407-445-2414 info@wrmllc.com
Train Your Employees to Think for Themselves in Data Security

Train Your Employees to Think for Themselves in Data Security

Employers have learned (the hard way) that one of the biggest security threats in the organization is their own staff.

A report published by Ipswitch looks at data breach causes to find out how rogue employees rank. An interesting find is that up to 75% of data breaches result from insider threats, while a separate report by Veriato suggests that 90% of cybersecurity experts feel that their company is vulnerable to insider attacks. In fact, about 50% of the 472 professionals surveyed said they had suffered these attacks in the previous 12 months.

Deliberate or not, these threats are very real and as heavily as companies might invest in data security software, they are always going to be vulnerable because they continually ignore a large component of realizing fewer cybersecurity threats.

Since employees (insiders) have access to company information, they are technically a bigger danger to data security than the third party cyber-criminals who use all manner of innovative ways to gain access to personal data.

A curious business owner wants to know: Why must I involve employees in implementing data security when they have been shown to be a weak point in the same strategy?

1. Social engineering transcends security tools
Human error is often the weakest link in an otherwise ideal chain. From technology to literature, social engineering is the big boss you have to beat after meeting all the other mini-bosses.

By definition, social engineering involves the use of psychological tricks to manipulate people into revealing sensitive information about themselves. For an organization, once the hacker has your employee at this point, they can gain access to all the areas the employee can typically access. Through social engineering security awareness you can help your employees avoid the three commonest security scams thereby protecting your company as well: identity theft; vishing; and baiting.

Without adequate education on social engineering and covering that loophole, security tools are almost useless.

2. It’s part of their responsibility
Apart from preventing the catastrophic aftermath of social engineering, data security is the responsibility of every employee in the organization in this sense: if consumers expect organizations to protect their data, isn’t it the responsibility of employees to make sure the data doesn’t land in the wrong hands?

Dropbox’s 2012 incident, during which hackers reportedly stole data belonging to over 60 million of Dropbox’s clients at the time, was attributed to employee negligence.

As reported, the hackers who used the password of the employee were able to access the company portal by reusing a password from the LinkedIn breach of the same year that exposed the emails and passwords of 117 million LinkedIn users.

Such an example shows that as a company, you can still unwillingly betray your customers. While Dropbox wasn’t entirely to blame, one of their employees reusing passwords was a great insight into the company’s internal security standards and more importantly, a good example for all employees on password don’ts.

3. It is now a common regulatory requirement
Through internet security awareness training, organizations are required to equip their staff with knowledge about data security. Some of the laws, regulations and industry codes include HIPAAFTC Red Flags Rule and PCI DSS among others. While many SMEs don’t do any training to remain compliant, many conduct the training to avoid cyber-attacks.

These tips will help you implement a great training program:

  • Diversify your training methods. Have a mix of training techniques at your disposal including classrooms, videos, team discussions, newsletters, posters, etc.
  • Educate often. Conduct regular training in monthly, quarterly, or annual cycles.
  • There’s no one size that fits all. Different members at different levels will start learning at equally different points.
  • Don’t ignore industry regulations.

Don’t be like the owner who delegates the role of data security to themselves because it’s “too important.” If you really want to be stress-free, train your employees well and promote a culture of information security.

 

Source: InfoSecurity

Author: Joseph Chukwube

Surviving a Ransomware Attack

Surviving a Ransomware Attack

The FBI recently noted a decline in ransomware attacks reported to the agency in 2017, at 1,783 compared to 2,673 the previous year. But don’t necessarily read this as good news. The reality is ransomware, like many other cyber-attack types, goes largely under-reported. A Verizon report, based on its analysis of tens of thousands of real-world security incidents, found that ransomware incidents have doubled over the past year.

Ransomware is a class of malware that locks your system and encrypts vital files. Attackers usually demand a cryptocurrency payment to release the files, but there’s no guarantee they will actually do so after receiving payment.

Attackers have typically cast the net wide, but criminals are becoming more sophisticated about how they can maximize profit.

“We used to hear very often it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal,” says Theresa Payton, former Whitehouse CIO who’s now president and CEO of Fortalice Solutions. “Why do that when you can go from a mom and pop shop all the way up to the Fortune 50?

“And that’s what they’re doing. They’re hitting all businesses, targeting Any business connected to the internet – and what business isn’t?”

Significant Impact

In 2017 the WannaCry, NotPetya, and BadRabbit strains didn’t just disrupt business processes; they hobbled infrastructure and hurt international brands like FedEx. This took the ransomware threat vector to a “completely new level,” using worms to propagate through systems and impacting 300-400,000 devices worldwide, says Steven Wilson, head of Europol’s EC3 cyber-crime center.

And the rise of off-the-shelf kits that can be bought online for just dollars puts ransomware tools in the hands of anyone with the will to use them.

The organizational impact can be severe, ranging from downtime to reputational damage. One official British report suggested that the public response to WannaCry had even undermined trust in government.

“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”

Raising Awareness

If there is a positive outcome, it’s that WannaCry raised awareness that ransomware is here to stay: an unfortunate case of “if” and not “when”.Fortunately, there are basic cyber hygiene steps you can introduce to avert potential disaster.

Often it’s the unpredictable human element that’s the weakest link in cyber defense, so awareness training can go a long way.

On the technical side, it’s making sure your systems are up to date and fully patched so that the latest versions of your operating systems are running with trusted anti-malware solutions and the latest definitions.

And if the worst happens, maintain a recovery plan with a full set of backups.

According to Payton, organizations should also consider network segmentation and be introducing kill switches to prevent malware from moving laterally, as WannaCry did.

“Practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” suggests Payton, adding that organizations should also perform test runs on full restores.

How can the technology community help?

Public and private bodies must work together with vulnerabilities out in the open, collaborating to prevent or mitigate future disasters. NoMoreRansom, for example, pools resources across organizations to provide decryptors for known threats.

Source: CIO