STANDARD ENSURES PRIVACY AND DATA PROTECTION

CSPs can use ISO 27018 to prove they are handling personal data in a manner that not only safeguards customers’ data but also protects customers’ privacy. For example, when CSPs follow this standard, they are guaranteeing that they will:

• Give customers control over their personal data
• Not use customers’ personal data for marketing or advertising purposes
• Not let third parties access customers’ personal data, unless a customer allows it
• Let customers know about any unauthorized access to their data as soon as possible
• Let customers know when subcontractors will handle their data

ISO 27018 has many other guidelines about how CSPs should protect customers’ privacy and data. They include the need for restrictions that limit or ban transmitting customers’ personal data over public networks and storing it on transportable media. CSPs even need to have proper data backup and recovery procedures in place to achieve ISO 27018 certification.

To become ISO 27018 certified, CSPs must go through an assessment process. During this process, independent third parties verify that the CSPs are properly handling their customers’ personal data. Once a CSP achieves certification, it must undergo annual audits to maintain that certification.

In 2015, Microsoft and Dropbox for Business were the first two major providers to achieve ISO 27018 certification. Other big-name companies are expected to follow their lead.

A MARK OF TRUST

When a CSP is ISO 27018 certified, you have some assurance that it is protecting its customers’ privacy and data. If your business is looking to store data in a public cloud, make sure you talk to potential CSPs about their efforts to adhere to the ISO 27018 standard.

Email mistakes in particular stand out as significant causes of data breaches. While these mistakes are understandable in many cases, they are still very costly.

MAJOR EXAMPLES OF EMAIL MISTAKES

One notable example of an email mistake that caused a data breach involved the Goldman Sachs investment management firm. In June 2014, a Goldman Sachs contractor accidentally sent a message to a gmail.com email address instead of the corresponding gs.com email address. The latter email address is connected to the company’s in-house email network.

The email contained a confidential document, and the mistake sent Goldman Sachs scrambling for a solution. To prevent the gmail.com recipient from opening the message, Goldman Sachs took Google to the New York State Supreme Court. In its petition, the investment management firm said that the message contained “highly confidential brokerage account information” and asked Google to help it prevent a “needless and massive” data breach.

The case was unprecedented, in that Goldman Sachs argued that email senders should have the right to “unsend” an email if it was sent by mistake. In the end, however, the court did not have to rule on the case, since Google voluntarily blocked the recipient’s access to the email.

Another noteworthy email mistake occurred in April 2014. An employee at the risk advisor and insurance brokerage firm Willis North America accidentally sent a spreadsheet to a group of employees enrolled in the company medical plan’s Healthy Rewards Program. The spreadsheet contained confidential information, including employees’ names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans.

Willis North America agreed to pay for 2 years of identity theft protection for the 4,830 people affected by the breach. Although the leaked information did not include details about the victims’ health conditions or the health information of their dependents, Willis North America was still cited for violating the US Health Insurance Portability and Accountability Act (HIPAA).

A similar incident occurred in September 2013, when a Cisco employee accidentally sent an email to a “sept_training1” mailing list. The list included thousands of other Cisco workers. A large number of these workers replied to the email by asking to be removed from the list, and many of them accidentally clicked “Reply All” when responding to the message. This resulted in millions of unwanted email messages taking up space on Cisco’s network. The mistake severely damaged the employees’ productivity, and cost the company hundreds of thousands of dollars.

THE COSTS OF EMAIL MISTAKES

According to the Ponemon Institute, data breaches caused by careless human error cost companies on average $117 per compromised record. If an email mistake affected thousands of people, as was the case for Willis North America, then it could result in sizable losses. Several issues can cause these high costs.

As the Cisco case showed, losses in productivity can cost a company a significant amount of time and money. Another cost stems from paying for identity theft protection for the victims. Additionally, if the email mistake led to a data breach, then the company could find itself facing lawsuits or punitive fines. Data breaches like these could also reveal sensitive company information to the general public.

Email mistakes, especially those that cause data breaches, can also tarnish a company’s reputation, which can lead to lost business opportunities. As one example, Goldman Sachs faced substantial damage to its reputation after its email-related data breach in 2014.

AVOIDING CARELESS MISTAKES

To prevent any mistakes, create clear-cut policies and procedures about sending emails, especially those with sensitive information. You’ll also need to educate your staff members about the problems caused by carelessly sending emails. Employees are more likely to think twice about sending a message when they know just how costly a mistake can be.

By the same token, you should develop a workplace environment in which employees feel comfortable talking about their IT concerns. By making your staff members feel comfortable about discussing these issues, you can improve the odds that one of them will ask a question that could avert a mistake.

Data loss prevention (DLP) software can also help in this regard. This software can stop employees from sending confidential information by accident. Look to your IT staff or service provider for help when searching for a DLP solution that matches your individual needs.

With that in mind, here are several best practices that companies can follow to better protect their digital information.

1. USE AND MAINTAIN ANTI-VIRUS SOFTWARE

Using anti-virus software is an absolute requirement for companies of any size. Viruses and malware are some of the most effective weapons in a hacker’s arsenal. Even computers with the latest security measures are still at risk if they were compromised in the past.

Simply installing and using an anti-virus application is not enough. The software must be updated frequently. Keeping your anti-virus programs up-to-date is important to maintaining a well-secured computer.

2. CREATE A BACKUP AND RECOVERY PLAN

A catastrophic loss of data will cripple your company, often beyond the point of recovery. For this reason, backup and recovery plans are essential, even for startups. These plans help companies survive and recover from both physical and digital disasters.

A backup plan specifies how backups will be made, as well as how frequently they will be tested. If you already have a backup plan, consider revisiting it. Many plans fail due to changes in infrastructure or data organization.

A recovery plan attempts to restore the backup, taking various concerns and scenarios into account. Successful recovery plans can minimize both the loss of data and downtime associated with a catastrophic event. They are worth their weight in gold if and when such an event occurs.

3. USE A FIREWALL

Firewalls are another important tool in keeping your information secure. They manage and control incoming and outgoing traffic, providing an inherent defense from attackers. Firewalls are available as either software or hardware.

Creating a firewall by using a hardware device can be complicated — leave this to the experts. Hardware firewalls are most useful for large companies since they can provide uniformity across the entire system. Software firewalls are typically pre-configured and easier to set up. These are more appropriate for smaller businesses.

4. CONTROL ACCESS TO PROTECTED INFORMATION

Controlling who accesses privileged or protected information is vital to protecting customer privacy. As a result, access control systems must be established to determine which users have permission to view which documents.

Implementing role-based access levels is the solution to this problem. An employee working in the billing department would have an authorization level different than that of a physician. The same is true about administrative assistants and senior partners, or other comparable positions in any industry.

For larger companies, system administrators should be responsible for setting users’ access levels. Smaller companies can manually assign access through the use of an access control list.

5. TEACH EMPLOYEES THE VALUE OF INFORMATION SECURITY

Information security, or InfoSec, is the practice of defending the corporate infrastructure and related assets from exploitation. Historically InfoSec relied on highly trained individuals to monitor for and defend against attacks from outside parties.

Recently, focus has shifted toward teaching security awareness to all employees. Proper education provides even non-technical employees with the knowledge and tools to identify common attacks and react appropriately, further protecting businesses.

FINAL THOUGHTS

Unfortunately, there is no comprehensive list of IT security practices for every business. This list is a starting point for companies thinking about how they can better protect their data. Contact us to learn more about following these practices or addressing similar security issues.

As part of an investigation into the attack, the company discovered that hackers made off with more than 100 terabytes of confidential files. The attackers also deleted the original copies of these files and wiped Sony’s internal data centers. They destroyed 75% of the company’s servers and used file-sharing networks to publicly release a huge amount of the stolen information.

The list of released files featured corporate documents, private emails from Sony executives, and details about salaries and bonuses. It also included the usernames and passwords of hundreds of employees, as well as personal information, such as their social security numbers.

In addition, the attackers stole a number of movies that were scheduled for release in theaters during the 2014 holiday season. They posted these films online, hitting the company even harder.

Following the attack, Sony shut down nearly all of its global IT infrastructure. This left the company’s employees without any voice mail, corporate email, or production systems.

Sony’s problems didn’t end with the attack on its systems. The hackers, calling themselves the “Guardians of Peace,” threatened to attack theaters if Sony went ahead with its planned Christmas day release of “The Interview,” a comedic movie depicting the assassination of North Korean leader Kim Jong Un.

Shaken by the security breach and the threat of attacks against theaters, the company initially decided to cancel the movie’s release. A wave of criticism followed the move, and Sony was forced to change its stance. The movie was ultimately screened at a limited number of theaters, and made available online by the company.

THE HACKERS AND THEIR SUSPECTED METHODS

It remains unclear exactly how the attackers managed to break into Sony’s networks, though security experts suspect that a specific type of malware was used to steal the data and erase the original copies. It is believed that the attackers first stole the login credentials of a high-level systems administrator working in Sony’s IT department. Using this information, they were able to access the company’s entire network.

The US government has stated that it believes that North Korea was behind the attack, with the FBI releasing the IP range from which the attack originated, leaving little room for doubt as to the source.

SONY’S ATTEMPTS TO REGROUP FOLLOWING THE ATTACK

Sony clearly didn’t have a disaster recovery plan. After discovering that it had been hacked, the company shut down its entire local system, rendering its landline phones, computers and corporate email system inoperable.

The company’s senior executives used a phone tree to relay updates from one person to the next. More than 6,000 employees were forced to use cell phones, Gmail accounts and notepads to remain operational. The payroll department had to use an old machine to manually issue paychecks instead of using its electronic direct deposit system. The company’s network remained impaired for weeks.

A LONG LIST OF IT FAILURES

The attack on Sony exposed its poor cyber security practices. A lack of IT training, strong password protection protocols, and file encryption technology played a role in Sony’s faulty operations.

The company’s employees used easy-to-guess passwords, such as “password” and “s0ny123.” The passwords, along with other important data, were all stored in one place. This made it remarkably easy for the hackers to gain access.

In addition, Sony executives sent plaintext passwords in unencrypted e-mails. The company also failed to encrypt sensitive materials related to some of its employees, such as salaries, revenue numbers, medical information, and strategic plans. Without encryption, this information was relatively simple to steal.

A large part of this IT mismanagement stemmed from a lack of knowledge and preparation. Sony failed to implement company-wide protection measures or develop an adequate computer training program for its employees.

According to the company’s former employees, Sony repeatedly ignored warnings about specific vulnerabilities. While the company did carry out risk assessments, it rarely acted on them.

Physical security was another major problem for the company. According to a statement made by one of the alleged hackers, the company did not have the most basic physical security parameters like locked doors, CCTV cameras, or proximity card readers.

It appears that Sony also failed to protect itself against social engineering. Several media reports have suggested that the hackers tricked some executives into revealing passwords. The attackers also allegedly convinced some sympathetic employees to help them.

THE KEYS TO BETTER CYBER SECURITY

According to security experts, Sony’s haphazard practices are commonplace in the corporate world. Both multinational conglomerates and small businesses are equally vulnerable in this regard. Abandoning these ineffective policies are crucial to securing a company’s IT infrastructure.

Basic precautions are vital, especially when it comes to physical security. Even the little things, like failing to lock a door, can have a huge impact on cyber security.

Simple mistakes are prevalent in the digital world as well. These include using obvious passwords, repeating passwords, or sending passwords via email. Using encryption and password managers can help companies eliminate these costly errors.

Hackers are becoming more and more sophisticated in the level of their attacks. In light of these new and dangerous threats, companies must have up-to-date, comprehensive anti-malware and antivirus programs.

Finally, companies should educate their employees about IT. An awareness of these issues, along with the help of outside experts, goes a long way toward preventing attacks.

According to a 2014 study sponsored by the Carnegie Mellon CERT Insider Threat Center, more than 40 percent of organizational security professionals say their greatest concern is that their own employees will accidentally jeopardize the organization’s security. These accidental employee security breaches are called unintentional insider threats, or UITs. There are three basic types of UITs of which companies should be aware.

ELECTRONIC

The best-known form of electronic UIT is phishing. Emails are sent either to targeted members of an organization or to the organization as a whole. These messages appear to come from a trusted organization (such as a bank) or from a fellow employee. They typically request verification of either personal or company information. Once the employee verifies the information, the attacker gains access to the victim’s personal information or to an organization’s computer network.

The CERT study offered a couple examples of successful phishing attacks.

In the first example, attackers sent phishing emails to the customers of a payment processing company. The emails warned the victims that they needed to download a web browser plug-in in order to gain access to a website. In reality, the plug-in was malware designed to steal the victims’ usernames and passwords. The attackers targeted the customers by name. The message also referenced the recipients’ usernames and a portion of their passwords for the site. This information was obtained by the attackers through a direct attack on the company’s servers.

In another example, an employee replied to a phishing email which they believed had come from a financial services provider. In doing so, the employee downloaded and installed keystroke-logging malware. This malware captured the employee’s credentials. The attackers then used these credentials to transfer hundreds of thousands of dollars.

Phishing is not the only kind of electronic UIT. Another common type is fraudulent websites and social media pages (Facebook, etc.) These sites target employees who surf the Internet. They trick their victims into clicking on a link, such as a music download, that installs malware on the victim’s computer. Still another common type features CDs or flash drives that, when inserted into a computer, install malware that gives the attacker access to information.

PERSONAL

This type of attack is in some ways the most effective of all. Personal UITs are carried out by people, not machines, and it is human nature to trust other people.

One form of personal attack is dumpster diving. This involves searching the trash for documents that could benefit the attacker, such as financial records, confidential reports, or personal information.

Next is impersonation. This threat, which targets a specific individual, sometimes occurs as a follow-up attack after dumpster diving. During impersonation, the attacker poses as someone in a position of authority and asks the victim for help in solving a problem. The solution requires the victim to provide sensitive information. That new guy from IT who shows up one day to work on your computer because it’s sending a faulty IP address. He must be who he says he is, right?

Another type of personal UIT is tailgating. An attacker poses as an employee to slip into a restricted area by walking behind a person with legitimate access. Employees are victimized by this kind of attack because they’re too trusting of others, too distracted by work, or simply too embarrassed to challenge the attacker.

Lastly, don’t underestimate shoulder surfing. This form of attack is like copying off someone’s test at school. The attacker looks over the victim’s shoulder while the victim enters security codes or passwords. It’s simplicity itself, and that’s why it works. No one expects it.

ACCIDENTAL

You could also call this the “dumb,” or “stuff happens” type of UIT. It doesn’t require a hacker, and it’s also the hardest UIT to defend against. Someone loses a laptop or a flash drive containing vital information. Someone accidentally posts sensitive information on a website or emails it to the wrong person. Someone leaves sensitive information in the trash (remember dumpster diving?).

FINAL THOUGHTS

Attacks producing UITs are successful for a number of reasons: inadequate security systems and policies, stressful work environments, and a tendency for individuals to overlook threats (the “It can’t happen here” mentality), among others.

These reasons can be combatted through improved security systems and better employee training. However, there’s one thing that can’t be prevented, and that’s the thing that gives hackers the “house edge.” As the CERT study states:

“Some social engineering campaigns may be so well crafted that individuals may still be exploited no matter what countermeasures (training, policies, etc.) are employed . . . . No matter how skilled, savvy, or trained an organization’s employees are, there will always be a chance that a phishing campaign will succeed, especially because it takes only one individual to succumb to the scam to open new opportunities for the social engineer to execute further exploits against the organization.”

In other words, human nature. People being people, a certain number are always going to click on that website, or lose that flash drive, or let that stranger in the door behind them, no matter how much training they’ve had. The only thing you can do is keep up the training and situational awareness. Hope that one day when that new guy from IT shows up to work on your employee’s computer because it’s setting a faulty IP address, the employee stops and says, “Hey, wait a minute . . .”

Here are 5 ways you can train your employees to become more security-conscious:

1. KEEP TRAINING SIMPLE AND PERSONAL

Employees will not be able to prevent threats if they cannot recognize them. Educating employees on how to recognize cyber security threats should be the first priority in any training program. From there, the key is to keep the content of the training program as simple as possible. Make sure to use personal terms when explaining these issues to your staff. Provide examples about how these threats could affect their personal and financial information. Connecting these issues to your employees’ personal circumstances will motivate them to learn and retain this knowledge.

2. USE AN AUTOMATED TRAINING SYSTEM

An automated training program is the best way to ensure that employees are all on the same page. Another benefit of an automated system is that it ensures consistent material on the latest developments in cyber security. It also allows for the easy tracking of employees’ progress and provides metrics for measuring their understanding of the material.

3. ESTABLISH A NO-SHAMING POLICY

All employees should be aware of best practices and company data policies, especially those who are less familiar with the dangers of cyber security threats and the potential role they can play. With that in mind, it is critical to establish a no-shaming policy for your training program.

Shaming achieves nothing but making people feel worse about themselves. It can damage professional relationships and create a hostile learning environment. These factors decrease the effectiveness of training. In a culture of shaming, employees are less likely to be honest about their lack of knowledge and are unable to make accurate assessments about the success of their learning. Staff will remain a security liability to your business unless you take the time to build and reinforce an atmosphere of support. Employees should feel free to ask questions and clarify their understanding without ridicule or retribution.

4. USE MOBILE DEVICE MANAGEMENT TO PREVENT JAILBREAKING

Many people view jailbreaking as an easy and convenient way to gain more control over their mobile devices. However, since this process removes some security restrictions, it can make mobile devices more vulnerable to cyber attacks.

Employees should be aware of the dangers of jailbreaking. Strict policies against this practice should be established and made clear to staff. A mobile device management program can ensure your employees do not jailbreak company-owned devices or engage in other practices that expose your company to security risks. If mobile devices are used to conduct business for your company, policies that apply to personal devices are important, too.

5. DISCOURAGE OVER-SHARING ON SOCIAL MEDIA AND SHARING DEVICES WITH FRIENDS

With the booming popularity of social media, sometimes hackers don’t even need to break into your system to obtain company information. Instead, they find confidential information that employees share on social media. Posting company information online is generally referred to as over-sharing. Educating your employees about this issue is crucial to your cyber security training program. Similarly, you should instruct your employees not to allow family or friends to use company-owned devices. In many cases, sharing the actual device can be worse than sharing information.

Purchase Anti-virus Software

Every computer is vulnerable to the wide variety of viruses, trojans, and worms that are on the Internet. These malicious software programs can do anything from damage your computer and files to steal your password and other important information stored on your computer. Purchase a good anti-virus software program and make sure that it is always up to date. Also, check to see that your anti-virus software checks for spyware, adware, and any other type of malware that could be hiding on your computer.

Avoid Phishing Emails

It is important to discuss with your employees the importance of not opening spam email, attachments or forwards that could possibly contain viruses. Make sure that your email has a filtering system that helps to filter out spam and other malicious email. Responding to phishing emails can be another costly mistake. Phishing emails are disguised as legitimate emails that then request login and password information. Changing passwords monthly can help to lessen the damage should an employee accidentally respond to a phishing email.

Minimize Damage From Dishonest or Disgruntled Employees

It is often difficult to predict if one of your employees will become disgruntled or dishonest, but you can put some safeguards in place to help minimize the damage should you find that you have one. Thoroughly screen your employees before hiring them, especially if they will have access to any confidential or financial company information. Limiting the number of employees that have access to this confidential information and changing your company passwords often can help to prevent former employees from accessing company computers.

Secure Your Wireless Network

Make sure that your wireless router is encrypted, and that your business is using WPA2 wireless security. A firewall is another important key to protecting the security of your small business. A firewall will allow access only to authorized users while blocking unauthorized access to the computer.

Have An Internet Use Policy

Aside from the obvious lack of productivity that personal Internet use can cause for your business, it can often be too easy to click on websites that contain malicious software that could easily infect your company computer and shut your system down temporarily or even permanently.

Avoid Having Everything on One Computer

Purchasing computer equipment is costly, so many small businesses will try to get away with fewer computers in order to save money. If you have your financial information on the same computer that your employees are accessing their company emails, you could risk losing everything that is vital to running your business should an infected email slip through.

Have a Data Backup System

Be sure to have some type of data storage and backup system in place in the event that your current system goes down. Having all of your files readily available to you in case of an emergency can ensure that your business will retain customers and continue to run smoothly no matter what the disaster.

Minimize Damage From Stolen Equipment

It difficult to prevent break-ins or equipment from being stolen from your home or office building, but you can have some security by ensuring that all of the information on your computer is encrypted and password protected.

Trying to scrimp when it comes to your small business’s computer security can be a costly mistake. Arm yourself with the knowledge of what your business could be up against and take steps towards prevention. The investment will give your company the security necessary to keep your information secure.

Visit site:
What You Need To Know About Anthem’s Security Breach

How the 2014 Attack Occurred

After the news broke about the theft of the celebrities’ photos, Apple said that the incident was “a targeted attack on user names, passwords, and security questions.” While the exact details of the incident are unknown, many believe that it was due to an iCloud vulnerability. According to this theory, a security flaw in the Find My iPhone service allowed hackers to repeatedly guess a user’s log-in information. There were no consequences for trying numerous attempts, and the hackers were not locked out after a number of tries. As a result, the hackers were able to break into their victims’ accounts by flooding the service with log-in attempts. Apple appears to have solved this problem. However, it claimed that the hackers did not exploit any specific iCloud vulnerabilities. Instead, the company said that phishing or brute force attacks were responsible for the breach.

The Methods Used by the Hackers

The iCloud hackers used a variety of common techniques to gain access to their victims’ private information. These include social engineering, phishing, and brute force. Brute force attacks involve hammering the system. Hackers first research their target. Specifically, they are looking for the answers to common security questions like “What was the name of your first boyfriend/girlfriend?” or “What is your mother’s maiden name?” Once they have enough information, they use an unlimited number of attempts in order to access the system by trying every possible answer. They begin with the most likely options, and these options are supplied by their background research. Hackers who employ phishing methods attempt to trick their targets into giving away their account information. They typically send out personalized emails claiming that the recipient has won a prize or is eligible for an award. These emails instruct the target to call the hacker, who is posing as a legitimate organization. The unwitting victim will contact the hacker in order to claim their reward. The criminal will ask for their personal information, and will then politely end the conversation. Using this information, they will break into their target’s accounts. Phishing can also involve hiding malware inside a file that is sent to the target. The malware infects the computer when the recipient opens the file to learn about their winnings. Social engineering is another hacking technique. This term describes a process of cyber intrusion that relies on a human, rather than a technical, exchange in order to complete a theft. The hacker will physically access the target’s computer by posing as the representative of a reputable organization, like the target’s IT company. Another method involves talking to the target at a bar or public place, and slowly drawing personal information from them throughout the conversation.

How to Protect Your iCloud Account

Following the recent iCloud breach, Apple released a patch that addressed the issue of security. The service now sends notification emails to users when their iCloud accounts are accessed or changed. It also has a two-factor password authentication system that texts users a randomized access code. These changes add an extra layer of security to iOS and iCloud accounts. However, they are no substitute for password security. Users should update their passwords frequently, and should refrain from reusing them. Passwords should be fairly complex. They should include both uppercase and lowercase letters, as well as symbols. Users should also avoid using obvious passwords like their birthday or their spouse’s name. Remembering several passwords at once can be difficult. Some IT experts recommend using mnemonics or writing them down. Others suggest using a password manager program. The use of a password manager is widely considered to be the best way to keep passwords safe. This tool will randomly generate passwords and will store them in a protected vault. Users only need to keep track of one password in order to protect all of their accounts.

Conclusion

In spite of the recent security breach, people should still continue to use their iCloud accounts. However, they should take the proper precautions. These include both the basics of password security and an awareness of hackers’ methods. For more information about cyber security, please contact us.