Cyber breaches of mega-retailers like Home Depot and Target, health care insurers like Anthem, Premera and Excellus and federal agencies -- most prominently, the Office of Personnel Management -- dominate the headlines, but they're only a fraction of the story. What most people don’t realize is that a staggering 90 percent of breaches impact small businesses. Those figures, released by payment technology solutions powerhouse First Data, highlight the seriousness of the cyber security issue for small businesses.

Unlike larger organizations with revenues in the billions, small businesses might easily experience a near extinction-level event from a data breach. The recovery expenses mount quickly -- credit monitoring for affected customers, lost revenue, crisis management, customer notification and investigation of the breach, just to name a few -- and can create a financial loss so staggering it has the potential to crush a small business. With 2016 already on pace to see a 4.7 percent rise in the number of database compromises over last year, according to data released by the Identity Theft Resource Center, members of the business community have a right to wonder if or when this seemingly never-ending assault will plateau.

Small businesses need to follow the 3Ms in order to navigate a most dangerous digital world. Minimize the risk of exposure; monitor networks; and have comprehensive incident response and resolution programs in place in order to manage the damage. In other words, respond urgently, transparently and empathetically to customers and employees in the event of a compromise.

Here are four strategies that can help small businesses better defend against malicious insider and hacker attacks and more effectively deal with them if a breach does occur. 

1. Know your risks

It’s imperative that small businesses acknowledge the value of their data and do what they can to protect it. Companies of every size can reduce the chance of an exposure if they scour their network and data assets with an eye toward where vulnerabilities might be lurking.

First, review the type of data that you are collecting and storing. Businesses handling medical or financial information, for example, may need to comply with industry regulations or state and federal laws that require specific security measures. Also, understand where sensitive information currently resides. A server with remote access could present an easy target for hackers. Consider keeping top-level data somewhere that’s more difficult to reach. 

Get a handle on how data moves across your network. How are mobile devices authorized to connect? Which data is shared with third parties? See if security gaps exist at those connection points and fix them.

2. Make employees your first line of defense

Employees typically have wide access to stored information -- from customers’ financial data to personnel records. A better strategy is to match network access permissions to the requirements of specific job duties. If an employee doesn’t need access to sensitive data, don’t give it to them. When you change an employee’s role, update his or her login credentials to maintain a strong security posture. Equally important, immediately deactivate the network access of any employee who leaves the company, regardless of the circumstances of their departure.

Employees represent a delicious target. Hackers view them as the weakest link, making the small business workforce a crucial link in the security chain. Raising employee awareness is essential. Educate them about the dangers of phishing and falling for other common scams. Be sure they know what to do if they think they might have clicked on a malware-laden link or mistakenly provided information on a clone website.

3. Focus resources in the right areas

Like their larger counterparts, small businesses often hold enormous amounts of data. Trying to deploy an impenetrable fortress around all of it would be prohibitively expensive. Instead, identify the information that is most sensitive -- and most valuable -- and focus security resources in those areas. Consumer data (payment data and personally identifiable information such as Social Security numbers, names, addresses, birth dates, etc.) and employee data should be among the files afforded the highest level of protection.

Strong security doesn't have to be prohibitively expensive. Encryption technology is often free or very low cost, so look for opportunities to use it. If sensitive datasets are encrypted, a stolen laptop or lost thumb drive will still be an annoyance, but it may not result in a breach.

4. Invest in cyber insurance with coverage that matches your business risk profile

Because the financial implications associated with even a minor breach are significant, small businesses must consider mitigating their risks by adding a cyber insurance policy. Coverage is available that helps pay costs related to forensic investigations, customer notification, reputation management and even legal counsel. Some policies also provide access to experts who can help the business evaluate its risks and address potential vulnerabilities.

Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance, real estate and government service. A former director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 and co-founder of Credit.com. He is also the author of "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves."

Source: https://www.entrepreneur.com/article/276221

No business is completely safe from security vulnerabilities. Just look at Target, Home Depot and TJ Maxx. While these well-known companies may seem like a more attractive target for hackers, the businesses flying under the radar face the same, if not more, threats from cyber attackers looking to cause mayhem in a company.

To help small and midsize businesses stay protected, we asked tech experts what the biggest security risks these companies face are and how they can defend against them.

Here is what they had to say:

Cyber attackers don't discriminate:

Small and midsize businesses often make a philosophical mistake right off the bat: They assume they are too small to be relevant to hackers. I can promise you that cyber attackers believe in equal opportunity for targets.

So while larger companies often opt for corporate-owned devices, there are many products available on a per-seat basis that will work to secure proprietary data even when accessed by personally-owned devices. This is where SMBs need to focus: on the protection of their data. Even if your strategy is not as comprehensive (or expensive) as those in place at a federal agency or a massive corporation, building roadblocks on the way to exposed plaintext information is a necessary tactic to discourage hackers. Otherwise you’re an easy mark.

-- Ray Potter, CEO of SafeLogic, a company providing security, encryption and FIPS validation products to applications

Security flaws are everywhere

Right now a lot of the challenges arise from how networked and interconnected the modern marketplace is. Social media is a great example of a technology and business advancement that has brought businesses closer to customers and clients while also increasing business risk.

As employees engage in sales and networking across social networks, new pathways into the business open up and cyber criminals know how to exploit them. One of the most effective actions businesses can take to reduce the risks that come from our interconnected marketplace is to provide knowledge. Many users do not understand how cyber criminals leverage social tools and technologies to gain access to businesses and their data. A simple weekly update from IT on threats and how to avoid them is an important way to ensure your user base is well informed and avoiding risky online activity. It empowers your employees to be accountable for security, and incorporates them into your security solution.

-- Anna Frazzetto, Chief Digital Technology Officer and SVP at Harvey Nash, an IT recruiting firm

It comes back to the data

Protecting sensitive data from hackers should be the top priority for businesses of all sizes. These threats can come in the form of phishing and malware that seek to infiltrate the corporate network, endpoints and the cloud applications employees use. To mitigate against these threats:

Update patches as they become available

Use security products that protect the entire IT stack – the device, operating system, application, network, cloud and data layers

Train employees to have security awareness

-- Pravin Kothari, founder and CEO of CipherCloud, an enterprise cloud security company

People are a liability

People remain the biggest security risk to any sized organization, including SMBs. As threats become more sophisticated, even careful employees may find themselves victims of phishing or accidentally opening attachments with viruses. The best defense is ensuring that staff get consistent education to keep security at the top of mind. Security training for all employees really should start on day one.

The other large issue I see is organizations maintaining a legacy security posture, or original security plan. It’s not enough to configure the firewall and walk away. Every organization should consider bringing in a third party to get a vulnerability assessment. Even if you have a dedicated security team, a second set of eyeballs will help identify risks and start working towards remediation.

-- Cortney Thompson, Chief Technology Officer of Green House Data, an environmentally conscious data center service

Imbalance in security

The fastest-growing threat is sophisticated phishing attacks, which, when not identified and stopped promptly, can lead to a loss of business.

Business needs to be smart about balancing in-house security resources and building a strong team, while also leveraging third-party security services. There are a number of third-party security services, many of them are SaaS based, that don’t require investments in hardware and are generally easier to deploy.

Perhaps the most important thing is to treat security threats seriously and to proactively assess your security measures. Many companies don’t take security seriously enough until something bad happens. It is generally a lot more expensive to clean up after a security breach than to address it proactively.

-- Arne Josefsberg, Chief Information Officer of GoDaddy, an Internet domain registrar and web hosting company

Source: https://www.entrepreneur.com/article/275737

Imagine a criminal breaks into your home but doesn't steal anything or cause any damage. Instead, they photograph your personal belongings and valuables and later that day hand-deliver a letter with those pictures and a message: "Pay me a large sum of cash now, and I will tell you how I got in."

Cybercriminals are doing the equivalent of just that: Hacking into corporations to shake down businesses for upward of $30,000 when they find vulnerabilities, a new report from IBM Security revealed.

The firm has traced more than 30 cases over the past year across all industries, and at least one company has paid up. One case involved a large retailer with an e-commerce presence, said John Kuhn, senior threat researcher at IBM Security.

Though some companies operate bug bounty programs — rewarding hackers for revealing vulnerabilities — in these cases, the victims had no such program.

"This activity is all being done under the disguise of pretending to be a 'good guy' when in reality, it is pure extortion," said Kuhn.

Researchers have dubbed the practice "bug poaching."

Here's how it typically works. The attacker finds and exploits web vulnerabilities on an organization's website. The main method of attack — known as SQL injection — involves the hacker injecting code into the website which allows them to download the database, said Kuhn.

Once the attacker has obtained sensitive data or personally identifiable information, they pull it down and store it, then place it in a cloud storage service. They then send an email to the victim with links to the stolen information — proof they have it — and demand cash to disclose the vulnerability or "bug."

Though the attacker does not always make explicit threats to expose the data or attack the organization directly, there is no doubt of the threatening nature of the emails. Hackers often include statements along the lines of, "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for living, not for fun," said the report.

"This does not negate the fact that the attacker stole the organization's data and placed it online, where others could potentially find it, or where it can be released," said Kuhn.

Trusting unknown parties to secure sensitive corporate data — particularly those who breached a company's security systems without permission — is inadvisable, said Kuhn. And, of course, there are no guarantees when dealing with these criminals so even when companies pay up, there is still a chance the attacker will just release the data.

Organizations that fall victim to this type of attack should gather all relevant information from emails and servers and then contact law enforcement, said Kuhn.

Here are some measures companies can take to avoid becoming a victim, according to IBM Security: 1) Run regular vulnerability scans on all websites and systems. 2) Do penetration testing to help find vulnerabilities before criminals do. 3) Use intrusion prevention systems and web application firewalls. 4) Test and audit all web application code before deploying it. 5) Use technology to monitor data and detect anomalies.

Source: http://www.cnbc.com/2016/05/27/the-disturbing-new-way-hackers-are-shaking-down-big-business.html