Saturday, November 22, 2014

Employees Expose Sensitive Data Outside the Workplace

Workers expose company data beyond the workplace, including very sensitive information, and typically the employee has no idea how risky this is. It's as easy as a crook capturing data displayed on a screen with a smartphone camera as he passes by, or quietly watching from a nearby seat.

And there's little corporate policy in place to guard against this. Many professional employees admit their company lacks any explicit policy on conducting business in public; some employers don't even have a policy on privacy filter use.

Either communication of policies to employees is feeble, or attention to visual privacy policy from the decision makers is lacking. This shows that security awareness training and education are needed as an integral part of information security.

An increasing number of people are taking their online work to public places, and if they knew company data was properly protected from roving snoops, they'd be more productive. Companies need to take the issue of visual privacy more seriously, and this includes equipping employees with tools of protection such as privacy filters. Some employees don't even know what their employer's policy is.

Types of Data Handled in Public
  • Internal financials
  • Private HR data
  • Trade secrets
  • Credit card numbers
  • SSNs
  • Medical data

Another factor is enlightening workers about the whole issue: an enlightened employee is more likely to conduct public online business securely.

Businesses are sadly lacking in security tactics relating to data that's stored, transmitted, used and displayed. The weak link in the chain of sensitive information is the human. Any effective IT security strategy needs to address this and take it right down the line to the last employee.

Monday, October 20, 2014

Why Cyber Security Matters To Everyone

Your cyber hygiene affects others
It’s not unlike public health. One of the reasons health officials urge almost everyone to get a flu shot is because people who are infected are more likely to infect others. And the same is true for cyber security. Infected devices have a way of infecting other devices and compromised systems can make everyone vulnerable. So your cyber hygiene isn’t just about protecting you, it’s about protecting all of us.

Botnets, or zombie networks, are just one example. Bad guys look for vulnerable machines to infect and enlist them into a zombie army that infects other machines, thus greatly amplifying their ability to reach millions of users.

Even bad social networking and email security can be contagious. If your accounts are insecure, it makes it easier for others to go online as you and spread infections or social engineering attacks designed to steal data or money.

What’s in it for you?
But forget altruism for a moment. Having an insecure machine or password can be personally devastating. I’ll spare you the scare tactics, you’ve probably heard them before — but I will remind you that an intrusion into any of your accounts or devices can escalate into a full-scale attack on your financial and reputational well-being.

Even something as basic as inadvertently sending out spam can be embarrassing, but there is also the risk of identity theft and financial crime that can leave you with an empty bank account.

Shared responsibility
Cyber security is a shared responsibility. Internet companies and brick-and-mortar merchants can do their part by shoring up the security of their networks and payment systems. Government can educate the public and enforce anti-cybercrime laws. Businesses can make sure they have strong security processes in place, including making sure their employees use strong passwords. And everyone can play an important role by securing their own devices and making sure their passwords are strong and unique.

Kids too

And it's not just for adults. Just as we teach our kids to lock their bicycles, parents and teachers need to remind them to password-protect their phones and other devices. And kids need to know that some things in life need to be kept secret. Passing on your passwords is not a way of proving that you're a good friend. If a friend asks for your password, you can really be a good friend by reminding them that sharing it is never a good idea.

Sunday, October 5, 2014

Cybersecurity Awareness Is About Both ‘Knowing’ and ‘Doing’

Ask any IT security professional and you’ll get the same answer. One of the biggest cybersecurity challenges is the human factor, making cybersecurity awareness more vital than ever in our mobilized, interconnected world.

According to the 2014 Cyber Security Intelligence Index, an astounding 95 percent of all security incidents involve human error. The most prevalent mistake? Double clicking on an infected attachment or unsafe URL. Other common errors include lack of patching, using default user names and passwords and easy-to-guess passwords, lost laptops and mobile devices, and inadvertent disclosure of sensitive information by use of an incorrect email address.

All the more reason to support and participate in National Cybersecurity Awareness Month, which is observed in October in the U.S., with similar months or weeks set aside in other countries. Cybersecurity awareness events like these are valuable opportunities to shine a spotlight on what it means to be aware and how to promote not only knowledge, but deliberate, mindful behavior to actively protect valuable data and information in our businesses and communities.

What is cybersecurity awareness? It’s not just knowledge. Knowing isn’t doing. Security awareness is knowledge combined with attitudes and behaviors that serve to protect our information assets. Being cybersecurity aware means you understand what the threats are and you take the right steps to prevent them.

We work to create a risk-aware culture where employees are educated about the cybersecurity hazards we face and trained to take the right actions to defend against them. Training courses, simulated phishing exercises, awareness campaigns, videos and a steady stream of awareness messaging and social media conversations are some of the ways we work to keep cybersecurity top of the mind.

We encourage staff to visit the StaySafeOnline and Stop.Think.Connect. websites to cultivate cyber awareness at home and in their neighborhoods. StaySafeOnline offers tips and resources, including content for teaching cybersecurity to students from kindergarten through college. The Stop.Think.Connect. site offers information on how to protect our digital lives online.


We’re all in this together, and each of us has a stake in reducing human error and encouraging cybersecurity best practices in our workplaces, homes and communities. Help spread the word to promote a safer, more productive digital experience for all of us.

Wednesday, October 1, 2014

Beware of Socially Engineered Phishing Attacks on Facebook

Phishing attacks are one of the most common scams on Facebook. The goal of these scams is to obtain your Facebook user name and password. If successful, the scammers can totally take over your Facebook account and use it to spread more spam and scams to your friends. They can also mine everyone in your network for data they can later use for identity theft or other socially engineered attacks.

Here are some examples of popular phishing schemes on Facebook:

  1. Facebook Lottery – You receive an email stating you've won a sum of money. These are often also advance-fee scams: the "prize" is released only after you pay a processing charge.
  2. Confirm Your Account – Any message asking you to confirm your account should be viewed with extreme suspicion. If you receive an email like this, don't follow any links. A better option is to log in to Facebook directly by typing the address yourself.
  3. Violated a Policy – Hacked accounts often send messages posing as 'Facebook Security.' If you encounter one of these scams, you'll notice that "Facebook Security" is spelled with non-standard characters. This is done to bypass Facebook's filters.
  4. Photos & Videos – The scammers capitalize on our curious nature. You receive a message from a compromised friend's account asking you to look at a photo or video. A popular theme is to say the picture is embarrassing, or "I can't believe you did that." Other variants of this scam deliver files laden with malware.
Almost all of these scams direct you to external links to pages designed to look like Facebook. Before logging in to any site, always verify that you are indeed on the genuine site by checking the address in the browser bar, not the look of the page. Careless and unsuspecting users are often fooled by these tricks.
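The "verify you are on the genuine site" advice above comes down to reading the host part of a URL correctly, which is exactly what phishing links are built to obscure. The following is an added example, not code from the original post or from Facebook: a small link checker that applies the same tests a careful user should apply in the address bar. The set of legitimate domains, the sample links, and the two-label domain heuristic are assumptions made for the example; a production check would use the Public Suffix List rather than "last two labels".

```python
from typing import Tuple
from urllib.parse import urlparse

# Assumption: the registrable domains a user should treat as "really Facebook".
# Anything else, however Facebook-like the URL looks, is treated as a phishing page.
LEGIT_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname (e.g. 'm.facebook.com' -> 'facebook.com').

    Deliberately naive: correct for .com-style TLDs, which is all this example needs.
    A production check would consult the Public Suffix List so that hosts such as
    'example.co.uk' are split correctly.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def classify_link(url: str) -> Tuple[bool, str]:
    """Decide whether a link really points at Facebook.

    Returns (True, 'ok') for a genuine link, otherwise (False, reason). The checks
    mirror the tricks phishing pages use: look-alike subdomains and registered
    names, user-info placed before the real host, non-ASCII (homoglyph) labels,
    and plain-HTTP clones of the login page.
    """
    parsed = urlparse(url.strip())
    host = parsed.hostname  # lower-cased, without port or user-info
    if not host:
        return False, "no host in URL"
    if parsed.username is not None:
        # https://www.facebook.com@evil.example/ : the browser ignores everything
        # before '@' when choosing the server, so the real host is evil.example.
        return False, f"user-info before host; real host is {host}"
    if any(ord(ch) > 127 for ch in host) or any(lbl.startswith("xn--") for lbl in host.split(".")):
        # A Cyrillic 'a' in 'facebook.com', or its punycode form, is a different domain.
        return False, f"internationalized host label in {host}"
    if parsed.scheme != "https":
        return False, f"scheme is {parsed.scheme!r}, not https"
    domain = registrable_domain(host)
    if domain not in LEGIT_DOMAINS:
        # Catches facebook.com.login-verify.example and facebook-login.example alike.
        return False, f"host {host} belongs to {domain}, not Facebook"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links in the style of the scams above (not real phishing URLs).
    samples = [
        "https://m.facebook.com/login/",
        "http://www.facebook.com/",
        "https://www.facebook.com.login-verify.example/confirm",
        "https://www.facebook.com@evil.example/login",
        "https://www.f\u0430cebook.com/security",  # Cyrillic 'a' in place of Latin 'a'
        "https://facebook-security-team.example/policy-violation",
    ]
    for link in samples:
        ok, reason = classify_link(link)
        print("OK  " if ok else "BAD ", link, f"({reason})")
```

The order of the checks matters: the user-info and homoglyph tests run before the domain comparison, because a naive string search for "facebook.com" would accept the first two attack URLs. The same logic is what a mail gateway or browser extension would apply to every link before a user sees it.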

Saturday, September 20, 2014

The Role of Human Error in Successful Security Attacks

The Threats of Inadvertent Human Error by Insider Mistakes
One of the leading errors made by insiders is sending sensitive documents to unintended recipients. This is relatively easy to mitigate by deploying data loss prevention controls that monitor for sensitive information leaving the organization. Once considered complex to deploy, these controls have been made considerably easier to implement by vendors in recent years. This has dramatically reduced the level of user involvement required and increased the use of such controls.

These tools can also prevent users from engaging in inappropriate behavior, such as sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks. Lost or stolen mobile devices are also a major concern that is exacerbated by the growing trend toward the use of personal devices.
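The monitoring described in the two paragraphs above (sensitive content going to the wrong recipient, or being mailed home) is what a data loss prevention filter does on every outbound message. The following is an added example, not code from the original post or from any DLP vendor: a small classifier that scans a constructed outbound-mail log for Social Security numbers and card numbers and decides whether to allow, log or block each message depending on whether the recipient is external. The internal mail domain, the three sample messages and the allow/log/block policy are assumptions for the example; the SSN pattern reflects the issuance rules (area 000, 666 and 9xx, group 00 and serial 0000 are never issued) and the card check applies the Luhn checksum so that an ordinary 16-digit order reference is not mistaken for a card.

```python
import re
from typing import Dict, List, Tuple

# Assumption: the organisation's own mail domain; any other recipient domain is external.
INTERNAL_DOMAIN = "corp.example"

# US SSN in 123-45-6789 form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> List[str]:
    """Return digit strings that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify_message(sender: str, recipient: str, body: str) -> Dict[str, object]:
    """Apply the policy: sensitive data to an external address is blocked,
    sensitive data to an internal address is logged, everything else is allowed."""
    external = recipient.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN
    ssns = SSN_RE.findall(body)
    cards = find_cards(body)
    sensitive = bool(ssns or cards)
    if sensitive and external:
        action = "block"
    elif sensitive:
        action = "log"
    else:
        action = "allow"
    return {"sender": sender, "recipient": recipient, "external": external,
            "ssns": ssns, "cards": cards, "action": action}


# Constructed sample outbound-mail log (sender, recipient, body); not real messages.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("alice@corp.example", "alice.home@mail.example",
     "Working from home tonight, card 4111 1111 1111 1111 for the vendor"),
    ("bob@corp.example", "hr@corp.example",
     "New hire paperwork: SSN 123-45-6789"),
    ("carol@corp.example", "orders@vendor.example",
     "Please ship order ref 1234 5678 9012 3456 by Friday"),
]


def scan_log(log: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Classify every entry of an outbound-mail log."""
    return [classify_message(sender, recipient, body) for sender, recipient, body in log]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(str(r["action"]).upper(), r["sender"], "->", r["recipient"], r["ssns"], r["cards"])
```

Note the third message: "1234 5678 9012 3456" matches the digit pattern but fails Luhn, so it passes through. Without that checksum a filter of this kind blocks invoices and tracking numbers, and users quickly learn to route around it, which is the "user involvement" problem the paragraph above describes.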

Human error is also a factor in other security incidents caused by insiders who are the most trusted and highly skilled, such as system and network administrators. Some of the most commonly recorded forms of human error caused by such employees are misconfigured systems, poor patch management practices and the use of default names and passwords.

Successful Security Attacks Exploit Human Interest Factor
The human interest factor is also being exploited by attackers and plays a large part in successful security attacks seen today, but it is not always attributable to mistakes made by insiders. Many of these attacks involve social engineering techniques to lure individually targeted users into making mistakes. Advanced and targeted attacks involve spear-phishing emails containing malicious attachments that cause malware to be downloaded onto the user's computing device. This gives attackers a foothold in the organization from which to search for valuable information, such as intellectual property.

Today, legitimate websites are increasingly being compromised precisely because they are the sort of sites users routinely trust. Compromised websites are also being used in attacks that target the interests of specific users or groups, the so-called watering hole attacks, which have seen a particular increase.

People, Processes and Technology
It is often said that any successful organization must focus on people, processes and technology in equal measure. Technology provides automated safeguards, and processes determine the series of actions to be taken to achieve a particular end. Oftentimes, insufficient attention is paid to the "people" part of the equation. To stem errors made through social engineering and to raise awareness of the potential harm caused by carelessness, technology and processes must be combined with employee education. This way, employees are aware of the threats they face and the part they are expected to play in guarding against them. Keeping organizations safe relies on constantly educating employees about identifying suspicious communications and newly emerging risks.

Thursday, September 11, 2014

Breaking The Compliance Mindset

Addressing security threats requires moving away from the mindset that compliance equals security. While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It's an interesting strategy, and one that reflects how separate compliance and security concerns have become.

Security awareness has traditionally been associated with the compliance side of security, but to be truly effective, it needs to focus on current threats and evolve with the threat landscape.

Compliance is useful in that it forces organizations to focus on security, but security departments should no longer view compliance as anything more than what it is – the floor, not the ceiling. Depending on your regulatory requirements, you may have to provide awareness training to be compliant. Organizations often achieve compliance through annual training or assessments that have little positive impact on the organization, and can sometimes create a negative perception of security awareness. Compliance-driven training only requires you to prove that people have completed the training; it doesn't require any proof that employees can apply what the training covered. Checking off the security awareness box on your compliance checklist is necessary, and it may feel comforting, but it's a false sense of security.

I understand that compliance is not going away, and that for many CISOs addressing it consumes a large part of their budget and time, so how do you break out of the compliance mindset? For security awareness, start by presenting training material that addresses relevant and emerging threats. Training employees on topics like password complexity overloads them with information that does little to improve security. Training on topics like this may be an easy way to fulfill compliance, but training that empowers your employees by giving them knowledge they can apply will truly improve your security posture. Regulations fail to address security concerns because they are rigid and don’t adapt to new tactics; however, users can be trained to be dynamic threat detectors.

Just as organizations have unique needs, humans have different needs as well. Applying a one-size-fits-all approach to training will meet compliance needs, but it won't be as effective as continuous training delivered through multiple education modes, which appeals to a variety of learning styles. Your security awareness program needs to evolve beyond annual training into a living, continuous program. Make security awareness part of your organization's culture by conducting training periodically and varying the presentation of that training content to ensure you resonate with everyone in the organization.


While compliance struggles to keep pace with emerging threats, security awareness that succeeds in improving employee behavior can keep you ahead of the curve. The adversaries are dynamic, creative humans; making security-aware employees with the skills to identify anomalous activity a strategic objective will go much farther than checking the box. It's time companies moved away from the "I have read and understand" model and instead moved employees into an "I have read, watched, performed, been assessed, and can prove that I understand" mindset. One size definitely does not fit all, and one-question tests prove nothing.

Thursday, August 28, 2014

Cloud Computing is a Security Awareness Issue

Whether or not your organization is officially looking into cloud computing as a potential business tool, chances are that your employees are already using cloud-based applications without you knowing about it.

Cloud-based applications are already widely used – some of the better known examples being Google Docs, Windows Live, Salesforce, Acrobat.com, Dropbox, and KnowledgeTree. And they don’t require IT approval for a user to set up an account – anyone can sign up with a credit card.

Once employees start using a cloud-based application, security questions start popping up very quickly. Where’s the data being stored? Who has access to it? How is it being backed up? How stable is the cloud service provider?

It's possible that most use of these services by your employees involves only unclassified data, but that's not an assumption you can afford to make. Use of a cloud-based application could also break the law, or agreements with partners, especially if an employee uploads data to a cloud service that stores it in another jurisdiction, e.g. out of the country.

You could try to restrict use of these applications by blocking access from your network, but that's probably impractical. And, as with many things, users will likely find ways to bypass your security measures.

So what's the solution? Clearly, the first step is to establish a clear IT policy that covers the use of external services. This will probably be part of, or a supplement to, your Acceptable Use Policy. Make it fair and reasonable, or users will find ways to circumvent it.

Then, as with all policies, you'll need to tell your staff about:
  • Why the policy is needed, and the implications of failing to follow it.
  • What employees CAN do with cloud-based services – probably a list of approved cloud-based services.
  • What employees CAN'T do with cloud-based services.
  • Who to talk with if they have questions.

The final point is particularly important since cloud computing is such a new field that many of the legal and technical issues have yet to be resolved.


Wednesday, July 30, 2014

Hackers Find Way to Outwit Tough Security at Banking Sites

Researchers uncovered what they say is a sophisticated, multistage attack by cybercriminals determined to bypass the so-called two-factor authentication systems at banks in Austria, Japan, Sweden and Switzerland, according to a report to be released Tuesday.

Most sites ask for a single password. But two-factor authentication systems require customers to also enter a second, one-time code that has been emailed to them or texted to their phones. The hope is that a second identifying factor eliminates the risk that criminals can break into customers' accounts simply by stealing an online password.

But hackers were able to bypass the two-factor authentication systems at the European and Japanese banks through an attack that begins — as most do — with a phishing email.

The email, which purports to be from popular retailers, includes malicious attachments disguised as receipts. By opening the attachments, victims download malicious software onto their machines. When the victim then tries to reach the real bank site, that software redirects them to a site managed by the criminals.

The criminals would also prod victims to download a mobile application, available in Google’s Android store.

The app posed as something that would improve security. But once installed, it allowed the criminals to gain full access to their victims' bank accounts: it intercepted the one-time codes that the legitimate banks text their customers so they can log in remotely, defeating the second factor entirely.

Wednesday, June 18, 2014

Security Training is Lacking

Humans are the weakest link in the enterprise security chain, but a survey finds that more than half of them aren't getting any security awareness training at all. The good news is that there is plenty of advice on how to do it, and do it better.

But it is apparently not common enough throughout the enterprise sector. A recent report by Enterprise Management Associates (EMA) found that 56% of workers may not receive any security awareness training (SAT) at all.

The report, titled “Security Awareness Training: It’s Not Just for Compliance,” is based on a survey of 600 people working for companies ranging from fewer than 100 employees to more than 10,000.


Any doubts about the need for SAT should have been dispelled by last year's Verizon Data Breach Investigations Report (DBIR), which found that four out of five breaches were caused by stolen credentials – usually the result of social engineering attacks or weak passwords. And there is abundant evidence that social engineering attacks have become much more sophisticated, and therefore successful.

Friday, May 30, 2014

Effective security awareness includes everyone

I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.

The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.

First and foremost, including everyone in security awareness training reduces the security gaps across the organization. While training will never be 100% effective, the more people who receive it, the more risk is reduced.

Including executives and senior managers in training exercises creates solidarity within the workforce, as staff will be more likely to embrace the exercise knowing their bosses are participating. Training staff-level employees truly makes security awareness part of your organization's culture, and helps each employee understand that everyone – not just the IT department – has a responsibility for IT security. If you're collecting metrics from your campaigns (and you should be), including everyone will provide a broader baseline of your user population's susceptibility and pinpoint strengths and weaknesses in your security posture.

Thursday, April 24, 2014

Immersive Security Awareness Training

Ultimately, immersing your employees in an experience will improve their behavior. With that said, here are ways to make your immersive security awareness engaging.

Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It's the same with security. Don't trip up your users by starting them off with complicated concepts – get them on the beginner slope.

Be Specific: Hollow platitudes will undoubtedly get your users to tune out. Avoid vague messages like “keep company resources safe”, instead give users specific, actionable information that will help them change behavior.

Mix it up: How many of you pay attention to the airline safety demonstration prior to take-off? That demonstration never changes so ultimately people lose interest. Don't make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients.

Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don't need the information, so there's no need to retain it. Security threats, however, are constant and ever-changing, so security awareness needs to be continuously reinforced. By training users at different times throughout the year, safe security behavior becomes a habit, not something forgotten as soon as training is over.

Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognizing people and departments who have done well. Educate and support those that need additional help.

Thursday, February 13, 2014

Tax ID Theft

What is tax identity theft?
It’s a fast-growing crime that costs taxpayers billions of dollars a year, and shows no signs of abating. Someone uses a taxpayer’s personal information to commit fraud on tax returns to claim refunds or for other crimes, including:
  • Filing a fraudulent tax return using another person’s Social Security number
  • Claiming someone else’s children as dependents
  • Claiming a tax refund using a deceased taxpayer’s information
  • Earning wages under another person’s Social Security number
How does it work?
Crooks look for discarded tax returns, bank records, credit card receipts, Medicare cards and more, often relying on email or telephone phishing, dumpster diving or stealing from your mailbox. They use that info to file for a tax refund before you do. When you file your return later, IRS records will show the first filing and refund, and you’ll get a notice or letter from the IRS.

What can you do to protect yourself?
Reduce tax time stress. File as early in the season as possible, so that a fraudulent return cannot beat yours, and mail paper returns directly from the post office. If filing electronically, use a trusted network and an encrypted connection.

Stay safe online. Do not respond to emails that appear to be from the IRS, and never click on links! The IRS does not send unsolicited, tax-account related emails and never asks for personal and financial information.

Protect your personal information. Never store important account numbers or data in purses or wallets, or on smartphones. Use a shredder for paper documents, and install a locking mailbox.

Monitor your accounts and review financial statements regularly. Sign up for your free annual credit report at www.annualcreditreport.com.

Think you’re a victim of tax ID theft?
Take these four steps right away:
  • File a report with the local police.
  • Contact your bank and credit card companies. Inform the credit bureaus and consider placing a credit freeze (a freeze restricts access to your credit reports, making it unlikely that thieves can open new accounts in your name).
  • Contact the IRS Identity Protection Specialized Unit at 800-908-4490 and complete Form 14039.
  • Get an IP (Identity Protection) PIN from the IRS so they can verify your identity as they work with you on the theft going forward.


Thursday, January 30, 2014

Fraudsters Target Those Signing Up for Health Insurance

Open enrollment has begun for Obamacare as well as for health insurance plans offered by many employers. And that means it's prime time for fraudsters to target consumers with phishing scams, disguised as official-looking open enrollment messages, in an attempt to steal personal information.

Privacy and security experts stress the need to remind those participating in open enrollment about the dangers of phishing, including avoiding clicking on links in suspicious e-mails that bring individuals to fake websites designed to gather information.

The open enrollment scams typically involve e-mails that purport to be official communications about health insurance but link the user to a fake employer or government web portal designed to collect personal information that can be used to commit fraud. In some cases, simply clicking to open the e-mail or a link it contains can lead to an immediate malware infection, Kennedy says.

"People freak out when they receive e-mails about their health benefits or new regulations, and the possibility of losing [coverage] if they don't act," Kennedy says. That's why so many consumers fall for the ploys.


In addition to spear-phishing e-mails targeting employees at specific companies during open enrollment season, scammers are also targeting consumers who are interested in shopping for insurance on new state health insurance exchanges and seniors looking for supplemental Medicare plans.