Small Businesses Will Remain a Target in 2017

By | January 20th, 2017|Business Security|

As we enter 2017, small businesses remain a prime target for hackers and criminal schemes. Last year, countless headlines reported on nationwide DDoS attacks, complex ransomware, and repeated hacks. These attacks, as well as phishing attempts, malware, and even simple human error, can compromise a thriving business – regardless of its size.

In our own survey, we found that while the majority (58 percent) of small businesses know to be vigilant and proactive about cyber attacks, most are not taking proactive measures to combat these threats. These companies are also not allocating budgets for risk mitigation and response services. The reason is surprising. Of the companies we surveyed, 51 percent were not aware that they were storing at-risk data, although many were collecting email addresses, billing addresses, Social Security numbers, and credit/debit card numbers. This data, belonging to customers and employees, can be easily compromised by malicious activity.

Last year, to help businesses of all sizes and stages protect their sensitive information, we launched our white-labeled Small Business Monitoring product. This service includes two features: Defense and Restoration.

To help defend against threats, our proprietary dark web surveillance technology, CyberAgent, monitors for compromised business information and alerts the business if we find a match to employee credentials, company URLs and domains. If compromised, users will have access to our CSID specialists who can assist with restoration for a wide range of identity theft types. Our case workers are CITRMS, FCRA, and FACTA certified.

This year, take action to help keep your business, employees, and customers safe from cyber threats. To learn more about our small business product, visit csid.com/sb.

To stay up to date with all CSID news, be sure to follow us on Facebook, Twitter and LinkedIn.

How Companies Can Stay Secure When Introducing BYOD Policies

By | September 23rd, 2016|Business Security|

Bring your own device (BYOD) policies continue to grow in popularity. Employees and employers alike are enjoying the flexibility of using their own devices for work, so much so that we’re starting to see the workplace itself evolve. While we’ve seen many benefits to these policies (productivity, cost savings), it’s important to note that creating a BYOD policy without security in mind may put company data at risk.

BYOD policies may mean an increased risk for employee error. For example, a recent survey found around 40 percent of respondents said they never change their passwords on devices except when prompted to do so. Forty percent also said they use the same passwords across multiple websites. Such poor employee password habits can leave the door wide open for criminals, as we demonstrated last year, when hackers were able to infiltrate our fictional small business, Jomoco, in less than an hour.

However, a thorough understanding of the strengths, preferences and limitations of the average employee can address these security gaps. Here are best practices and recommended tools to implement effective BYOD security measures for your company:

BYOD best practices:

  • Develop a BYOD policy in partnership with IT, risk management, and legal counsel. Keep an open line of communication with IT so they can quickly communicate new and emerging threats of which employees should be aware.
  • Educate employees on BYOD security best practices regularly. It should never be assumed that your employees understand all the guidelines spelled out in your policy.
  • Require your employees to create long, strong and unique passwords, and encourage employees to take advantage of two-factor authentication wherever possible.
  • Require that employees password protect their mobile device if it hosts company information.
  • Require your employees to update their software on devices when prompted. These updates typically address security vulnerabilities.
  • Require that employees quickly report any lost or stolen devices. Swift response allows you to mitigate the risk of sensitive information falling into the wrong hands.

BYOD tools:

  • Use a secure alternative to open Wi-Fi networks. Provide employees with access to a VPN or hotspot.
  • Create and provide standard antivirus, anti-malware protection for all types of devices.
  • Consider enlisting the support of a proactive monitoring service for your company. By proactively monitoring for employee credentials on the dark web, businesses can determine when an employee’s personal information may have been compromised.

As a closing thought, always keep in mind that threats are constantly evolving, so a good BYOD policy is never complete. Just like any business process, BYOD policies should be reviewed and updated on a regular basis.

To stay up to date with all business security news, be sure to follow us on Facebook, Twitter and LinkedIn.

 

Cybersecurity Tips for Working Remotely

By | September 16th, 2016|Business Security|

For 3.7 million Americans, waking up and logging onto a computer from the comfort of their home marks the start to their workday. According to Global Workplace Analytics’ 2016 study, 50 percent of the US workforce is now permitted the luxury to partially telework during the workweek. This trend continues to edge toward the norm. In fact, the ability to work remotely, for the greater, non-self-employed population, has grown 103 percent since 2005.

While more opportunities to work remotely may reflect the emerging modern workplace, there are several factors employers and employees should weigh and discuss to ensure security is top of mind.

If your job allows employees to work remotely, consider the following:

Employees: Protect Your Home

  • Use strong, cryptic passwords on all of your work and personal accounts. Resist the urge to duplicate passwords.
  • Use two-factor authentication whenever offered for both work and personal accounts.
  • Personal and work devices should be equipped with the latest antivirus software, web filtering, firewalls, and encryption. Always make sure your devices and software have the most up-to-date versions to help safeguard information.
  • Work with your company’s IT department to set up a virtual private network, or VPN, to add another layer of security to your home’s internet.

Employees: Working Elsewhere

  • Employees should keep personal and work devices password protected in the event they are stolen or misplaced.
  • Avoid accessing sensitive company accounts on public Wi-Fi or unsecured networks. Public Wi-Fi can increase the risks of signal sniffing and compromise personal accounts, as well as professional networks. Many hackers set up accounts that mimic the names of frequented locations, hoping to steal from unknowing users. Consider using a VPN to access company data, or using your cell phone as a hotspot.
  • Be aware of your surroundings. Consider a screen protector and make sure sensitive calls are made in private.

Employers: Create a Cybersecurity Policy for All Employees
To help foster a conversation and environment committed to cybersecurity, organizations should create a cybersecurity policy and make staff training and security education a priority. In a recent episode of Firewall Chats, Michael Kaiser, executive director at the National Cyber Security Alliance, discussed creating a culture of cybersecurity at work.

“[Policies need] to be reinforced,” Kaiser said. “It can’t be a one and done kind of thing. It has to really be periodic. … Reminding people of the value of the information that an organization holds and the responsibility they have to protect it. When people give you their information, they expect you to protect it.”

To create a cybersecurity policy:

  • First, identify the security risks and threats that may affect your business
  • Develop clear policies and procedures for all employees, whether on-site or off-site
  • Train all employees on your new (or existing) cybersecurity policies
  • Create and maintain a process to help reward policy followers and address offenders
  • Define and address third party and vendor risks
  • Work closely with your IT department to detect and address unauthorized activity

Creating a culture of cybersecurity will help safeguard employees and company data, regardless of where they work. Employees, do you have the ability to work remotely? Are you aware of the security steps needed to help keep your company safe? Share your experiences on Facebook, Twitter and LinkedIn.

 

Survey: How Prepared are Small Business Owners for Cyber Attacks?

By | May 5th, 2016|Business Security, Research and Reports|

We recently partnered with Research Now to conduct a survey of 150 small business owners throughout the United States to get a sense of how this population is approaching risk mitigation and response. The key takeaway? Small businesses are more at risk than they think, and are not taking proactive steps or allocating budget to defend against cyber attacks.

Small businesses are concerned about cyber attacks, but not allocating budget for risk mitigation  
The majority of businesses (58%) are in fact worried about cyber attacks, but 51% of these businesses are not allocating any budget at all to risk mitigation. Why? Over half of small businesses (53%) feel they don’t store any valuable data. The reality:

  • 68% store email addresses
  • 64% store phone numbers
  • 54% store billing addresses
  • 48% store home addresses
  • 24% store SSNs
  • 20% store credit/debit card numbers

This points to a significant educational disconnect for small businesses when it comes to understanding what personally identifiable information (PII) is and how vulnerable they really are. As with the Jomoco case study, it took one business email address to take down the entire business.

Other highlights from the survey:

  • 31% of small businesses are not taking any proactive measures to mitigate cyber risk
  • Only 24% of small businesses that are not allocating budget for cyber attacks feel they are well prepared to handle an attack
  • Only 12% of small businesses have a breach preparedness plan in place

Awareness, education, monitoring and response
It will take collaboration between the security industry and public and private sectors to help bring security best practices from the back burner to top-of-mind for small business owners. These groups must become aware of the unique threats facing their business, and learn how they can help mitigate risk. Some recommendations: monitor business information to stay ahead of cyber threats, bake-in cyber security best practices to your business plan and corporate culture, and have a breach preparedness plan in place to minimize the impact of a breach.

Today, we launched the Small Business Monitoring product to help small businesses tackle cyber threats. For more information on this service, visit csid.com/sb.

Download the infographic here.

Stay up to date with all CSID news and reports by following us on Facebook, Twitter and LinkedIn.

CSID Launches Small Business Monitoring Product to Mitigate Risk of Cyber Threats

By | May 5th, 2016|Business Security, Company News|

Cyber criminals are targeting attacks towards small businesses more than ever before. In fact, Symantec reported over 43% of spear phishing attacks and 60% of all attacks in 2014 were directed towards small and midsize companies in its 2015 Internet Security Threat Report.

To combat this growing trend, we’re excited to announce today the launch of CSID’s Small Business Monitoring product, a new white-labeled service that will include full-scale protection and restoration for small businesses in the United States and across the globe. The service, hosted on our IMC platform, will include dark web surveillance of compromised business information and business identity restoration services.

Features of the Small Business Monitoring product include:

  • Defense: CyberAgent, CSID’s proprietary dark web surveillance technology, monitors the depths of the web for compromised business information, and alerts businesses to employee credentials and the appearance of company URLs and domains.
  • Restoration: Users will have access to CSID specialists who can help them to determine if data found to be compromised has resulted in an identity theft event, and guide them through any necessary restoration activities. CSID’s case workers can assist with restoration activities for a wide range of identity theft types, and are CITRMS, FCRA, and FACTA certified.

Here’s what CSID Vice President of Product and Marketing, Bryan Hjelm, had to say about the news:

“Small businesses are an especially vulnerable population; they have more money, accounts, activity and risk than individuals, but less ability to defend themselves than enterprises. Small Business Monitoring will provide the vital, full suite of services small businesses need to help protect their assets from the risk of cyber attacks, and help them if something happens.”

We recently conducted a survey that found a significant disconnect between small businesses’ concern around cyber security, and action taken for risk mitigation. For a summary of those findings and our whitepaper visit www.csid.com/sbsurvey.

For more information on the small business product, visit csid.com/sb.

To stay up to date with all CSID news, be sure to follow us on Facebook, Twitter and LinkedIn.

Snapchat’s Phishing Attack: A Reminder That Security Starts with Employee Education

By | March 2nd, 2016|Business Security, Industry News, Malware and Scams|

Snapchat, the popular ephemeral messaging application, just announced a phishing attack that has compromised the identities of a number of its current and former employees.

According to a blog post from the company, Snapchat’s payroll department was targeted by an isolated phishing scam, where a scammer impersonated the company’s chief executive officer and asked for employee payroll information. The email was not recognized as a scam and as a result, personal information about some current and former employees was disclosed.

Snapchat has not revealed the specific information that was released, but because it is sensitive payroll information, it could likely include everything from salary data and Social Security numbers, to bank details and addresses.

The frequency of phishing attacks continues to rise, and even unsophisticated hackers now have access to the tools needed to orchestrate an attack. According to a report from PhishLabs, “basic, even free, phishing kits now contain a variety of clever functions, as well as obfuscation and anti-analysis techniques.” While more sophisticated attackers are selling phishing kits for anywhere between $1 and $50, others are making them freely available.

In 2015, the FBI coined the term “business email compromise” to describe the growing category of phishing attacks targeting American companies. As of August 2015, the Bureau estimated that “since 2013, the total dollar losses to American companies exceeded $740 million, while only hitting around 7,000 targets. When international victims are added in, the losses total $1.2 billion.”

As with the case of Snapchat, attackers frequently impersonate executives from the company in order to hack into company networks. These attacks are often difficult to detect. It’s essential that companies invest time in educating their employees on safe email practices, including:

  • Using strong, unique passwords and enabling two-factor authentication whenever possible
  • Keeping all systems up-to-date with the latest security patches and updates
  • Avoiding sharing sensitive information over email, or utilizing code words to verify that the person requesting the information is indeed that person and not an attacker
  • Not clicking on any suspicious links
  • Deploying SPAM filters

How are you keeping your company safe from phishing attacks? We’d love to hear from you–connect with us on Facebook, Twitter or LinkedIn.

Firewall Chats, S.2, Ep. 1: Protecting Your Digital Life

By | February 23rd, 2016|Business Security, Firewall Chats|

In just a few short weeks, South by Southwest will descend upon downtown Austin, Texas. The Interactive portion of the conference is lauded for highlighting the most current privacy and security issues, drawing thousands of thought leaders to our backyard. In Firewall Chats’ second season, we decided to highlight some of these key thinkers whose SXSW panels focus on issues that are putting our identities and personal data at risk.

In our first episode this season, we had the pleasure of speaking with Nuala O’Connor, president and CEO of the Center for Democracy and Technology. O’Connor is a SXSW veteran and plans to discuss the notion of the “digital self,” as well as policy, legal and personal boundaries in her upcoming session, “Protecting the Digital You” on Sunday, March 13.

“I think many of us know the very significant privacy issues that we all face in both leveraging and using the best of technology,” said O’Connor, who previously cut her teeth at Amazon and General Electric. “But we also need to make sure we have a safe space to be individual, to be creative, and to be private.”

In her role with the Center for Democracy and Technology, O’Connor petitions for the rights of the individual in our digital world, including privacy and free expression. She also works alongside companies, governments and citizens to create and adopt thoughtful digital policies – including data destruction.

“Companies need to be transparent about what data is being collected, when and why,” said O’Connor. “[And] data has a half-life at some point. Too much data is not helpful to endeavors at hand. Companies need relevant data to help them get their job done, [but] collecting it all and deciding what to do with it later is not an acceptable answer.”

Despite the heated conversations around big data, privacy and security, O’Connor believes we are only at the inception of what’s to come.

“I think there are great days ahead,” she said. “I think the potential for technology to change lives in healthcare and education and the environment [is huge]. We’re still at the beginning [of the Internet]. I think everyone gets a voice in helping build it the right way, but hopefully always with the rights of the individual at heart.”

Listen to the entire episode at www.CSID.com/FirewallChats. And let us know your feedback on our Firewall Chats social channels on Twitter and Facebook.

Save the Date: Our next episode will air on Tuesday, March 1, and feature SXSW speaker Olga Raskin on biometric data. You don’t want to miss it!

The Worst Passwords of 2015

By | January 22nd, 2016|Business Security, Industry News|

In our line of defense against hackers, our passwords may be the first – or last – hurdle between malicious cybercriminals and our most sensitive information. Unique, complex logins should be used to protect our emails, social networks, bank accounts, shopping transactions and more. It is important to take great care crafting these passwords; however, the majority of Americans do not.

Each January, password management firm SplashData compiles and shares a list of the worst logins from the year prior. In 2015, the firm examined more than two million passwords that were leaked and breached.

Holding fast at first and second place are “123456” and “password,” respectively. Both passwords have topped SplashData’s list for the past five years. In addition to thoughtless, keyboard-lazy passwords (like “111111” and “qwerty”), sports and pop culture references were also overused. “Football” was number seven on SplashData’s list, with “baseball” close behind at number 10. The Force also had a hand in some of the worst passwords of 2015, driving “princess,” “solo,” and “starwars” up the Top 25 list.

“As we see on the list, using common sports and pop culture terms is also a bad idea,” said Morgan Slain, CEO of SplashData. “We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

If your password(s) appear on this list, make a resolution to change them right now.

For the strongest passwords:

  • Make sure your combinations are at least 12 characters long, and are a cryptic combination of letters and numbers.
  • Take care to avoid your name, birthday, or pet’s name.
  • Create a unique password for each site.
  • Change your passwords a few times a year, and especially after being notified of a breach.
  • Implement two-factor authentication for sites whenever possible.

Did your password make the “worst” list? Will you change it? We’d love to hear what you think. Weigh in with us on Facebook, Twitter or LinkedIn.

Firewall Chats, Ep. 5: Scams, Malware, and Phishing Attempts

By | December 15th, 2015|Business Security, Firewall Chats|

Today airs the final episode in our pilot podcast series! To wind down the last few days of 2015, we sat down with Adam Dolby, Encap Security’s vice president of business development.

Prior to joining Encap Security, Dolby was focused on banking, ATM networks, and card processing. His expertise lies within multi-factor authentication, security, and electronic financial services, which is why we wanted to discuss the tricks, traps, scams and malware that consumers face daily.

Did you know, according to Get Cyber Safe, roughly 156 million phishing emails are sent each day? Of that, 16 million make it through filters. Half are opened. In the end, 80,000 people fall victim to scams and share personal information with cyber criminals.

“Bad guys will cast a fairly wide net–the wider the net, the better for them,” Dolby said. “They see who ends up in it at the end. … While the online community has come [far], when you can still trick 80,000 people, a day, into giving away their credentials that means we have a really long way to go.”

Malicious emails aren’t the only danger to businesses and consumers.

“Malware, to me, is the real threat,” Dolby said. “Malware is a form of computer program designed specifically to steal your login credentials.”

Dolby said there were 255,000 new malware variants every single day in 2014.

Our guest also shared that long gone are the days when hackers were individuals, hiding in basements. Now these scams and hacks are part of sophisticated, organized attacks.

In our episode, Dolby shares tips to be aware of these scams, the cost of data breaches, two-factor authentication, and how businesses can better protect their employees and customers.

“It’s up to you to protect your identity,” Dolby said. “Be prepared for the when, not the if.”

You can listen to the entire episode, as well as our past podcast episodes, at www.csid.com/firewallchats. Thanks for listening!

Questions? Comments? A topic you’d like to see us tackle next year? Reach out to us on Twitter and Facebook to let us know!

Ransomware in Review

By | November 24th, 2015|Business Security, Malware and Scams|

One of the scariest cyber security trends of 2015 was the evolution and uptick of ransomware attacks. Ransomware is a type of malware that, once installed on a user’s device, will block access to the device until a ransom is paid to the cyber criminal to unlock and remove the malware. The FBI recently reported that Cryptowall, a popular strain of ransomware, netted cyber criminals more than $18 million between 2014 and 2015.

It is true that ransomware campaigns have continuously netted their owners large amounts of profit, and have become highly attractive to the fraud community. However, this rise in prominence has also led to an increase in focus by the anti-virus industry, whose job it is to mitigate the major threats seen in the underground world.

This is why ransomware has evolved drastically over the past 12 to 18 months. Cyber criminals have realized that the security industry is capable of developing various countermeasures to software-based threats, so simply locking devices for a ransom is easily mitigated and prevented. As a result, cyber criminals have taken ransomware a step further and moved to file encryption, which is much more difficult to resolve via anti-virus software. By implementing file encryption, cyber criminals can ensure that users cannot simply apply a patch and undo the damage done to their device. Affected users are forced to deal directly with the cyber criminal if they have any desire to recover the encrypted information, increasing the probability of an affected user paying the ransom rather than going to a security vendor for help.

Countermeasures to this new approach to ransomware are in the works. Businesses can focus on monitoring network traffic to identify anomalous requests or physical devices to identify suspicious activities on devices, activities like file system access and injection into remote processes. However, these countermeasures are a product of businesses catching up to the cyber criminals. The underground community will always be coming up with new ideas and attack methodologies. They innovate at a faster pace than the business world and are constantly focused on designing new methods to steal anything that can be sold or used for financial gain. It’s up to businesses and consumers to understand these issues and utilize the best tools available to secure themselves and their devices.

As always, let us know your thoughts on Facebook, Twitter or LinkedIn.
