1500 Lake Shore Drive, Suite 400, Columbus, OH 43204
614.481.4300
Category

Cyber Security Awareness

“Helpful” Worms and White Hat Nuisances

By Cyber Security Awareness | No Comments

By definition, there’s nothing really wrong with viruses. They’re just self-replicating, that’s all. If the cash in your wallet was self-replicating, you probably wouldn’t complain. Virus researcher Fred Cohen has even put out a $1,000 bounty for the first developer who can come up with a truly helpful virus. So far, he hasn’t paid out, but theoretically, a good computer virus is possible.

“Helpful” worms, however, may prove that even a “good” virus is a bad idea.

Helpful worms like Welchia, Den_Zuko, Cheeze, Mellenium and CodeGreen were designed in the name of helping the user. Welchia’s design was actually kind of clever, finding and eliminating the Blaster worm by seeking out the same vulnerabilities as the Blaster worm, and then, usually, applying a security patch to keep any other worms from working their way in. The Welchia worm was programmed to automatically remove itself at a set date.

Here’s the problem though: The main thing that worms do is slow down your network by feeding a constant stream of data through it. Whatever else they might do, that’s the main thing people hate about worms. A helpful worm slows down the network just as much as a harmful worm will. Additionally, helpful worms are known to reboot the computer without the user’s consent, which can be a major problem if you’re right in the middle of a project that you haven’t saved recently.

Helpful viruses are an interesting idea in theory, but they still self-replicate without the user’s consent, they still eat up RAM and other resources, they still slow the network down. As technology advances we may see a day when helpful viruses are able to actually improve a computer’s performance without any adverse effects. For the time being, however, there is that old saying about where the road paved with good intentions leads to…

False Fears and Legitimate Threats

By Cyber Security Awareness | No Comments

The main thing to keep in mind when comparing real threats to false flags: The most boring interpretation of the truth is usually the one that’s closest to being correct.

Remember Y2K? Everyone was worried that turning our computer clocks over from 1999 to 2000 was going to crash the whole system and leave the world in chaos. Some companies even made a pretty penny by selling software that would make your system “Y2K compliant.” Then what happened when the clock actually turned over? Absolutely nothing at all.

All that wasted time and energy spent fretting over something as simple as a change of date, and the world just kept on turning.

We need to be able to distinguish between a real threat and an imaginary threat for the simple reason that managing those threats demands that we draw upon finite resources. The team that you have chasing after false alerts are going to be too busy to handle actual threats to your data. Skilled cyber-security professionals are in short supply, which means that even if you have it in the budget to double your current cyber-security staff, the candidates might just not be out there. You might need to make it work with the people you already have on board, and that means spending less time chasing after false alarms.

Here are some steps we can take towards wasting fewer resources in cyber-security:

  • Let the software do its job

Preventive antivirus software is a good start, but it’s also a good idea to cross-check with regular scans. This is common sense, but you’d be surprised at how many people don’t do this. A prevention-only based approach is going to lead to longer infection dwell time.

  • Follow your security team’s lead

You hire people so that you have less to do, and you’ve likely discovered that you tend to get the best results when you give your staff some breathing room and let them use their own judgment. Unless you’re a cyber-security professional yourself, there’s no reason to micromanage how your security team handles their responsibilities.

  • Don’t stress about far-fetched threats

You probably don’t have members of Anonymous working all day to crack your system. Don’t stress about it.

The truth is that cyber-security is something that a good security team and some professional-grade software can manage. It seems like every few years the business world goes into a panic about Y2K or hackers or some supervirus ravaging systems across the globe. The truth is that leaked passwords and garden-variety malware are your main concerns.

DON’T FORGET INSURANCE FOR YOUR ORGANIZATION’S CYBER RISKS

By Cyber Security Awareness | No Comments

The federal Internet Crime Complaint Center received more than 330,000 complaints in 2009, and more than a third of them ended up in the hands of law enforcement. The damages from those referred to the authorities totaled more than a half billion dollars. The Government Accountability Office estimated that cyber crime cost U.S. organizations $67.2 billion in 2005; that number has likely increased since then. With so much of business today done electronically, organizations of all types are highly vulnerable to theft and corruption of their data. It is important for them to identify their loss exposures, possible loss scenarios, and prepare for them. Some of the questions they should ask include:

What types of property are vulnerable? The organization should consider property it owns, leases, or property of others it has in its custody. Some examples:

  • Money, both the organization’s own funds and those it holds as a fiduciary for someone else
  • Customer or member lists containing personally identifiable information, account numbers, cell phone numbers, and other non-public information
  • Personnel records
  • Medical insurance records
  • Bank account information
  • Confidential memos and spreadsheets
  • E-mail
  • Software stored on web servers

Different types of property will be susceptible to various threats, such as embezzlement, extortion, viruses, and theft. What loss scenarios could occur? The organization needs to prepare for events such as:

  • A fire destroys large portions of the computer network, including the servers. Operations cease until the servers can be replaced and reloaded with data.
  • A computer virus infects a workstation. The user of that computer unknowingly spreads it to everyone in his workgroup, crippling the department during one of the year’s peak periods.
  • The accounting department discovers a pattern of irregular small funds transfers to an account no one has ever heard of. The transfers, which have been occurring for almost three months, were small enough to avoid attracting attention. They total more than $10,000.
  • A vendor’s employee strikes up a casual conversation at a worker’s cubicle and stays long enough to memorize the worker’s computer password, written on a post-it note stuck to her monitor. Two weeks later, technology staff discovers that an offsite computer has accessed the human resources database and viewed Social Security numbers, driver’s license numbers, and other personal information.

In addition to taking steps to prevent these things from happening, the organization should consider buying a Cyber insurance policy. Several insurance companies now offer this coverage; although no standard policy exists yet, the policies share some common features. They usually cover property or data damage or destruction, data protection and recovery, loss of income when a business must suspend operations due to data loss, extra expenses necessary to maintain operations following a data event, data theft, and extortion. However, each company might define these coverages differently, so reviewing the terms and conditions of a particular policy is crucial. Choosing an appropriate amount of insurance is difficult because there is no easy way to measure the exposure in advance. Consultation with the organization’s technology department, insurance agent and insurance company might be helpful. Finally, all policies will carry a deductible; the organization should select a deductible level that it can afford to pay and that will provide it with a meaningful discount on the premium. Once management has a thorough understanding of the coverages various policies provide in relation to the organization’s exposures, it can fairly compare the costs of the policies and make an informed choice.

Computer networks are a necessary part of any organization’s environment today. Loss prevention and reduction techniques, coupled with sound insurance protection at a reasonable cost, will enable an organization to get through a cyber loss event.

Cybersecurity Risk Management: Should You Delegate It?

By Cyber Security Awareness | No Comments

The recent security breach at Sony underscored not only the need for better security in protecting sensitive internal documents and information, but also the appalling lack of care being taken on an individual level to protect passwords and take other steps to protect (or remove) sensitive conversations and data. Despite a litany of other widespread and serious data breaches in recent years, many businesses still don’t seem to be taking cybersecurity as a serious issue that not only could affect them, but very well may.

As a business owner or manager, you’ve heard time and again how important it is to delegate in order to streamline processes and be more productive – and more profitable. But delegating does not mean turning a blind eye; and when it comes to cybersecurity issues, unless you have a dedicated chief information security officer, you need to take an active role in ensuring your data is adequately protected.

The key to effective management begins with understanding the types of threats that exist and how they’re evolving, as well as identifying new threats as soon as they begin to emerge. At the same time, management needs to develop actionable steps to counteract potential breaches, looking for weaknesses at every level, from individual employee passwords and use of personal devices like smartphones, to the way data is encrypted and stored, both in the cloud and on any on-site or remote servers.

Strong, company-wide policies backed up by employee education programs and Q&A sessions are the cornerstones of an effective cybersecurity policy; managers must clearly communicate to employees – at every level – the vital roles they play in protecting the company from cyber threats so they see BYOD and other policies as being protective rather than punitive.

Involving employees in cybersecurity discussions also helps ensure their cooperation and compliance.
One more lesson from the Sony breach: Unlike other cybersecurity attacks that have targeted customer identification and banking information, the Sony attackers also focused on employee emails, revealing information that proved both embarrassing and potentially costly. Many businesses fail to consider emails and personal files when considering cybersecurity measures, leaving themselves wide open to similar breaches.

In a nutshell, companies that assess and manage cybersecurity issues as vigilantly as they do financial, operational and reputation-related risks have the greatest chance of thwarting attacks and breaches. Start today to plan how to avoid breaches as well as how to respond if a breach does occur.

 

Tips To Boost Your Cyber Security In The New Year

By Cyber Security Awareness | No Comments

Cyber attacks threaten more than your company’s computers. They could affect your company’s ability to stay in business. Prepare for a safe and secure 2018 when you boost cyber security.

Update Software Often

Ensure that every device in your network is equipped with anti-virus software and set to update automatically. Commit to check for patch updates, too, often throughout the year.

Use Firewalls

Firewalls protect your computer from many viruses and other malicious content. They can block suspicious content and prevent employees from accessing malicious websites. Double check that your firewalls are working and updated.

Open Email Carefully

Cybercriminals often place viruses, malware and other malicious content in email attachments, or they entice readers to share personal information. Because your employees may receive hundreds of daily emails, host a training and equip them to recognize and avoid threats.

Improve Passwords

Require employees to change passwords every month or more frequently. Also, encourage them not to share their password with anyone, even with coworkers, and never to write down their passwords. For security, passwords should follow several guidelines.

  • Be hard to guess
  • Include eight or more characters
  • Contain a mix of uppercase and lower letters, characters and numbers
  • Be different for every site

Share Files Wisely

Many companies rely on file sharing, and your employees and clients can collaborate safely when you use cloud-based sharing resources like Google Docs, OneDrive or Dropbox. Remind employees never to share files with strangers, and disable sharing of all hard drives to prevent infections.

Back Up Data

All systems should automatically back up data throughout the day. Now’s also a great time to select and begin using an off-site data storage option for greater security.

Perform Regular Security Scans

Legitimate anti-spyware programs scan your computer and remove damaging files, malware and other malicious content. Choose a program carefully, then set it up to scan daily.

Implement a Cybersecurity Team and Safety Protocol Steps

Whether you hire several IT specialists or rely one one chief security officer, your company needs a team who will monitor, prevent and address cyber threats. Additionally, implement protocols that guide your employees on how to address and report cyber security challenges they face like pop-ups, outdated network security certificates or suspicious emails.

Purchase Cyber Insurance   

Insurance can’t prevent a cyber attack, but it does cover financial costs associated with breaches. Purchase or update your cyber insurance so you can pay for damages, remediation and other costs that result from a cyber attack.

Cybersecurity threats affect hundreds of businesses every year. These steps boost your security and prepare your business to stay safe in 2018.

Cost Of Cyber Breaches For Businesses

By Cyber Security Awareness | No Comments

A cyber breach occurs when someone gains access to information they should not have. In our age of digitization, all businesses face cyber attack risks that could halt operations temporarily or permanently. Discover the cost of a cyber breach and ways you can protect your business.

Calculating the Cost of Cyber Breaches

The Wall Street Journal estimated that cyber crime in 2014 cost U.S. businesses $100 billion. That figure could top $2.1 trillion worldwide by 2019. Consider these nine common cyber breach costs.

1. Loss of Customers – A 2016 study found that 76 percent of consumers would stop doing business with a company that suffered repeated data breaches.

2. Business Disruption – Business process failure and lost employee productivity account for almost 40 percent of the total cyber attack costs. This figure does not account for lost ideas or blueprints. Additionally, your business could lose half of its annual revenue if a cyber attack occurs during the busy season.

3. Breached Client Records – Lost or stolen records that contain sensitive or confidential information can cost a company more than $221 per record.

4. Notification Costs – PCI, HIPAA and other regulations require your company to notify each individual whose information was affected by a cyber attack. The average notification costs in 2016 totalled $0.59 million.

5. Public Relations – To repair your reputation, expect to spend significant time and financial resources preparing and distributing media resources, informing victims, employees and shareholders about ongoing breach repair efforts, and acquiring new customers.

6. Legal Costs – Major retailers have paid as much as $10 million to settle class-action lawsuits filed by consumers. Your costs may not be that high, but you could face hefty legal fees in addition to your legal defense costs.

7. Regulatory Fines – After a breach, your business could face fines from several regulatory agencies, including the Federal Trade Commission, Federal Communications Commission,  Payment Card Industry Data Security Standard or Health and Human Services.

8. Identity Theft Repair and Monitoring – The cost of identity theft repair and monitoring averages $10 per victim.

How to Reduce Cyber Attack Risk

Unfortunately, your business cannot protect itself 100 percent from a cyber breach. However, you can take steps to reduce your risk.

First, implement data loss prevention technologies, including encryption. Then train employees to protect information and systems. You should also prepare an incident response plan and team as well as a business continuity management plan. Purchase cyber insurance, too, since it can cover financial loss.

A cyber breach is expensive and could break your business. Contact your insurance agent for specific tips on how you can protect your company.

Cross-site Viruses

By Cyber Security Awareness | No Comments

The general understanding of viruses is that you can pretty much avoid them if you just never download anything that ends in dot exe, unless it comes from a source that you know for certain is legit. What some might not know is that simply browsing an unsafe website can infect your computer with a virus.

You’re probably thinking of those scuzzy websites that offer illegal torrents, adult content and so on. In fact, one of the worst places to go without any security software in place used to be MySpace. Youtube and Facebook have both been afflicted with cross-site scripted viruses and worms, as well (in other words, there may be more than one reason to restrict your employees from checking their social media accounts at work if you enforce that policy).

The way it works is fairly simple: Cross-site scripting means that if Youtube or MySpace grants a website permission to cross-post content from their own site, then they may also grant them permission to post any content from that site. The website may take advantage of this to spread viruses and worms without even needing to host them on Youtube, simply using an ad placement or a comment thread as a channel through which to spread viruses from their own site.

Why do people do this? In some cases, cross-site scripting may allow them to gain higher access levels to the content on the targeted site, such as user information. On the other hand, some people who write viruses are just vandals and they like the idea of messing up your private data.

Most major websites are fairly vigilant when it comes to seeking out and dealing with cross-site scripts. Making sure that the right software is installed should generally help to keep your hardware from being infected, but if something seems off, don’t write your concerns off simply because you haven’t downloaded anything recently.

How To Protect Your New Smart TV From Hackers

By Cyber Security Awareness | No Comments

The brand new Smart TV you receive for the holidays adds value to your home entertainment system. Connect it to the internet and use a remote control, smartphone or tablet to watch movies and videos, post photos to social media sites, and access apps such as Netflix and Skype. Despite its smart features, your Smart TV can be hacked. Take steps to protect your new Smart TV from hackers.

How are Smart TVs Hacked?

While technology manufactures work tirelessly to patch potential security problems in smartphone and computer technology, Smart TV manufacturers haven’t been as vigilant. Hackers can gain access to your Smart TV via an unsecure internet connection or application source codes. They can then perform several malicious or invasive tasks.

  • Steal your credit card information or identity.
  • Access your passwords.
  • Utilize voice recognition software for data-mining purposes.
  • Use your browsing history to send you targeted ads or instant advertising messages.
  • Turn the camera on and spy on your or your possessions.
  • Take over social media apps and post questionable, offensive or inappropriate content on your behalf.
  • Access and modify files.

How to Prevent Hackers

You can take several steps to deter hackers and protect your Smart TV.

  • Update firmware and patches regularly.
  • Utilize the firewalls on your Smart TV and network router.
  • Perform regular malware scans.
  • Check for data-mining language in your TV’s manual, features or settings. Turn off or disable any data sharing permissions if possible.
  • Separate your device networks. Use one for your Smart TV and another for other devices so a hacker can’t access all your internet-connected devices.
  • Exercise caution when browsing the internet. Consider reserving your TV for entertainment purposes, and use your secure smartphone or computer to browse the internet, perform online banking tasks or shop.
  • Inspect instant messages that pop up on your TV screen. Only open messages from reputable and reliable sources.
  • Cover the camera. A piece of tape or paper prevents a third party from accessing the TV’s camera and spying on you and your family.
  • Disconnect the internet. When your Smart TV is not in use, disconnect it from the internet so hackers cannot access the device.
  • Discuss ways you can secure your specific Smart TV with its manufacturer.
  • Purchase cyber insurance. It can protect you if your preventative efforts fail and a hacker uses your personal information, data or TV for unlawful purposes.

You can protect your new Smart TV from hackers when you take these preventative measures. They protect your personal information, secure your new device and protect you and your family.

Ten Loss Control Tips to Keep Your Work Laptop Safe

By Cyber Security Awareness | No Comments

The growing trend of staying competitive by using the mobility and freedom provided by technology can often be a double-edged sword. Although taking your show on the road to off-site business meetings is a lot more efficient and easier when everything you need to make an eye-catching presentation is right there on the laptop, the mobility of technology does open the door to losses from theft.

Here are some simple loss prevention practices that employees can adopt to ensure their laptop stays safe and secure at and away from their worksite:

    • Carry the laptop in a case that doesn’t standout or scream expensive technology with logos or emblems. The idea is that only the carrier knows the case contains a computer. To bystanders, the case could be full of useless papers or files.
    • When traveling, use the hotel safe to store your computer. Never leave an unattended computer in a hotel room. Hotels usually warn customers that they aren’t responsible for valuables left inside rooms. And, don’t think that a locked room door is a sufficient safeguard. Maid services routinely leave rooms wide open as they’re being cleaned, meaning a passer could easily swipe your computer while the maid is busy cleaning the bathroom.
    • Never leave a laptop on the seats or otherwise in plain view in a vehicle, even a locked vehicle. Trunks are also a highly-targeted area for thieves, as many assume this is where most people will try to secure their valuables. Whenever possible, take the computer with you or leave it in a more secure locked location.
    • Make sure that your laptop will be secure during breaks if you’re at an off-site meeting. Ask if the various entrances and exits will be locked during breaks and then observe to make sure the room is indeed secure before leaving your laptop. If any question, then carry your laptop with you.
    • Avoid checking your laptop as luggage during flights. There’s too much opportunity for it to be stolen or damaged. Remove the laptop from its carrying case and give it to the guard before you go through the airport security metal detectors.
    • Write down the serial number, make, and model of your laptop and keep this information separate from your laptop.
    • Even in your own office, you need to make sure that you store your laptop in a secure location when you aren’t using it, take lunch, or need to run to another area of the building. A good rule is to lock up your computer if you can’t directly see it from your location.
    • Of course, the physical computer isn’t the only loss you can suffer. Keep a regular data backup schedule to prevent lost data due to equipment failure. It’s also prudent to minimize how much intellectual property or proprietary data is stored in the hard drive.
    • Have a password system (preferably two-tiers) or a data encryption feature to protect your data.
    • Lastly, you might consider asking your employer to arm your laptop with a tracking device as a last line of defense. Tracking devices for computers operate much like a LoJack system does on your car. Once the software is installed on the computer, it will run in the background without you even knowing it’s there. Meanwhile, the program routinely reports the IP address your computer is using and who logged into it to the security company. In the event you report your laptop stolen, the security company can remotely change how frequently the above information is fed to them. Unbeknownst to the thief, the security company is tracking his/her location every time the computer goes onli

Tips to Combat Email Phishing Attacks

By Cyber Security Awareness | No Comments

As many as one in five office workers fall prey to phishing incidents, but 14 percent of office workers don’t recognize phishing attacks. Learn more about phishing and how to combat attacks on your personal or company email.

What is Phishing?

Phishing is a scam that cybercriminals use to gain access to sensitive information. It often occurs via email. The cybercriminal will send you an email that looks official but actually includes spyware, malware or other malicious software. When you open the link or download the file from the email, the criminals can access confidential information like bank account information, your social security number and other data. In many cases, you never know that your information has been compromised.

How to Recognize a Phishing Email

Phishing emails are designed to look authoritative so that you will open them and give the cybercriminal access to your computer. While these emails often look like they’re from a real company, you can usually recognize them via five signs.

    • Sender Address

      Before opening any email, look at the sender’s address. It may look similar to the official company’s address but could be slightly off. For example, it may use dot-net instead of dot-com or include a small spelling error like micrsoft or mircosoft.

    • Graphics

      Cybercriminals do a great job of imitating the graphics of popular companies. However, the logo, colors or design may be slightly off in a small way.

    • Spelling and Grammar Errors

      Most companies and organizations employ a team of copywriters who write professional content that’s typically error-free. Emails with spelling or grammar errors, are possibly phishing schemes.

    • Links

      Email links are a cybercriminal’s primary phishing tool. You can hover your mouse over any links and verify that it matches the address of the email’s sender, a sign that the link is safe.

    • Threats

      Cybercriminals use threats and fear to manipulate consumers. They may say that you will lose money, face criminal charges or suffer another devastating consequence if you don’t open the email. In most cases, these threats are meant to incite fear and get you to comply with their complicit wishes.

Steps That Protect Your Email

You can’t prevent cybercriminals from targeting you. However, you can take steps to protect yourself.

  • Install spam filters and virus scans.
  • Learn to recognize phishing emails.
  • Only open email links from verified and trusted sources.
  • Delete any emails that look suspicious.
  • Train coworkers and associates to recognize phishing threats.
  • Purchase cyber insurance that protects you if you are a victim of phishing.

You can’t stop cybercriminals from targeting your email, but you can use these tips to protect yourself and your data.