Originally posted on Forbes by Expert Panel, Forbes Technology Council.
From shopping to banking and investing to working, much of our lives can be conducted online these days, and many consumers are taking full advantage. Yet many aren’t aware of best practices for protecting their private information. Having one’s personal data stolen is a devastating experience that can take years to correct. Some people even volunteer information online—particularly on social media—that can give the unscrupulous an inside look at their personal lives.
Fortunately, there are steps everyone can take to make their online transactions and interactions more secure. We asked experts from Forbes Technology Council to share their best tips.
1. Use Hardware Security Keys And Complex Passwords
Add a hardware security key, such as YubiKey or Google’s Titan, to every account that supports it. Two-factor identification with SMS is very insecure and easily hacked, but it’s better than a password alone. Computers easily crack passwords less than 50 characters long: Thieves break into sites, copy the password files and crack them offline. Use password managers to generate and keep track of complex passwords. – Sandra Carrico, Glynt.AI, a business unit of WattzOn
2. Do A Yearly Checkup
This is an easy, yet often overlooked, hack: Do a yearly audit of the sites you’re using. If you use a password manager like LastPass, you can export all the sites it has saved. Go through those sites and make sure that you have secure passwords (and two-factor authentication), then close out any accounts you no longer use. – Michael Zaic, Wild Sky MediaForbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
3. Limit What You Share On Social Media
Stop sharing so much personal information online, including your location, pictures, birthdays and trips. Hackers love this stuff, and considering how sites like Facebook are now admitting that employees and vendors had access to these profiles, it is even more important to not include as much personal information on social media profiles. – Chalmers Brown, Due
4. Check Your Bank And Credit Protection Policies
There is no absolute data privacy when it comes to any online activity. If you transact any business online, you should make sure bank and credit accounts have policies to protect you in case of fraud. You do not want to self-insure if your account is hacked and being misused. Finally, never allow your browser or websites to remember your login or payment information—that is a recipe for disaster. – Wayne Lonstein, VFT Solutions, Inc.
5. Have A Strong Password Strategy
It’s too easy to reuse passwords when setting up online accounts, which leaves you vulnerable when sites are compromised. I have found that using a password management tool like LastPass provides an additional layer of protection by allowing you to set strong, complex passwords. By relying on a password manager to fill in your information, you become less dependent on your “go to” and can create unique passwords for each account. – Nathan Nordby, Velma
6. Don’t Share Your Social Security Number
A surprising number of services will ask for your social security number (SSN), ranging from car rental companies to doctor’s offices. They want your SSN because it allows them to tie your data together with many other sources very reliably, but legally you are not required to provide it to anyone other than the federal government. Refuse to share it and you will keep your data safer. – Sean Byrnes, Outlier
7. Use More Than One Email Account
To best protect your data online, you should be creating and using more than one email account. For example, you should have one email address for sensitive information like banking, and you shouldn’t give that email out to just anybody. You should have a second email account to sign up for email lists, to receive retail coupons, for online games, etc., and a third for communication with friends and family. – Thomas Griffin, OptinMonster
8. Read The Fine Print And Ask Questions
Consumers must recognize that protecting personal data is a joint responsibility between themselves and the brands they frequent. For their part, consumers should read and question the privacy policies of the websites/apps they use to clarify how and why it will be used. In turn, brands should have documented privacy policies and guidelines and have the ability to effectively address any concerns. – Michael Ringman, TELUS International
9. Be Aware Of Scams
It would be so easy if there was only one thing that consumers could do to protect their data, but hackers’ tactics are constantly evolving, and the average consumer cannot evolve that fast. We see a lot of clients/consumers falling for phishing scams. Clients should just take a minute to stop and think before they react to an alarming email asking them for their data or asking them to “click here.” – Warren Finkel, ACE IT Solutions
10. Set Up Multifactor Authentication
Perhaps the most basic thing that can be done to protect private data is to ensure that you set up multifactor authentication. Most email providers and banks will allow you to turn it on somewhere in settings. Some may then ask you to scan a QR code with an app to enable multifactor authentication. If you have the choice, I recommend Authy. – Justin Morgenthau, Triax Technologies, Inc.
Preparing for any potential cyberattack is an increasingly important precautionary steps in every organization. Here’s how your team could do it without disrupting existing processes.
In an age when cybercriminals abound, it pays to prepare and be always on guard. It means being aware of strategies criminals often resort to and investing in monitoring tools as well as preventive measures to avoid such massive cyber atrocities in the first place.
Security software company Avast found that of 132 million routers tested, 41 percent could easily be hacked, a recent GSMA Intelligence report showed. In the recent years, we have seen cyber thieves switching from personal computers to smartphones to steal personal information or credentials and get the unwitting victims’ funds. Successful cyberattacks in years past may also have spawned a new generation of criminals who now focus on the preferred terminal for online payments and shopping transactions: smartphones.
Various forms of cyberattacks
Just as there are software programs that can protect users from cyber crooks’ exploits, including creating malicious phishing websites that closely resemble trusted destinations, there are software that hinders users from accessing their systems. Being locked out of their computers has sent many people into panic mode.
So, what can regular users do to avoid or be ready for cyberattacks? First and foremost, be mindful and do not be easily tricked into clicking on a link or attachment. Accessing the web or sensitive information through VPNs is another way (free VPNs are no way to go!).
Information technology experts have repeatedly warned people about the existence of malicious sites that impersonate legitimate URLs. It is high time PC and other gadget users heed such warnings and keep a closer eye on URLs.
Now that cyber villains have turned their attention to smartphones, it is crucial to protect personal information and other data stored in it in two ways: One is by avoiding installation of unofficial applications. Another is by doing regular updates of the operating system when requested, and not forgetting to enable security mechanisms.
At the recent Mobile World Congress held in Barcelona, smartphone makers have unveiled phone innovations with enhanced security features. With the growing uneasiness of consumers over hacking incidents, companies have lost no time rolling out into the marketplace supposedly more “secure” devices.
Notwithstanding the arrival of gadgets with improved security features, consumers still should not be complacent. Software firm strategists have advised checking out online file sharing services and making the most of protective features that come with certain devices.
With its ability to predict health conditions, support more accurate and timely clinical diagnoses, and streamline clinical operations, artificial intelligence is opening new frontiers in healthcare.
CEOs and IT security experts continue to underscore how perilous cyber threatsare to their organizations. They maintain that there are ways to safeguard systems and be prepared for such attacks. The best form of an advance, they say, is advance planning.
Numerous companies across the world have taken a proactive stance and instilled greater awareness in their workforce on the steps to take to protect organizational assets in the face of rampant cyber attacks.
There are five ways to brace for cyber attacks, as The Guardian gathered from a range of experts:
- Identifying the key threats and ensuring that incident management processes address those threats
- Deciding which data or information to protect and opting for a pragmatic approach
- Practicing response to a potential attack and creating a sense of urgency as well as a culture of security in the workforce.
- Enlisting the services of a good forensic vendor at the soonest possible time
- Consider the role of big data, and meld data analytics with human threat research
Importance of preparations
Various industries have fallen prey to cyber villains. Studying and using a multi-faceted approach and making informed decisions may save organizations a great deal of resources, apart from eliminating huge stress on IT workers.
At an event in Beijing that doubled up as a pre-briefing for the MWC 2019, Huawei announced the TIANGGANG chip that will support simplified 5G networks and large-scale 5G networks all over the world.
It is also important to note that cyber attacks may strike and affect even established firms. In addition, companies should look into investing in monitoring tools.
David Mytton, CEO of a scalable infrastructure monitoring software company, lamented that “most businesses aren’t up to speed with how to mitigate the damage if an attack occurs.” Among the things that can help is a well-structured recovery plan, and testing the plan with regular simulations and practice runs, The Huffington Post reported.
Cybersecurity measures require more than fleeting attention. Cyber crimes have become commonplace, necessitating planning and implementation of strategies and countermeasures. Undertaking concrete steps now may help neutralize the threats. An updated knowledge on the vulnerabilities that you or your organization faces can go a long way.
Author: Josh Althuser
According to Gartner in 2018 information security spending will exceed $96 billion — companies will be purchasing credential management software, infrastructure and network security equipment, information security services, client data protection software.
Learning about new incidents companies agree to increase their costs. Businesses are mostly focused on protection from external threats. WannaCry alerted people to the dangers of cyberattacks: during the first two days of ransomware activity there were hacked more than 200 thousand users from 150 countries. All the attention is drawn to hackers, zero-day vulnerabilities and ransomware, while incidents caused by just one click or just one decision of an employee may be overlooked.
South African financial services company Liberty Holdings got its corporate email compromised. The violators were going to sell the obtained information. They would release the data if they didn’t get paid.
There were a few pointers which made everyone question the breach source: the leak wasn’t reported straight away, the facts confirmed by the Liberty CEO seemed to lack details, the server was fully accessible to those who seized the data. When a leakage happens the source should be a company’s major concern. Hackers are never as informed as insiders are, only the people who cooperate within a particular network know exactly what and where can be accessed. Although hacks are no good news, companies are encouraged to be vocal about an incident, while insider leaks are often skimpily, half-heartedly exposed.
Human factor can trigger different situations and any of them might appear detrimental to an organisation.
Joe Sullivan, former Uber cybersecurity chief, used to have an impeccable track record. He participated in the investigation of high profile cyberattacks in USA, worked at Facebook, eBay and PayPal — he’s been chasing and catching criminals all his life. An undetected data theft which happened in 2016 affected his professional reputation. Joe decided that the incident should be withheld even if it would take him collaborating with his own enemies. He paid hackers $100 thousand for keeping silence. 57 million passengers and drivers had no idea their data has been compromised for more than a year.
Vainglory is what led to another real life case. In February, 2017, the photo of the USA President and the Prime Minister Shinzō Abe at the golf club was made by a businessman who was sitting next to them and published by various media. He posted on Facebook the photo commenting that “…it was fascinating to watch the flurry of activity at dinner when the news came that North Korea had launched a missile in the direction of Japan.”
One of the photos depicts club members gathering around the confidential documents. The other photo captures the USA President talking on the phone turning away from Japanese Prime Minister. Here’s the human factor at its best. First of all, the heads of states rushed into discussing the secret issue in front of people. Second of all, smartphones which were used by those standing around could be a direct leakage source.
That’s the main reason why many contractors reveal client data.
In 2017 an American telecommunications giant Verizon lost the data of 14 million clients: names, addresses, account data and PIN codes for client verification. The data was uploaded to Amazon by a contractor hired to improve the call center functioning. The specialist forgot to check security settings — a URL with the information could be freely accessed by anyone in the Internet.
Amazon became part of many leakage stories: 198 million registered US voters were exposed in the cloud (the archive didn’t have even a password protection — it was uploaded to the cloud by a company which collected data for Donald Trump’s election campaign); 2.2 million Dow Jones company subscribers got their data compromised; 3 million WWE clients (an American entertainment company known for managing wrestling events) got their data leaked in the Amazon service; Time Warner Cable (the second largest cable network in the USA) got 4 million client records exposed.
Amazon could have introduced some extra control to detect faulty configuration and limit the access to sensitive data without password protection. In November 2017 the service provider presented a solution: the control panel featured a notification warning users that incorrectly configured storage endangered data security. Amazon also applied full data encryption by default.
Some people tend to profit from their status — one of the biggest temptations which cause incidents.
An information security director of North American Association of State and Provincial Lotteries cracked a random number generator. The specialist had been working in the organisation for 10 years before he decided to create a malware and infect computers which managed winning combinations for the lotteries. The “correct” tickets were bought by his brother and friend. The scheme was started in 2005 and was running for 7 years.
A leak can be accidental — a mere fatigue or automated address selection in the email client. That is what happened to the Pentagon in 2017 — Public Affairs included an email of correspondent for Bloomberg in the mailing list. The journalist informed the Pentagon of the mistake but the email kept coming. The correspondence between the Department of Defense and the Federal Emergency Management Agency employees discussed ways the media covered the scale of Hurricane Maria’s destruction. They were sharing instructions on how to make the news seem positive.
The journalist benefited from the opportunity and equipped an article for Bloomberg Businessweek with some excerpts from the emails which he received accidentally from the Pentagon.
Another unintentional data exposure occurred in Finland. In 2017 a citizen of Oulu received an email revealing some messages sent by local policemen to each other discussing security measures which should be taken during the visit of Vladimir Putin. The email contained a detailed itinerary of Sauli Niinistö and the precise time of Putin’s helicopter arrival.
The Eastern Finland Police Department weren’t silent about the incident and explained the confidential email sent to a random person admitting a human factor to be the cause. The email client suggested contacts from the list of those who were addressed at least once automatically. The citizen of Oulu who received the secret email and the press officer appeared to have similar names.
Author: Alexei Parfentiev
It’s budget season. As the current fiscal year comes to a close, business leaders everywhere will convene to discuss business strategy, opportunities and return on investment (ROI) while prioritizing next year’s budget spend. Amidst the planning and prioritization, it is a safe bet that IT organizations will renew their annual request for an increased budget allocation for security. After all, increasing cybersecurity spend will stop the attackers from compromising their infrastructure next year, right?
Cybersecurity Ventures recently predicted that global cybersecurity spending will increase steadily to exceed $1 trillion from 2017 to 2021. But the news site also claimed that the cost of cybercrimearound the world will rise to $6 trillion annually by 2021. Something seems wrong with any prediction that correlates increased spending on prevention with increased damages from successful penetration of those same defenses. That’s not because I disbelieve the numbers but because they show how truly broken the legacy approach to cybersecurity is. The industry has literally gone decades with no real improvement. How is this acceptable?
It is time we shined a light on the industry’s worst kept secret: Throwing more money at the problem simply does not keep attackers out or breaches from happening. It is a good bet both things will continue to happen. What’s more disconcerting to consider is that they have already happened and you just simply don’t know it yet.
Why The Math Doesn’t Add Up
The problem isn’t solely centered on technology, there have been many significant innovations in the cybersecurity industry in recent years. For many companies, the elephant in the room is treating security as only a technology problem. Just look at Facebook’s current situation. Modern-day CISOs have increasingly found themselves helpless to effect real change to secure an organization’s data and infrastructure because they lack the insight of the conditions that give rise to bad or risky behavior.
For instance, traditional IT security assumes everyone is a potentially malicious actor and therefore works to prove the guilt of someone who clicks suspicious links, visits dangerous websites or inappropriately accesses sensitive data. Not everyone is intentionally bad, but their behavior is a continuum that can change in an instant, especially when their identity is stolen. Even more basic, employees can make honest mistakes in today’s 24/7 culture. Pushing work-life balance to meet compressed deadlines, they may be too tired to recognize a phishing email compromising their credentials until after they clicked on it. What’s potentially more damaging, they could simply become disgruntled with their employer and decide to steal company data.
Behind Every AI Strategy Is A Data Strategy
Investments focused on securing a constantly changing IT infrastructure do not address the unpredictability of human behavior. Instead, organizations need to make a fundamental change in their approach to cybersecurity and reprioritize budgets to align with this newly defined reality of our modern society.
Rethink Operations Budgets To Focus On Behavior
The first step is to stop thinking about security as solely a technical problem with technical solutions. Today’s sophisticated threat landscape is a rich, multifaceted organizational challenge that requires insight on how data is used across myriad business functions. Shifting the focus to understanding the behavior patterns of people and their interactions with technology provides clarity in regard to who is using sensitive data, why and from where.
Having a baseline for behavior, a digital rhythm or routine, can help security and business leaders better manage risk. If an employee is working normally on the job, IT can get out of the way. But if the behavior is inconsistent with the organization’s mission, IT can recognize the risk and quickly respond with coaching or stronger enforcement policies. Context matters. Security teams that only focus on securing computers and servers will miss the broader perspective and the signs of an incident or data breach until months after it happened.
The cybersecurity skills gap has been another area where the security industry is struggling. With more seats to fill than there are educated and experienced people to fill them under the traditional model of cybersecurity, many cyber issues have arisen from simply lacking the time and manpower to find and resolve threats before they impact businesses. Businesses will always need skilled workers, but they can leverage automation and behavior analytics to help lighten the load.
Security leaders will also be more effective if they establish functional partnerships and strategic programs with human resources and legal teams. The HR and legal departments share the mission to secure the organization’s data and people. These business functions have a vested interest in user and data protection, from preventing confidential information from falling into the wrong hands to protecting the workforce by ensuring compliance, employee privacy, and safety.
It is no real surprise that the cybersecurity industry has been so resistant to changing its approach. Continuing reports of breaches are good for budget increases. But it’s clear this model is not good for global business, as breaches cost economies billions of dollars each year. It is time for a paradigm shift in the cybersecurity industry. When we understand people and their interaction with data, then we have the tools to mitigate cybersecurity risks before any real damage can be done.
Author: Matthew Moynahan
Cybercrime, DDoS, IoT – what should you pay attention to next year?
1. Increase in crime, espionage and sabotage by rogue nation-states
With the ongoing failure of significant national, international or UN level response and repercussion, nation-state sponsored espionage, cyber-crime and sabotage will continue to expand. Clearly, most organisations are simply not structured to defend against such attacks, which will succeed in penetrating defences. Cybersecurity teams will need to rely on breach detection techniques.
2. GDPR – The pain still to come
The 25th of May, 2018 has come and gone, with many organizations breathing a sigh of relief that it was fairly painless. They’ve put security processes in progress and can say that they are en route to a secure situation – so everything is OK?
We are still awaiting the first big GDPR penalty. When it arrives, organizations are suddenly going to start looking seriously at what they really need to do. Facebook, BA, Cathay Pacific, etc. have suffered breaches recently, and will have different levels of corporate cost as a result, depending on which side of the May 25th deadline they sit. So GDPR will still have a big impact in 2019
3. Cloud insecurity – it’s your head on the block
Cloud insecurity grew in 2018 and, unfortunately, it will carry on growing even more in 2019. Increasing amounts of data are being deployed from disparate parts of organizations, with more and more of that data ending up unsecured.
Despite the continual publicity around repeated breaches, the majority of organizations do not have good housekeeping deployed and enforced across their whole data estate in the cloud. To give an idea of the scale, Skyhigh Networks research indicated that 7 percent of S3 buckets are publicly accessible and 35 percent are unencrypted.
4. Single factor password – the dark ages
As if we need the repetition, single-factor passwords are one of the simplest possible keys to the kingdom (helped by failure to manage network privileges once breached). Simple passwords are the key tool for attack vectors, from novice hackers right the way up to nation-state players. And yet they still remain the go-to security protection for the majority of organizations, despite the low cost and ease of deployment of multi-factor authentication solutions. Sadly, password theft and password-based breaches will persist as a daily occurrence in 2019.
5. Malware – protect or fail
Ransomware, crypto mining, banking Trojans and VPN filters are some of the key malware challenges that continue to threaten businesses and consumers. Live monitoring by Malwarebytes, Kaspersky and others, has shown that the mix of threats varies during the year, but the end result of malware threats will be a bad 2019.
Increasing sophistication will be seen in some areas such as ransomware, alongside new malware approaches and increased volumes of malware in other areas. Traditional AV will not provide sufficient protection. Solutions that have a direct malware focus are essential for organizations, alongside tracking of network activity (in and out of the network). With Cybersecurity Ventures predicting that ransomware damage costs will exceed $11.5 billion by 2019, it certainly won’t be going away. Oh yes, and make sure that your backup plan is working and tested.
6. Shift in attack vectors will drive cyber hygiene growth
The ongoing shift of attack vectors, from the network to the user, is causing a reappraisal of how to manage security. Driven partly by the shift in boardroom awareness, and partly by GDPR, many organizations are recognizing, perhaps belatedly, that their users are their weakest link.
Not only is there a greater awareness of the insider threat from malicious current and ex-staff, but there is also a growing recognition that staff cyber awareness and training is a crucial step in securing this vulnerable area. The response from organzations will take the form of cyber education, coupled with testing, measuring, and monitoring staff cyber behavior. Increasingly, Entity and User Behaviour Analytics (EUBA) systems will be adopted, alongside training programs and automated testing, such as simulated phishing and social engineering attacks.
7. IoT – the challenge will only increase
We’ve already seen some of the security challenges raised by IoT, but 2019 will significantly demonstrate the upward trend in this area. Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organizations, with minimal thought by many as to the security risks and potential consequences.
Because some IoT deployments are well away from the main network areas, they have slipped in under the radar. In the absence of a standard, or indeed a perceived need for security, IoT will continue to be deployed, creating insecurity in areas that were previously secure. For the greatest percentage of IoT deployments, it is incredibly difficult or impossible to backfit security. This means that the failure to segment on the network will further exacerbate the challenges IoT will create in 2019 and beyond.
8. Increasing risks with shadow IT systems and bad housekeeping
Shadow IT systems continue to proliferate, as do the number of applications and access points into systems, including legacy applications. In the case of shadow IT systems, these are indefensible as they are; and in the case of increasing applications and access points, if they relate to old or abandoned applications, they are difficult to identify and defend.
In both cases, these are an easy attack surface with significant oversight, internal politics and budget challenges, and were previously seen as a lower priority for resolution. However, there has been both an increased awareness of the opportunity for attack via this route, and an increase in the number of attacks, which will accelerate in 2019.
9. DDoS – usually unseen, but still a nightmare
DDoS is the dirty secret for many organizations and attacks will continue to grow in 2019, alongside the cost of defending against them. Nevertheless, DDoS attacks aren’t generally newsworthy, unless a big name organization is involved, or the site is down for a long time. And, of course, the victim does not want to draw attention to their lack of defence. That’s not good for custom or for share prices.
The cost of launching an attack is comparatively low, often shockingly low, and the rewards are quick – the victim pays for it to go away. Additionally, cryptocurrencies have aided the money transfer in this scenario. Yet the cost for the victim is much higher than the ransom, as it involves system analysis, reconstruction and, naturally, defending against the next attack.
10. Cybersecurity in the boardroom
A decade, perhaps two decades, late for some organisations, cybersecurity is now considered a key business risk by the board. 2019 will see this trend accelerate as boards demand clarity and understanding in an area that was often devolved as a sub-component of the CISO’s role, and was not really a major topic for the boardroom. The financial, reputational and indeed C- Suite employment risks of cyber breach will continue to drive board focus on cybersecurity up the agenda.
Author: Ian Kilpatrick