Monthly Archives: March 2016

Warning to HR Directors of Phishing Scam Seeking Employee W-2’s


Written by: Peyton Smith
Shareholder, Litigation Section, Labor & Employment Practice Group at Munsch Hardt Kopf & Harr PC

I was contacted this week by the Director of Human Resources for a technology client with a request for immediate assistance tied to a data breach that has, unfortunately, become alarmingly too frequent during the first three months of 2016. She had received an email from the President of her company at the end of her workday, noting that their senior leadership was working on salary, bonus and budget forecasting for their company and requesting that she send to him the W-2’s for key company personnel via PDF. The email was written in his typical conversational style and was signed in the manner in which he signed all his internal emails. Further, his reply email listed a return email address to his direct email account. Before she sent the information or replied, she confirmed the email and signature block and verified with a Vice-President that she could forward the requested information. Upon review of the email and messaging, the Vice-President authorized the production of the requested information and employee W-2’s. Feeling well protected, the HR Director sent the email and W-2’s requested.

The email was unfortunately a scam by a hacker who had copied the President’s email signature block and matched his communication and signature style word-for-word, including creating a “ghost” over his correct email address to cloak the email address to appear to be for the intended recipient. My client was fortunate in that they caught the data breach quickly, but the information was now in the hands of someone outside the company who clearly had less than honorable ideas about what to do with the information they had gathered. Furthermore, hundreds of employees now had their W-2 information, including their names, addresses, social security numbers and other confidential information, taken by a skilled hacker.

In addressing this issue with my client in recent days, we learned that this current phishing scam is incredibly popular right now. The FBI and local law enforcement advised us that there have been more than 700 reported similar cases of hackers fraudulently securing employee W-2 information in the month of March 2016 alone. The hackers appear to be targeting companies with fewer than 3,000 employees, and the email requesting W-2 and similar employee information is nearly always directed to the human resources contact at the targeted company. The IRS has recently released an alert warning employers of this scam and urging them to be increasingly vigilant in protecting company and employee information. (See the following link for the latest alert: https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s) “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

If you have not yet done so, employers are strongly encouraged to implement a proactive plan to decrease the risk of unauthorized disclosure of such information.  Each state has different requirements for employee protection and penalties which might be levied against employers for failing to implement appropriate safeguards for protecting employee confidential information, as well as the notice requirements in the event a data breach occurs.  In the event that a data breach occurs and confidential employee information has been accessed by unauthorized parties, employers should immediately address the issue with more aggressive internal safeguards, contact legal counsel regarding how best to strategically address internal and external legal ramifications of the breach, notify law enforcement (local and the FBI’s Cyber Crimes Division), and inform the IRS of the fraudulent access to employee social security numbers.  Simultaneously, employers have a duty to promptly inform employees of the breach and what increased protections have been put in place to decrease the risk of future data breaches.

In light of these concerns and the increased risk of hacking personal information, employers are also encouraged to review current insurance policies and to consider whether to purchase cyber insurance coverage. Additional security software for utilization by the human resources and accounting department might be a wise and worthy investment to consider as a deterrent to hacking vulnerability.  With the increased efforts of hackers seeking W-2 and other personal employee information, prudent employers will partner with their legal counsel to address such concerns prior to being a hacking victim.  When considering best practices in protecting employee information, employers should follow the adage  “the best defense is a good offense”.

Peyton N. Smith is a Shareholder in the Labor & Employment and Business Litigation practice groups at Munsch Hardt Kopf & Harr, P.C. and is based in the firm’s Austin office.

Here’s How Hackers Stole $80 Million from Bangladesh Bank


The recent cyber attack on Bangladesh’s central bank that let hackers steal over $80 Million from the institution’s Federal Reserve bank account was reportedly caused by malware installed on the bank’s computer systems.
A few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh’s central bank, obtained credentials needed for payment transfers from the Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.
The criminal group was able to steal a total value of about $81 Million from the Federal Reserve’s Bangladesh account through a series of fraudulent transactions, but a typo in a transaction prevented a further $850 Million heist.
However, the question was still there:

How did the hackers manage to transfer $80 Million without leaving any trace?
Security researchers from FireEye’s Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.
Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank’s computer systems a few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.
Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.
The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank’s computer.
The investigators suspect the hack could have exploited a “zero-day” flaw, as such flaws are unknown to vendors as well.
After this, the hackers were able to steal the Bangladesh Bank’s credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.

“SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank,” Belgium-based SWIFT said in a statement Friday. “SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.”

Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank’s security protection was not robust enough to prevent the hack.
The Bangladesh Bank discovered weaknesses in its systems that could take years to repair, though the Federal bank has denied any system compromise.

No Matter Your Industry, It’s Time to Take Cybersecurity Seriously

Robert Herjavec, Shark on ABC’s Shark Tank, Founder of Herjavec Group, Bestselling Author of You Don’t Have to Be a Shark

We’re seeing more breaches, more endpoints, more technology, more connectivity. The key word is MORE. Given this level of interactivity, cybersecurity has experienced a surge over the past five years and shows no signs of slowing down.

Here are the top cybersecurity topics you should be speaking with your executive and IT teams about to support your emergency preparedness planning.

1. Ransomware: Holding your information hostage

Ransomware is a malicious software that allows hackers to access a company’s computers, encrypt information, and then demand payment in order to decrypt it. Vulnerabilities are often exploited in third-party software including Microsoft Office, Adobe and various graphic files. McAfee Labs reported 58% growth year over year in ransomware in Q2 2015 (~ 4 million samples). Herjavec Group does not advocate for paying out or negotiating during a ransomware attack. It is recommended that all organizations have an asset back-up strategy in the event they need to recover critical information.

Ask yourself: what is our asset back-up strategy? When was the last time we classified our assets or did an inventory of our critical information? Do our employees know what to do in the event their system is compromised?

2. Mobile Malware: Take control of your mobile devices.

Multiple best of breed vendors have reported an uptick in mobile malware as part of their 2016 predictions reports. Herjavec Group is focusing on the prevalence of these issues across Android devices in particular. The attack surface is growing as more individuals and corporate customers are adopting Android technology. Unfortunately in many instances, this operating system requires carrier updates in order to issue a new release. The lengthy lifecycle of each release provides ample opportunity for hackers to exploit existing vulnerabilities before the update occurs. To mitigate the risk, it is recommended that individuals ensure their mobile devices are up to date with the latest available operating systems information and files.

Ask yourself: do we understand the scope of the endpoints connected to our network? What is our BYOD policy and how do we ensure updates are pushed across our team?

3. Cloud: Is it time to move?

Moving assets and technologies to the cloud presents a scalable, cost-effective solution offering improved visibility, and the opportunity for proactive analysis. Unfortunately many organizations are challenged to advance cloud-based projects due to concerns over control, regulatory compliance, and overall security. To manage risk, we recommend developing a benchmark to measure cloud application usage on a regular basis (ex: track progress against risk targets, report cloud trust ratings quarterly, report new cloud services in use monthly). Herjavec Group offers various cloud consulting services including vulnerability assessments, web application testing, and penetration tests.

Ask yourself: Do you know what cloud technologies are being used in your environment? Do you know what good looks like? What metrics do you use to measure security and efficiency in the cloud? How frequently are you circulating these metrics?

4. Employee Awareness: Your employees are your biggest threat.

Spending on security technology is not sufficient as many reports indicate that employees and not firewalls are the No. 1 threat vector today. Organizations must consider how they are protecting their employees’ endpoints when they leave the corporate environment for business travel or to return home. It is anticipated that home networks will become targeted as hackers attempt to infiltrate corporate data being worked on remotely. You must also evaluate what training and awareness programs you offer to ensure your employees are invested in the protection of your organization’s vital assets. Herjavec Group can provide an outline of appropriate educational materials for your team or help administer a cybersecurity awareness seminar for your organization.

Ask yourself: when was the last time your team underwent security training? What access do your employees have to the internet within the workplace or from their connected mobile devices? What restrictions are in place?

In light of the dynamic and ever evolving cybersecurity landscape, it’s highly recommended that organizations have a security framework in place. When things go wrong, there is a tendency to panic and act irrationally. Developing a security framework and ensuring it’s communicated to all of the appropriate stakeholders within your organization can help maintain the sense of calm required to get your business back to standard operations as efficiently as possible. Here are the questions that need to be addressed by your Security Framework:

  • What happens when you hit the panic button (ie: will it work, who do you escalate to? What’s the disaster recovery plan?)
  • How many risks are being taken to run tech operations (ie: layers of security control, are all systems protected equally?)
  • Where and what is your sensitive data (ie: can you identify what has been lost in the event of a breach? Back up and recovery plans?)

Visit HerjavecGroup.com for more information on recommended cybersecurity discussion topics or to review Herjavec Group’s Ten Point Plan for security preparedness.

    To your success,

1-800 FLOWERS warns that hacker may have stolen customers’ personal info

Online florist failed to nip hackers in the bud


1-800 FLOWERS has begun sending out data breach letters notifying customers that a hacker might have stolen their personal information.

In a letter sent by the New York-based flower and gift retailer to the California Department of Justice, 1-800 FLOWERS explains that it was first alerted to the incident back in February when customers began complaining of an issue on its website.

“Our customer service team received reports on Feb. 15, 2016 from several customers indicating that they were unable to complete their online orders. Our operations team initiated an investigation and identified signs of unauthorized access to the network that operates our e-commerce platform.”

Bibi Brown, vice president of customer experience for 1-800 FLOWERS goes on to explain the team has since determined that during a 33-hour period between February 15 and February 17, an unauthorized third party might have gained access to customers’ orders, which commonly include their personal information such as their name, address, email address, and payment card data.


At this time, the floral retailer has not provided information on how the attacker might have succeeded in breaching its system. 1-800 FLOWERS has also not confirmed that any specific order information was affected.

There’s cause for some optimism, however.

Joseph Pititto, the company’s senior vice president, investor relations, told SCMagazine.com in an email that he has received no reports that any of the affected information has been incorporated into any sort of attack or other malicious campaign.

In this particular incident, it appears the worst case scenario would involve some compromised payment cards.

With that in mind, if you attempted to make a purchase with 1-800 FLOWERS during the affected 33-hour period, please take care to watch your credit transaction history carefully.

If you spot any suspicious charges, you should notify your bank or your card provider immediately. They can help you contest the charges, and in incidents such as these, they will be happy to send you a new card.

Raw Video: Men Place Card Skimmer on ATM Store Machine!

Just like that…..  card skimmer in place, taking but seconds

YouTube, Go Global With Williby: Miami Beach, Fla. — Watch as three men distract the store clerk and place card (reader) skimmer on ATM Point-of-Sale…

7 Tips From The FBI To Prepare Your Firm For A Cyber Attack

“In the past, the FBI wanted to operate in the shadows, but today’s Bureau is very different” said Jay F. Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office. In an effort to make the FBI more approachable, Kramer recently provided an overview of the cybersecurity activities of the FBI at an event before hundreds of attorneys.

How does the FBI operate?

The Bureau investigates violations of federal law and significant threats to national security, making it uniquely situated to deal with today’s cybersecurity issues. In addition to being a law enforcement agency, the FBI is also a member of the US intelligence community. FBI’s mission is primarily domestic with 56 field offices across the United States, but it also has offices in 87 countries and shares intelligence and threats coming from overseas by distilling it down and packaging it at the lowest level classification possible to push it out to victims. These overseas relationships enable the Bureau to quickly respond to cyber threats by gaining access to servers, logs and data to help unravel some of these complicated cyber matters from around the world. “When it comes to cybersecurity, you’re never very far from an FBI office and from an actual person that can speak to you about issues that you’re having” Kramer said.

Here are some of the cybersecurity issues that the FBI is seeing:

  • Hacktivists use computers, beyond lawful means, to make political statements. These statements are typically about business practices they disapprove of. For example, “Anonymous”, a well-known hacktivist group, can shut down websites and social media accounts of targeted firms and individuals.
  • The US and businesses are systematically attacked by hackers sponsored by foreign governments for terrorism or to gain a competitive advantage.
  • Criminal enterprises use cyber to perpetuate old schemes, such as extortion. In the old days, organized crime would threaten the business owner directly, “Hey, listen, you’re either going to pay me or something’s going to happen here. There’s going to be a fire, brick going through your window. You’re going to be hurt personally”. With the advent of encryption technology, criminals can now gain a compromising foothold to lock down your systems. “The bad guy holds the private key to unlock it” said Kramer. Nowadays, the business owner gets an email that says “If you don’t give me 100 bitcoin, I’m going to delete your data.” The FBI doesn’t take a position on whether to pay the money or not, although it’s unlikely that the business will be able to defeat the encryption. So, the choice is to either pay or rely on back up data.
  • There are fraudsters who want to steal your personally identifiable information (PII) to empty out your bank account. More and more, however, data has a value all of its own. Bad actors will infiltrate databases of client data with email addresses, home addresses, and phone numbers of your clients, and use that data to fuel billion dollar criminal enterprises: spam campaigns, such as pop-up ads for bogus Viagra or heart medication, or stock manipulation, such as pump and dump campaigns. There’s a whole underground economy of promoters and bad actors, who work in tandem and who need PII as the fuel for those fraudulent campaigns.
  • Industrial espionage for competitive advantage such as stealing product information that requires years of research. “You’d be horrified if you saw how much data is leaving the US every day from scientific firms, research firms, industrial firms, government contractors” said Kramer.

In summary, Kramer provided 7 tips to prepare your firm for a cyber-attack:

  1. Understand what your network looks like, even after all the mergers, acquisitions, and consolidations. Create a map of your networks and prepare a list of devices on the network and users on the network.
  2. Back up your data routinely and store it offsite.
  3. Know where your most important data is being held. Think about where it should be held and the protocols to gain access to that information.
  4. Develop policies for cybersecurity. What policies govern the use of data and networks by employees? Train your employees on use policies. Define where your logs and data are being held. List applications running on the network, including applications developed in house.
  5. Be aware that bad actors could already be in your system right now and have been for a long time. Make sure your IT departments are aware of updates and are patching vulnerabilities in your systems.
  6. Develop a response plan in the event of an attack. Have a plan to work with your attorneys, PR firm, your Board of Directors. Have a team of forensic experts and outside firms available.
  7. And finally, establish a relationship with your local FBI office today, before there’s a cyber-attack.

Obama’s Call for Encryption ‘Compromise’ Is Hypocritical


During his keynote speech at South By Southwest, President Barack Obama addressed the ongoing debate over encryption. Although he declined to discuss the specifics of the San Bernardino case, in which Apple is currently fighting a court order to hack its own device, the president spoke in more general terms about privacy and security. Obama joined several other political figures in calling for the tech industry to enable expanded law enforcement access to encrypted data.

Obama also advocated for the use of encryption by the government, saying that the technology is crucial to preventing terrorism and protecting the financial and air traffic control systems. But the president argued that ordinary citizens also need to expect some intrusion into their phones in order to ensure a safe society. Obama compared the weakening of encryption to going through security at the airport—an intrusive process, but a necessary sacrifice for citizens to make. (Obama’s own devices are, of course, secured with strong encryption.) In his speech, Obama said:

So we’ve got two values, both of which are important. And the question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there’s no key. There’s no door at all. Then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available to even do simple things like tax enforcement? Because if, in fact, you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket. So there has to be some concession to the need to be able get into that information somehow.

Obama said the tech community should “balance these respective risks,” suggesting that the industry had not been proactive enough in compromising on encryption and that, if it failed to compromise, it risks being cut out of the conversation entirely by Congress. “I’m confident that this is something we can solve, but we’re going to need the tech community, software designers, people who care deeply about this stuff, to help us solve it,” Obama said. He added:

Because what will happen is, if everybody goes to their respective corners, and the tech community says, ‘You know what, either we have strong perfect encryption, or else it’s Big Brother and Orwellian world,’ what you’ll find is that after something really bad happens, the politics of this will swing and it will become sloppy and rushed and it will go through Congress in ways that have not been thought through. And then you really will have dangers to our civil liberties, because the people who understand this best and who care most about privacy and civil liberties have disengaged, or have taken a position that is not sustainable for the general public as a whole over time.

In Obama’s telling, the tech industry is painted as a spoiled child who runs back to his corner and disengages with the debate, snatching up his toys and taking them back to his mansion when he realizes he doesn’t like the way the game is being played. It’s a compelling image, and one that the industry, which is widely perceived as elitist and uninclusive, will have a tough time combatting.

But the industry has compromised on this issue, collaborating with law enforcement to provide access to data for criminal prosecutions. In the San Bernardino case, Apple has provided access to iCloud backups of the shooter’s phone and offered suggestions on how to create additional backups before it was revealed that the shooter’s iCloud password had been reset at the behest of the FBI.

Tech companies also routinely provide unencrypted metadata to law enforcement, which can provide a detailed portrait of a suspect’s life: where he’s been, where he is currently, who he communicates with, how regularly he communicates with others and how long the conversations last.

The government also wields a powerful investigative tool in CALEA (the Communications Assistance for Law Enforcement Act). CALEA compels service providers like AT&T and Verizon to build backdoors into their systems to allow for real-time monitoring of suspects by law enforcement.

Yet another instance of compromise is Apple’s encryption of iCloud. As security expert Jonathan Zdziarski pointed out in a post on his blog, iCloud offers an example of the type of “warrant-friendly” encryption that Obama called for in his SXSW keynote.

“I suspect that the answer is going to come down to how do we create a system where the encryption is as strong as possible. The key is as secure as possible. It is accessible by the smallest number of people possible for a subset of issues that we agree are important,” Obama said. His suggestion for solving the encryption debate mirrors the solution Apple has already developed for securing iCloud data: that data is encrypted, but Apple maintains access so that it can comply with warrants.

But, Zdziarski notes, the 2014 hack of celebrities’ iCloud accounts illustrates the dangers of “compromise” encryption.

“The iCloud’s design for ‘warrant friendliness’ is precisely why the security of the system was also weak enough to allow hackers to break into these women’s accounts and steal all of their most private information,” Zdziarski wrote. “The data stored in iCloud is stored in a weaker way that allows Apple to service law enforcement requests, and as direct result of this, hackers not only could get into the same data, but did. And they did it using a pirated copy of a law enforcement tool—Elcomsoft Phone Breaker.”

Obama mentioned this particular concern in his speech. “Now, what folks who are on the encryption side will argue, is any key, whatsoever, even if it starts off as just being directed at one device, could end up being used on every device. That’s just the nature of these systems,” he said. “That is a technical question. I am not a software engineer. It is, I think, technically true, but I think it can be overstated.”

Obama is right—it’s technically true that any key can end up being used on every device.

The president isn’t the only politician to call for compromise on encryption and he certainly won’t be the last, but what the FBI is asking for in the San Bernardino case (and beyond it) isn’t compromise—it’s total compliance. Compromise suggests that tech companies and law enforcement agencies will meet in the middle, each conceding some of their demands in order to find common ground. The industry has made an effort to do so by providing metadata, real-time surveillance, and data backups to law enforcement.

But Obama’s comments suggest that none of this information is enough—encryption needs to be completely backdoored in order for there to be “compromise.” If the government refuses to acknowledge the concessions that have been made and continues to demand universal access to encrypted data while clinging onto strong encryption for itself, there is no compromise at all. It’s just the government getting exactly what it wants, snatching up all its toys and heading back to its mansion.

New Cyber Security Ideas for 2016


In the last 5 years, almost all businesses, big or small, have realized just how vulnerable they are to cyber-attacks. The astonishingly increasing number of attacks each year trouble corporate heads so much that they spend hours on end discussing their company’s cyber security system. The IT professionals and Chief Information Security Officers (CISOs) are even more troubled, for they keep seeing their efforts foiled by hackers.

The number of big corporations targeted in 2015 only goes to show that no one is completely safe. Wherever you look, there is an Ashley Madison data breach case or a Home Depot or JP Morgan Chase case story from the past year that will make you realize just how precarious security structures are. To help corporations beef up their security better in 2016, we discuss some new ideas.

  1. Being aware of the data stored

It is quite astonishing how many big firms do not have any idea what huge chunks of data in their systems are about. Technologies like the Internet of Things have a lot to contribute to this, but company data should be handled better. One must at least know what is stored in their systems. That would provide them an idea as to what data is of the most priority and what needs to be protected most against threats.

  2. Focus on protecting data

The most infamous cases of 2015 related to data breaches of global services and corporations. Yet, corporations think that beefing up their firewalls and security perimeters is the answer to such attacks. They couldn’t be less accurate. Attacks like these go to show that protecting your data is the main priority. Encrypting different clusters of data with secure mechanisms is vital to prevent data from being compromised easily should unauthorized personnel make it into corporate network.

  3. Address the Mobile threat

Many corporations use the idea of Bring Your Own Device, allowing employees to use their personal device in the workplace. It is always safe to assume that most employees do not take the necessary security measures for their mobile devices. This invariably puts corporate data on such devices at great risk. IT admins need to have better control over such devices. They need not have more control, but better control.

  4. Spread awareness

It is never a bad time to spread awareness among employees, however small or high ranking they are, about the different threats they face. Ignorance should never be doubted or disregarded, for it is always present around you. Interacting with employees regularly about the different threats present and sharing ideas about improving security are good practises.

  5. Take insider threat seriously

You might shell out millions of dollars trying to protect your network from outside threats only to be undone by one of your employees clicking on a wrong link and compromising some sensitive data on his or her system. Hackers regularly send malicious emails to many employees in a firm in hopes that one of them falls for it, and they quite frequently do. Encourage your employees to be more vigilant, for such emails can quite easily be spotted.

Conclusion

We saw in this article how some new ideas can aid companies in improving their security against attacks from hackers. These are just some suggestions, which can definitely be improved upon post further study and research into the matter.

3 Easy Techniques to Protect Your Data

Some of the best firms use very simple techniques to protect their companies’ information. These techniques can be very efficient at securing not only company data but also your employees’ personal information. They may take some time and resources to set up initially, but you will thank yourself down the road.

First, you want to implement some sort of yearly or bi-yearly security training program: something interactive that will keep employees involved and teach them the basics of security in the office. Using gamification or animation in this training will ensure that the information sticks with the employees. Not only will you remain compliant with a yearly security training program, but you can also ensure awareness around the main cause of information leaks and breaches: humans.

Once this program is in place, you want to put it to the test. One of the best ways is to run a phishing campaign. This entails sending out a fake email from a fake address with a false, clickable link that records the number of users who click on it. You can set up this campaign to log information such as clicks, email opens, and even which users clicked the link and then filled out an informational form about themselves. A phishing campaign is not to be used as a form of punishment but as a teaching point about “exactly” what to look for in a phishing email.
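The campaign log described above can be turned into per-department open, click and form-submission rates, which keeps the results a teaching tool rather than a list of names. This is an added example, not part of the original article; the event names, the tuple layout, the 25% click threshold and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log from a simulated campaign: (recipient, department, event).
# Recipients, departments and event names are made up for this example.
EVENTS = [
    ("ana", "HR", "sent"), ("ana", "HR", "opened"),
    ("ana", "HR", "clicked"), ("ana", "HR", "submitted"),
    ("ben", "HR", "sent"), ("ben", "HR", "opened"),
    ("cy", "Finance", "sent"), ("cy", "Finance", "opened"),
    ("cy", "Finance", "clicked"), ("cy", "Finance", "clicked"),  # repeat click
    ("dee", "Finance", "sent"),
    ("eli", "IT", "sent"),
    ("fay", "IT", "opened"),  # no matching "sent" record: not counted
]
STAGES = ("opened", "clicked", "submitted")


def summarize(events):
    """Aggregate per department so the report teaches without naming individuals."""
    seen = defaultdict(lambda: defaultdict(set))  # dept -> event -> recipients
    for recipient, dept, event in events:
        seen[dept][event].add(recipient)  # a set counts each person once per stage
    report = {}
    for dept, by_event in seen.items():
        targets = by_event["sent"]
        if not targets:
            continue  # nothing was sent to this department
        row = {"sent": len(targets)}
        for stage in STAGES:
            hits = by_event[stage] & targets  # ignore events from non-recipients
            row[stage] = len(hits)
            row[stage + "_rate"] = round(len(hits) / len(targets), 2)
        report[dept] = row
    return report


def needs_refresher(report, click_threshold=0.25):
    """Departments whose click rate meets the (assumed) threshold for extra training."""
    return sorted(d for d, r in report.items() if r["clicked_rate"] >= click_threshold)


if __name__ == "__main__":
    report = summarize(EVENTS)
    for dept in sorted(report):
        print(dept, report[dept])
    print("Refresher training:", needs_refresher(report))
```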

Lastly, there is a step you should take into your own hands as a security professional. Utilize a tool like BitLocker and/or Digital Guardian to monitor what your employees are doing on the internet and help prepare for the worst situations. Having timely backups of all saved information is a plus in case you need to roll back changes on someone’s machine due to a malicious link that was accidentally clicked.

Overall, the best option, no matter how you do it, is to educate the people who handle sensitive information on best practices and then create assurances around them to protect them in case of an accident. Remember, in this industry it is not “if” but “when” a security event will take place.

5 Innocent Mistakes That Cause an IT Security Breach

Security breaches, also known as safety violations, occur when a person or application illegally enters a confidential IT border. This could result in unauthorized access to highly critical data, services, networks and applications.

Breaches can also cause bankruptcy and destroy a company’s reputation, which is why most businesses hire an IT solutions company. However, not all security breaches are intentional; mistakes can trigger a security violation, as well, and without any warning.

Here are five innocent mistakes that lead to an IT security breach.

Device Theft or Loss

A lost or stolen device like a smartphone or laptop causes 3.3 percent of confirmed security breaches and 15.3 percent of overall incidents.

People who forget their devices in a public place or vehicle have higher chances of losing their gadgets because of theft. Most of these cases are opportunistic and involve a huge number of public departments.

When the thief takes advantage of the device, he can access the person’s confidential images, videos, documents and business files without IT security measures in place.

Document Errors

Document-related errors are some of the common causes of a data breach. A few examples of these include forwarding sensitive information to incorrect recipients, publishing private data to public web servers, and carelessly disposing of confidential work data.

These events usually occur internally and accidentally. When this happens, hackers can use the stolen information as blackmail or as an asset to their group. They can also access bank accounts and other documents related to finance.

Weak and Stolen Credentials

Hacking is the biggest cause of security attacks, which is primarily instigated by weak passwords and stolen credentials. Employees who have access to password-protected files and applications should take caution when unlocking these documents, especially when the company asset contains confidential information.

If you are working on a public computer, avoid clicking on the “remember password” option, so that intruders won’t have the opportunity to access private accounts if your computer gets hacked.

Additionally, you should never leave your password in an open computer file or even written on a sticky note affixed to your desktop, as this can be used by an external actor like a service person to access the organization’s intranet.

At the same time, it is important that you create a strong, non-obvious password that includes numbers, symbols, and capital and lower-case letters. One of the most effective techniques is the Bruce Schneier Method, which takes a sentence and turns it into a strong password.

There are also password-generating sites and password managers that generate strong passwords.

Internet Spyware

Did you know that over 50% of security breaches are caused by employees misusing access privileges? Whether maliciously or unwittingly, employees who naively click pop-up browsers or install a malicious application can welcome spyware on a company’s system.

Spyware is a type of malware that enters a computer without the knowledge of the owner to collect private information about internet interaction, keylogging, passwords and valuable data. Spyware can either be on a file you downloaded online or a malicious hard drive inserted on your desktop. This can also be found in unauthorized web searches and varying computer settings.

The risk of a security breach is very high with spyware, but you can prevent this by running a virus scanner and avoiding malicious websites and illegal downloads at work. Companies should also take the first step by implementing a spy trap, which is basically a filter for all work systems.

Vulnerable Systems and Applications

Using outdated software and web browsers can cause serious security concerns. Attack methods become more advanced each year, and hackers increase the number of ways that they can exploit vulnerabilities like these.

When outdated systems regularly connect to the internet, they can submit valuable information online without the user knowing it.

You can prevent security breaches by taking note of these basic pointers.

  • Take care of your personal data, especially when on the road. Every time you bring your data on the go, you are opening yourself to a multitude of security risks. For example, when you access public Wi-Fi, you disseminate your information to the immediate public and to hackers who use meticulous processes to breach data. Avoid this by investing in a personal hotspot or by subscribing to your provider’s mobile data services.
  • Create strong passwords. Never create a password that contains basic personal information like your surname or birthday. Hackers can easily identify this and use it in your work and personal accounts. A strong password should be a combination of characters, numbers, and symbols. Apart from this, don’t use one password for every account you own. Although it may be easy to remember, it’s also easy to hack.
  • Be careful of file sharing. You share a number of important files every time you work with multiple clients. No matter how much you trust a colleague, you never know where he will use the data you shared. To prevent malicious use of relevant documents, make sure that the files you share with your clients are only for work purposes. If you share documents through a cloud, immediately delete the final ones after use.

The number of security breaches increases every year, but there are plenty of ways to protect yourself and your company from this. Keeping your data secured is the most efficient way to prevent damaging security breaches.

 

About the Author: Vlad de Ramos has been in the IT industry for more than 22 years with focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager. Vlad has set his focus on IT security awareness in the Philippines and he is a certified information security professional, a certified ethical hacker and forensics investigator and a certified information systems auditor.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of TheDigitalAgeBlog.