use a laptop in public (airport, coffee house, hotel) where the network is open season all season for hackers. You’ll be protected when you’re on any site. Ask if your company can give you a VPN when you travel. Use Hotspot Shield.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Many executives are concerned about social media related risks (e.g., data security and ID theft), but far fewer actually have any social media training.

A recent survey of executives puts the concerns into four categories: disclosure of confidential information; damaged brand reputation; ID theft; and legal and compliance violations.

Another feature that the survey unveiled was that 71 percent of the participants believed that their company was worried about potential risks, but they also thought these risks could be avoided or resolved.

Over half the respondents said that their company lacked any social media risk assessment strategy.

Here’s another striking finding: 33 percent of businesses had a social media policy; 27 percent of participants reported no such policy; and the remaining 40 percent consisted of an even split: those who said their company was planning on creating such a policy, and those who said their organization had some other related policy.

Solutions

While social media can bring benefits to businesses, namely in the realm of marketing exposure, they can also bring in lots of trouble as far as security issues.

How can companies find the right balance between the two extremes of banning social media altogether and allowing free rein to social media? Below are some solutions.

#1. Ban the ban. First of all, don’t outright ban access to social media. Otherwise, this can lead to other security issues. Furthermore, an employee who really wants to gain access to social media will dodge security, making the organization more susceptible.

#2. Execute policies. Do implement some kind of structure that regulates employee activity regarding social media. Employees need guidelines for proper use, which would also include what not to do.

#3. Social networks should be limited. There are hundreds of social networks—many uses are served, ranging from movies to music. But there are other uses that are not so innocent and less secure. Learn about these and make sure employees know not to go near them.

#4. No default settings. Default settings typically leave networks very vulnerable to attack. Settings should be locked down; most social networks do provide privacy settings and these must be managed at the highest level.

#5. URL lengthening service. Employees should never click on a shortened URL without first decoding it to see where it leads. Shortened URLs can be pasted into a URL lengthening service.
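A URL lengthening service does nothing more than follow the redirect chain one hop at a time without rendering any of the pages, and an organization can run the same check itself. The Python below is an added example, not code from the original post or from any lengthening service; it resolves a short link hop by hop, stops at a loop, a hop limit, or a redirect to a non-http scheme, and returns the whole chain so the final destination can be shown to the employee before anyone clicks. The constructed `FAKE_RESPONSES` map stands in for real shortener replies so the example runs offline; `http_fetch_location` is the live equivalent.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10   # assumption: a legitimate short link rarely needs more than a few hops
REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is inspected here."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch_location(url: str, timeout: float = 5.0):
    """Live fetcher: HEAD the URL and return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # 3xx surfaces here once redirects are off
        return err.code, err.headers.get("Location")


def expand_url(short_url: str, fetch=http_fetch_location, max_hops: int = MAX_HOPS) -> list:
    """Return the redirect chain from short_url to its final destination.

    Raises ValueError on a redirect loop, too many hops, or a hop to a
    non-http(s) scheme, so the caller never has to guess what happened.
    """
    chain = [short_url]
    current = short_url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain                         # final page (or an error page) reached
        nxt = urljoin(current, location)         # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            raise ValueError(f"refusing non-http redirect target: {nxt}")
        if nxt in chain:
            raise ValueError("redirect loop")
        chain.append(nxt)
        current = nxt
    raise ValueError("too many redirects")


# Constructed redirect map standing in for shortener and tracker responses.
FAKE_RESPONSES = {
    "https://short.example/abc": (301, "https://tracker.example/r?id=1"),
    "https://tracker.example/r?id=1": (302, "/landing"),
    "https://tracker.example/landing": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop"),
    "https://short.example/ftp": (302, "ftp://files.example/drop"),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain = expand_url("https://short.example/abc", fetch=fake_fetch)
    print(" -> ".join(chain))
    print("final destination:", chain[-1])
```

Showing the whole chain, not just the last URL, matters: an intermediate tracker or unexpected domain is itself something the employee should be able to see before deciding whether to proceed.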

#6. Train IT personnel. Don’t effectuate policies from the bottom up, but rather, from the top on down. Those in charge of managing technology need to be fully briefed on the risks of social media.

#7. Keep security updated. A business network always needs to be up to date with its security.


Would you reasonably expect success when attempting to drive cross country in a 1975 Pinto with bald tires, no brakes, dried and cracked belts and already 250k on the motor? You might if you didn’t stop and think about things.

The same is true of an individual or a business who’s still using a Windows XP operating system on devices that have even 1 megabyte of sensitive data. You cannot reasonably expect security with one of the most hacked operating systems in existence.

But I digress. Fret not, there’s temporary hope yet for Windows XP procrastinators: Microsoft is extending support into 2015. It was previously believed that April 8, 2014 was the end of the world for support for MS Security Essentials, System Center Endpoint Protection, Forefront Endpoint Protection and Forefront Client Security.

This meant that on that date, new malware signatures plus engine updates to XP users would cease, even though updates for the same software that was running on Windows Vista would continue to be provided.

However, a recent blog post by Microsoft’s Malware Protection Center notes that XP users will continue receiving support—but it won’t last long: July 14, 2015 will be here before business owners know it.

With hackers swarming in like killer bees, knowing that XP’s support days are limited, XP users must stay on high alert for attacks. Thieves can even use new security updates for Windows Vista (and later) as a guide to hacking into systems running XP, since a fix published for the newer systems points at a flaw XP still has.

Anti-malware solutions aren’t very effective on operating systems that lack support, and hackers know this. But more alarming is that fewer users, including business owners, are ready to accept this or even have a clue about it.

After all, it’s estimated that almost 30 percent of all the personal computers across the world are using Windows XP. Business owners and other decision makers of organizations must not underestimate just how risky it is to cling onto an old favorite rather than promptly switch to a new system that has stronger support.


Most information technology (IT) experts are very much unnerved by cyber criminals, says the biggest study involving surveys of IT professionals in mid-sized businesses.

  • 87% send data to cloud accounts or personal e-mail.
  • 58% have sent data to the wrong individual.
  • Over 50% have confessed to taking company data with them upon leaving a post.
  • 60% rated their company a “C” or worse for preparation to fight a cyber threat.

Here is an executive summary and a full report of the survey’s results.

A second study also revealed high anxiety among mid-size business IT professionals.

  • Over 50% of those surveyed expressed serious concern over employees bringing malware into an organization: 56% for personal webmail and 58% for web browsing.
  • 74% noted that their organization’s networks had been infiltrated by malware that was brought in by web surfing; and 64% via e-mail—all in the past 12 months.

The above study is supported by this study.

  • 60% of respondents believed that the greatest risk was employee carelessness.
  • 44% cited low priority given to security issues in the form of junior IT managers being given responsibility for security decisions.

The first (biggest) study above showed that about 50% of C-level management actually admitted that it was their responsibility to take the helm of improving security.

And about half of lower level employees believed that IT security staff should take the responsibility—and that they themselves, along with higher management, should be exempt.

The survey size in these studies was rather small. How a question is worded can also influence the appearance of findings. Nevertheless, a common thread seems to have surfaced: universal concern, and universal passing the buck. It’s kind of like littering the workplace but then thinking, “Oh, no problem, the custodian will mop it up.”

  • People are failing to appreciate the risk of leaving personal data on work systems.
  • They aren’t getting the memo that bringing sensitive data home to personal devices is risky.
  • Web browsing, social sharing and e-mail activities aren’t being done judiciously enough—giving rise to phishing-based invasions.

IT professionals are only as good as their weakest link: the rest of the employees who refuse to play a role in company security will bring down the ship.
