Are Your Employees Your Largest Cybersecurity Risk?

No matter how much money a business invests in cybersecurity, technology is only part of the puzzle. Even with new hardware, updated software and the best IT support team, cybersecurity is an ongoing commitment. It must be on the mind of every employee every hour of every day.

A Chain Is Only As Strong As Its Weakest Link.

This idiom is attributed to Thomas Reid, who wrote “Essays on the Intellectual Powers of Man” in 1786. It first appeared in print in 1868 in the Cornhill Magazine. Simply put, it means that a group of people can only be as strong or successful as its weakest or least successful member.

Email is a favored method of cybercriminals – it is used to transmit ransomware, viruses and other harmful software.

 

Each email that an employee opens represents a potential cybersecurity threat. It only takes one employee opening one malicious email to expose your business to a cyber-attack, so an effective cybersecurity solution needs a continuous, ongoing employee awareness program.

Employees come and go – make sure that critical passwords are changed when an employee leaves. Be sure that new hires understand your cybersecurity policies and know to whom they should report potential risks.

What Can Businesses Do to Ensure Employees Don’t Pose a Security Risk?

First, ensure that you have a firewall, up-to-date anti-virus software and a spam filter. Always make sure that every new computer, laptop or tablet is up-to-date on these items before it is given to an employee.

Email 101. Teach email safety. These simple questions will help employees evaluate emails that originate from unknown senders.

  • Who is this email from? Virtually every email should be originating from a fellow employee, a supplier or a customer.
  • Why am I getting this email? Emails should relate to an employee’s job description.
  • Are attachments safe to open? Have you taught your employees how to decide what types of files are safe to open?
  • Does an email threaten to cancel a credit card or close an account if you don’t pay money? Employees need to understand this might be ransomware.
  • Is an email really from someone known? Teach employees how to spot suspicious “look-alike” email addresses.
  • Does anything just not seem right about an email? Neither the IRS nor the FBI sends emails to employees.
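One way a security team can back up the “look-alike address” question above with a technical control, as an added example that is not from the original article: a small Python script that flags sender domains imitating an allowlist of trusted domains. The allowlist (TRUSTED_DOMAINS), the sample addresses and all function names are constructed assumptions for illustration.

```python
"""Flag sender domains that imitate a known partner or company domain.

Added example illustrating the "look-alike email address" check; it is not
part of the original article. The trusted-domain allowlist and the sample
addresses are constructed for illustration (hypothetical names).
"""
import re
import unicodedata

# Constructed allowlist: domains the business genuinely exchanges mail with.
TRUSTED_DOMAINS = {"ourcompany.com", "example-supplier.com", "example-customer.org"}

# Digits and symbols that are routinely swapped for letters in look-alike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case, strip accents, and fold common character substitutions."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.replace("rn", "m").replace("vv", "w")  # 'rn' reads as 'm', 'vv' as 'w'
    return d.translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute); catches typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host' ('' if none)."""
    m = re.search(r"@([^\s>@]+)", address)
    return m.group(1).lower() if m else ""


def classify(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address.

    'lookalike' covers four tricks: character substitution (ourc0mpany.com),
    a trusted name used as a sub-label (ourcompany.com.mail-login.net),
    a hyphenated extension (ourcompany-secure.com) and small typos or a
    swapped top-level domain (ourcompny.com, ourcompany.net).
    """
    dom = sender_domain(address)
    if not dom:
        return "unknown"
    # Exact allowlist hit, or a genuine subdomain of an allowlisted domain.
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(dom)
    labels = norm.split(".")
    registrable = labels[-2] if len(labels) >= 2 else norm  # label before the TLD
    for t in trusted:
        tn = normalize(t)
        if norm == tn or norm.endswith("." + tn):
            return "lookalike"  # identical only after folding homoglyphs/accents
        brand = tn.split(".")[0]
        if brand in labels[:-1] and registrable != brand:
            return "lookalike"  # trusted name buried as a sub-label
        if brand in registrable and registrable != brand:
            return "lookalike"  # e.g. ourcompany-secure.com
        # Short brand names need a tighter threshold to avoid false positives.
        threshold = 1 if len(brand) < 6 else 2
        if levenshtein(registrable, brand) <= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as an employee might see them in an inbox.
    for sample in ("Jane <jane@ourcompany.com>", "it@mail.ourcompany.com",
                   "billing@ourc0mpany.com", "ceo@ourcompany.com.mail-login.net",
                   "hr@ourcompny.com", "news@totally-different.net"):
        print(f"{classify(sample):9s} {sample}")
```

Run as a mail-gateway rule or a help-desk triage aid, it turns the “does this address look right?” question into a repeatable check that also catches subdomains of trusted partners as genuine.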

 

Continuing Education for your Employees. People are people, and they forget. Employees need ongoing training about email safety. Keep the training short and engaging to hold their attention.

  • Weekly mini sessions – perhaps by department.
  • Utilize a speaker from your IT provider.
  • Weekly email “Cybersecurity Tip of the Week.”
  • Share actual case studies (specific to your industry is ideal).
  • Monthly E-newsletter – could be part of your IT partner’s service.
  • Simulated phishing attack conducted by your IT partner.

 

The Power of Human Error

In spite of educating your employees, human error accounts for almost 50 percent of data breaches. The accidental loss of a device or a misplaced document may be the cause of a severe security breach. Shred-It vice president Monu Kalsi observes that the smallest bad habits may result in substantial security risks. Examples include:

  • Leaving a work computer unsecured while on break or in a meeting.
  • Leaving sensitive documents out on a desk overnight.
  • Accidentally leaving sensitive documents on an airplane (the Homeland Security Super Bowl debacle).
  • Leaving sensitive documents within view of others in a public space.
  • Using public Wi-Fi.
  • Sharing company-issued computer with family or friends.

 

Draft a written policy and provide it to each employee who works remotely, whether from home or while traveling.

Another potential source of human error is sub-contractors or vendors who have access to your facilities and/or employees. The Shred-It study showed that 20-25 percent of security breaches were caused by vendors. Ensure that when a vendor relationship ends, all ties are severed – change codes for keyed entrances when there is a vendor change.

 

Attention to small details may save your company lots of money.

The Bottom Line …

Employees are human. They make mistakes or commit errors in judgment. They also forget. Invest in updates for firewalls, security software and well-trained IT personnel. Regular cybersecurity training for your employees protects your business from damaging cyber-attacks.

 

  • Update policies. Incorporate a clean desk policy to prevent unauthorized copying or theft of critical documents. Develop and institute a vendor policy and a remote employee policy.
  • Go paperless whenever possible. Invest in technology that scans essential documents into PDFs that are emailed to the owner of the document. Shred the document immediately after scanning.
  • Hard drive disposal. Destroy obsolete hard drives. Never throw them away, because even deleted information can be retrieved by smart cybercriminals.
  • Lost device policy. Designate someone whom employees can notify immediately if equipment is lost or stolen.

Cape Cod Community College Hit With $800,000 Phishing Attack

Hackers Know How to Steal Money Anonymously

In West Barnstable, Massachusetts, Cape Cod Community College recently fell victim to a phishing scam that resulted in the school losing more than $800,000. The money was taken out of the school’s bank accounts. While this kind of scam is common these days, there are measures a business can take to prevent it. In the case of Cape Cod Community College, experts believe endpoint security solutions using next-generation technology would have prevented the monetary loss for the school.

 

 

The hackers of today are quite sophisticated, and if a business falls victim to one of their scams, there is often very little it can do about it. Hackers know how to remain anonymous and leave few, if any, digital footprints to follow. This means the likelihood of recovering one’s money is little to none. That is why it is so vital to prevent these things before they happen by using proper technology.

The president of Cape Cod Community College, John Cox, revealed the financial loss via a digital theft to the staff and faculty of the school in an email on December 7. By working with the bank at which the school’s accounts were held, the school has been able to recover about $300,000 of what was stolen, which is more than most smaller businesses would be able to do. It is unlikely they will be able to recover the entire $800,000, but they might be able to get some more of the money back by working closely with the bank, as they are doing.

 

Details of the Digital Theft

Cox gave an interview with a local newspaper after informing the workers at the college of the theft. In the interview, he revealed many interesting details about the theft, including:

  • The email that allowed hackers access to the school’s bank account information appeared to come from another college, so it seemed safe to open the attachment that came with it.
  • After opening the attachment, the person who initially opened the email believed the attachment was suspicious and alerted the school’s IT department. Alerting the IT department is standard protocol at the school when it comes to suspicious emails and attachments.
  • When the IT department did a diagnostic on the attachment, they found a polymorphic computer virus embedded in it. They quarantined the virus, but it had already gotten into the school’s computer network.
  • The scammers had a fake URL that seemed to go to TD Bank, where the college has its accounts. By placing phony calls to school employees to validate transactions, the scammers were able to make nine transfers out of the college’s bank accounts, totaling $807,103.
  • The scammers attempted 12 transfers, but workers at TD Bank recognized three of them as suspicious and did not allow them to go through.
  • Cape Cod Community College has recently installed next-generation endpoint protection software, but only on some of their computer networks. If it had been installed on all of them, the hackers likely would not have been able to gain access to the school’s bank account information and use it to transfer out the money.

Other Schools Have Had This Issue, As Well

Cape Cod Community College is not the only school to have this kind of issue in recent times. In June of 2018, hackers stole around $1.4 million from 21 account holders in the Connecticut Higher Education Trust.

Hackers are not just after money, either. They are out to cripple the schools they target. Sometimes, they don’t steal any money at all, but instead, generate outages of the computers at a particular school. This happened to a college in Wisconsin in June of 2018, and it resulted in classes having to be canceled for three days because the computer infrastructure to support the classes, students, and employees wasn’t there.

It hasn’t just been colleges being targeted, either. K-12 schools are also targets. A public K-12 school in New Jersey lost $200,000 in September of 2018 in a phishing incident similar to the one experienced at Cape Cod Community College.

Technology Companies are Stepping Up to Help Prevent This

Technology companies are stepping up in light of such incidents, creating phishing simulators to help schools teach their employees to avoid allowing their workplaces to become the next phishing victims. They are also reaching out to schools to increase awareness of the need for next-generation endpoint protection software, and to help schools install and use it.

Is Your Tech Firm Conducting Quarterly Technology Reviews?

No matter the line of business you’re in, outsourcing your IT services to a managed service provider (MSP) provides a world of benefits. Both your internal systems and your online presence will be optimized and streamlined, tech problems will be taken care of right away, and you’ll have more time to focus on what matters.

Aside from providing excellent customer care and competency in their field, great MSPs employ the best IT experts, are there for you when you need them, stay up-to-date on new technology, and … they do one other important thing.

They conduct Quarterly Technology Reviews.

What are Quarterly Technology Reviews?

Quarterly Technology Reviews, or QTRs, are meetings your IT services company regularly conducts with you to assess the effectiveness of your current tech investments and of your managed service provider itself.

 

A QTR occurs quarterly or four times per year, and it’s up to your MSP to book the appointment; you shouldn’t have to. When you see that your MSP is taking the initiative with QTRs, it’s a great sign that you’re working with a leading company. At a QTR meeting, you’ll be able to provide feedback to your MSP about the service they’ve been providing and the technology you’ve been investing in.

What are the specific benefits of a Quarterly Technology Review?

For you, the client, the benefits of QTRs are numerous. You’ll have an open platform to discuss any bugs or issues you’ve been having with your technology or possible problems with computer systems, email, the website, etc. Just remember that for immediate problems, you shouldn’t wait for the QTR and should merely contact your MSP right away — that’s what they’re there for.

In the end, if your MSP conducts QTRs with you, your business will see the following benefits:

  • Improved current technologies and/or the implementation of new systems where needed
  • Saved money when you limit spending where it’s not required
  • Enhanced compliance with regulations and security
  • Improved productivity
  • Streamlined efficiency

For your MSP, the most significant benefit of Quarterly Technology Reviews is showing you that they care and are monitoring your success. This goes a long way in maintaining their clientele.

QTRs also allow a tech firm or MSP to highlight your company’s return on investment or ROI (your investment being them, for the most part). As a client, they want you to be alerted to the fact that their company cares about you and that their services are worth it. Whether there are problems to fix at a QTR meeting or not, your MSP wants to reiterate that you need them.

This isn’t necessarily a bad thing for you, the client. After all, you hired them and are paying them for their services. Allow them to show off for you, and don’t be hesitant about voicing any issues you have so that they can be fixed quickly. A tech firm who conducts QTRs with you wants to keep you as a client.

 

When will your first QTR meeting be as a new client?

Naturally, as a new client, you won’t have a quarterly technology review right away.

Even after a few months post-contract signing, there just won’t be enough time to verify that your new systems, technologies, and other implementations are working correctly and providing you with the necessary benefits.

Therefore, your MSP will likely schedule your first QTR for at least 90 days after you go live.

But keep in mind that your MSP shouldn’t wait too long to conduct your first QTR. After all, the first review meeting is the most important because most problems will have become evident at this time.

While you can certainly contact your MSP right away whenever you need them throughout the first 90 days, as a client, it’s likely you’ll feel better bringing up issues in a formal meeting — especially when the problems are rather large or pervade several types of technology.

You want to know that your MSP is on the ball and ready to ameliorate any issues right away.

Where are most QTRs held?

In a perfect world, you’d meet one-on-one, face-to-face with your MSP for your quarterly technology review. However, this won’t necessarily be possible, and that’s probably okay.

After all, if your MSP has numerous clients and is conducting QTRs with everyone, they would always be at QTR meetings. And on your end, too, you’ve got work to do and may not have time to schedule formal sit-down meetings four times a year — just to check in on technology that’s already been established and working.

Instead, it’s likely your first QTR will be face-to-face, if possible. If you’re a large client, your MSP should definitely make this effort. After that, however, most QTRs are held via video or phone conference.

In the end, Quarterly Technology Reviews remain one of the absolute best ways to stay in touch with your MSP about the efficacy and benefits of your current technological investments. As you search for a high-quality managed service provider in your area, be sure to ask about QTRs. Those companies who provide them are likely to take a better interest in their clients’ success — and that means good things for you.

FTC Issues Warning After Marriott Data Breach

In late 2018, the Federal Trade Commission (FTC) issued a stark warning about a massive data breach at a Marriott chain that exposed the records of 500 million people.

The latest major corporate breach reinforces the need for companies to invest in multilayered security protocols that protect networks, devices and users.

 

What Happened at Marriott?

Marriott International reported that a breach of its Starwood guest reservation system exposed personal information on millions of people. Hackers gained access to highly sensitive data, including names, physical addresses, email addresses, phone numbers, gender, and loyalty program data. Among the most potentially damaging information taken were passport numbers, dates of birth and payment card numbers and expiration dates. While the payment card data was encrypted, the company did not know if the hackers had also stolen the technology needed to decrypt that information.

The breach began in 2014 and could affect anyone who made a reservation on or before September 10, 2018, at any of the Starwood brands, which comprise Le Meridien Hotels and Resorts, Sheraton Hotels and Resorts, St. Regis, W Hotels and Westin Hotels and Resorts.

How Did Marriott and the FTC Respond?

Marriott sent an email to warn those who may have been affected by the breach. However, the company ran into some criticism in its response, too.

The emails came from a third party and not the chain itself. The domain, email-marriott.com, doesn’t load and has no HTTPS certificate identifying it as Marriott’s. That could let other hackers spoof the email and pretend they’re Marriott, duping consumers out of more personal information.

The company has offered a year’s worth of free internet site monitoring that generates an alert if evidence of a consumer’s personal information is found. However, the service is not available in all countries. U.S. consumers also can obtain free fraud consulting and reimbursement coverage.

The FTC encouraged consumers to check their credit reports and credit card statements for accounts or activity that’s not recognized. The agency also suggested placing a fraud alert or freeze on their credit reports.

What Can Companies Do To Prevent These Issues?

To ensure that your systems and networks are protected adequately from such intrusions, it’s wise to invest in a comprehensive assessment of your existing security defenses. An experienced IT services provider can assist with this assessment and recommend improvements to shore up areas that are lacking.

Today’s companies need a blanket of protections on several levels, including:

  • Network Perimeters. Advanced firewalls block your network’s perimeter and issue alerts when suspicious activity is detected. With 24/7 automated monitoring in place, companies can be confident that unusual behavior is identified, contained and addressed before significant harm can be done.
  • Devices. Every device on your network needs to be protected with advanced anti-virus, anti-spam and anti-phishing detection systems. These applications should run continuously in the background and be updated automatically to address emergent threats. By quarantining suspicious emails, these tools help prevent users from unwittingly providing access to bad actors.
  • Authentication. Companies are increasingly using multi-factor authentication protocols to safeguard access. Multi-factor authentication, for example, may involve completing additional steps after entering a password, such as typing in a code texted to a registered mobile device or clicking on an email link. While these protections may be a minor annoyance to some users, if a device is stolen or lost, the procedures can keep access protected.
  • Cloud Backups. Storing data and applications in the cloud helps keep your critical information protected. Cloud providers and managed IT services companies use both digital and physical safeguards to make sure that data is encrypted and accessible in a moment of need.
  • Business Continuity. When a natural disaster or hack occurs, your operations can be offline for days or weeks unless you’ve planned ahead. Business continuity planning allows your company to develop the protocols and procedures that will be deployed during and after a disaster. This planning involves identifying the people and responsibilities to manage these events, developing risk assessments, testing the responses and making adjustments as necessary.

This broad approach to security helps minimize the likelihood of a Marriott-level incident damaging your company’s business and reputation.

If You Don’t Think Cybersecurity Is Crucial – Listen To This

Small and mid-sized companies have a tendency to operate under the assumption that hackers target only larger operations. The misconception rests on a simple logic: that these criminals go after the breaches that reap the highest possible reward. Nothing could be further from the truth.

 

Check out what Robert Herjavec and Scott Schober have to say on Cybersecurity.

While hacks into the Democratic National Committee and Equifax make big headlines, the majority of cyber attacks are carried out on smaller, vulnerable systems. Most hackers merely look for the low hanging fruit. If your small or mid-sized company has modestly valuable data and lacks top-tier cybersecurity, you are that low hanging fruit.

 

By 2020, upwards of 6 billion people globally and 283 million Americans are expected to utilize the Internet. That means businesses of every level will be fully engaged, and it only takes two miscreants on another continent to breach your security.

Cybercrime has already reportedly outpaced the combined profits of all the major drug cartels in the world at $6 trillion annually. Unlike vast criminal organizations, two computer whizzes with laptops thousands of miles away can extract sensitive information without a company even knowing until it’s too late.

These days, stealing credit card info is not among the highest priorities. Cybercriminals have discovered that personal and personnel information can yield significant paydays. If you still don’t think cybersecurity ranks among the highest priorities for small and mid-sized companies, just listen to this.

 

Hacks Are Often Inside Jobs

It may seem counterintuitive, but a company’s most significant cyber threat can be found among its most valued employees. Staff members are not generally acting in a nefarious fashion. In fact, loyal employees are often just that, loyal. But a pervasive attitude exists in workplaces that checking personal social media and using various non-work-related apps and platforms is both allowable and safe.

According to cybersecurity experts, upwards of 93 percent of all breaches that are investigated thoroughly trace back to an employee. Although that person is generally not the so-called “inside man” or “inside woman” in the sense of criminal intent, their nonchalant attitude about checking personal sites exposed the small or mid-sized organization to a massive data breach.

Many are merely duped by phishing scams or inadvertently infect a business system with malware. This can occur by syncing an unsecured device, moving data back and forth between home and work on a USB drive, or surfing the Internet, among other security missteps. While many business decision-makers believe their data is not at risk, it takes a cybersecurity professional to build a company-specific “human firewall” that reduces internal threats through actionable policies and training.

 

Small And Mid-Sized Organizations Held Hostage Every Day

No Third World drug cartel can compare to the volume of theft carried out by small-time hackers. Ransomware remains the top malicious software and ranks among the most lucrative types of cyberattack. This variety of malware penetrates business systems in disguise, often using encryption to conceal itself. Once inside a business’ network, it quickly encrypts critical data and makes everything inaccessible to the organization.

The name “ransomware” is earned by what comes after. A victimized organization will likely get a notice to pay a certain amount — often in bitcoin — for a decryption key that allows it to restore access to its own files. This hostage situation often proves fruitful for the cybercriminal because paying up appears to be in the company’s best financial interest. Sadly, too many business leaders only move forward with advanced cybersecurity after suffering this feeling of helplessness and humiliation.

 

Underachieving Cybersecurity Protocols Prove Costly

A Verizon Data Breach Report reportedly concluded that upwards of 60 percent of all incursions during 2016 could be attributed to outside forces. These data breaches were considered instances of “hacking” by a third party’s intent to circumvent existing security measures. Hackers tend to seek out a company’s weakest cyber defense points to gain access.

In essence, this follows the adage that a chain is only as strong as its weakest link. Among the more notable instances of a weak-link failure was JP Morgan’s massive breach in 2014. Despite having a top-tier cybersecurity team in place, a single server was missed during a password update. That single under-protected server resulted in what was ranked among the top 10 worst cyber thefts in history. Approximately 83 million household and business accounts were reportedly impacted at a whopping $100 million.

While this level of cyber theft makes mainstream media headlines, hackers tend to have greater success penetrating smaller companies with far less sophisticated cyber security systems. The basic criminal business model relies on volume, not occasional massive paydays. Think about it this way. The Brinks Job made bank-robbing history in 1950, but stick-up men knock off liquor stores every day.

 

Unpatched Security Bugs Attract Cybercrime Infestations

One of the more prevalent methods used by a hacker is to infiltrate your system in plain sight. Cyber thieves often use well-known software deficiencies, commonly called bugs, as a type of cracked door.

When software companies send out routine fixes such as patches, users have the option of making this repair. But when a system appears to be functioning appropriately, a small or mid-sized business may discard the effort as more of a nuisance than anything else. That could prove to be a fatal data breach mistake.

When systems linger unpatched, hackers may be quick to seize on specific vulnerabilities and infiltrate a company’s network. It’s important to understand that cybersecurity only seems like another time-consuming task that detracts from company goals. Anyone who uses computers, devices, software or accesses the Internet is inherently in the cybersecurity business. Without adequate cybersecurity systems, policies and protocols in place, the entire organization remains at risk.

 

Data Breach Threats Represent A Clear And Present Danger

If you remain unconvinced about how crucial cybersecurity is to your business’ integrity, consider these telling facts. The U.S. government has placed the most significant emphasis on increasing only two areas of the military budget — special ops and cybersecurity.

Today, a person’s electronic medical records are more valuable than credit card information on the dark web. And electronic ransoms are the fastest-growing cybercrime, expected to occur every 14 seconds by 2020. The question is no longer if a sub-par system will be hacked, it’s when.

DHS/FBI Issue Critical Alert: SamSam Ransomware

The FBI and Department of Homeland Security (DHS) have issued a vital ransomware alert for the SamSam ransomware, also known as MSIL/Samas.A.

The FBI and DHS alert, issued on November 3rd, 2018, describes how hackers armed with SamSam ransomware have targeted multiple industries, including some within critical infrastructure. Those victimized by SamSam have been located predominantly in the United States, although some international attacks have also occurred.

This alert comes a few days after the Justice Department charged two Iranians as the masterminds behind the recent SamSam ransomware attacks.

Read more about this critical FBI and DHS warning.


Stay tuned to our blog for more information.

Marriott 500 Million Person Data Breach (Questions/Answers)

 

How Marriott Got Caught In A 500-Million Person Data Breach

Were You Affected? (Your Questions Answered)

What Do We Need To Know About The Marriott Breach?

Another big corporation got hooked. This time it was Marriott International. They just revealed that their Starwood reservations database of 500 million customers was hacked and that the personal information of up to 327 million guests was stolen. And, this has been going on since 2014!

 

How Did This Happen?

  • On September 8, 2018, Marriott was alerted about an attempt to access the Starwood guest reservation database.
  • They contacted leading security experts to help them determine what occurred. Marriott said that the hacker copied, encrypted and removed their customers’ data.
  • On November 19, 2018, Marriott was able to decrypt the data and learned that it was from the Starwood guest reservation database.

Marriott acknowledged that the encryption security keys for this data may have fallen into the hands of hackers. This allowed them to access the massive amount of data. Secure systems lock up data and should store the encryption keys in a location that’s separate from the confidential information.

Some good questions to ask here are:

“How did the criminals get Marriott’s encryption keys?”

“Why did it take so long for Marriott to reveal the breach?” They learned about it in September, which is over two months ago.

And, this was a 4-year long breach! “Why didn’t Marriott know that their customers’ data was being stolen over this long period?”

Maybe we’ll find out the answers to these questions, and perhaps not. What’s for sure is that you are on your own when it comes to protecting your confidential data.

 

How Do I Know If My Data Was Stolen?

If you are a Starwood Preferred Guest member and your data was stored in the Starwood property’s database (which includes Sheraton, Westin and St. Regis hotels, among others), you need to be on alert.

As mentioned, this data breach goes all the way back to 2014 and includes names, passport numbers, email addresses and payment information for approximately 327 million travelers – a “big catch” for any hacker. Even your date of birth, gender, reservation dates and communication preferences may be included in the breach.

Should I Contact Marriott?

Marriott set up a website and call center for customers who were impacted by the data breach. Email notifications are also being rolled out.

Marriott is also offering affected customers the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if your personal information is found. If you live in the U.S., you’ll also be offered fraud consulting services.

What Else Should I Do?

If your data was stolen, watch for signs of identity theft. Also watch for phishing emails, in which hackers impersonate someone you trust to take information or money from you.

Arrange For Security Awareness Training For Your Employees

If your business data was involved, make sure that you arrange for Security Awareness Training for your employees to train them to recognize phishing attempts. This includes:

  • Baseline Testing to assess the Phish-prone percentage of your employees through a free simulated phishing attack.
  • Training For Your Users with content that includes interactive modules, videos, games, posters, and newsletters.
  • Simulated Phishing Attacks that utilize best-in-class, fully automated, simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
  • Reports with statistics and graphs for both training and phishing for your management to review.

 

Whether your business was involved in the breach or not, Security Awareness Training for your employees is always a good idea.

 

Another good idea is to sign up for Dark Web Scanning Services.

 

Get Dark Web Scanning For Your Confidential Business Data

 

The Dark Web is a secret internet society that’s only accessible to a select group of criminals. Criminals use it to take stolen data (like the Marriott/Starwood customer information) and dump it on the black market for sale.

 

Dark Web Scanning is a sophisticated monitoring solution that helps businesses of any size detect cyber threats that expose their stolen business accounts, email addresses, payment information, and other confidential data that’s on the Dark Web. It also does this in real time and detects any of your compromised credentials or information before criminals can use it for profit or other crimes.

 

Don’t Count On The Marriotts Of The World To Protect Your Business Data – You Must Do This Yourself

Contact us for information about Data Protection, Security Awareness Training and Dark Web Scanning. We have a suite of IT Security Solutions to help you keep your business data secure.

6 Tips To Ensure Third-Party Security

 

Businesses of all types and sizes today must navigate a complex matrix of vendors and partners. In many cases there is frequent sharing of data, including sensitive and proprietary information, that could cause real harm if hacked or stolen.

New technologies, including the Internet of Things, automation and cloud systems, make collecting and sharing information more accessible than ever before. However, the increased volume, accessibility and transfer of data create added risk for companies. To help companies protect information and minimize the risk of data theft, here are 6 answers to common third-party security questions.

 

1. How Can I Assess My Company’s Data Security?

The place to start is an internal audit of your systems. Which vendors have access to which data? How do they connect to your networks, and what can they reach once connected?

It’s smart to map your third-party partners: who they are, how they access data and what data they can access. Make sure third parties can reach only the information they need. These audits often turn up access that was granted long ago to third parties that no longer need it or should no longer have it.

 

2. What Can I Do to Assess My Third-Party Partners?

There are basic things you can do to ensure that third parties have the right safeguards in place when using your data. Asking for copies of their data security policies and audit results is an excellent place to start. If any practices or results concern you, ask for more details. Some companies require their vendors to undergo a thorough security audit with detailed questionnaires or independent verification of processes and systems.

This practice is not just good business sense. Many new regulatory mandates, including the European Union’s General Data Protection Regulation (GDPR), require companies to ensure that their third-party vendors also comply with the appropriate requirements.

3. What Foundation Do I Need for Data Security and Third Parties?

Be sure your organization has clear policies and procedures that govern data access and security for third parties. Review the policies regularly so that they reflect new technologies and practices.

 

4. Who Is Responsible for Data Security?

Risk ownership can become a gray area as companies exchange data, update it and enter it into each other’s systems. Create a risk assessment matrix that defines and tracks data within your corporate ecosystem. The matrix should include:

  • Vendors, partners, customers and subcontractors throughout your supply chain
  • A classification of each third party based on how it interacts with the organization
  • Risk types mapped to each third party
  • Risk levels assigned to each vendor’s risk types

This exercise allows you to build a comprehensive risk assessment model to inform decisions, policies and access.

 

5. What Technologies Can I Use to Help With Security?

Ultimately, control rests with your organization. You decide which parties have access, what kind of access they have, and which assets they can reach. Here are some tools that help enforce that control:

  • Encryption is effective in protecting data stored in your systems and transmitted to other parties. It need not be applied to everything, but high-risk information merits investment in encryption tools.
  • Two-factor authentication is another consideration. If you use multi-factor verification for internal access, you most certainly should require it for external access as well.
  • Risk-based authentication goes a step further. Rule-based access, such as allowing access only from a particular domain, can be incorporated into your security plan. If an access request does not meet the pre-defined rules, additional authentication layers are applied.
  • Monitoring networks is a wise move. Recording what is accessed and by whom gives you a better understanding of how information moves. Firewalls that inspect data packets and alert when unauthorized data are in transit help prevent unwanted data exfiltration.
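As an added illustration of the risk-based rules described above (example code written for this page, not part of the original article or any vendor product), the following Python policy check approves a third-party request only when it meets the pre-defined rules and otherwise demands further authentication steps, recording the reasons for the audit log; the trusted network, approved domain, asset names and request fields are all assumptions.

```python
"""Risk-based access decision for third-party requests. Added example, not
code from the original article or any product; the rules, trusted network,
approved domain and asset names below are all assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed policy data: a partner is expected to connect from its
# documented network with an account in its own domain.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]
ALLOWED_DOMAINS = {"vendor.example"}
HIGH_RISK_ASSETS = {"payroll-db", "customer-pii"}


@dataclass
class AccessRequest:
    user: str            # e.g. "alice@vendor.example"
    source_ip: str
    asset: str           # what the request wants to reach
    device_known: bool   # device was previously registered with us
    mfa_passed: bool     # a second factor was already verified


@dataclass
class Decision:
    allow: bool
    extra_steps: list = field(default_factory=list)  # still required
    reasons: list = field(default_factory=list)      # for the audit log


def evaluate(req: AccessRequest) -> Decision:
    """Apply the rules; a request outside them needs more authentication."""
    domain = req.user.rsplit("@", 1)[-1].lower()
    if domain not in ALLOWED_DOMAINS:
        # an identity from an unapproved domain is refused outright
        return Decision(False, reasons=[f"domain {domain} not approved"])

    reasons = []
    if not any(ip_address(req.source_ip) in net for net in TRUSTED_NETWORKS):
        reasons.append("source outside trusted network")
    if not req.device_known:
        reasons.append("unregistered device")
    if req.asset in HIGH_RISK_ASSETS:
        reasons.append("high-risk asset")

    steps = []
    if reasons and not req.mfa_passed:
        steps.append("mfa")  # one extra factor covers every triggered rule
    if not req.device_known:
        steps.append("device-registration")
    return Decision(allow=not steps, extra_steps=steps, reasons=reasons)
```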

 

6. What Documentation Does My Company Need?

Once you’ve determined your guidelines, policies and rules, put them in writing. Make them part of your new contracts and insist on amendments to any existing agreements with third parties. Contractual guidelines help protect companies from litigation, as more plaintiffs go after multiple parties in the event of a data breach.

Not all contracts need the same data access provisions, although it is good practice to establish a baseline of minimum requirements in all applicable third-party agreements.

With the growing threat of cyberattacks, an active approach to data security is how organizations mitigate risk and ensure that data stays in the right hands.

Top Data Breaches In The First Half Of November 2018

Data breaches never leave the news headlines, and business owners should pay close attention to them. According to the ID Theft Center, there were at least 1,579 breaches, a 44.7 percent increase from the year before.

A Look at Early November 2018 Data Breaches

The astounding uptick in data breaches is expected to continue through 2018, and the first half of November 2018 has already brought multiple incidents. Here are some of the breaches that have occurred already in November 2018.

 

Ontario Cannabis Store/Canada Post

The legalization of cannabis across Canada brought plenty of prickly, unfamiliar situations for consumers and business owners. To make matters worse, the new and booming industry took a hard hit from a massive data breach during the first part of November: a hacker managed to get into Canada Post’s delivery tracking tool.

Customers who had purchased cannabis for mail delivery from the Ontario Cannabis Store had their information exposed. The breach is considered severe because companies in the country’s up-and-coming cannabis business could face consumer concerns about the privacy of their personal information. As many as 4,500 customers were affected.

 

HSBC Bank USA

Domestically, a significant data breach at one of the top names in banking left financial institutions and consumers alike uneasy. HSBC Bank had multiple customer accounts compromised. To date, the number of accounts compromised and customers affected has not been disclosed. Nevertheless, this is considered a severe data breach because the data taken can be severely damaging to consumers who hold accounts at the institution.

The risk to related businesses from this kind of breach is considerable. Banking customers deposit money because they trust the institution to keep it secure. A data breach at one of the world’s largest banks does not sit well with consumers; it only lessens their faith in banking systems as a whole. So far this year, financial institutions have taken a hard hit.

 

Other Data Breach News Around the Globe for November

Pakistan suffered a major breach in November, with hackers obtaining the account information of at least 8,000 banking customers. The breach didn’t affect just one bank; it hit customers of ten different banks across the country. The stolen data has already shown up on the Dark Web, offered for sale at between $100 and $160 per record. So far, the cybercrime division in Pakistan has found more than 11,000 records.

 

Noteworthy Data Breaches So Far in 2018

The November 2018 data breaches join a growing list of breaches that have already occurred this year. Facebook’s was perhaps the most publicized breach of the year: in April 2018, at least 87 million records were exposed, and it is likely that the true number was far higher. Orbitz also had a considerable catastrophe when travel booking accounts were hacked, leaving roughly 880,000 customers’ payment cards exposed.

 

Data Breaches in 2017

Numerous businesses have had problems with data being compromised in the past, especially in 2017. According to Business Insider, there were at least 16 data breaches at major retailers, including Macy’s and Adidas, to name a few. Sears had a data breach in April that affected at least 100,000 customers, whose credit card information was compromised. Restaurants were also hit with data breaches in 2017; Sonic and Panera Bread were two of the most noteworthy.

So far this year, the number of data breaches has far exceeded that of 2017, which shows how much of a risk data breaches continue to pose in spite of considerable efforts to stop them. All business owners should step up their security efforts and keep a close eye on their data so that it is properly protected.