4 Things Companies Should Document to Improve IT Security and Disaster Response

An IT manager has the difficult task of overseeing people, processes and technology. And, if there isn’t a departmental emphasis on documenting pertinent information, overseeing a successful IT security program can be a difficult, sometimes impossible, task.

The following are a few items IT professionals should keep a record of in order to maintain efficient IT workflows:

  1. Incident response plans. An incident response plan not only helps companies prepare for potentially crippling IT disasters, but it can also give clients, partners and customers reassurance that an organization is committed to IT security.
  2. Key stakeholders. In the event of an emergency, it can sometimes be difficult to identify who is responsible for what. This can make responding to incidents difficult and confusing. To help ensure a quick response to incidents, identify who would be the decision-makers following a variety of scenarios.
  3. Common risks. Documenting IT information and processes not only ensures business continuity in the event of an incident, but it can help IT professionals prevent threats altogether. Experts recommend that IT departments rank their top five greatest threats and detail possible actions that the department can take if and when a threat emerges.
  4. Third-party providers. More and more IT departments are working with third-party providers, especially as data continues to move to the cloud. In the event of an incident, it is important that a company is equipped with a list of contacts if there is an issue with an off-site system.

As an added bonus to documenting key IT information and processes, other departments will be able to see how data security is handled at a high level. This not only reinforces the importance of IT infrastructure, but it can help promote company-wide buy-in as it relates to ongoing training and future security initiatives.

© Zywave, Inc. All rights reserved

Preventing Social Engineering Attacks

Reliable security systems can prevent losses for your business. While many businesses invest large sums of money into building sound physical structures and robust IT systems or even hiring on-site security guards, they often overlook the biggest security vulnerability—people.

No matter how dependable security systems might be, people with authorized access to those systems will always be a vulnerability. That’s why criminals have begun employing a series of tactics called “social engineering” to convince people to give them access—something that costs companies billions each year, and is completely preventable.

What is social engineering?

Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. In order to do so, social engineering relies upon a set of tactics that exploit psychological weaknesses and blind spots in order to convince victims to give social engineers what they want.

That’s what can be so dangerous about social engineering—criminals can use psychological blind spots to have employees willingly give unauthorized parties access, information or property. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor, or even an on-site visit from a “fire inspector” who demands access to the company’s server room.

Psychological Weaknesses

There are a number of different types of attacks, but social engineers almost always prey upon the following psychological weaknesses in order to get what they want:

  • Fear of conflict. People dislike conflict and confrontation and will use almost any excuse to avoid them. Social engineers exploit this by exuding confidence when they ask for information or physical access that they have no right to. When social engineers display confidence, most people prefer to comply with requests rather than challenge them.
  • Getting a deal. Confidence artists have always relied upon the greed of their victims; social engineers exploit a similar principle. These criminals have often been known to use gifts and giveaways to get victims to let down their guard. Sometimes, the giveaway itself is used to disguise a piece of malicious code that the unsuspecting victim then installs on his or her computer.
  • Sympathy. Sometimes, social engineers employ a softer tactic, using charisma and humor to gain sympathy or to ingratiate themselves with an individual or group. By establishing rapport and breeding positive feelings, they leave victims too distracted to realize that they’re being scammed.
  • Need for closure. The need for closure is a well-documented psychological need, and one which social engineers exploit. In the event that they are ever questioned or confronted, social engineers who’ve done their homework will have an answer to any challenge or question likely to come their way. In most cases, any answer—even if it’s undocumented, unsubstantiated or blatantly untrue—offers people psychological closure, giving them the sense that they’ve done their due diligence.

Preventing Social Engineering Attacks

Educating your employees is essential to minimizing the risk of social engineering. Even the best security system will fail if employees willingly allow unauthorized use of their workstations or email their system credentials to a criminal. In order to make your educational efforts stick, consider employing the following strategies:

  • Encourage your employees to “Stop. Think. Connect.” The “Stop. Think. Connect.” campaign is a global initiative that encourages people to be smarter about online privacy and security. The motto is an easy-to-remember way to approach divulging sensitive information, both in person and online.
  • Make a personal connection. The same principles that make your company vulnerable can make your employees vulnerable in their personal lives. Show employees how the same practices for security at work will make them more secure in their personal lives as well.
  • Use “social proof” to your advantage. Social engineers will often deploy social proof—evidence of a large number of people or select important people engaging in a behaviour as proof of its validity—in order to gain compliance. Use that to your organization’s advantage by making sure executives and managers make security a top priority as an example for the rest of the company.
  • Train. Getting the information out there is important, but most adult learners retain more information when they receive interactive training. Consider specific social engineering training that encourages questions and incorporates interactive examples that relate directly to your employees’ work activities.
  • Test. Make sure your educational and training efforts work by conducting regular tests. Despite growing awareness of social engineering tactics like phishing, large numbers of people still open emails and click on links that they shouldn’t. Consider conducting an in-house phishing audit to find out just how many employees have taken their security training to heart.

Remain Vigilant

Your employees will always represent a possible vector of attack for criminals, which is why you should always remember the human factor when considering security. Just as your company upgrades systems and installs software patches, so too should you periodically remind your employees of best practices and determine what new tactics social engineers are using to exploit people.

4 Takeaways from a Cyber Study

The Scalar Security Study is an annual report that examines how prepared Canadian businesses are for cyber threats. Specifically, the study surveyed 654 IT and IT security practitioners to determine the average cost of a cyber attack, whether organizations feel prepared for cyber threats and what tactics they find most effective when it comes to protecting themselves. The following are some of the major findings from the study:

  1. The number of cyber attacks is increasing. Survey respondents reported experiencing an average of 40 cyber attacks per year. This number represents a 17 per cent increase compared to last year’s report. It’s important to note that many of these cyber attacks involved the loss of sensitive information.
  2. Organizations are less confident in their ability to protect themselves. Cyber attacks are increasing in frequency and sophistication. What’s more, insufficient personnel and a lack of in-house expertise were found to be the major reasons organizations felt unprepared for the increasing threat. In fact, only about 37 per cent of organizations felt they were winning the war against cyber criminals.
  3. Organizations are concerned about security threats from mobile devices. Mobile devices and applications were two of the major security concerns for organizations. Mitigating these risks requires both technological controls and internal governance.
  4. Intellectual property is a major and expensive target of cyber criminals. The loss of intellectual property and other proprietary information due to cyber attacks impacted 33 per cent of the businesses surveyed, with the average cost of the loss coming in just under $6 million.

In addition to the above, the report found that cyber security threats will increase in severity. Businesses will need to adapt to the changing landscape if they are to protect themselves from the devastating losses associated with cyber crime.

The Risks of Allowing Employees to Use Tablets

Tablets and other such devices have become increasingly common in the average workplace. And, while these devices can be important for your employees’ daily work, they also represent a cyber risk if they are not properly managed.

The following are just a few of the major risks associated with having tablets in the workplace:

  • Mobile malware. Tablets are typically infected by malware via malicious apps and phishing scams. When this happens, a cyber criminal can gain unauthorized access to the device and associated network systems. In general, iOS tablets like iPads are safer from malware than Android tablets. However, mitigating the risk of malware typically comes down to the user. Workers should avoid downloading unfamiliar apps.
  • Loss of data. Following a security breach, data loss is inevitable. For tablets, this could mean that users are locked out of their devices altogether. To protect your business, employees should always back up their data and ensure that no sensitive or proprietary information is stored on the device.
  • Unsecured networks. Unsecured networks are a particular concern for tablets because they are easy to take on the go into areas with free and public Wi-Fi connections, like cafés and airports. These connections are not always secure and can be easily hacked by cyber criminals. To prevent this, employees should be reminded that no public Wi-Fi is safe. For further protection, offer a virtual private network (VPN) that your employees can utilize to safely use the internet off-site.
  • Theft. In addition to virtual threats from hacking and phishing scams, cyber criminals could just as easily steal the tablet itself. This could give them unlimited access to proprietary or personal information. To combat this, employees should never leave their devices unattended. Using a secure password can also help prevent theft of information.

Above all, employers should have a personal device policy in place that accounts for security threats. Employees should know what they can and cannot do with their devices and how to protect the sensitive information contained within. These policies should be extended to other personal devices with internet access, such as smartphones.

The Fake President Cyber Fraud

The “fake president fraud” is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account. It may be hard to imagine that any of your employees would authorize a wire transfer to an unknown account, but law enforcement officials have seen a marked rise in the occurrence of this scam over the past several years.

What’s especially dangerous about this particular type of fraud is that many companies—even those with both crime and cyber policies—might not be covered unless they have a social engineering fraud endorsement on their crime policy. Read on to better understand how the scam works and what you and your employees can do to mitigate the risks.

Understanding Social Engineering

The scam’s success relies on criminals using something called “social engineering.” Social engineering refers to tactics that exploit common psychological weaknesses and preconceived notions about authority and social relationships to make people engage in certain behaviours. Often, that means exploiting patterns of behaviour that are automatic and subconscious, so that victims might not even realize what they’ve done until after the fact.

Because social engineering relies on exploiting your employees’ assumptions and subconscious thought patterns, it can be hard to recognize unless someone points it out. That’s why the best way to defend your organization is to learn how a scam works and educate your employees about it.

How Does the Fake President Fraud Work?

The fake president fraud may vary in some of its details, but it always contains four major elements.

  1. The “president” makes contact. Someone posing as a high-level executive in the company—often the president, CEO or CFO—will reach out to the target employee. This contact often occurs via email, either from a domain that is deceptively similar to the company’s actual domain, or via a “personal account.”
  2. The “president” asks for a wire transfer. The “president” asks the employee to wire a large sum of money to a foreign bank account. The employee might be told that the money is for a host of seemingly legitimate purposes (recent acquisitions, paying off debts, paying vendors, etc.).
  3. The “president” pressures compliance. At this point, many employees may question the unusual request or the break in typical company protocol. That’s when the “president” deploys psychological pressure on the employee to accept the scenario as genuine and comply with the request. Those pressures can rely on a number of different factors, including the following:
    • Authority: The criminal will emphasize his or her rank to convince the employee. This offers the criminal many options, such as using that authority to intimidate the employee or preying upon the employee’s desires to impress a superior.
    • Time pressure: Criminals will often claim that the transfer is an urgent matter, forcing the employee to ignore typical protocol and eliminate the chance that he or she might disclose the transfer to another party or verify the information before making the transfer.
    • Secrecy: Often deployed in conjunction with time pressure, the “president” may emphasize that this deal must remain secret for strategic or legal reasons. Having the employee “in” on the secret can make him or her feel special and thereby increase the chance that the transfer will go through.
  4. The employee makes the transfer. The employee contacts the bank, and the bank then makes the transfer. Even if it is unusual, the bank will transfer the funds to the account if the employee making the request is authorized to do so.
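The first element above, contact from a domain that is deceptively similar to the company’s or from a personal account, together with the pressure wording of the third element, is something a mail gateway or SOC triage script can flag before the message reaches an employee. The following Python check is an added example, not part of the Zywave article; the corporate domain `example-corp.com`, the executive roster and the sample messages are constructed placeholders.

```python
"""Triage check for the 'fake president' pattern: an executive's display name on a
sender domain that is a lookalike of the corporate domain or a personal-mail
domain, optionally combined with wire-transfer and urgency language.
Added example; COMPANY_DOMAIN, EXECUTIVES and SAMPLE_MESSAGES are constructed."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                  # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}  # constructed roster
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PRESSURE_WORDS = ("urgent", "confidential", "wire", "transfer", "immediately", "today")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: small non-zero values indicate a lookalike string."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Map the digit lookalikes 0->o and 1->l so 'examp1e-c0rp.com' folds to the real domain."""
    return domain.lower().translate(str.maketrans("01", "ol"))


def classify_sender(from_header: str) -> list[str]:
    """Reasons the From: header resembles executive impersonation (empty list if none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    exec_name = display.strip().lower()
    reasons: list[str] = []
    if domain == COMPANY_DOMAIN:
        # Genuine corporate domain; assumes SPF/DKIM/DMARC already rejected forgeries.
        return reasons
    if exec_name in EXECUTIVES and domain in PERSONAL_DOMAINS:
        reasons.append(f"{EXECUTIVES[exec_name]} name on personal-mail domain {domain}")
    folded = fold_homoglyphs(domain)
    # Distance <= 2 catches typo-squats such as a dropped letter or a swapped pair;
    # tune the threshold against your own legitimate partner domains.
    if edit_distance(folded, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain} ~ {COMPANY_DOMAIN}")
    return reasons


def score_message(from_header: str, subject: str, body: str) -> dict:
    """Combine sender findings with the transfer/urgency wording the scam relies on."""
    reasons = classify_sender(from_header)
    text = f"{subject} {body}".lower()
    hits = [w for w in PRESSURE_WORDS if re.search(rf"\b{w}\b", text)]
    if reasons and hits:
        reasons.append("pressure/transfer language: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons}


SAMPLE_MESSAGES = [  # constructed for this example, not real mail
    ("Jane Doe <jane.doe@example-corp.com>", "Q3 numbers", "See the attached deck."),
    ("Jane Doe <janedoe.ceo@gmail.com>", "Urgent - confidential",
     "I need a wire transfer completed today for an acquisition. Keep this between us."),
    ("John Roe <john.roe@examp1e-corp.com>", "Vendor payment",
     "Please transfer the outstanding balance immediately."),
    ("Sam Vendor <sam@supplies-inc.com>", "Invoice 1041", "Attached is this month's invoice."),
]


def triage(messages=SAMPLE_MESSAGES) -> list[dict]:
    """Score each (from, subject, body) triple and keep the sender for reporting."""
    return [dict(sender=f, **score_message(f, s, b)) for f, s, b in messages]


if __name__ == "__main__":
    for row in triage():
        print("ALERT" if row["suspicious"] else "ok   ", row["sender"])
        for reason in row["reasons"]:
            print("      -", reason)
```

A hit from this check is a prompt for the out-of-band identity verification described under Mitigating Risks, not a verdict on its own.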

Why This Scam is NOT Covered by a Cyber Policy

This scam bears similarities to certain cyber scams, like spear phishing. Insofar as both kinds of scams involve sending emails targeted to specific employees, the tactics are similar. However, there are some crucial differences.

Spear phishing targets an employee in order to convince him or her to open an email or click a link, which downloads malicious code onto the employee’s computer and allows the criminal to access the company’s network. With phishing scams, the crime is an unauthorized data breach, and, as such, the exposure would be addressed by a cyber policy.

By contrast, in the fake president fraud, the employee willingly authorizes a wire transfer to the criminal’s bank account. Even though the crime was initiated via email, the fundamental criminal act is fraud, not data breach, and will not be covered by a cyber policy.

Mitigating Risks

There are a number of things companies can do to reduce the risk of falling victim to such a scam. These include the following.

  • Educate Employees. It’s essential that all employees—especially those who are authorized to make wire transfers—are aware of the scam and how it works. Ultimately, this scam works by preying on a number of psychological blind spots, including ignorance. Combat that by making your employees aware of the risk and diligent about company procedure.
  • Demand Adherence to Protocols. Your company should have protocols for authorizing the transfer of funds. Reinforce the importance of adhering to these protocols.
  • Verify Identities. This can be especially important if employees have infrequent contact with C-suite executives or if requests are frequently made remotely. Establish guidelines for independent means of verification if requests fall outside of established protocols or if timelines must be accelerated.

Make Sure You’re Covered

Insurance solutions for the fake president fraud are available, but they often come in the form of a specific endorsement on a crime policy.

Spear Phishing: Targeted Cyber Crime

“Phishing,” a type of cyber attack in which a hacker disguises him- or herself as a trusted source online in order to acquire sensitive information, is a common scam that can put employees and businesses at risk. However, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. And, when attacks contain personal information, they are much more difficult to identify as malicious.

For businesses, the potential risk of spear phishing is monumental. The 2015 Internet Security Threat Report released by Symantec Corporation, a company that specializes in security software, states that, globally, 5 out of every 6 large employers were targeted in spear phishing attacks in 2014, and that there was an average of 73 spear phishing email attacks per day.

How to Protect Your Business

Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to your business. For example:

  • Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone. In a Web browser, you can tell a website is secure when you see a lock icon in the URL bar, or when the URL begins with “https” rather than “http”; the “s” stands for “secure”.
  • Some spear phishing schemes are carried out by telephone, so never share information over the phone unless you initiated the call to a trusted number.
  • Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
  • Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
  • Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.
  • Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.

Information Security is Key to a Secure Remote Work Program

Allowing employees to work remotely from home or other off-site locations can increase productivity for workers, reduce costs for the company and create beneficial flexibility to keep operations going if something were to happen to your business’s primary physical location. However, remote work, or telecommuting, needs to be conducted carefully, with the help of established company policies, in order to protect workers, your clients and your company.

Information security is the largest challenge for companies with remote workers. Physical loss or theft of devices containing data, or providing access to data, is much more likely. Remote workers will usually be in possession of laptops and/or mobile data drives issued by the company to allow them to work with the same systems and information as workers located in-house. Building security, key cards and the watchful eyes of other employees will not be there to protect their equipment.

Another aspect of security to be cautious about is the use of company-issued equipment for non-work-related tasks. If laptops are accessed by family members, they could potentially download a virus or spyware. The same could happen if an employee got lax and used company equipment for personal use. Companies should also be aware of how any sensitive data or documents will be stored and disposed of. Physical printouts in particular need to be disposed of properly.

To protect your employee and your company’s interests, be sure that all equipment requires passwords and encryption for access. A thorough policy should be established regarding the line between personal and company property and activity for remote workers to prevent missteps from happening. When establishing the employee’s remote worksite, be sure that any wireless connection is secured and that your company has a policy about using unsecured connections (such as at hotels and other public spaces) for work tasks. Companies can also set up Virtual Private Network (VPN) access for connecting to the company’s networks, to ensure that access is secure.

5 Tips for Using Cloud Services to Keep Your Private Information Safe

Storing documents, photos and data in cloud storage can be very convenient. Some people feel it’s much easier to have everything in one place instead of carrying around flash drives or discs that contain your data. But recent events in the media may have you doubting whether the private information you keep in cloud storage is safe from hackers.

Here are five tips to help keep your cloud data safe from hackers:

  1. Use strong passwords and do not use the same password for multiple accounts.
  2. Don’t answer security questions honestly. Security questions can be hacked right along with passwords. Make up your own security question, if possible. The answer doesn’t have to be true, just something you can remember.
  3. Turn on two-step verification to require more than a password, such as a security question and a password, to successfully sign in to your account.
  4. Find out what you are automatically backing up in the cloud. If you don’t want your info to back up automatically, turn that setting off.
  5. Understand that you have limited control over the security of what you store on the Internet. To put it into perspective, think of it as storing data on someone else’s computer. You cannot control what he or she does with it or how it is secured.

C3RM to Participate in the Canadian Cybersecurity Alliance (CCA)

C3RM is pleased to announce that it will be participating in the Canadian Cybersecurity Alliance (CCA) / Alliance canadienne sur la cybersécurité (ACC). The CCA-ACC (originally initiated as the Inter-Association Working Group on Cyber Security – IAWGCS) is a voluntary, non-hierarchical, not-for-profit agile network, founded by Grant Lecky in 2013. The primary purpose of the CCA-ACC is to enhance the professionalization of the Canadian cyber domain through effective inter-association engagement and knowledge-sharing. To date, more than 90 associations with a stake in cyber security have confirmed their participation in the CCA-ACC, making this initiative unprecedented in both scale and scope. Each of the participating associations contributes its own unique perspective on the Canadian cyber landscape.

The CCA-ACC is administered by a National Council, whose role includes maintaining the structure of the CCA-ACC itself, and facilitating inter-association dialogue.

Douglas Blakey, Managing Director, will be the primary association representative to participate on behalf of C3RM.

Contacts:

Canadian Cybersecurity Alliance / Alliance canadienne sur la cybersécurité.
Bonnie Butlin
National Coordinator and Chair of the National Council,
Bonnie.butlin@cyberalliance.ca
613-266-8048

Terry Cutler
National Council Representative and Communications Lead
Terry.cutler@cyberalliance.ca
514-791-9653

Canadian Centre for Cyber Risk Management
Douglas Blakey
Managing Director
dblakey@c3rm.org

Preventing Laptop Theft

As more and more companies issue laptops to employees, the chances of losing a laptop (and the data stored on it) to theft are much greater. Follow these guidelines to help keep your laptops safe.

Communicate Employee Responsibility

If your company issues laptops to employees, be sure to communicate that your employees have a responsibility to care for them.

Employees’ work laptops may have their personal information on them—stored website sign-in information, name, address, work documents, etc.—and they may not realize it. Making employees aware that the theft of a work laptop could personally affect them can be an incentive for them to protect their computers.

It may be beneficial for you to provide a security cable lock when you issue laptops to employees. A cable lock works similarly to a bike lock—one end of the cable has a lock that goes into the laptop’s security slot and the other end is attached to a heavy stationary object, such as a desk. This type of lock works as a visual deterrent, as well, making the laptop less appealing to a thief.

Give your employees frequent laptop safety reminders and updates on new scams or theft tactics. Laptop safety is not a one-time thing—making security a habit will keep your company’s property and information safe.

Laptops That Don’t Leave the Office Are at Risk, Too

A laptop that never leaves the office should not be considered safe from theft. If the laptop is not locked to a docking station or desk, it is vulnerable.

An employee who is planning to quit or who is feeling disgruntled may see stealing a laptop as an easy score. One way to protect your company laptops is to apply tamperproof metal labels with your company name and contact information to each laptop. There are many types of tamperproof labels available, such as labels that etch a permanent message or break into tiny pieces when removed. The labels can also be used to track inventory and software updates.

Deterring theft can also be achieved by engraving the company name on laptops. This will discourage employees from stealing them, because the permanent engraving decreases the resale value.

Use Encryption Software

The physical loss of a laptop may not be as devastating as the loss of the information and data stored on that laptop.

Encryption software uses mathematical algorithms and an encryption key to encode data so that only someone who has the encryption key can read it. There are three different encryption methods you can use, based on the sensitivity of your data. Make sure you choose the right level of protection for your company.

  • Full-disk encryption encrypts an entire disk, including all its data. This method is used to encrypt laptops, desktops and mobile devices.
  • Individual file encryption encrypts a single file or creates an encrypted repository for file storage.
  • Data-in-transit encryption encrypts data during a transfer, but does not guarantee encryption once the data reaches its destination.

To protect the interests of your company and employees, all devices should be encrypted and require passwords for access.

Install Tracking Software

Tracking software is often called “anti-theft” software—it tracks your laptop to its current location using IP address geolocation, GPS or Wi-Fi positioning. A stolen laptop can be easier to recover if you’ve installed tracking software before the theft.

Some software can take a photo of the thief if the thief turns on the computer, showing his or her identity. If the thief sells the laptop to someone, capturing the new user’s identity is helpful for finding the thief.

Tracking software can also take screenshots of what the thief is doing on your computer, which is helpful if the thief signs in to his or her own personal accounts. Some software can lock the thief out to prevent him or her from logging on to your computer at all, and some software can remotely delete sensitive data from the hard drive if you tell it to.

Keep in mind that tracking software alone does not prevent theft—your employees’ actions and habits play a major role, too. Contact Precept Insurance & Risk Management today to learn more about defending your company’s laptops against theft.
