The Global Risks Report 2016, your next suspense novel…

If you’re looking for a scary story, put down the latest spy novel and pick up the 11th edition of The Global Risks Report 2016, courtesy of the World Economic Forum.

The cyber attack threat takes center stage in North America, standing out as the most likely risk by far. The report reflects the perceptions of nearly 750 experts and decision-makers in the World Economic Forum’s constituencies surveyed in late 2015.

The risks perceived as the most likely to beset various regions this year include:

  • Social volatility
  • Interstate conflicts
  • Economic instability

The truth is that governments, businesses, organizations, and citizens in most parts of the world face pretty much the same dangers from cyber threats as their North American counterparts.

The Grant Thornton International Business Report 2015, for example, shows that cyber attacks are estimated to have cost Asia Pacific businesses $81 billion in the preceding 12 months, while firms in both the EU and North America saw revenue losses just over $60 billion.

Cascading Effects

Cyber dependency is a global trend in a world where digital businesses reside in increasingly connected, smarter and more automated environments.

That means that an entity’s risk is increasingly tied to that of other entities, making it harder for any single party to fully protect itself. This raises “the odds of a cyber attack with potential cascading effects across the cyber ecosystem,” the report states.

Consider also the impact of other risks that can lend more fuel to the cyber-attack flames. “Chronic and resurgent violence, conflicts, and economic and social volatility will remain prominent features of the current and future reality,” the report notes. Such conditions only make it easier for bad actors to gain new recruits to conduct cyber-attacks, be they criminal or terrorist in nature.

Raise Your Defenses

In the World Economic Forum’s 2015 Executive Opinion Survey, 18 of 140 global economies put cyber-attacks on their list of top three risks, and eight consider them a risk of highest concern for doing business. These are Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Growing awareness is a good thing, but improved readiness to face these attacks is even better. If there’s a happy ending to this scare story, it is that defenses can be improved, although organizations must first fully grasp the extent of their cyber-security risks and the investments required to better manage those risks and build resilience.

The Global Risks report recommends actions that businesses can take to better defend themselves, such as:

  • Fostering greater cooperation throughout their value chains
  • Sharing cyber breach data with law enforcement
  • Building up security for under-protected areas like machine-to-machine connections

It’s unlikely that every organization can prevent every cyber attack, but companies should emphasize methods to identify and effectively mitigate them by streamlining mechanisms for:

  • Early detection
  • Response and recovery
  • Rapid mitigation
  • Better management of the consequences

That sounds like a good plan to us, and hopefully it’s one that organizations of every stripe will waste no time putting into action.

Bring your Own Device

Whether it’s vacation season or not, the demand for mobility in business in general has been growing steadily, fueling the adoption of the Bring Your Own Device (BYOD) movement. If your business is ready to embrace the rewards of BYOD (think happier, more productive employees), it’s time to get serious about mitigating the risks that come along with allowing personal devices to access your company network.

Let’s explore BYOD’s evolution; take a look at the risks and rewards of embracing BYOD; and then take a deeper dive into how to balance it all so that you and your employees can enjoy the best of both worlds. If you want to see our interactive webinar where we discuss BYOD, visit our community post here.

BYOD 1.0

BYOD 1.0 is roughly defined as occurring from 2009 to 2012, but you could argue that it all started back in 2007 when more and more business professionals began switching from their BlackBerry® devices to the newly-introduced iPhones®. When BlackBerry ruled the business mobility scene, security was much easier for the Information Technology (IT) department. IT purchased, distributed and managed the devices for employees. At this stage, IT only had to concern itself with protecting two things:

1) The device itself and any data stored on it. (Known as Mobile Device Management, or MDM.)

2) The connection between the device and the corporate network. (Known as Virtual Private Network, or VPN.)

While this may seem easy compared to today’s BYOD challenges, it actually caused frustration for both IT and employees, and here’s why. With BYOD 1.0, it was all or nothing, meaning IT had to protect the entire device and any data and activity on it. There was no way to home in on the company data and leave an employee’s personal data and activity alone.

Employee Complaints

Most people don’t want to have a phone for work and a phone for all the other times. It’s too much of a hassle! So what naturally happened was company-issued BlackBerries and other devices were used for both work and play. (As someone who had a BlackBerry back in the day, I’ll admit to this!) But that meant the company could invade your privacy whenever it wanted. And, if you left the company, the IT department would ‘wipe’ your device, so along with all your company data and applications went your personal data (photos, etc.) and apps. It’d all be gone.

IT Complaints

IT did not want to see any evil or hear any evil. In fact, IT did not want to be bothered with an employee’s personal data and apps! To them, this only introduced a new challenge: how to protect the device from potentially harmful web browsing by the employee.

In short, BYOD 1.0 left both employees and IT wanting. Enter BYOD 2.0.

BYOD 2.0

From about 2013 on, we’ve been living in the 2.0 version of BYOD. The biggest difference between BYOD 1.0 and BYOD 2.0 is the ability to provide security to only the company’s data, apps and network access and leave the employee’s personal data, web browsing and apps alone. This has been accomplished by changing the focus from device protection to application protection. Remember Mobile Device Management, or MDM, from 1.0? That has now been replaced by Mobile Application Management, or MAM. With BYOD 2.0, both groups are happy. Employees are no longer concerned with their company infringing on their privacy. IT is also happy because they can now focus on making sure the business’ data, applications and network are all locked down and secure.

Weighing the Risks and the Rewards

If you want your staff to be happier and more productive, BYOD is definitely the way to go. Studies have shown:

  • Employees whose companies embrace BYOD work up to 20 additional hours per week, unpaid [1].
  • 92 percent of these newly-mobile workers “enjoy their job flexibility” so much so that they are “content” with working the additional hours.
  • On top of that, 42 percent of business professionals would like “even greater flexibility for their working practices.”
  • Companies realize cost-savings in two ways: reducing or eliminating the capital expense of purchasing mobile devices and reducing or eliminating the monthly service costs.
  • When companies embrace BYOD, the IT department is re-branded as innovative and forward-thinking, which many times carries over to the entire organization’s brand.

Those are all positives, but here are the downsides:

  • 76 percent of business professionals believe that BYOD introduces serious risks [2].
  • Only 39 percent are prepared to mitigate the risks.
  • 59 percent of organizations had increased malware infections over the past 12 months because of unsecured laptops, smartphones, and tablets.

Overcoming ‘Different’ Challenges

Back in BYOD 1.0, there was typically one kind of device, from one vendor, serviced by one carrier. But that’s when IT bought, owned and managed everything. Now that employees are bringing different brands of smartphones, tablets and laptops, which they purchased from different places, and running them on different carriers’ networks, the complexity has multiplied. While it may seem overwhelming, it doesn’t have to be. All you have to do is create what’s called dynamic policy enforcement, which gives you flexible security over company data and applications.

Different Strokes for Different Folks

As with everything else in life, it all depends on who you are. Based on how complex your data storage and data center services are, you’ll require different types of mobile device security. Here’s a quick cheat sheet:

  • Have a traditional data center set-up? Control access with a VPN gateway.
  • Use an Infrastructure as a Service (IaaS) public cloud offering (such as Amazon EC2)? Control access with a VPN gateway and secure applications by hosting them on virtual servers.
  • Use a Software as a Service (SaaS) offering? Skip the VPN but still enforce identification and authorization to access corporate data.

It’s no longer enough to secure the device itself. If employees are using their own devices to access your network, you need a solution that extends beyond data and apps on devices into wherever you store your company’s data, whether that be in cloud-based services such as IaaS or SaaS, or in your own data center. Look for a mobile device service provider who combines mobile and access management into one service. And look for a provider who can offer all the security you need, including authentication and authorization, data-at-rest security, and data-in-transit security, among others.

The Key Lessons

  • Determine your company’s BYOD goals before worrying about the risks.
  • Don’t let your employees become secret hackers.
  • If your IT team has no idea what rootkits, keyloggers, data-at-rest security and data-in-transit security are, hire an expert.

Your employees want to use their smartphones and other personal devices for two things: 1) they want to store and use your company data outside of work, and 2) they want to conduct business, which often requires accessing your company network and services (think email!). As you’ve seen, the rewards are great, but the risks can be, too, if you don’t know how to properly secure your company’s proprietary information and safeguard against employees accidentally introducing harmful malware into your network. Knowledge is power, so they say, and it certainly rings true with BYOD. The more you know, the more you can balance the risks and rewards and reap all the benefits without worrying about the unwanted repercussions.


Sources:

1. 2012 Mobile Workforce Report from enterprise WiFi access firm iPass

2. Ponemon Institute/Websense survey

9 Questions to Ask a Managed Security Provider

Once, managed security providers were small companies who offered select few larger companies the option to store their data remotely. Now, that market has grown into a widely utilized industry, where providers navigate security issues, compliance regulations, and the importance of data protection for you.

But with this burgeoning enterprise comes the difficulty of deciding between the many competent players. When choosing the company that will defend the security of your data and manage your ability to access it, it’s important to look closely at several aspects of each provider.

Track Record. The ideal MSSP to handle your company’s sensitive data will be able to show a strong history of quality information management over a significant period of time.

  1. Response Time and Analysis. An MSSP must be able to easily distinguish security threats from false alarms. Your provider should be able to respond immediately after analyzing and interpreting large amounts of network security data.
  2. Operation Centers. The best MSSP will have state-of-the-art security operations centers at multiple locations, allowing for cross-monitoring and double-checking compliance with security standards.
  3. Global Awareness. To really be prepared, security experts must be able to monitor threats to data not just domestically, but from around the world. International eyes and ears allow for proactive handling of threats and real-time alerts.
  4. High Level Management. Management personnel in the best MSSPs will often have backgrounds working in military, security, or government: an indicator of success.
  5. Range of Services. Particularly for larger businesses, MSSPs must be able to provide a variety of services, including real-time monitoring, firewall management, intrusion detection systems, virtual private networks, and more.
  6. Security Procedures. Ask for documented standards and policies that are in place, from handling of unusual operations to common threats. Look for an MSSP that offers a variety of notification options for optimal staff awareness.
  7. Third-Party Validation. Whatever these policies and procedures are, make sure that the MSSP has had them validated and certified by a third-party auditor.
  8. Range. For best brand-specific protection, find an MSSP that employs specialists who have certified experience working with a variety of security providers and in a wide range of products.
  9. Reporting. Detailed reporting is essential for a company to truly trust the MSSP. Be sure that the reports are based on information drawn from various platforms, include recommendations, are open about latest threats, and are clear about any security changes that have been made.

Your data is only as secure as the company trusted to protect it. Take your time and consider all aspects of the business and relevant details of your own company before deciding.

10 IT Security Questions Every Business Should Ask


In this fast-paced, ever-changing, technological world, small and growing businesses must be prepared, now more than ever, to not only address the danger of cyber-security threats, but also to have the in-house expertise to implement information security programs that handle these types of issues. This means going far beyond simply having anti-virus software and creating strong passwords.

While this can sound overwhelming, every organization that intends to stay on top of security and take it seriously should take this into consideration. To help you get started, we outline 10 simple questions to ask yourself when establishing a strong foundation for information security programs:

1. Have responsibility and accountability been assigned for IT security and data privacy? As a business, there should always be someone in place who is designated (and qualified) as the IT Security Officer (ISO).

2. Have you identified, and do you understand, all regulations and standards that apply to you? A sampling of standards includes, but is not limited to:

  • Sarbanes Oxley (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI-DSS)

3. Do you have documented information security policies and procedures? Doing so will help you define goals for the organization in regards to information security, as well as provide an outline for how your organization will meet these goals.

4. When looking to prevent security breaches and fraud, how do you monitor the systems you have in place? If you haven’t already done so, start implementing network intrusion detection systems that regularly review system logs and activities. This will allow you to investigate any suspicious activity before it becomes a big problem.

5. If a security or data breach were to take place, do you have a response plan in place? Data and security breaches often blindside people and organizations, and make it difficult to respond in an efficient manner. Having a detailed emergency plan in place will not only allow you to act quickly and with confidence, but will also provide a blueprint for how to manage:

  • Containment
  • Investigation
  • Legal actions
  • Public relations

6. Do you have a patch management strategy, and if so, what does it look like? A thorough and comprehensive patch management process allows businesses to protect themselves from newly discovered threats – both internally and externally. It is important to note that in order for this to be effective, all software and systems should be covered.

7. Do you perform initial and periodic security checks on new vendors? In order to stay assured that your data is being adequately protected by your vendors, it’s always a good idea to review the security controls they have in place. If gaps are found, you can then take action to correct them before damage is done.

8. Have you identified and protected all sensitive data? As a business, always identify any and all sensitive or confidential data, make note of where it is stored, and look into the adequacy of the processes protecting the data.

9. Have all high-risk technology systems been identified? Utilize a basic IT risk assessment and focus your resources on high-risk areas to help you evaluate your security control efforts.

10. Do your employees receive adequate security training? Unfortunately, some of the most common security breaches are a result of employees accidentally divulging sensitive information. Continual security awareness training and testing will not only protect your systems, but also help your employees identify and avoid attackers utilizing social engineering techniques.

Three ways to improve your personal cyber safety

By Gavin Reid, Vice President/Threat Intelligence, Lancope

For National Cyber Security Awareness month there are a couple of relatively easy-to-do things that I highly recommend if you want to improve your personal cyber safety. These important protections are easily available but not well documented.

One of the biggest cyber security problems impacting users today is the reuse of easy-to-guess passwords across multiple sites. All it takes is for one site to be compromised and the hackers can then use your password to log into others. This process is often automated and run against all sites. To help combat that, ensure that you have a *unique* password for each site. No one can remember multiple unique complex passwords, so invest in using a tool like RoboForm or 1Password to manage these passwords and keep them safe. Once you have installed a good password manager, go back to each site you use, replace your common password of “petname123” and let the password manager create a long and complex password for you like “yott2&uv0ugs7.” Save that password and go on to change the next one. Set a complex password that you DO remember for your password manager. It’s only one and it can be recalled from memory.

Don’t be afraid of the cloud! Losing all of your newly-created complex passwords to a hard drive crash would be a terrible loss. Make sure you sync your password file in the cloud to be able to access them across multiple devices (phones, tablets, laptops) and always have a backup. RoboForm has its own cloud storage built in and 1Password uses Dropbox or iCloud. Your passwords are encrypted with AES encryption, so even if someone somehow broke into the cloud provider and stole your password list, they cannot decrypt your passwords without the one complex password you committed to memory.

The next step to ensure you won’t be an easy victim is to set up two-factor authentication for some sites that are more important to your personal cyber security like Gmail, eBay and PayPal.

Gmail
You may not have thought about it, but your personal Gmail account ties many things together. For example if you use Gmail as your email address for your Amazon account, if someone hacks your Gmail they can force a password change to access your Amazon account. Similarly, your bank and many other systems may use your email as a way to allow for password resets.

Criminals can also use your Gmail account to send out legitimate looking email requests for emergency help to all the people in your address book like the email below:

Hi,

How you doing? I made a trip to London (United Kingdom) unannounced some days back, Unfortunately i got mugged at gun point last night! All cash, Credit card and phone were stolen, i got messed up in another country, stranded in London, fortunately passport was back in our hotel room. It was a bitter experience and i was hurt on my right hand, but would be fine. I am sending you this message cos i don’t want anyone to panic, i want you to keep it that way for now!

My return flight leaves in a few hours but Im having troubles sorting out the hotel bills, wondering if you could loan me some money to sort out the hotel bills and also take a cab to the airport about ($1,550). I have been to the police and embassy here, but they aren’t helping issues, I have limited means of getting out of here, i have canceled my credit cards already and made a police report, I wont get a new credit card number till I get back home! So I could really use your help.

You can contact the hotel management through this telephone number (+449444045232), you could wire whatever you can spare to my name and hotel address via Western union:

Name: John Hastings
Location: 201 Bunaby Street, Chelsea,
Greater London
SW10 0PL.
United Kingdom

Your Gmail account plays an important part in your overall internet safety. It is very important you set a strong password and enable two-factor authentication. Here is how to do it:

  • Log in to your Gmail account, then go to the following URL:
    https://www.google.com/landing/2step/
  • Click on “Get Started” then “Start Setup.” Enter the number for your phone and verify the number by entering the numeric code that Google sends to the phone by either text message or voice call.


  • You can also choose to use the smart phone app Google Authenticator, which you would register through the same wizard shown above. To install Google Authenticator click here for iOS or here for Android. Either way works and will stop people from easily taking over your personal email (and of course your online identity!).

PayPal and eBay
If you use either of these services, they are high-value target accounts for crime. PayPal is especially problematic as it links directly (in most cases) to your bank account. eBay accounts, on the other hand, are often hijacked then used fraudulently to sell nonexistent items, leaving the account owner to work out the mess. I highly recommend you protect yourself by setting up two-factor authentication for both accounts.

Setup instructions for PayPal:

Go to https://www.paypal.com/us/cgi-bin/webscr?cmd=_register-security-key-mobile


This will give you the option to set up a secondary authentication method. You have three choices. The first is to pay a small amount and have them ship you a small fob that provides one-time passwords as a secondary authentication for your account (i.e. a hacker can’t get into your account by just guessing your password or resetting it). The second choice is more convenient if you have a smartphone: download the Symantec VIP Access program for smartphones. The third is to have PayPal send messages to your mobile, like we did with Gmail.

When you get the token software installed on your smartphone, authenticate it to your PayPal account and register its unique ID. Now when anyone wants to use your PayPal account, they will have to have both your username and password and the one-time token password your phone or fob would generate. Note: you can also tie this token to your eBay account.

There was a lot of work to do to get to this stage. It is unfortunate that this process is obscure and not built-in or easier to enable. I am sorry to say that there is one more step if you use Gmail with any applications that auto-check email. I have several, such as the Microsoft Outlook client for Mac. These applications do the authentication automatically. For convenience with only a small security risk I can use Gmail to set up application- or device-specific passwords. These fixed passwords can ONLY be used by the same app on the same device. You can do this by editing the “authorizing applications & sites” button in the Gmail account settings.

When you click edit, it will force another authentication then allow you to set up, manage and track application-specific passwords.

So that’s it. I wish it was easier, but these are a couple of steps that can make your internet identity much harder to abuse.

In Cloud We Trust – Cloud Security


We’ve all heard it before: “If you move to the cloud, all of your data will be at risk!”

Countless studies have shown that cloud security is the major factor standing in the way of cloud adoption. While in some cases companies are right to be wary, like most things, not all cloud providers are created equal. In fact, the security a company experiences with the cloud solely depends on the provider chosen. It’s wrong to lump all cloud providers together and assume a general opinion on cloud security, whether that opinion is good or bad. Just as some companies currently have better in-house security than others, some cloud providers view security as a larger priority than others. And the word security is all-encompassing, referring to physical and network security, as well as compliance.

Physical Security

A great cloud provider will have multiple physical security measures in place. Look for providers that can offer the following: full credential-limited access to data centers, key card protocols, biometric scanning systems, exterior security systems, on-premises security guards, digital surveillance and recording, secured cages, around-the-clock interior and exterior surveillance monitoring, and employees that have undergone multiple, thorough background security checks. This isn’t asking too much. These are the things that will protect your information. The best facilities will also include environmental controls such as redundant HVAC systems, circulated and filtered air, and fire suppression systems.

Network Security

A reliable cloud provider should be able to guarantee geographical diversity of data center locations as well as full redundancy. With these steps in place, companies can ensure that in the event of a disaster, their business-critical data and applications will be safe and accessible, even if one of the data centers is affected. Look for in-flight and at-rest encryption, strong firewalls, password protection and around-the-clock monitoring. Make your provider prove itself, and ensure that it can demonstrate strict and accurate Service Level Agreements.

Compliance

Today, more and more industries have regulations and standards to meet. “Compliance” is an extremely important word for businesses in all industries, as it refers to the laws that are in place for security and privacy purposes. Your cloud provider should meet, if not exceed, large compliance laws such as HIPAA, PCI DSS, and Sarbanes-Oxley. Whether or not your company needs to meet these regulations, you want a cloud provider that understands and follows the top compliance laws because this demonstrates that they are knowledgeable and trustworthy.

The reality of today is this: cloud computing is a growing, important technology that is being adopted by the majority of businesses. In order to remain relevant and modern, cloud is the way to go. By no means should you risk your company’s security to do so, but you should work to find a provider that is trustworthy and can offer excellent physical and network security for your data. You have to remember that cloud providers are businesses too – they put loads of money into ensuring that their customers’ information is secure. For the most part, they aren’t willing to risk their reputation and customers for lesser security. As long as you take the appropriate steps to ensure you’re working with a legitimate, secure provider, the cloud is absolutely a viable and intelligent option for your organization. And when you make the move, you’ll experience better security than you ever had in-house.

Business IT: It’s all in the Fundamentals

Here are some basics in Business IT Security. It is almost like football:

  1. Block and Tackle: your safety depends on it.
  2. Have an Executable Plan and Stick to it.
  3. Don’t get Juked.

Like they say, “Everything else is commentary, go learn it!”.

Security: Blocking and Tackling

While there’s no such thing as an IT environment that is 100 percent secure, taking fundamental steps to assess and harden IT systems is the basic “blocking and tackling” of IT security that removes the root cause of the vast majority of breaches. These steps include:

» Assess and inventory configurations on all servers and devices, and compare the results to some understood, recognized security standard (like CIS, NIST, or ISO 27001)

» Gain immediate, real-time insight into any changes to the files, configuration items and states that define this security standard

Blocking and tackling for security professionals means going back to basics and eliminating the “easy ins” preyed on by attackers, like open ports and unused services, the use of default or easily guessed administrator passwords, or improperly configured firewalls.

Blocking and tackling for IT security teams also means keeping continuous watch on these systems, to detect the clues that indicate attacks in progress, like security controls disabled by anti-forensic activities, oddly elevated permissions or unexpected changes to critical files.

Security configuration management solutions are built to make these issues visible to IT security professionals, and to give them the information and tools they need to manage them in the most automated way possible.
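The two steps above, baselining a system and then spotting unexpected changes to the files that define its hardened state, are the core of what a security configuration management tool automates. The following is an added example written for this page, not code from the article or from any vendor; the directory tree, file names and contents are constructed in a temporary directory purely for illustration.

```python
"""Added example (not from the original article): a minimal file-integrity
baseline of the kind security configuration management tools automate.
It records a SHA-256 digest and permission bits for every file under a
directory, then compares a later snapshot against that baseline and reports
files that changed, appeared or disappeared.  The sample 'etc' tree and its
contents are constructed here; they are not a real system's files."""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode.
    Hashing the content catches edits; recording the mode catches a file
    being made world-writable or executable without its content changing."""
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        mode = stat.S_IMODE(path.stat().st_mode)
        result[path.relative_to(root).as_posix()] = {"sha256": digest,
                                                     "mode": f"{mode:04o}"}
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify the drift between a stored baseline and a fresh snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "changed": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def save_baseline(snap: dict, path: Path) -> None:
    """Persist the baseline; in practice this lives somewhere the monitored
    host cannot silently rewrite it."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed config tree, baseline it, simulate drift, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text(
            "PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (etc / "motd").write_text("Authorized use only.\n")
        baseline_file = root / "baseline.json"   # kept outside the watched tree
        save_baseline(snapshot(etc), baseline_file)

        # Simulated drift: a hardening setting is weakened, an unexpected
        # scheduled job appears, and the login banner is deleted.
        (etc / "sshd_config").write_text(
            "PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backup").write_text(
            "0 2 * * * root /usr/local/bin/backup\n")
        (etc / "motd").unlink()

        return compare(load_baseline(baseline_file), snapshot(etc))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:8s}", ", ".join(files) or "-")
```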