Posts

Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

Do you have employees who bring mobile phones to work and use those devices on the corporate network? Do they store company data on these “Bring Your Own Devices (BYOD)”?? Does your company have a policy in place for this?

First, the moment a person brings in their personal phone to work, there is a fusion of personal and business tasks that occur. And, equally as bad, company issued devices are used for personal use as much, if not more than the employees own devices. Not sure you believe this? Here are some stats:

A recent survey asked 2,000 office workers about their habit of using their personal mobile devices at work. Here’s what it found:

  • 73% of people admit to downloading personal apps to tablets they got from their company.
  • 62% of people admit to downloading personal apps to mobile phones they got from their company.
  • 45% of people admit to downloading personal apps to notebooks they got from their company.
  • The people who were most likely to do this were in the 25 to 38-year-old age group.
  • 90% of people use their personal mobile devices to conduct business for work.

As you can see, a lot of people are using their mobile devices on the job, and this could not only put your company data at risk, but also the data associated with your clients. Do you have a plan to minimize or even totally prevent how much sensitive company data is wide open to hackers?

Solutions to Keep Sensitive Business Information Safe

Decision makers and business owners should always consider their personal devices as equal to any business device. You definitely don’t want your sensitive company information out there, and this information is often contained on your personal mobile or laptop device. Here are some things that you can do to keep this information safe:

Give Your Staff Information About Phishing Scams

Phishing is a method that cybercriminals use to steal data from companies. Studies show that it is extremely easy for even the smartest employees to fall for these tricks. Here’s how they work: a staff member gets an email with a sense of urgency. Inside the email is a link. The body of the email encourages the reader to click the link. When they do, they are taken to a website that either installs a virus onto the network or tricks the employee into giving out important company information.

Inform Your Staff that the Bad Guys Might Pose as Someone They Know

Even if you tell your staff about phishing, they can still get tricked into clicking an email link. How? Because the bad guys make these emails really convincing. Hackers do their research, and they are often skilled in the principles of influence and the psychology of persuasion. So, they can easily create fake emails that look like they come from your CEO or a vendor, someone your staff trusts. With this in mind, it might be best to create a policy where employees are no longer allowed to click email links. Pick up the phone to confirm that whatever an email is requesting, that the person who sent it is legitimate.

Teach Employees that Freebies aren’t Always Goodies

A lot of hackers use the promise of something free to get clicks. Make sure your staff knows to never click on an email link promising a freebie of any kind.

Don’t Buy Apps from Third-Party Sources

Apps are quite popular, and there are many that can help to boost productivity in a business setting. However, Apple devices that are “jailbroken” or Android devices that are “rooted” are outside of the walled garden of their respective stores and susceptible to malicious viruses. Make sure your employees know that they should never buy an app from a third-party source. Only use the official Apple App Store or the Google Play Store.

Always Protect Devices

It’s also important that you advise your employees to keep their devices protected with a password. These devices are easy to steal since they are so small. If there is no password, there is nothing stopping a bad guy from getting into them and accessing all of the accounts that are currently logged into the device.

Install a Wipe Function on All Mobile Devices Used for Business

You should also require all employees to have a “wipe” function on their phones. Even if they are only doing something simple, like checking their work email on their personal mobile device, it could get into the wrong hands. With the “wipe” function, the entire phone can be cleared remotely. You should also require employees to use the setting that erases the phone after a set number of password attempts.

Require that All Mobile Devices on the Company Network Use Anti-Virus Software

It’s also important, especially in the case of Android devices, that all mobile devices on the network have some type of anti-virus software.

Do Not Allow Any Jailbroken Devices on Your Company’s Network

Jailbroken devices are much more vulnerable to viruses and other malware. So, never allow an employee with a jailbroken phone to connect to your network.

All Employees Should Activate Update Alerts

One of the easiest ways to keep mobile devices safe is to keep them updated. So, make sure that all employees have update alerts enabled, and make sure that they are updating their devices when prompted or automatically.

Teach Employees About the Dangers of Public Wi-Fi

Finally, make sure your staff knows the dangers of using public Wi-Fi. Public Wi-Fi connections are not secure, so when connected, your devices are pretty open. That means, if you are doing things that are sensitive, such as logging into company accounting records, a hacker can easily follow. Instead, urge employees to use a VPN. These services are inexpensive and they encrypt data so hackers can’t access it.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 12 Tips to Destroy Your Sensitive Data

Believe it or not, you just can’t shred too much. If you aren’t destroying your sensitive data, my best advice is for you to start now. There are people out there who make a living diving into dumpsters in search of credit card info, bank account number, mortgage statements, and medical bills; all things they can use to steal your identity.  

Here are 12 tips that you can use to help you destroy your sensitive data:

  1. Buy a shredder. That said, I don’t own a shredder. I’ll explain shortly. There are a number of different brands and models out there. Some even shred CDs. This is important if you keep your documents saved on a computer, which you then saved to a CD. Don’t, however, try to shred a CD in a shredder that isn’t equipped to do this job. You will definitely break it.
  2. Skip a “strip-cut” shredder. These shredders produce strips that can be re-constructed. You would be surprised by how many people don’t mind putting these pieces together after finding them in trash. Yes, again, people will go through dumpsters to find this information. Watch the movie “Argo” and you’ll see what I mean.
  3. Shred as small as you can using a cross cut shredder. The smaller the pieces, the more difficult it is to put documents together again. If the pieces are large enough, there are even computer programs that you can use to recreate the documents.
  4. Fill a large cardboard box with your shreddables. You can do this all in one day, or allow the box to fill up over time.
  5. When the box is full, burn it. This way, you are sure the information is gone. Of course, make sure that your municipality allows burning.
  6. You should also shred and destroy items that could get you robbed. For instance, if you buy a huge flat screen television, don’t put the box on your curb. Instead, destroy, shred, or burn that box. If it’s on the curb, it’s like an invitation for thieves to come right in.
  7. Shred all of your documents, including any paper with account numbers or financial information.
  8. Shred credit card receipts, property tax statements, voided checks, anything with a Social Security number, and envelopes with your name and address.
  9. Talk to your accountant to see if they have any other suggestions on what you should shred and what you should store.
  10. Shred anything that can be used to scam you or anyone. Meaning if the data found in the trash or dumpster could be used in a lie, over the phone, in a call to you or a client to get MORE sensitive information, (like a prescription bottle) then shred it.
  11. Try to buy a shredder in person, not online. Why? Because you want to see it and how it shreds, if possible. If do buy a shredder online, make sure to read the reviews. You want to make sure that you are buying one that is high quality.
  12. Don’t bother with a shredder. I have so much to shred (and you should too) that I use a professional document shredding service.

I talked to Harold Paicopolos at Highland Shredding, a Boston Area, (North shore, Woburn Ma) on demand, on-site and drop off shredding service. Harold said “Most businesses have shredding that needs to be done regularly. We provide free shredding bins placed in your office. You simply place all documents to be shredded in the secure bin. Your private information gets properly destroyed, avoiding unnecessary exposure.”

Does your local service offer that? Shredding myself takes too much time. And I know at least with Highlands equipment (check your local service to compare) their equipment randomly rips and tears the documents with a special system of 42 rotating knives. It then compacts the shredded material into very small pieces. Unlike strip shredding, this process is the most secure because no reconstruction can occur.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Second Hand and Discarded Devices Lead to Identity Theft

A new study was just released by the National Association for Information Destruction. What did it find? Astonishingly, about 40% of all digital devices that are found on the second-hand market had personal information left on them. These include tablets, mobile phones, and hard drives.

The market for second hand items is large, and it’s a good way to find a decent mobile device or computer for a good price. However, many times, people don’t take the time to make sure all their personal information is gone. Some don’t even understand that the data is there. This might include passwords, usernames, company information, tax details, and even credit card data.  What’s even more frightening is that this study used simple methods to get the data off the devices. Who knows what could be found if experts, or hackers, got their hands on them. It wouldn’t be surprising to know they found a lot more.

Here are some ways to make sure your devices are totally clean before getting rid of them on the second-hand marketplace:

  • Back It Up – Before doing anything, back up your device.
  • Wipe It – Simply hitting the delete button or reformatting a hard drive isn’t’ enough. Instead, the device has to be fully wiped. For PCs, consider Active KillDisk. For Macs, there is a built in OS X Disk Utility. For phones and tablets, do a factory reset, and then a program called Blancco Mobile.
  • Destroy It – If you can’t wipe it for some reason, it’s probably not worth the risk. Instead, destroy the device. Who knows, it might be quite fun to take a sledge hammer to your old PC’s hard drive, right? If nothing else, it’s a good stress reliever!
  • Recycle It – You can also recycle your old devices, just make sure that the company is legitimate and trustworthy. The company should be part of the e-Stewards or R2, Responsible Recycling, programs. But destroy the hard drive first.

Record It – Finally, make sure to document any donation you make with a receipt. This can be used as a deduction on your taxes and might add a bit to your next tax return.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Study Shows Millennials Choose Convenience Over Security

To those of us consider Tom Cruise the movie star of our day or even Grunge as the music we grew up with, looking at millennials, and the way they view life, is fascinating. These “kids” or young adults, many are brilliant. They really do define “disruption”.

However, that doesn’t mean that this tech savvy generation is always right. In fact, a new study shows just the opposite when it comes to internet safety. Though, they can also teach us a few things and are definitely up to speed on the value of “authentication” (which leads to accountability).

Anyway…South by Southwest, or SXSW, is a festival and conference that is held each year in Austin, TX. This year, a survey was done with some good AND scary results. The company that did the survey, SureID, found that 83% of millennials that were asked believed that convenience is more important than safety. That’s not good. But this is not the only interesting finding, however. On a positive note, the study also found the following:

  • About 96% want to have the ability to verify their identity online, which would ensure it was safe from hackers.
  • About 60% put more value on time than they do their money or safety.
  • 79% are less likely to buy something from a person who can’t prove their identity.
  • 70% feel more comfortable interacting with a person online if they can verify that other person’s identity.
  • 91% say they believe that companies “definitely” or “maybe” do background checks on those who work for them. These include on-demand food delivery and ridesharing. However, most companies do not do this.

What does this information tell us? It says that we are very close to seeing a shift in the way millennials are viewing their identities, as well as how they view the people and businesses they interact with.

Millennials have a need to want to better verify another person’s identity. To support this, just look at dating apps. Approximately 88% of people using them find the idea of verifying the identity of the people they might see offsite as appealing. It’s similar with ride sharing, where about 75% of millennials want to know, without a doubt, who is driving them around.

We live in a world today that is more connected than ever before. These days, as much as 30% of the population is working as freelancers, or in another type of independent work. In many cases, this work is evolving from small gigs to large and efficient marketplaces. Thus, the need for extra security and transparency is extremely important. Sometimes, technology helps us act too comfortably with people we don’t really know, and the study shows that having people prove whom they are will help to create higher levels of trust.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three ways to beef up security when backing up to the cloud

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

  • Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
  • Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
  • Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

How much is your Data worth online?

Cyber crime sure does pay, according to a report at Intel Security blogs.mcafee.com. There’s a boom in cyber stores that specialize in selling stolen data. In fact, this is getting so big that different kinds of hot data are being packaged—kind of like going to the supermarket and seeing how different meats or cheeses are in their own separate packages.

10DHere are some packages available on the Dark Net:

  • Credit/debit card data
  • Stealth bank transfer services
  • Bank account login credentials
  • Enterprise network login credentials
  • Online payment service login credentials

This list is not complete, either. McAfee Labs researchers did some digging and came up with some pricing.

The most in-demand type of data is probably credit/debit card, continues the blogs.mcafee.com report. The price goes up when more bits of sub-data come with the stolen data, such as the victim’s birthdate, SSN and bank account ID number. So for instance, let’s take U.S. prices:

  • Basic: $5-$8
  • With bank ID#: $15
  • With “fullzinfo” (lots more info like account password and username): $30
  • Prices in the U.K., Canada and Australia are higher across the board.

So if all you purchase is the “basic,” you have enough information to make online purchases—and can keep doing this until the card maxes out or the victim reports the unauthorized charges.

However, the “fullzinfo” will allow the thief to get into the account and change information, thwarting the victim’s attempts to get things resolved.

How much do bank login credentials cost?

  • It depends on the balance.
  • $2,200 balance: $190 for just the login information
  • For the ability to transfer funds to U.S. banks: $500 to $1,200, depending on the balance.

Online premium content services offer a variety of services, and the login credentials to these are also for sale:

  • Video streaming: $0.55 to $1
  • Cable channel streaming: $7.50
  • Professional sports streaming: $15

There are so many different kinds of accounts out there, such as hotel loyalty programs and auction. These, too, are up for sale on the underground Internet. Accounts such as these have the thief posing as the victim while carrying out online purchases.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Data security policies need teeth to be effective

Bottom line: If you have a data security policy in place, you need to make sure that it’s up to date and contains all of the necessary elements to make it effective. Here are 10 essential items that should be incorporated into all security policies:

4H1. Manage employee email

Many data breaches occur due to an employee’s misuse of email. These negligent acts can be limited by laying out clear standards related to email and data. For starters, make sure employees do not click on links or open attachments from strangers because this could easily lead to a ransomware attack.

2. Comply with software licenses and copyrights

Some organizations are pretty lax in keeping up with the copyrights and licensing of the software they use, but this is an obligation. Failing to do so could put your company at risk.

3. Address security best practices

You should be addressing the security awareness of your staff by ensuring that they are aware of security best practices for security training, testing and awareness.

4. Alert employees to the risk of using social media

All of your staff should be aware of the risks associated with social media, and consider a social media policy for your company. For example, divulging the wrong information on a social media site could lead to a data breach. Social media policy should be created in line with the security best practices.

5. Manage company-owned devices

Many employees use mobile devices in the workplace, and this opens you up to threats. You must have a formal policy in place to ensure mobile devices are used correctly. Requiring all staff to be responsible with their devices and to password protect their devices should be the minimum requirements.

6. Use password management policies

You also want to make sure that your staff is following a password policy. Passwords should be complex, never shared and changed often.

7. Have an approval process in place for employee-owned devices

With more employees than ever before using personal mobile devices for work, it is imperative that you put policies in place to protect your company’s data. Consider putting a policy in place which mandating an approval process for anyone who wants to use a mobile device at work.

8. Report all security incidents

Any time there is an incident, such as malware found on the network, a report should be made and the event should be investigated immediately by the IT team.

9. Track employee Internet use

Most staff members will use the Internet at work without much thought, but this could be dangerous. Try to establish some limits for employee Internet use for both safety and productivity.

10. Safeguard your data with a privacy policy

Finally, make sure that all staff members understand your company’s privacy policy. Make sure that data is used correctly and within the confines of the law.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses.

2016 Information Security Predictions

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predicts many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off…

4WWearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen.

Ransomware

Not only will this kind of attack continue, but an offshoot of it—“I will infect someone’s device with ransomware for you for a reasonable price”—will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

A company’s weakest links are often their employees when it comes to cybersecurity. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest for fending off attacks—but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be driven towards employees’ home systems as portals to the company’s network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because the data will be in sets linked together.

Cars, et al

Let’s hope that 2016 (or any year, actually) won’t be the year that a cyber punk deliberately crashes an Internet connected van carrying a junior high school’s soccer team. Security experts, working with automakers, will crack down on protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It’s possible: Your paycheck, that’s been directly deposited into your bank for years, suddenly starts getting deposited into a different account—that belonging to a cyber thief. Snatching control of a transaction (“integrity attack”) means that the thief will be able to steal your money or a big business’s money.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

11 Ways to Mitigate Insider Security Threats

Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats.Here are 11 steps that all organizations should take to mitigate these threats and protect important company data:11D

  1. Always encrypt your data If you want to minimize the impact of an insider threat, always encrypt data. Not all employees need access to all data and encryption adds another layer of protection.
  2. Know the different types of insider threatsThere are different types of insider threats. Some are malicious, and some are simply due to negligence. Malicious threats may be identified by employee behavior, such as attempting to hoard data. In this case, additional security controls can be an effective solution.
  3. Do background checks before hiringBefore you hire a new employee, make sure you are doing background checks. Not only will this show any suspicious history, it can stop you from hiring any criminals or those associated with your competitors. Personality tests can also red flag the propensity for malicious behavior.
  4. Educate your staffEducating your staff on best practices for network security is imperative. It is much easier for employees to use this information if they are aware of the consequences of negligent behavior.
  5. Use monitoring solutionsThere are monitoring solutions that you can use, such as application, identity and device data, which can be an invaluable resource for tracking down the source of any insider attack.
  6. Use proper termination practicesJust as you want to be careful when hiring new employees, when terminating employees, you also must use proper practices. This includes revoking access to networks and paying attention to employee actions on the network in the days before they leave.
  7. Go beyond the IT departmentThough your IT department is a valuable resource, it cannot be your only defense against insider threats. Make sure you are using a number of programs and several departments to form a team against the possibility of threats.
  8. Consider access controlsAccess controls may help to deter both malicious and negligent threats. This also makes it more difficult to access data.
  9. Have checks and balances for all staff and systemsIt is also important to ensure there are checks and balances in place, i.e. having more than one person with access to a system, tracking that usage and banning shared usernames and passwords.
  10. Analyze network logsYou should collect, store and regularly analyze all of your network logs, and make sure it’s known that you do this. This will show the staff that you are watching what they are doing, making them less likely to attempt an insider attack.
  11. Back up your data Employees may be malicious or more likely they make big mistakes. And when they do, you’d sleep better at night knowing you have redundant, secure cloud based backup to keep your business up and running.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. See him discussing identity theft prevention.Disclosures.