Category Archives: Security Awareness

Check, Please! Adding up the Costs of a Financial Data Breach

Guest article by Andrea Babbs, UK General Manager at VIPRE

Reliance on email as a fundamental function of business communication has been in place for some time. But as remote working has become a key factor for the majority of business during 2020, it’s arguably more important than ever as a communication tool. The fact that roughly 206.4 billion emails are sent and received each day means we’re all very familiar with that dreaded feeling of sending an email with typos, with the wrong attachment, or to the wrong contact. But this can be more than just an embarrassing mistake – the ramifications could, in fact, be catastrophic. 
Check Please! Within the financial services, layered cybersecurity strategy is essential to keep sensitive information secure
In particular, for the financial services industry that deals with highly sensitive information including monetary transactions and financial data, the consequences of this information falling into the wrong hands could mean the loss of significant sums of money. Emails of this nature are the Holy Grail for cybercriminals. So how can financial services organisations keep their confidential information secure to safeguard their data and reputation? 

How much?
According to research from Ponemon Institute in its Cost of a Data Breach Report 2020, organisations spend an average of $3.85 million recovering from security incidents, with the usual time to identify and contain a breach being 280 days. Accenture’s 2019 Ninth Annual Cost of Cybercrime found that financial services incurred the highest cybercrime costs of all industries. And while examples of external threats seem to make the headlines, such the Capital One cyber incident, unintentional or insider breaches don’t always garner as much attention. Yet they are both as dangerous as each other. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in confirmed data disclosure.

Costs will be wide-ranging depending on the scale of each breach, but at a minimum, there will be financial penalties, costs for audits to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening in the future. There could also be huge costs involved for reimbursing customers who may have been affected by the breach in turn.

Priceless damage
The fallout from data breaches goes far beyond that of financial penalties and costs. Financial services businesses have reputations to uphold in order to maintain a loyal customer base. Those that fail to protect their customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously impede the organisation as a whole. Within such a highly competitive market, it doesn’t take much for customers to take their money elsewhere – customer service and reputation is everything.

Check, please!
Within the financial services sector, the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. With this, there are three critical components that must be considered: 
  1. Authentication and encryption: Hackers may try to attack systems directly or intercept emails via an insecure transport link. Security protocols are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Adding a dedicated email to email encryption service to your email security arsenal increases your protection in this area. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries. 
  2. Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive financial information are essential, as well as clear steps to follow when a security incident happens. Employees must undergo cybersecurity awareness training when they join the organisation and then be enrolled in an ongoing programme with quarterly or monthly short, informative sessions. This training should also incorporate ongoing phishing simulations, as well as simulated phishing attacks to demonstrate to users how these incidents can appear, and educate them on how to spot and flag them accordingly. Moreover, automated phishing simulations can also provide key metrics and reports on how users are improving in their training. This reinforcement of the secure messaging, working in tandem with simulated phishing attacks ensures that everyone is capable of spotting a phishing scam or knows how to handle sensitive information as they are aware and reminded regularly of the risks involved. 
  3. Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Fully technical solutions such as machine learning can go so far to prevent breaches, but it is only the human element that can truly decipher between what is safe to send, and what is not. In practice, machine learning will either stop everything from being sent – becoming more of a nuisance than support to users – or it will stop nothing. Rather than disabling time-saving features such as autocomplete to prevent employees from becoming complacent when it comes to selecting the right email recipient, DLP solutions do not impede the working practices of users but instead give them a critical second chance to double-check.
It is this double-check that can be the critical factor in an organisation’s cybersecurity efforts. Users can be prompted based on several parameters that can be specified. For example, colleagues in different departments exchanging confidential documents with each other and external suppliers means that the TO and CC fields are likely to have multiple recipients in them. A simple incorrect email address or a cleverly disguised spoofed email cropping up with emails going back and forth is likely to be missed without a tool in place to highlight this to the user, to give them a chance to double-check the accuracy of email recipients and the contents of attachments.

Conclusion
Email remains a risky, yet essential tool for every business. But with a layered security strategy in place consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.

Given the nature of the industry, financial services organisations are a prime target for cybercriminals. The temptation of personal information and financial transactions for hackers is never going to dwindle, so financial institutions must prioritise cybersecurity, regularly assessing risks, deploying innovative, human-led solutions and educating workforces to provide the best defence possible.

Cyber Security: Three Parts Art, One Part Science

understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

There is quite a bit of subjectivity in the cyber security business. One auditor will look at evidence and agree you are in compliance; another will say you are not. If you are going to protect sensitive information, do you encrypt it, obfuscate it, or segment it off and place it behind very tight identification and access controls before allowing users to access the data? Yes. As we advise our client base, it is essential that we have all the context necessary to make good risk-based decisions and recommendations.

Let’s talk about Connection’s artistic methodology. We start with a canvas that addresses the core components of cyber security: protection, detection, and reaction. By addressing each of these three pillars in a comprehensive way, we ensure that the full conversation around how people, process, and technology all work together to provide a comprehensive risk strategy is achieved.

Related: Cyber Security is Everyone’s Business

Protection:

People
Users understand threat and risk and know what role they play in the protection strategy. For example, if you see something, say something. Don’t let someone surf in behind you through a badge check entry. And don’t think about trying to shut off your end-point anti-virus or firewall.  In today’s remote workforce environment, good employee security awareness, especially related to phishing is essential.

Process
Policy are established, documented, and socialized. For example, personal laptops should never be connected to the corporate network. Also, don’t send sensitive information to your personal email account so you can work from home.

Technology
Some examples of the barriers used to deter attackers and breaches are edge security with firewalls, intrusion detection and prevention, sandboxing, and advanced threat detection. Security leaders need to become a student of threat, and deploy the correct technology to protect, detect, and react to threat.

Detection:

The average mean time to identify an active incident in a network is 197 days. The mean time to contain an incident is 69 days.

People
Incident response teams need to be identified and trained, and all employees need to be trained on the concept of “if you see something, say something.” Detection is a proactive process.

Process
What happens when an alert occurs? Who sees it? What is the documented process for taking action?

Technology
What is in place to ensure you are detecting malicious activity? Is it configured to ignore noise and only alert you of a real event? Will it help you bring that 197-day mean time to detection way down?

Reaction:

People
What happens when an event occurs? Who responds? How do you recover? Does everyone understand their role? Do you War Game to ensure you are prepared WHEN an incident occurs?

Process
What is the documented process to reduce the Kill Chain—the mean time to detect and contain—from 69 days to 69 minutes? Do you have a Business Continuity and Disaster Recovery Plan to ensure the ability to react to a natural disaster, significant cyber breach such as ransomware, DDoS, or—dare I say it—a pandemic?

Technology
What cyber security consoles have been deployed that allow quick access to patch a system, changing firewall rules, adjusting ACLs, or policy setting at an end point, or track a security incident through the triage process?

All of these things are important to create a comprehensive InfoSec Program. The science is the technology that will help you build a layered, in-depth defense approach. The art is how to assess the threat, define and document the risk, and create a strategy that allows you to manage your cyber risk as it applies to your environment, users, systems, applications, data, customers, supply chain, third party support partners, and business process.

More Art – Are You a Risk Avoider or Risk Transference Expert?

A better way to state that is, “Do you avoid all risk responsibility, or do you give your risk responsibility to someone else?” Hint: I don’t believe in risk avoidance or risk transference.

Yes, there is an art to risk management. There is also science if you use, for example, The Carnegie Mellon risk tools. But a good risk owner and manager documents risk, prioritizes it by risk criticality, turns it into a risk register or roadmap plan, remediates what is necessary, and accepts what is reasonable from a business and cyber security perspective. Oh, by the way, those same five cyber security professional we talked about earlier, they have 17 definitions of risk.

As we wrap up this conversation, let’s talk about the importance of selecting a risk framework. It’s kind of like going to a baseball game and recognizing the program helps you know the players and the stats. What framework will you pick? Do you paint in watercolors or oils? Are you a National Institute of Standards (NIST) artist, an Internal Standards Organization artist, or have you developed your own framework like the Nardone puzzle chart? I developed this several years ago when I was the CTO/CSO of the Commonwealth of Massachusetts. It has been artistically enhanced over the years to incorporate more security components, but it is loosely coupled on the NIST 800-53 and ISO 27001 standards.

When it comes to selecting a security framework as a CISO, I lean towards the NIST Cyber Security Framework (CSF) pictured below. This framework is comprehensive and provides a scoring model that allows risk owners to measure and target what risk level they believe they need to achieve based on their business model, threat profile, and risk tolerance. It has five functional focus areas. The ISO 27001 framework is also a very solid and frequently used model. Both of these frameworks can result in a Certificate of Attestation demonstrating adherence to the standard. Many commercial corporations do an annual ISO 27001 assessment for that very reason. More and more are leaning towards the NIST CSF, especially commercial corporations doing work with the government. Keep in mind that frameworks mature, and compliance requirements change.  For example, if you are a commercial corporation doing business with the federal government, you will need to comply with the new Cyber Security Model Certification (CMMC) soon to continue doing business with the government.

As I reflect upon my 40 years as a cyber security professional, I think of the many instances where the basic tenets of cyber security—those we think have common understanding—require a lot of additional explanation. For example, what is a vulnerability assessment? If five cyber professionals are sitting around a table discussing this question, you will end up with seven or eight answers. One will say that a vulnerability assessment is vulnerability scanning only. Another will say an assessment is much bigger than scanning and addresses ethical hacking and internal security testing. Another will say that it is a passive review of policies and controls. All are correct in some form, but the answer really depends on the requirements or criteria you are trying to achieve. And it also depends on the skills and experience of the risk owner, auditor, or assessor. Is your head spinning yet? I know mine is! Hence the “three parts art.”

The post Cyber Security: Three Parts Art, One Part Science appeared first on Connected.

Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition being the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud
In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence
Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91%of cybercrimes beginning with an email. By implementing innovative tools that prompt employees to double-check emails before they send them, it can help reduce the risk of sharing the wrong information with the wrong individual. 

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the User
The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach
The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion
As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

Securing the COVID-19 ‘New Normal’ of Homeworking

The COVID-19 pandemic has put into motion a scale of remote working never before seen. Our teams are no longer just grouped in different office locations – but working individually from kitchen tables, spare rooms and, for the lucky ones, home offices! It’s therefore inevitable that this level of remote working will reveal security pitfalls for remediation, with improvements that can be carried forward when this period is over.
Attackers are taking advantage of heightened anxiety and homeworking
Tony Pepper, CEO at Egress, provides his insight below, as well as his six tips to improve data security while working from home.

Phishing

It’s sad, but it’s no surprise that phishing attacks have increased due to COVID-19– and businesses need to be prepared. Attackers are taking advantage of an environment of heightened anxiety and disrupted work settings to trick people into making mistakes, and they’re unlikely to stop until at least the main wave of the pandemic has passed.

Research shows that phishing is a major security issue under normal circumstances. Egress’ recent Insider Data Breach survey found that 41% of employees who had accidentally leaked data had done so because of a phishing email. More worryingly due to their level of access to data and systems, senior personnel are typically the most likely group to fall victim to phishing attacks, with 61% of directors saying that they’d caused a breach in this way.

And education and training can only go so far. Of course, we must continue to encourage employees to be vigilant to suspicious emails and to do things like hovering over links before clicking on them. We also need to reduce blame culture and free up employees to report genuine mistakes without fear.

But this can only go so far. People will always make mistakes. The good news is that advanced technology like contextual machine learning can remediate the targeted attacks, like conversation hijacking, that usually do the most damage to businesses.

Productivity and Security
Even in our tech-savvy world, there are still organisations that don’t have VPN access set up or enough laptops, mobile devices or processes to enable home working. But while IT teams try to quickly sort this situation out, we’re seeing employees finding workarounds, for example by sharing files using FTP sites or sending data to personal devices to work on.

We talk a lot about ‘human layer security’ technologies, which find the right balance between productivity and security. Right now, as well as looking at technologies to help securely move meetings, events and other activities online, businesses should also check that usually easy routine tasks can still be carried out safely – such as sharing large files or sending sensitive data via email. In particular, technologies like contextual machine learning and AI can identify what typically ‘good’ security behaviour looks like for individual users and then prevent abnormal behaviours that put data at risk.

For example, with people working on smaller screens and via mobile devices, it’s more likely they might attach the wrong document to an email or include a wrong recipient. Contextual machine learning can spot when incidents like this are about to happen and correct the user’s behaviour to prevent a breach before it happens.

Human Error
People are the new perimeter when it comes to data security – their decisions and behaviours can put data at risk every day, especially at a time of global heightened anxiety.

We know from our 2020 Insider Data Breach Survey that over half of employees don’t think their organisation has sole ownership over company data – instead believing that it is in-part or entirely owned by the individuals and teams who created it. And we also know that people are more likely to take risks with data they feel belongs to them than data they believe belongs to someone else. When they don’t have access to the right tools and technology to work securely – or they think the tools they do have will slow them down, especially at a time when the need for productivity is at its highest – they’re more likely to cut corners.

Maintaining good security practices is essential – and the good news is there are technologies on the market that can help ensure the right level of security is applied to sensitive data without blocking productivity.

Six Tips to improve Data Security while Working from Home 
We can all agree that times are incredibly tough right now. For security professionals looking to mitigate some of the risks, here are six practical tips are taken from the conversations we’re having with other organisations right now:

  1. Look for security software that doesn’t hamper productivity. It’s generally the aim of the game anyway – but right now, employees are feeling increased pressure to prove their productivity. If you’re finding yourself selecting new solutions, it’s never been more crucial to select technologies that don’t add difficult extra steps for them or anyone they’re working with outside the organisation.
  2. Choose collaboration/productivity solutions that have security baked into them. The other side to the coin of the point above, really: when choosing any new solution to implement at this time, make sure that security measures are part of a product’s standard design, and not an after-thought.
  3. Automate security wherever possible. If it’s possible, take decisions out of end users’ hands to ensure the security of sensitive information in line with policy, reducing the risk of someone accidentally or intentionally not using security software.
  4. Engage employees over security best practices. Phishing is a good example of this. Some inbound risks will evade the filters on your network boundary and end up in users’ mailboxes. Effort to proactively engage employees through e-learning and other educational measures can help them to know what to do with emails they think are suspicious (for example, hovering over links before clicking on them).
  5. Look to AI and machine learning to help solve advanced risks. Use cases like conversation hijacking, misdirected emails or people attaching the wrong files to documents can now be mitigated by intelligent technology like contextual machine learning, which determines what “good security behaviour” looks like for each individual, and alerts them and administrators to abnormal incidents – effectively stopping breaches before they happen.
  6. Implement no-fault reporting. People often don’t report security incidents because they’re concerned about the repercussions. Where it’s appropriate to do so, implement no-fault reporting to encourage individuals to report incidents in a timely manner, so you can focus on remediating the problem as quickly as possible.

    Returning to the Workplace and the Ongoing Threat of Phishing Attacks

    Guest post by Richard Hahn, Consulting Manager, Sungard Availability Services

    According to the Office of National Statistics (ONS), approximately 14.2 million people (44% of the total number of working adults) have worked from home during the coronavirus pandemic. To put these figures into perspective, this number stood at around 1.7 million in 2019, representing just 5% of the total working population.

    While these statistics are unsurprising, it’s clear that the paradigm of working from home every day was sudden and significant. Few businesses can claim to have anticipated such a scenario, nor to have had the business continuity planning capabilities to contend with its consequences. For example, one of the biggest cybersecurity trends to have emerged in recent weeks is a surge in phishing attacks targeting remote workers.

    As will be described in this article, phishing thrives on isolation, uncertainty and periods of change, which have all been common characteristics of the working world recently. Accordingly, Google has reported a 350% cent increase in phishing attacks from January to March of this year. 
    Education is the First Line of Defence against Phishing Attacks
    Now that organisations are beginning to transition back to former work settings, social distancing will mean that change and uncertainty will continue to be a significant factor. During this time, it is imperative that all workers are aware not only of how phishing attacks work, but also the impact that it can have on an organisation’s reputation, it’s the bottom line, and, crucially, the continuity of the business overall. Here are some key pieces of advice for staying secure under these circumstances.

    1. Phishing Attacks are Socially Engineered
    The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gains or ramifications, or the potential of work disruption or playing into a personal panic.

    However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.

    Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.

    Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.
    If unsure whether it might be a malicious message, encourage staff to ask a colleague or the IT team to analyse the message (including the full Simple Mail Transfer Protocol (SMTP) information).

    2. Attackers Use a Diverse Portfolio of Tactics
    Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is also known as pretexting and is commonly executed by crafting a fraudulent email or text message to execute an action that is not part of the standard process.

    One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.

    Organisations must understand that pretexting is considered fraud and is often not covered by cyber insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.

    3. Education is the First Line of Defence
    Phishing is often discussed within the cybersecurity space, but the conversations typically don’t involve intent and rigour.

    The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.

    Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.

    Planning for the New Normal
    The main priority for organisations moving forward is to be more proactive about implementing, practising and testing cyber hygiene from the ground up. There’s much more in the way of fundamental change on the horizon which opens organisations up to a diverse and complex threat landscape. 

    At the same time, bad actors will constantly be on the lookout for opportunities to take advantage of the chaos. By paying attention to the signs, looking out for pretexting and emphasising regular training, companies can better fend off future phishing attacks.

    Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats is critical in building resilience in the ‘new normal’ of the post-COVID-19 working world. A crippling cyberattack is always just around the corner, but by establishing plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity, the chances of survival rise exponentially. 

    How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal’

    Guest Post by the information security experts at Security Risk Management Ltd

    If promoting a positive company-wide security culture had been a challenge before the Covid-19 pandemic, that challenge has just become a whole lot more difficult. That is because the widespread move to remote working has added another layer of vulnerability. It is not simply a question of sharing office systems across a range of settings and the fact that some are using home computers (frequently shared with personal accounts); instead, it is that individuals are now one step removed from the reach of those responsible for in-house information security, usually the Chief Information Security Officers (CISOs), and the organisation’s security protocols.

    This fact has not been wasted on ever-opportunistic hackers

    Email phishing attacks target individuals, often persuading them to check or type passwords on malicious domains that appear to be legitimate. Researchers have found a 600 per cent increase in the number of phishing emails worldwide this year, frequently using Coronavirus-related themes to target individuals and businesses. These are not always easy to spot, including email headings like ‘revised vacation and sick time policy’ or ‘important message from HR’. It is easy to see how a lone worker could fall into the trap.

    The sharp rise in this type of attack reflects what hackers already know: that the human element of an organisation’s security is the weakest link. Of course, best practice network security relies on a number of elements but perhaps the hardest to establish is a positive security culture. CISOs have, however, struggled with this, even before the Covid-19 pandemic changed business practices. A survey of CISOs by ClubCISO reported that 49 per cent felt that organisational culture was already a block to them achieving their security objectives.

    In a world where remote working has become the ‘new normal’, effectively engaging individuals is more important than ever. Understanding protocols and providing easy-to-understand training and awareness are crucial for every single user of a network system and this needs to be prioritised in the current climate. But it is equally important that employees feel able to report suspicious activity quickly and in full without fearing blame or repercussions. Without this element of positive security culture, the security policy could fail because employees will be reluctant to highlight suspicious activity, with potentially devastating consequences.

    Effective Information Security Management
    In the traditional setup, the CISO or ISM would be responsible for network security. Based on an office, they manage the protocols and policies for everything from regulatory and legal compliance to staff training and breach notification. Yet, with little time for preparation, many will be challenged, perhaps lacking the immediate knowledge or experience of how to translate these to the complexities of employees working from home offices.

    This is not necessarily bad news but presents an opportunity for positive change. Now we are becoming used to the fact that employees no longer need to be office-based, we can take a step back and ask if the CISO actually needs to be resident within the bricks and mortar of an organisation? Would an outsourced (or virtual) CISO model not be equally well suited – if not better suited - to the ‘new normal’ of remote working?

    Virtual CISOs are highly skilled professional teams, drawing on a wealth of experience, working with organisations to meet all the requirements of the CISO function. Individually assigned team members work remotely with an organisation, overseeing network security at all levels; from board-level engagement and compliance to effectively embedding a company-wide positive security culture.

    It is also worth noting that they can be used for as much or as little as required, simply advising the resident CISO on strategy or developing and implementing the whole policy. Yet this best-practice alternative does not cost the earth. In fact, it is likely to cost significantly less than the traditional model, while delivering a service which is ideally suited to remote working.

    Secure IT: Shop Safe Online

    Everything we do on a daily basis has some form of “trust” baked into it. Where you live, what kind of car you drive, where you send your children to school, who you consider good friends, what businesses you purchase from, etc. Trust instills a level of confidence that your risk is minimized and acceptable to you. Why should this philosophy be any different when the entity you need to trust is on the other end of an Internet address? In fact, because you are connecting to an entity that you cannot see or validate, a higher level of scrutiny is required before they earn your trust. What Universal Resource Locator (URL) are you really connecting to? Is it really your banking website or new online shopping website that you are trying for the first time? How can you tell?

    It’s a jungle out there. So we’ve put together five ways you can stay safe while you shop online:

    1. Shop at sites you trust. Are you looking at a nationally or globally recognized brand? Do you have detailed insight into what the site looks like? Have you established an account on this site, and is there a history that you can track for when you visit and what you buy? Have you linked the valid URL for the site in your browser? Mistyping a URL in your browser for any site you routinely visit can lead you to a rogue website.

    2. Use secure networks to connect. Just as important as paying attention to what you connect to is to be wary of where you connect from. Your home Wi-Fi network that you trust—okay. An open Wi-Fi at an airport, cyber café, or public kiosk—not okay. If you can’t trust the network, do not enter identifying information or your payment card information. Just ask our cybersecurity services experts to demonstrate how easy it is to compromise an open Wi-Fi network, and you’ll see why we recommend against public Wi-Fi for sensitive transactions.

    3. Perform basic checks in your browser. Today’s modern browsers are much better at encrypted and secure connections than they were a few years ago. They use encrypted communication by leveraging a specific Internet protocol, hypertext transfer protocol secure (HTTPS). This means that there is a certificate associated with this site in your browser that is verified before you are allowed to connect and establish the encrypted channel. (Just so you know, yes, these certificates can be spoofed, but that is a problem for another day). How do you check for this certificate? Look up in your browser title bar.

    4. Create strong password for your shopping sites. This issue is covered in another blog post, but use longer passwords, 10–12 characters, and keep them in a safe place that cannot be compromised by an unauthorized person. If a second factor is offered, use it. Many sites will send you a code to your smartphone to type into a login screen to verify you are who you say you are.

    5. Don’t give out information about yourself that seems unreasonable. If you are being asked for your social security number, think long and hard, and then longer and harder, about why that information should be required. And then don’t do it until you ask a trusted source about why that would be necessary. Be wary of anything you see when you are on a website that does not look familiar or normal.

    We all use the Internet to shop. It is super convenient, and the return on investment is awesome. Having that new cool thing purchased in 10 minutes and delivered directly to your door—wow! Can you ever really be 100% sure that the Internet site you are visiting is legitimate, and that you are not going to inadvertently give away sensitive and/or financial information that is actually going directly into a hacker’s data collection file? Unfortunately, no. A lot of today’s scammers are very sophisticated. But as we discussed up front, this is a trust- and risk-based decision, and if you are aware that you could be compromised at any time on the Internet and are keeping your eyes open for things that just don’t look right or familiar, you have a higher probability of a safe online shopping experience.

    To recap:

    • Visit and use sites you know and trust
    • Keep the correct URLs in your bookmarks (don’t risk mistyping a URL).
    • Check the certificate to ensure your connection to the site is secured by a legitimate and active certificate.
    • Look for anything that is not familiar to your known experience with the site.
    • If you can, do not save credit card or payment card information on the site. (If you do, you need to be aware that if that site is breached, your payment data is compromised.)
    • Use strong passwords for your shopping site accounts. And use a different password for every site. (No one ring to rule them all!)
    • If a site offers a second factor to authenticate you, use it.
    • Check all your payment card statements regularly to look for rogue purchases.
    • Subscribe to an identity theft protection service if you can. These services will alert you if your identity has been compromised.

    Safe shopping!

    The post Secure IT: Shop Safe Online appeared first on Connected.

    Best Practices for Keeping Tabs on Your Apps

    Let’s start this conversation out with the definition of device. The list of what constitutes one is growing. For now, let’s say that you have a home computer (desktop, laptop, or both), work computer (desktop, laptop, or both), home tablet, work tablet, personal smartphone, and work smartphone. This is a pretty extensive list of devices that an adversary could use to attack you professionally and personally. But what about your Amazon Alexa or gadgets, smart toys, and smart clocks? What about Google Assistant or Microsoft Cortana? Do you also have a SmartTV? What about NEST, Wink, WeMo, SensorPush, Neurio, ecobee4, Philips Hue, Smart Lock, GarageMate? Hoo boy! The list of connected devices goes on and on.

    Are all of these devices safe to use? Well, the simple answer is no—unless you specifically paid attention to its security. Also, for your smart devices that work via voice control, do you know who might be listening on the other end? To make things worse, many of these devices are also used in the corporate world, because they are easy to deploy, and are very affordable.

    What about applications? Did the developer that created the application you are using ensure they used good secure coding techniques? Or is there a likelihood they introduced a flaw in their code? Are the servers for the application you are running in the cloud secure? Is the data you are storing on these cloud systems protected from unauthorized access?

    All really good questions we rarely ask ourselves—at least before we use the latest and coolest applications available. We all make risk-based decisions every day, but do we ever ensure we have all the data before we make that risk-based decision?

    What Can You Do?

    Start by doing whatever homework and research you can. Make sure you understand the social engineering methods that the malicious actors are currently using. Unsolicited phone calls from a government agency (like the IRS), a public utility, or even Microsoft or Apple are not legitimate. No you don’t owe back taxes, no your computer has not been hacked, no you don’t need to give out sensitive personal information to your power company over the phone.

    How Can You Choose Safe Applications?

    Simply Google “Is this <name of application> secure?” Never install an application that you don’t feel you can trust. Using an application is all about risk management. Make sure you understand the potential risk to device and data compromise, prior to choosing to use it.

    How Can You Better Secure Your Home Network?

    1. Upon installation of any device, immediately change the login and password. These are often stored in the configuration files that come with the product, therefore are easy to look up.
    2. Change the login and password on your home Wi-Fi router frequently.
    3. Ensure the software for anything that connects is up to date.
    4. Make sure you have a clear sense of where your sensitive data is stored—and how it is protected. Is it adequately protected—or, better yet, encrypted?
    5. When in doubt, don’t connect an IoT device to the Internet.

    Lastly, look at some solutions that can be added to your home Wi-Fi network, that provide additional layers of protection and detection against IoT and other advanced attacks. F-Secure Sense Gadget is one such solution, as is Luma smart Wi-Fi router, Dojo, and CUJO. Dojo, for example, monitors all incoming and outgoing traffic and performs analysis looking for malicious traffic. With known weaknesses in IoT and home networks in general, solutions like the above are a good investment.

    Don’t Give Hackers Easy Access

    Not long ago, a casino in the Northeast had a fish tank in their lobby. To make management of the fish tank easier, they installed an IoT-enabled thermostatic control to set and monitor water temperature in the tank. The thermostatic control was connected to their internal network, as well as IoT-enabled to allow easy access from anywhere on the Internet. The device was breached from the Internet by malicious actors, and the internal network was penetrated, allowing the hackers to steal information from a high-roller database before devices monitoring the network were able to identify the unauthorized data leaving the network and shut it down. A classic case of what can happen without the right due diligence.

    Try and follow this motto. Just because you can, does not mean you should. The latest shiny IT gadget that will make you seem cool, or potentially make some portion of your life easier to manage, should be evaluated thoroughly for security weaknesses, before you turn it on and open it up to the world. Make that good risk-based decision. Not many of us would consider doing this: “Hey Alexa, open up my desktop computer so that all my sensitive data is opened for all the world to see.” Or would we?

    The post Best Practices for Keeping Tabs on Your Apps appeared first on Connected.