How to Enhance Your Business's Cyber Security

The past couple of years have seen an increase in online criminal activity and attacks. For companies and businesses, the threat of ransomware and information theft has grown significantly. Many businesses have become dependent on technology, so they need systems in place that are foolproof, and they need to pay close attention to the security of the data held in those systems. All companies need to invest in dedicated cyber security teams that monitor and protect the company’s network and keep testing and updating its cyber security systems.

As well as employing a security team, you will also need to adopt other protocols in your working processes that help enhance data security. If you’re a small or medium-sized business, you especially need to adopt secure practices, since smaller businesses are an easy target.

Discipline and Security Protocols 

One of the first steps in attaining a high level of data security is to establish clear protocols for access and operation. Employees need to be given clear guidelines regarding their access to the network, sources of data and communication channels. A system must be in place to check whether employees deviate from the established protocols, and a clear identity confirmation protocol must be in place, so employees know what to do if someone they don’t recognise tries to get into the business.

Update Systems 

More business operations are moving to software platforms due to the growing popularity of SaaS (Software as a Service). Many businesses today use a range of software services such as enterprise resource management, inventory management, workforce and operation scheduling, and so on. These systems come with built-in security that must be kept updated as new threats emerge.

Training Employees 

Awareness and knowledge of basic cybersecurity are vital. Since many of these cybercrimes are carried out through software platforms, employees need to be aware of the vulnerabilities and their solutions.

Source: Pinfields Information Technology

As digital threats grow, will cyber insurance take off?

Cyberattacks cost the world more than natural disasters – US$3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.

Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 – and received payouts totaling $1.5 trillion. But just $2.5 billion – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was $27.9 million, 0.04 percent of the total insurance premiums paid in the country that year.

From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.

Who is buying cyber insurance?

Certain types of companies tend to have – or not have – cyber insurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.

For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.

Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 percent of the total cyber insurance market. In the U.S. and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.

The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.

Even health services may be included: AIG’s new Family CyberEdge policy includes coverage for one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.

Emerging dangers

Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.

Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.

Image caption: Smart home technologies may be vulnerable to hackers. (Photo: mangpor2004/Shutterstock.com)

As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.

Some current challenges

Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.

In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.

As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.

Author: Nir Kshetri
Source: The Conversation

Why security awareness training sometimes fails – and what you can do about it

To demonstrate why security awareness training so often fails, it’s worth conducting a quick thought experiment.

Imagine you’re a smoker and, one day, you find out you’re genetically susceptible to lung cancer. Thanks to your genes, you’re two to three times more likely to contract lung cancer than the average person.

The elevated risk has nothing to do with your record of smoking – but continuing to smoke increases the risks even further.

Given the situation, do you think you’d be more or less likely to quit smoking than other smokers?

Studies show that, actually, you’d be just as likely to continue smoking as others. Your new knowledge wouldn’t change your behavior.

Could this also be why security awareness training sometimes fails?

The problem with traditional security awareness training

As we’ve discussed elsewhere, traditional security awareness training usually focuses on trying to raise security ‘awareness’. Increasing people’s knowledge of the risks is the goal. It’s mostly assumed that, if people are aware of the risks, they’ll start behaving in a secure manner. Unfortunately, the assumption is flawed.

Increasing security awareness rarely changes security behaviors. People can spend days learning about security threats only to return to their desks and consciously ignore security warnings.

Security awareness training that changes behavior

In order for security awareness training to be successful, campaigns must focus on more than just awareness. They must focus on awareness, behavior and culture – the ‘ABC’ of information security.

Changing people’s behaviors and building a culture of security isn’t as simple as increasing security awareness. The latter can be achieved through a series of simple comprehension exercises.

By contrast, to change people’s behavior, your security awareness campaigns should be fuelled by insights from the world of behavioral science.

Security awareness training that encourages a secure culture

Cultural change is just as important as behavioral change, and there are a number of simple ways you can nurture a culture of security through your own security awareness campaigns. Training everyone, engaging the board, demonstrating the value of security, highlighting the personal benefits of security, facilitating questions and increasing face-to-face interaction, all play a part.

Arguably most important of all, though, is quantitatively measuring culture. It’s only by measuring culture today and then culture tomorrow that you can be sure culture is moving in the right direction.

Why good security awareness training is so important

In the interests of balance, it’s worth pointing out two things.

First: security awareness training is improving. Where security awareness training has historically taken the form of ticking a compliance-shaped box, increasingly, campaigns focus on awareness, behavior and culture. Increasingly, companies are implementing security awareness training to demonstrably reduce cyber risk.

Second: when security awareness training works, it has the potential to nullify threats that technological defenses cannot. Every time someone reports a malicious email, they save a great deal of heartache. Heeding security warnings, using VPNs, setting strong passphrases, challenging identities: combined, the actions of vigilant people protect reputations and avert financial and emotional distress countless times over, every single day.

So while security awareness training sometimes fails, when it focuses on the ABC of information security, it does a lot of good. And society as a whole needs more people to move towards meaningful training quickly.

Focusing solely on increasing security awareness makes life easy for criminals. By focusing on awareness, behavioral and cultural change, your campaigns can prevent advanced attacks and keep people safe.

Source: CybSafe

Managing Risk In A Connected World

As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.

Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.

With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.

Connectivity Creates Opportunities and Challenges

Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.

Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”

IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates a greater weakness that is very, very hard to get back after the fact and correct.”

Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”

Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.

“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”

“It’s a very complicated world that we live in right now because the attacker and defense problem is highly asymmetrical,” Roesch adds.

The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.

The Danger of Giving in to Ransomware

Ransomware is like a thug with a gun: “Pay up, or your data gets it!”

Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.

Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”

James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.

Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.

Instead, organizations can take steps to defend themselves against ransomware. These steps include:

Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.

User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.

Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.
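The first of the three steps above, effective backups, only helps if the backup can still be trusted at recovery time. The following added example (not from the article or from CDW, Sophos or Carbon Black) shows the idea in working code: copy a directory to a backup location, record a SHA-256 manifest of every file, and verify the copy against that manifest before relying on it, so a backup that has itself been encrypted or overwritten is detected rather than discovered mid-recovery. The file names, the manifest format and the scenario are constructed for the illustration.

```python
"""Added illustration: back up a directory, record a SHA-256 manifest, and
verify the backup against the manifest so that tampering or encryption of the
backup copy is detected before it is relied on for recovery."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every regular file under `source` into `dest` and return a manifest
    mapping relative paths to the SHA-256 digest of the copied file.
    Keep the manifest somewhere the backup location cannot overwrite it."""
    manifest = {}
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)
    return manifest


def verify_backup(dest: Path, manifest: dict) -> list:
    """Return the relative paths whose backup copy is missing or whose digest no
    longer matches the manifest. An empty list means the backup is intact."""
    problems = []
    for rel, digest in manifest.items():
        target = dest / rel
        if not target.is_file() or sha256_of(target) != digest:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed scenario: back up two files, confirm the copy verifies, then
    simulate a ransomware-style overwrite of one backup copy and show that
    verification reports exactly that file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        dest = Path(tmp) / "backup"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("quarterly figures\n")
        (source / "notes.txt").write_text("meeting notes\n")

        manifest = create_backup(source, dest)
        before = verify_backup(dest, manifest)

        # Simulated attacker activity: the backup copy is overwritten with
        # unreadable bytes, as an encrypting malware would do.
        (dest / "docs" / "report.txt").write_bytes(b"\x00encrypted garbage\x00")
        after = verify_backup(dest, manifest)
        return before, after


if __name__ == "__main__":
    intact, damaged = demo()
    print("problems before tampering:", intact)
    print("problems after tampering: ", damaged)
```

The manifest is returned rather than written next to the backup on purpose: if the digests live in the same location as the copies, whatever encrypts the copies can encrypt the digests too. In practice the manifest (or a signed copy of it) belongs with an offline or write-once store, and the verification step should run on a schedule, not only when a restore is already needed.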

The Human Factor

While following security best practices is essential to network security, many organizations remain unaware of, or pay little attention to, the weakest link in the security chain: people.

It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.

Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”

Meet the Evil Entrepreneurs

In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.

Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.

Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.

Weighing Risk Against Benefits

Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”

Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”

In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.

Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”

Author: Forbes
Source: Forbes

8 steps to a stronger cybersecurity strategy

If there’s an attack on the country, the military mobilizes. When a natural disaster strikes, recovery plans go into effect. Should an infectious disease start to spread, health officials launch a containment strategy. Response plans are critical to recovery in emergency situations, but when it comes to cybersecurity, a majority of industries are not paying attention.

“The reality is no matter how amazing you are with your prevention capabilities, you’re going to be hacked,” said Mohammad Jalali, a research faculty member at MIT Sloan whose work is currently focused on public health and organizational cybersecurity. “Then what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.”

To help address cybersecurity weaknesses in organizations, Jalali and fellow researchers at Cybersecurity at MIT Sloan, Bethany Russell, Sabina Razak, and William Gordon, built an Eight Aggregated Response Strategies framework. They call it EARS.

Jalali and his team reviewed 13 journal articles involving cybersecurity and health care to develop EARS. While the cases are related to health care organizations, the strategies can apply to a variety of industries.

The EARS framework is divided into two halves: pre-incident and post-incident.

Pre-incident

1 — Construction of an incident response plan: This plan should include steps for detection, investigation, containment, eradication, and recovery.

“One of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it’s not specific to the organization,” Jalali said. “There is no clear, specific, actionable list of items.”

Make sure that everyone in the organization knows the plan, not just the employees in the IT department. Set clear channels of communication, and when assigning responsibilities, make sure they are clearly defined.

2 — Construction of an information security policy to act as a deterrent: Clearly defined security steps establish and encourage compliance.

“Many companies think that compliance is security,” Jalali said. “[That] if you just follow the information you’ll be taken care of.”

Don’t set the bar so low that the organization is not secure. Regulations should ensure an understanding of cyber threats. Establish motivational reasons for the response teams to follow reporting policies. Compliance should go hand in hand with continuous improvement.

3 — Involvement of key personnel within the organization: No matter the size of an organization, key leaders need to be educated on the importance of cybersecurity and be ready to act according to the response plan.

Leaders don’t have to be cybersecurity experts, but they need to understand the impact an incident will have on their organization. The more informed they are, the more involved they can be in a response plan.

4 — Regular mock testing of recovery plans: Recovery exercises help organizations stress-test plans and train employees on proper response protocols.

If the organization only tests its recovery plan during an actual emergency, it’s likely to run into serious issues, which could increase the amount of damage caused by the cyber incident.

The shift from a reactive to proactive stance can help an organization identify weaknesses or gaps in its recovery plan, and address them before an incident occurs.

Post-incident

5 — Containment of the incident: Containment involves both proactive and reactive measures.

It’s easier to cut off infected devices from a network if they’re already segmented from other devices and connections prior to an incident. The researchers concede that it’s not always possible to segment networks, nor to immediately disconnect a device from the whole system. At the very least, immediately report the infected device to the organization’s IT team to contain the incident.

6 — Embedded ethics and involvement of others beyond the organization: It’s important to remember that all of an organization’s stakeholders could be impacted by a cyber incident.

Promptly notify legal counsel and relevant regulatory and law enforcement agencies. Consider help from external resources and share information about the cyber threat.

7 — Investigation and documentation of the incident: Be timely and thorough; every step of the pre- and post-incident reaction should be documented.

The investigation should aim to find the root technical cause of the issue, as well as weaknesses that could prevent future attacks. Proper documentation is a necessity for this analysis.

8 — Construction of a damage assessment and recovery algorithm: Organizations should self-evaluate after the incident.

While computers are where cyber attacks happen, they can also be used to help with recovery. Organizations can leverage the power of computers, especially artificial intelligence, for real-time detection and containment of incidents.

“The commonly used frameworks for incident response strategies often miss this essential step,” Jalali said, “even though there are already AI-based products for this very purpose.”

Author: Meredith Somers
Source: MIT Management

‘Data breach fatigue’ may breed complacency about online security

First, it was the Ticketfly hack in May. My email was among the 27 million accounts stolen from the events company.

According to the website Have i been pwned?, which monitors data breaches, my personal email has also been found in records stolen from sites like Tumblr and LinkedIn.

By the time the Ticketmaster and PageUp data breach notification emails landed in my inbox weeks later, my attitude had devolved from concern to extreme digital nihilism.

Am I suffering from data-breach fatigue?

Peter Singer, a strategist and senior fellow at New America who writes about cybersecurity, is worried that after all the hacks, data dumps and servers left unprotected, we may be tuning out.

Data breach fatigue

Troy Hunt, who runs Have i been pwned?, has seen the rate and size of data breaches grow since he founded the site in late 2013.

Rather than becoming fatigued, he suggested people simply accept such incidents are now “a normal part of online life”.

“I’m actually finding … that people are judging companies less on the fact they’ve had [a data breach], and more on how they’ve dealt with it,” Mr. Hunt said.

What should I do after a data breach?

  • Change your account password and get a password manager
  • Report financial losses to the Australian Cybercrime Online Reporting Network
  • Check your bank account for unusual charges
  • If your credit card details have been lost, contact your bank
  • Be alert to any phishing emails

— The Conversation

We don’t yet know much about “data breach fatigue” as a measurable phenomenon, agreed Cassandra Cross, an online fraud researcher at the Queensland University of Technology.

“I don’t really think we know … whether people are making choices to do things differently, [or] whether they’re just ignoring it,” she said, suggesting more work needs to be done.

Rui Chen, an information systems academic at Iowa State University, investigated consumer attitudes after online security incidents.

In 2015, the US Office of Personnel Management (OPM) lost more than 4.2 million personnel files, among other sensitive documents.

Dr. Chen and his team used sentiment-analysis tools to track the emotional content of 18,764 tweets containing the hashtag #OPMHack.

After events associated with the hack — from the initial breach announcement to the OPM director’s resignation — they saw a large drop-off in reaction.

In other words, Dr. Chen said, “we can see that the public is gradually losing interest in reacting to this news”.

The effects of ‘fatigue’

If people don’t take breaches seriously, they may not follow instructions to protect themselves, such as changing passwords or using credit-monitoring services.

But our understanding of how people do respond is limited.

“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.

“It’s the norm of this digital world.”

These incidents can also feel quite abstract, Dr. Cross added.

Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.

For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.

“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.

Real-world effects

New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.

Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.

You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.

“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.

A badly handled data breach can also dent a company’s reputation.

Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.

Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
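The "plain text without cryptographic protection" posture above is easy to see in code. The following added example (not from the article or from Have i been pwned?) stores each password as a random salt plus a scrypt-derived key and checks a login attempt against that record, then contrasts a leaked plain-text store with a leaked hashed store for two users who happen to share a password. The user names, passwords and scrypt cost parameters are constructed for the illustration; the parameters should be tuned to the hardware in a real deployment.

```python
"""Added illustration: plain-text credential storage versus salted, key-stretched
storage (scrypt), and what a leaked copy of each reveals."""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters; hypothetical values chosen for this example.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Stretch the password with scrypt; the work factor slows offline guessing."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'scrypt$<salt-hex>$<key-hex>'.
    A fresh random salt per user means equal passwords give unequal records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    return "scrypt$" + salt.hex() + "$" + _derive(password, salt).hex()


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    return hmac.compare_digest(_derive(password, salt), expected)


# Constructed user store: two users who chose the same password.
PLAINTEXT_STORE = {"alice": "correct horse", "bob": "correct horse"}


def build_hashed_store(users: dict) -> dict:
    """Produce the salted, hashed equivalent of a plain-text user store."""
    return {name: hash_password(pw) for name, pw in users.items()}


def leak_reveals_password(store: dict, password: str) -> bool:
    """Model what a leaked store gives away: True if the literal password is
    readable in any stored record."""
    return any(password in record for record in store.values())


def records_collide(store: dict) -> bool:
    """True if two users with the same password have identical stored records,
    the tell-tale of unsalted (or plain-text) storage."""
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    print("plain-text store leaks password:", leak_reveals_password(PLAINTEXT_STORE, "correct horse"))
    print("hashed store leaks password:    ", leak_reveals_password(hashed, "correct horse"))
    print("plain-text records collide:     ", records_collide(PLAINTEXT_STORE))
    print("hashed records collide:         ", records_collide(hashed))
    print("login check for alice:          ", verify_password("correct horse", hashed["alice"]))
```

Two properties matter for the breach scenario the article describes: a leaked hashed record does not contain the password, and because every user gets a unique salt, an attacker cannot tell from the records alone which users share a password, nor reuse one cracked record against the rest. The `hmac.compare_digest` call keeps the comparison time independent of how many bytes match.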

On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.

The group was swift to act and tell the public — and was apologetic throughout.

As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.

“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.

Author: Ariel Bogle
Source: ABC