Category Archives: Cyber Security

Auto Dialers

Did you ever get a one-ring call? What are they and what are they after?

Here is how the scam works:

1. The Scammer sets up auto dialers to call as many people as possible, and will hangup after a single ring.

2. They use premium or overseas phone numbers that resemble a U.S number, for example, “232” goes to Sierra Leone.

3. They hope you call back and then play some music, because as long as you don’t hang up you will be charged a significant per-minute fee.

share this and never call back one-ring calls!

Stopping Cyberattacks

The key to stopping cyberattacks? Understanding your own systems before the hackers strike

Organisations struggle to monitor their networks because they often don’t know what’s there. And that allows hackers to sneak in under the radar

Cyberattacks targeting critical national infrastructure and other organisations could be stopped before they have any impact if the teams responsible for the security had a better understanding of their own networks.

That might sound like obvious advice, but in many cases, cyber-criminal and nation-state hackers have broken into corporate networks and remained there for a long time without being detected.

Some of these campaigns involve intrusions into critical infrastructure where malicious hackers could do damage that could have serious consequences.

But hackers have only been able to get into such as strong position because those responsible for defending networks don’t always have a full grasp on what they’re managing.

“That’s what people often misunderstand about attacks – they don’t happen at the speed of light, it often takes months or years to get the right level of access in a network and ultimately to be able to push the trigger and cause a destructive act,” says Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator and co-founder and former CTO of CrowdStrike.

That means deep knowledge of your network and being able to detect any suspicious or unexpected behaviour can go a long way to detecting and stopping intrusions.

“Defence can work if you have time. If you’re looking inside your systems, hunting for adversaries and applying intelligence, you’re able to discover them even if they get in, before they do any damage,” Alperovitch adds.

Knowing what’s on the network has become even more crucial in recent years, as industrial environments have become increasingly connected with Internet of Things sensors and monitors.

The devices are useful to infrastructure providers because they allow better monitoring of systems for efficiency, maintenance and repair, but if not properly managed, they could be weak points for attackers to access the network.

“We need to be pro-actively testing,” says Annessa McKenzie, VP of IT and CSO at Calpine, an American power generation company.

“We need to grow more of that capability to go in with that confidence so that before there’s a breach, we at least have a basic understanding of this environment,” McKenzie explains. “Because when we go in completely blind, what should take days to respond takes weeks, sometimes months – and we never really understand what happened.”

Organisations should also try to think like hackers; by thinking about the network and how an attack could exploit it, security teams could uncover unexpected means that hackers could use to exploit the network.

“A lot of companies put in segmentation, monitoring, anti-virus – they’re not bad things – but I think too little focuses on what the attack is going to look like,” says Rob Lee, CEO and co-founder, Dragos, the industrial security provider that hosted the online discussion on securing critical infrastucture.

“Let’s work backwards. What kind of response do we want to have? Do we want to get the plant back up and running? Then we’re going to have to understand root cause analysis”.

By examining the network like this, Lee says, organisations responsible for industrial control systems can understand the requirements the network needs to ensure security – and by doing this, those responsible for critical infrastructure can help everyone by detailing what they find to the government.

“The ICS community has the ability to look at this backwards and educate the government on what that’s going to look like. That’s when the government can be impactful,” Lee adds.

With the right tools and expertise available, government intervention could help boost cybersecurity across critical infrastructure by providing an environment for organisations to share information about attacks and best practices for protecting networks.

“They could create a platform for companies to come together and exchange best practices and assistance and maybe even host some sort of joint public private response capability. That would help propel things along,” says Michael Chertoff, former United States Secretary of Homeland Security and co-founder and executive chairman of The Chertoff Group, a security and risk advisory firm.

He also suggests that liability for security shouldn’t just lie with infrastructure providers and other organisations, but the companies that build the specialist systems and connected parts used in these environments should also hold some responsibility if they’re found to be inherently insecure or vulnerable to cyberattacks.

“Right now, one of the arguments for manufacturers is ‘it isn’t our problem, we just give you the stuff, it’s on you’,” Chertoff says.

Through a combination of this and a good knowledge about what the network looks like, infrastructure and utilities providers in particular can go a long way to preventing themselves from falling foul of hacking campaigns and cyberattacks. But in many cases, there’s a long way to go before this is the case.

“The greatest advantage defenders have is if they know their environment better than an adversary – that’s not always true, unfortunately if the right tools and capabilities aren’t in the organisation,” says Alperovitch.

“But if they do, that’s when they have the high ground and detect an adversary and eject them before any damage is done”.

CCPA: Everything you need to know about California’s new Privacy law

The law goes into effect on Jan. 1, 2020.

The most sweeping data-privacy law in the country kicks in Jan. 1. The CCPA, short for the California Consumer Privacy Act, gives residents of the Golden State the right to learn what data companies collect about them. It also lets Californians ask companies to delete their data and not to sell it.

The full impact of these new rights isn’t entirely clear because the regulations used to enforce the law are still being finalized. Still, companies inside and outside California are already scrambling to become compliant so that they can continue to do business in the country’s most populous state.

Nearly two years in the making, CCPA has prompted other states to consider their own privacy laws, some of which have already passed. The law is often compared to the European Union’s General Data Protection Regulation, currently the benchmark for online privacy.

Here’s what you need to know about CCPA and how it will affect you.

Is this law a big deal?

Yes. Before it went into effect, companies weren’t legally required to tell you what data they’d collected and you had little say over what they did with it. Now, if you live in California, you’ll be able to ask them to delete it or refrain from selling it.  

What personal data does this cover?

CCPA covers all the stuff you might expect: your name, username, password, phone number and physical address. It also includes information used by companies to track your online behavior, such as IP addresses and device identifiers.

The law also covers information that can be used to characterize you, like race, religion, marital status, sexual orientation and status as a member of the military or veteran. It also covers biometric information like fingerprints or facial recognition data, your browsing history and location information.

Data found in public government documents is excluded, so companies can still learn if you’re married, for example. However, they have to collect that data directly from government records, not from other sources such as your social media accounts.

Can I tell Facebook and Google to get rid of my data now? 

Yes. In fact, some major tech companies, including Facebook and Google, already let you delete some or all of their data about you from their systems.

These tools might not do exactly what you’d expect, though. For example, Facebook has begun rolling out a feature that lets users “disconnect” the data it’s collected about your web browsing, but doesn’t fully delete it. Instead, it disassociates your name and profile from the data, which anonymizes it. Facebook then combines the data with other people’s, allowing it to monitor broader trends. 

CCPA still allows companies to use anonymized data. However, the law sets a high bar for separating your identity from the information, with the aim of stopping someone from re-identifying a person from the data.

What happens if companies don’t follow the law?

Businesses can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. That could mean big fines if the violations affect large groups of consumers. The California Attorney General is in charge of investigating companies suspected of violating the law.

Critics say companies will be able to get away with breaking the law because the attorney general doesn’t have the resources to catch every violation. Xavier Becera, the AG, has said publicly that his office isn’t equipped to fully enforce the law. He pushed for the passage of an amendment, which failed to pass, that would have let users sue companies directly.

The law gives Californians the right to sue businesses in one specific instance: if their personal information is lost in a data breach caused by a company’s negligence. Legal observers expect this to increase class action lawsuits against companies after they’re hit by hackers.

The law gives Californians the right to sue businesses in one specific instance: if their personal information is lost in a data breach caused by a company’s negligence. Legal observers expect this to increase class action lawsuits against companies after they’re hit by hackers.

Can I still use free services if I ask them not to collect my data?

Yes. The new law says companies can’t turn away users if they opt out of the sale of their data. However, the companies can give you a stripped-down version of their offerings if you go this route.

The point is to prevent companies from charging all users who don’t want their data sold. That would leave users who can’t afford a subscription in the lurch, forcing them to allow the sale of their data so they can use services we’ve all come to rely on to communicate and access information.

If companies want to charge users who opt out of the sale of their data, the law says they have to disclose how much a user’s data is worth.

I don’t live in California. Will this law affect me?

Almost assuredly. While you won’t enjoy the right to opt out of the sale of your data or ask companies to delete it, you’ll learn more about what companies are collecting about you. The law requires for-profit business to describe in their privacy policies and the categories of data they collect about users.

Many companies are likely to extend some of these rights to everyone. That way, they won’t have to fuss with deciding whether the law applies to you, and they won’t risk denying a user their rights under the law by mistake.

Finally, the state of California is often at the forefront of new forms of legislation, including plastic bag bans, animal welfare laws and worker protections. Once California passes a law, other states tend to consider following suit. California is the country’s largest market with nearly 40 million residents, and carries a lot of weight. Already, nine other states are considering similar laws, and Maine and Nevada have already passed narrower versions of privacy legislation.

How is this different from that other big privacy law, the GDPR?

GDPR applies to companies with users in the European Union, and it regulates how companies can collect the same kind of personal information as CCPA does. However, the European law puts some stricter controls on how companies must approach collecting user data.
First, GDPR requires companies to get consent to collect data or to have some other valid reason for collecting user information. Secondly, it requires companies to minimize the data collected. CCPA doesn’t require companies to go through these steps to collect personal information, so any limits on data collection will be imposed by individual users who make requests to delete and opt out.

I heard there might be a federal privacy law. Where does that stand?

After the California legislature passed CCPA, several major tech companies told federal lawmakers they would like to see one privacy law that covers the whole country. Legislators have submitted several different laws since then, and the Senate Commerce Committee held a hearing on two competing bills in December.

Several aspects of a federal bill are up for debate, including whether consumers should be able to sue companies directly for violations, and how much authority to give regulators who would enforce the law. 

Thank you Laura Hautala for the great breakdown of CCPA.

Holiday Scams to Watch for This Season

The holidays are roaring down on us, and we’re all looking to get the best deals as we shop online and explore cyber sales. Here at DSA Technologies, we want to help you avoid that “Nightmare Before Christmas” that could arise from a stolen card number or hacked personal data as a result of online shopping. We’ve all heard it. If it seems too good to be true, it probably is. There are many websites that offer as much as 60, 70, even 80% off during this time of year. Don’t be the one that enters your payment information to capture a quick special and find out days, weeks, possibly even months later that you’ve been phished. How can you make sure you’re as safe as possible? As we get ready for Cyber Monday specials and online shopping throughout the month of December, there are several tips we can offer for businesses and individuals alike.

The golden rule? Be careful what you click on
Make sure the site you are entering your personal information has HTTPS. It’s important to see the “S” after HTTP, but that still does not mean you’re out of the woods. According to research from Venafi, the number of typosquatting domains (which is a bait-and-switch lookalike URL) is 400% greater than the number of authentic retail domains. That’s right, the bad guys are coming up with “fake” domains that look like the real domain of vendors like Facebook, PayPal, Amazon, and many others. Be careful what you type, and make sure you see the correct URL when you’re going to a website.

Bogus Shipping Notices 
Households receive a deluge of packages as the holidays get closer. A message from UPS, FedEx, or Amazon that notifies you that there is a missing or delayed package can be easily glanced over and taken for granted. Most of the time the message will include a link for easy access. Don’t click on this link. It may take you to a bogus website or better yet, download a virus directly onto your computer. If you are expecting a package, go to the vendor’s website by typing in the correct URL and tracking your package from there.

Phishing Emails
This is getting to be one of the most common scamming attempts. It is any email with a link designed to get you to enter your personal information. You might see that this is a letter from Santa or a prize that you’ve won, encouraging you to click on a gift card offer or discount. Remember this saying: “just don’t click!”

Phone Scams
Phone scammers figure most people are going to be home over the holidays, and they double their efforts during this time. The short story is, they are trying to get your personal information over the phone. They can pretend to be any number of vendors, bank tellers, computer repair advisors, or support technicians. The solution is pretty simple: don’t give personal information to any caller you didn’t initiate a conversation with.

This is getting to be one of the most common scamming attempts. It is any email with a link designed to get you to enter your personal information. You might see that this is a letter from Santa or a prize that you’ve won, encouraging you to click on a gift card offer or discount. Remember this saying: “just don’t click!”

Phone Scams
Phone scammers figure most people are going to be home over the holidays, and they double their efforts during this time. The short story is, they are trying to get your personal information over the phone. They can pretend to be any number of vendors, bank tellers, computer repair advisors, or support technicians. The solution is pretty simple: don’t give personal information to any caller you didn’t initiate a conversation with.


Relatives in Distress
This tactic is commonly known as “Virtual Kidnapping Ransom Scam.” It can begin with a phone call saying your family member is being held captive or in trouble with the law in another country. The caller might allege that a child or grandchild has been kidnapped with someone screaming or yelling in the background. They will typically provide instructions to ensure a safe return of the family member. They will ask you for money and give you directions on who and where to wire the money. If this happens to you, take a deep breath and realize this could be a scam. Ask to talk to your family members being held, and if they don’t let you speak to them, ask them to identify your family members. Attempt to call or text your family members. To prepare for an event like this, have code words that can be used so you know it actually is a real event. Call your local law enforcement as soon as possible.

Fake Charities

Possibly one of the most unfortunate scams out there, fake charity requests can be heartbreaking. This may be a fake GoFundMe account for what you think is a good cause, a social media thread, or an email chain. They may be impersonating someone you know or a friend of a friend. They might impersonate a legitimate charity on the phone. If you receive a phone call, the best thing to do is tell the caller you will call them back. Wherever you see the request, be sure to look up the correct charity and call them to see if they contacted you, or have outreach campaigns in progress. It may take you a little more time, but remember, it’s better to be safe than sorry. We hope these simple tips can ensure your holiday stays merry and bright!

Top 5 Cyber Attacks You Should be Aware for Your Business

DSA Technologies works with a wide range of businesses, that face many of the same security challenges over and over. Most of these issues are preventable or can at least be mitigated with the right care and awareness. Here’s what the resident expert Michael Reese at DSA Technologies shared with being the most common problems that you should keep an eye out for.

  1. Phishing Schemes
    Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. Nearly all successful cyber-attacks begin with a phishing scheme. These attacks are responsible for over $12 billion losses globally! Usually the attack is delivered in the form of an email and will demand that the victim go to a website and take immediate action. If the user clicks the link, they are sent to a fake website that imitates a real website. From here, they are asked to login. The criminal now has your information to cause more damage.
  2. Cloud Cyber Security Threats
    Cloud computing, or the use of an internet source to store information, has grown significantly. Most people assume that cloud storage is safe, but this isn’t necessarily the case. If your provider offers minimal security your sensitive data could be easily accessible to hackers. The amount of security your cloud server offers is usually in the terms and conditions. These can be muddy waters. Don’t be afraid to talk to an expert on how to navigate these threats.
  3. Ransomware/Malware Ransomware
    is like malware in that they are both criminal software used to take control of your computer and/or your information stored. Ransomware attacks are on the rise. Companies like DSA Technologies can help you build your line of defense through software against this type of attack. It’s estimated that an organization will fall victim to ransomware every 14 seconds in 2019. A single attack could leave you out of business for a week or more. Could you afford to be out of business that long?
  4. IoT (Internet of Things) What I call “Internet of Threats”
    IoT devices include internet enabled devices (i.e. iPhones, Amazon Alexa, Printers). There will be more than 20 billion IoT devices by 2020. How are the increasing amounts of data being secured? In most cases it’s not. There are manufacturers who have no security on their IoT devices, meaning anyone can access them. With so many devices being used, businesses should be aware of the security in place on IoT devices. Each device represents a different access point for attacks. With the rise of internet enabled devices the rise of attacks is inevitable. Ensure that your devices for your business are secure to protect sensitive data.
  5. Single Factor Passwords
    Single factor passwords are when you use a username and a passcode to log in. This is traditional and the method most websites maintain. Unfortunately, most passwords can be cracked in a matter of minutes. A second line of defense can help you and your business protect your data. An added defense line is the use of multi-step or two-step authentication passwords. This means that to log into your account, you can enter your password, but then a second step will require you to enter additional information, like a unique code sent to your cell phone. Having at least two steps make hacking your account more difficult in turn making your data less of an appealing target.

    DSA Technologies’ resident Cyber Security Expert, Michael Reese is there to assist businesses tighten their security.
    Visit DSA Technologies to learn more about how they can assist your business.

WiFi Finder app exposes 2 million network passwords!

“WiFi Finder” is a popular hotspot finder app that is used to locate free wifi spots nearby.  Unfortunately, the company utilized a database with minimal security to store information such as the Wi-Fi network name, its exact geolocation, its basic service set identifier (BSSID) and network password. All this data was stored in plain text. While the app developer claims the app only stores passwords for public hotspots, after a review of the data, countless home Wi-Fi networks were also discovered.

The biggest threat to free Wi-Fi security is the ability for the hacker to position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on. While working in this setup, the hacker has access to every piece of information you’re sending out on the Internet: important emails, credit card information and even security credentials to your business network. Once the hacker has that information, he can — at his leisure — access your systems as if he were you.

Utilizing free Wi-Fi in public locations is a major security risk, however, there may come a time when your only option is an unsecured, free, public WiFi hotspot, and your work simply cannot wait. If you must use public Wi-Fi there are a few steps you should take to stay safe (well….as safe as possible….because you shouldn’t use public Wi-Fi).

What to do:

  1.  Use a Virtual Private Network (VPN).
  2. Disable file sharing on your device.
  3. Log out of accounts when you are done.
  4. Only visit sites using HTTPS.
  5. Disable Wi-Fi auto-connect.
  6. Turn off Wi-Fi (and Bluetooth) when not in use.
  7. Access Web sites that do not hold sensitive or personally identifiable information (i.e. don’t do your banking while waiting for your flight).

While not all Wi-Fi is a security risk, without the right protection your personal information could become public information.

New bill would give parents an “Eraser Button” to delete kids data

.@NakedSecurity: New bill would give parents an ‘Eraser Button’ to delete kids’ data – The COPPA overhaul would ban targeting ads at kids under 13 and ad targeting based on race, socioeconomics or geolocation on kids under 15.

Two US senators on Tuesday proposed a major overhaul of the Children’s Online Privacy Protection Act (COPPA) that would give parents and kids an “Eraser Button” to wipe out personal information scooped up online on kids.

The bipartisan bill, put forward by Senators Edward J. Markey (D-Mass.) and Josh Hawley (R-Mo.), would also expand COPPA protection beyond its current coverage of children under 13 in order to protect kids up until the age of 15.

The COPPA update also packs an outright ban on targeting ads at children under 13 without parental consent, and from anyone up until the age of 15 without user consent. The bill also includes a “Digital Marketing Bill of Rights for Minors” that limits the collection of personal information on minors.

The proposed bill would also establish a first-of-its-kind Youth Privacy and Marketing Division at the Federal Trade Commission (FTC) that would be responsible for addressing the privacy of children and minors and marketing directed at them.

“Rampant and nonstop” marketing at kids

Markey said in a press release that COPPA will remain the “constitution for kids’ privacy online,” and that the senators’ proposed changes would introduce “an accompanying bill of rights.”

As it is, Markey said, marketing at kids nowadays is rampant and nonstop:

In 2019, children and adolescents’ every move is monitored online, and even the youngest are bombarded with advertising when they go online to do their homework, talk to friends, and play games. In the 21st century, we need to pass bipartisan and bicameral COPPA 2.0 legislation that puts children’s well-being at the top of Congress’s priority list. If we can agree on anything, it should be that children deserve strong and effective protections online.

The right of kids to be forgotten

The proposed law has the flavor of the EU General Protection Data Regulation (GDPR), what with the greater control it grants citizens over how their personal data is obtained, processed, and shared, as well as visibility into how and where that data is used.

The citizens, in this case, would be children and their parents, who would be entitled to get their hands on any personal information of the child or minor that’s been collected, “within a reasonable time” after making a request, without having to pay through the nose to get it, and in a form that a child or minor would find intelligible.

The bill also requires that online operators provide a “clear and prominent means” to correct, complete, amend, or erase any personal information about a child or minor that’s inaccurate: in other words, what the senators are calling an Eraser Button.

What would change?

These are the specific privacy protections that the bill would strengthen:

  • Prohibiting internet companies from collecting personal and location information from anyone under 13 without parental consent, and from anyone 13 to 15 years old without the user’s consent.
  • Banning targeted advertising directed at children.
  • Revising COPPA’s “actual knowledge” standard to a “constructive knowledge” standard for the definition of covered operators. Here’s a discussion of the difference.
  • Requiring online companies to explain the types of personal information collected, how that information is used and disclosed, and the policies for the collection of personal information.
  • Prohibiting the sale of internet-connected devices targeted towards children and minors unless they meet robust cybersecurity standards.
  • Requiring manufacturers of connected devices targeted to children and minors to prominently display on their packaging a privacy dashboard detailing how sensitive information is collected, transmitted, retained, used, and protected.

Recently, the FTC has been flexing its COPPA bicep like never before. Last week, video-streaming app TikTok agreed to pay a record $5.7 million fine for allegedly collecting names, email addresses, pictures and locations of children younger than 13 – all illegal under COPPA.

These tech companies know too much about our kids, and we don’t know what they’re doing with that data, Senator Hawley was quoted as saying in Markey’s press release:

Big tech companies know too much about our kids, and even as parents, we know too little about what they are doing with our kids’ personal data. It’s time to hold them accountable. Congress needs to get serious about keeping our children’s information safe, and it begins with safeguarding their digital footprint online.

“Landmark legislation”

Markey’s press release quoted multiple children’s rights campaigners who lauded the bill. One was Josh Golin, Executive Director, Campaign for Commercial-Free Children, who called it “landmark legislation.”

The Markey-Hawley bill rightly recognizes that the internet’s prevailing business model is harmful to young people. The bill’s strict limits on how kids’ data and can be collected, stored, and used – and its all-out ban on targeted ads for children under 13 – would give kids a chance to develop a healthy relationship with media without being ensnared by Big Tech’s surveillance and marketing apparatuses. We commend Senators 
Markey and Hawley for introducing this landmark legislation and urge Congress to act quickly to put children’s needs ahead of commercial interests.

Citrix admits attackers breached its network

.@NakedSecurity: Citrix admits attackers breached its network – what we know – On Friday, software giant Citrix issued a short statement admitting that hackers recently managed to get inside its internal network. According to a statement by chief information security officer Stan Black, the company was told of the attack by the FBI on 6 March, since when it had established that attackers had taken “business documents” […]


Citrix admits attackers breached its network – what we know
nakedsecurity.sophos.com


Those are NOT your grandchildren! FTC warns of new scam

Grandkid imposters are managing to finagle a skyrocketing amount of money out of people, the Federal Trade Commission (FTC) warned on Monday.

The FTC says that its Consumer Sentinel Network has noticed a “striking” increase in the median dollar amount that people 70 and older report losing to fraud. When they started to peel back the layers, the Commission found a number of stories that involve people of that age group having mailed “huge” amounts of cash to people who pretended to be their grandchildren.

People from all age groups report having fallen for phoney family and friends: the reported median loss for individuals is about $2,000, which is more than four times the median loss of $462 reported for all fraud types.

But that’s nothing compared with how much money is being bled out of the elderly: those who send cash reported median losses of a whopping $9,000. About one in four of the ripped-off elderly who report that they lost money to a family or friend imposter say that they sent cash: a far higher rate than the 1 in 25 of people who sent cash for all other frauds.

CBS News talked to one man who got scammed in a way that the FTC says is a common ploy.

Slick scripts

It started with a phone call one morning in April, Franc Stratton told the station. The caller pretended to be a public defender from Austin, Texas, who was calling to tell Stratton that his grandson had been in a car wreck, had been driving under the influence, and was now in jail.

Don’t be afraid, the imposter told Stratton: you can bail out your grandson by sending $8,500 in cash via FedEx. It didn’t raise flags for a good reason: Stratton had done exactly that for another family member in the past.

The cherry on top: the “attorney” briefly put Stratton’s “grandson” on the phone. The fake kid sounded injured, so Stratton drove to the bank to get the cash.

Stratton went so far as to go to a local FedEx to overnight the money to an Austin address. But later that night, he said, he and his wife looked at each other and said, Scam!

Fortunately, they came to their senses in time to call FedEx to have the package returned. He got his money back, but Stratton is still frustrated. Of all people, he should know better, he says: he’s retired now, after a career spent working in intelligence, first for the Air Force and later as a cybersecurity programmer.

That’s how slick the scammers are, with their meticulously prepared scripts, and it shows that they know exactly how to put people into a panicked state, where they’re likely to make bad decisions. Stratton said he fell for it “because of the way that they scripted it.”

I’m the last person, I thought, would ever fall for a scam like this.

The FTC says that Americans have lost $41 million in the scam this year: nearly twice as much as the $26 million lost the year before.

Self-defense for grandparents

These scams are growing more sophisticated as fraudsters do their homework, looking you and/or your grandkids up on social media to lace their scripts with personal details that make them all the more convincing.

Grandparents, no matter how savvy you are, you’ve got an Achilles heel: your love for your grandchildren. The fakers know exactly how to milk that for all it’s worth.

The FTC warns that they’ll pressure you into sending money before you’ve had time to think it through. The Commission offers this advice to keep the shysters from wringing your heart and your wallet:

  • Stop. Breathe. Check it out before you send a dime. Look up your grandkid’s phone number yourself, or call another family member.
  • Don’t overshare. Whatever you share publicly on social media becomes a weapon in the arsenals of scammers. The more personal details they know about you, the more convincing they can sound. It’s one of many reasons to be careful about what you share on social media.
  • Pass the information on to a friend. Even if you haven’t been targeted yourself, you probably know somebody who’s either already gotten a call like this or who will.
  • Report it. The FTC asks us all to please report these scams. US residents can do so online to the FTC. If you’re in the UK, report scams to ActionFraud.

Please report these scams. Doing so helps the authorities nail these imposters before they can victimize others.

Actions for Internal Audit on Cybersecurity, Data Risks

 

Cybersecurity and other data-related issues top the list of risks for heads of audit in 2019; here are key actions audit must take.

The number of cyberattacks continues to increase significantly as threat actors become more sophisticated and diversify their methods. It’s hardly surprisingly, then, that cybersecurity preparedness tops the list of internal audit priorities for 2019.

Other data and IT issues are also on the radar for internal audit, according to the Gartner Audit Plan Hot Spots. Cybersecurity topped the list of 2019’s 12 emerging risks, followed by data governance, third parties and data privacy.

“These risks, or hot spots, are the top-of-mind issues for business leaders who expect heads of internal audit to assess and mitigate them, as well as communicate their impact to organizations and stakeholders,” said Malcolm Murray, VP, Team Manager at Gartner.

What audit can do on cyberpreparedness

The Gartner 2019 Audit Key Risks and Priorities Survey shows that 77% of audit departments definitely plan to cover cybersecurity detection and prevention in audit activities during the next 12-18 months. Only 5% have no such activities planned. And yet, only 53% of audit departments are highly confident in their ability to provide assurance over cybersecurity detection and prevention risks.

Here are some steps audit can take to tackle cybersecurity preparedness:

  • Review device encryption on all devices, including mobile phones and laptops. Assess password strength and the use of multifactor identification.
  • Review access management policies and controls, and set user access and privileges by defined business needs. Swiftly amend access when roles change.
  • Review patch management policies, evaluating the average time from patch release to implementation and the frequency of updates. Make sure patches cover IoT devices.
  • Evaluate employee security training to ensure that the breadth, frequency and content is effective. Don’t forget to build awareness of common security threats such as phishing.
  • Participate in cyber working groups and committees to develop cybersecurity strategy and policies. Help determine how the organization identifies, assesses and mitigates cyberrisk and strengthens current cybersecurity controls.

Data governance

Big data increases the strategic importance of effective mechanisms to collect, use, store and manage organizational data, but many organizations still lack formal data governance frameworks and struggle to establish consistency across the organization. Few scale their programs effectively to meet the growing volume of data. Left unsolved, these governance challenges can lead to operational drag, delayed decision making and unnecessary duplication of efforts.

What audit can do:

  • Review the data assets inventory, which must include, at a minimum, the highest-value data assets of the organization. Assess the extent of both structured and unstructured data assets.
  • Review the classification of data and associated process and policies. Analyze how data will be retained and destroyed, encryption requirements and whether relevant categories of use have been established.
  • Participate in relevant working groups and committees to stay abreast of governance efforts and provide advisory input when frameworks are built.
  • Review data analytics training and talent assessments, identify skill gaps and plan how to fill them. Evaluate the content and availability of existing training.
  • Review the analytics tools inventory across the organization. Determine if IT has an approved vendor list for analytics tools and what efforts are being made to educate the business on the use of approved tools.

Third parties

Efforts to digitalize systems and processes add new, complex dimensions to third-party challenges that have been a perennial concern for organizations. Nearly 70% of chief audit executives reported third-party risk as one of their top concerns, but organizations still struggle to manage this risk. What audit can do:

  • Evaluate scenario analysis for strategic initiatives to analyze potential risks and outcomes associated with interdependent partners in the organization’s business ecosystem. Consider enterprise risk appetite and identify trigger events that would cause the organization to take corrective action.
  • Assess third-party contracts and compliance efforts, ensure contracts adequately stipulate information security, data privacy and nth-party requirements. Ensure there is monitoring of third-party adherence to contracts.
  • Investigate third-party regulatory requirements, assess how effectively senior management communicates regulatory updates across the business and how clearly it articulates requirements for third parties.
  • Evaluate the classification of third-party risk and confirm that the business conducts random checks of third parties to ensure classifications properly account for actual risk levels.

Data privacy

Companies today collect an unprecedented amount of personal information, and the costs of managing and protecting that data are rising. Seventy-seven percent of audit departments say data privacy will definitely be covered in audit activities in the next 12–18 months. What audit can do:

  • Review data protection training and ensure that employees at all levels complete the training. Include elements such as how to report a data breach and protocols for data sharing.
  • Assess current level of GDPR compliance and identify compliance gaps. Review data privacy policies to make sure the language is clear and customer consent is clearly stated.
  • Assess data access and storage. Make sure access to sensitive information is role-based and privileges are properly set and monitored.
  • Review data breach response plans. Evaluate how quickly the company identifies a breach and the mechanisms for notifying impacted consumers and regulators.
  • Assess data loss protection and review whether tools scan data at rest and in motion.