The Global Risks Report 2016, your next suspense novel…

If you’re looking for a scary story, put down the latest spy novel and pick up the 11th edition of The Global Risks Report 2016, courtesy of the World Economic Forum.

The cyber attack threat takes center stage in North America, standing out as the most likely risk by far. The report reflects the perceptions of nearly 750 experts and decision-makers in the World Economic Forum’s constituencies surveyed in late 2015.

The risks perceived as the most likely to beset various regions this year include:

  • Social volatility
  • Interstate conflicts
  • Economic instability

The truth is that governments, businesses, organizations, and citizens in most parts of the world face pretty much the same dangers from cyber threats as their North American counterparts.

The Grant Thornton International Business Report 2015, for example, shows that cyber attacks are estimated to have cost Asia Pacific businesses $81 billion in the preceding 12 months, while firms in both the EU and North America saw revenue losses just over $60 billion.

Cascading Effects

Cyber dependency is a global trend in a world where digital businesses reside in increasingly connected, smarter and more automated environments.

That means that an entity’s risk is increasingly tied to that of other entities, making it harder for any single party to fully protect itself. This raises “the odds of a cyber attack with potential cascading effects across the cyber ecosystem,” the report states.

Consider also the impact of other risks that can lend more fuel to the cyber-attack flames. “Chronic and resurgent violence, conflicts, and economic and social volatility will remain prominent features of the current and future reality,” the report notes. Such conditions only make it easier for bad actors to gain new recruits to conduct cyber-attacks, be they criminal or terrorist in nature.

Raise Your Defenses

In the World Economic Forum’s 2015 Executive Opinion Survey, 18 of 140 global economies put cyber-attacks on their list of top three risks, and eight consider them the risk of highest concern for doing business: Estonia, Germany, Japan, Malaysia, the Netherlands, Singapore, Switzerland, and the United States.

Growing awareness is a good thing, but improved readiness to face these attacks is even better. If there’s a happy ending to this scare story, it is that defenses can be improved, although organizations must first fully grasp the extent of their cyber-security risks and the investments required to better manage those risks and build resilience.

The Global Risks report recommends actions that businesses can take to better defend themselves, such as:

  • Fostering greater cooperation throughout their value chains
  • Sharing cyber breach data with law enforcement
  • Building up security for under-protected areas like machine-to-machine connections

It’s unlikely that every organization can prevent every cyber attack, but companies should emphasize methods to identify and effectively mitigate them by streamlining mechanisms for:

  • Early detection
  • Response and recovery
  • Rapid mitigation
  • Better management of the consequences

That sounds like a good plan to us, and hopefully it’s one that organizations of every stripe will waste no time putting into action.

Is the Cloud Secure?

There seems to be a common misconception about the cloud not being secure. Organizations are worried that by utilizing the cloud, they risk compromising important company information and confidential data. This could not be further from the truth. In fact, the cloud adds security to your environment and workspace. It is more secure than using your laptop! A global study of more than 4,000 organizations done by the Ponemon Institute and Thales e-Security found that using the cloud for processing and storing critical data is almost an inevitable solution. More than half of all participants responded that their organizations already transfer sensitive or confidential data to the cloud, while only 11% say that their organization has no plans of doing so. This is down from 19% two years earlier (Forbes).

Think of cloud security in terms of accidentally downloading a virus. When you do so on your work laptop, there is a good chance it will corrupt all your important files and information. You will then notice your computer running slowly, and your private data is now compromised. However, if you were to download the same virus on your virtual laptop, the same thing should happen, right? Actually, that is wrong. As soon as you are aware that you have a virus, you can have your administrator pull your desktop back in time to before the virus was downloaded. Literally, you have the ability to revert to the previous “image” of your desktop. You’re no longer vulnerable to that virus and your private data is no longer being compromised.

When Sony Pictures Entertainment experienced a cyber-attack around the release of their movie “The Interview”, a hard and expensive lesson was learned. Not only were Sony’s eyes opened to the other security requirements for their industry, but businesses began considering the costs of managing and securing their information in-house rather than utilizing the cloud. The cyber-attack on Sony cost them around $100 million, not including the loss incurred by the hit to their reputation. They’ve had to invest an abundance of time and energy into rebuilding and diagnosing what really caused the security breach. The unending amount of fees they face, such as responding to investigations from the Federal Trade Commission and Securities and Exchange Commission, and potentially state attorneys general, will definitely add up and put a financial burden on the company. It also caused an insurmountable loss of good-will for Sony. They also lost valuable information like strategic planning and trade secrets that affect a corporation’s profits. The hackers got ahold of confidential personnel records of its employees and various embarrassing emails from executives, all of which endangered Sony’s relationships with employees, talent, contractors and vendors (Logicworks).

Had Sony been utilizing cloud services, the situation would not have unfolded in the detrimental way that it did. Their valuable information would not have been lost as it would have been stored safely in the cloud. With the extensive security placed within the cloud, hackers would not have been able to access any of their confidential personnel records. This would have ultimately avoided the situation and saved Sony from the losses that occurred.

More and more organizations are moving to the cloud, and rightly so. The security only continues to improve and the risks of in-house assets continue to rise. Forbes says that 47% of marketing departments will have 60% or more of their applications on a cloud platform in two years. This year will be the year that the doubts of cloud security will be put to rest. Don’t put yourself in a Sony situation.

4 Myths About Mobility in the Workplace

The use of mobile devices for business can no longer be ignored. It’s changing the way business is done, and that’s proving to be a positive thing. While many organizations have taken this development in stride, others are turning a blind eye to the inevitability of business mobility. Research and statistics show that technology brings many advantages to the table, and 70% of professionals will work via smart, mobile devices by 2018. Why leave your professionals in the dust? Let’s debunk some of the major myths regarding mobility in the workplace.

Myth #1: Your employees will be less productive.

Today, your employees will actually be less productive if they’re chained to one location, without the option for mobility. The fact of the matter is that work productivity is a management problem, not a technology problem. 90% of business communications stretch far beyond the local workplace – so why limit employees to that local workplace? Imagine that an employee has to leave the office for a meeting or to make a sale. It’s counterproductive for that employee to head back to the office to complete and submit a form, and it’s not good for your customer service if employees in the field can’t access necessary data or complete deals on the spot. Business mobility strategies actually save time and can ultimately increase sales by giving employees the tools they need to make quick decisions. These capabilities also improve a business’ reputation.

64% of employees conduct some sort of business after hours at home. The magic of cloud computing and mobile devices is that they allow people to complete business tasks from any location, at any time. This actually increases productivity, allowing your employees to produce the same quality of work while away on a business trip or otherwise working remotely.

Myth #2: Mobility will make your business less secure.

Of course, as with most technology, there is risk associated with business mobility. But, as with most technology, risk can be addressed.

As you implement mobility into your business, you simply need to focus on risk management and security. By paying attention to Mobile Device Management, analytics, encryption, authentication and strict policies, you can implement a mobile strategy in a risk-free way.

Many studies show that employees are already using smart devices for work, with or without company approval. Rather than ignoring this fact or expecting to put a stop to this trend, address it by creating a company-wide policy. This should include the acceptable use of devices, security measures, technical standards, etc. Check out this article for guidelines on how to do BYOD the right way. This can (and probably should) be something that employees are required to sign off on. It should also be accessible to employees at all times.

Though employee policies tend to fall to the Human Resources department, this is a process that should include the IT team and others with a knowledge of technology and mobility. By combining policies with training on the importance of data security and user diligence, the risk of business mobility becomes no greater than that of other business initiatives.

Myth #3: All mobile devices are the same.

You may be thinking, “Well of course they’re not all the same,” but too many businesses today are treating all devices equally. People use different devices for different reasons. Compare the typical use of a laptop vs. smartphone vs. tablet. Of course there is overlap, but one policy won’t necessarily cover the essentials for all of these devices. They might each require unique management strategies, so a business should address that when moving forward with a mobility strategy.

Myth #4: Business mobility is optional.

The fact is that mobility is a huge part of the business world already. Almost 1/3 of enterprise data is accessed through mobile devices today. Organizations ignoring this fact might find themselves falling behind. Today, a great business strategy practically requires a mobility strategy, as it factors into employee productivity, company collaboration, business profits, customer service, marketing and much more. And any business expecting to grow will need to give employees the ability to access business data on the go. The trend towards mobility is driven by a desire for greater productivity and flexibility. To ignore it would be counterproductive for a business.

Don’t let your business down. Mobility in the workplace is important. By debunking these popular myths, we hope to help businesses adopt a mobility strategy that is both effective and safe.

Keep Your Hacker Hands Out of My Phone System

If you are an OfficeSuite Phone customer and read the New York Times article Phone Hackers Dial and Redial to Steal Billions you might be in a panic, worried how to protect your business from such a scam.

But don’t worry, Broadview has your back.

Protect your business from hackers and fraud.

Fraud prevention starts by protecting your business phone system.

The scam or hack mentioned in the article involves people calling into a phone system’s voicemail service to make outbound calls. While this feature is convenient for some, it poses a huge risk as most passwords are easy to guess (more on that below).

So hackers call into the phone system, automatically try different passwords until they get through and then make calls to premium toll phone numbers (900) or other phone numbers to rack up charges.

Broadview decided years ago to cut this off by simply eliminating the not often used “call out” feature, thus thwarting the hackers.

We also recommend that OfficeSuite Phone customers update their “Permission profiles” by turning off any calling permissions that employees do not need or should not have, especially when the office is closed.

There was another problem years ago of overnight cleaning crews racking up international calls while working without much oversight. Companies were surprised to see lots of unusual international calls on their bill and were again worried about hackers.

With the OfficeSuite Phone service you can turn off any type of call, except emergency, during “closed” hours. Plus you can define “closed” hours differently for different people or groups with our Business Hours function. This is especially useful if you have multiple shifts during the day.

Finally, it is always recommended to change passwords at least once a year. We offer passwords up to 10 digits which are significantly harder for hackers to crack than four digits. We also recommend not using easy to remember passwords like 1111 or 1234.
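The controls described in this post (calling permissions per group, different “closed” hours per group, emergency calls never blocked, premium-rate and international destinations as the high-risk classes) can be checked after the fact against a phone system’s call records. The script below is an added example, not Broadview’s or OfficeSuite’s code and not how their product implements these features: the business hours, permission profiles and call detail records are constructed, and the destination classes assume North American dialling (011 as the international prefix, 1-900 for premium-rate numbers).

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed business hours per group, keyed by weekday (0 = Monday). A window
# whose start is later than its end wraps past midnight, like an overnight shift.
# The window is looked up on the calendar day the call was placed.
BUSINESS_HOURS = {
    "sales": {day: (time(8, 0), time(18, 0)) for day in range(5)},        # Mon-Fri
    "night-shift": {day: (time(22, 0), time(6, 0)) for day in range(7)},  # every night
}

# Constructed permission profiles: the call classes each group may place at all.
# Emergency calls are always allowed, so they are never listed here.
PERMISSIONS = {
    "sales": {"domestic", "international"},
    "night-shift": {"domestic"},
}

# Constructed call detail records: ISO timestamp, then key=value fields.
CDR_SAMPLE = """\
2015-12-01T10:05:00,ext=204,group=sales,dst=12125550147,dur=120
2015-12-01T23:15:00,ext=204,group=sales,dst=011441632960123,dur=840
2015-12-01T23:40:00,ext=310,group=night-shift,dst=12125550199,dur=60
2015-12-02T02:10:00,ext=204,group=sales,dst=19005550100,dur=1800
2015-12-02T02:12:00,ext=310,group=night-shift,dst=911,dur=45
2015-12-02T02:30:00,ext=311,group=night-shift,dst=011442079460958,dur=900
"""


def classify_destination(number: str) -> str:
    """Map a dialled number to a call class (North American dialling assumed)."""
    digits = re.sub(r"\D", "", number)
    if digits == "911":
        return "emergency"
    if digits.startswith("011"):               # international access prefix
        return "international"
    if digits.startswith(("1900", "900")):     # premium-rate numbers
        return "premium"
    return "domestic"


def is_open(group: str, when: datetime) -> bool:
    """True if the group's business hours cover this instant."""
    window = BUSINESS_HOURS.get(group, {}).get(when.weekday())
    if window is None:
        return False
    start, end = window
    now = when.time()
    if start <= end:
        return start <= now < end
    return now >= start or now < end           # window wraps midnight


@dataclass
class Finding:
    timestamp: str
    ext: str
    group: str
    destination: str
    call_class: str
    reasons: list


def parse_cdr(line: str) -> dict:
    """Parse one CDR line into a dict with 'timestamp', 'ext', 'group', 'dst', 'dur'."""
    ts, *fields = line.strip().split(",")
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = ts
    return record


def evaluate_call(record: dict) -> Finding:
    """Apply the closed-hours and permission-profile rules to one call."""
    when = datetime.fromisoformat(record["timestamp"])
    call_class = classify_destination(record["dst"])
    reasons = []
    if call_class != "emergency":              # emergency calls are never blocked
        if not is_open(record["group"], when):
            reasons.append("placed outside the group's business hours")
        if call_class not in PERMISSIONS.get(record["group"], set()):
            reasons.append(f"{call_class} calls not in the group's permission profile")
    return Finding(record["timestamp"], record["ext"], record["group"],
                   record["dst"], call_class, reasons)


def audit(cdr_text: str) -> list:
    """Return a Finding for every call the policy should have blocked."""
    findings = []
    for line in cdr_text.splitlines():
        if line.strip():
            finding = evaluate_call(parse_cdr(line))
            if finding.reasons:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(CDR_SAMPLE):
        print(f"{f.timestamp} ext {f.ext} ({f.group}) -> {f.destination} "
              f"[{f.call_class}]: {'; '.join(f.reasons)}")
```

Run against the sample, it flags the overnight international call and the 2 a.m. premium-rate call from the sales extension, and the night shift’s international call that its profile does not permit, while the 911 call passes regardless of hours.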

What can you learn from the VTech breach?

The breach of VTech by an unknown cyber-criminal continues to escalate. After initial reports of a breach exposing personally identifiable data of its customers (despite VTech’s statement otherwise), the hacker released a limited set of personal messages and photos from VTech customers to prove a near-complete compromise.

It’s been a bad week for VTech. Make no mistake, VTech is the victim of a crime. However, the more immediate issue is the potential fallout for their customers and their children. And it’s here that VTech’s initial response has made things worse, not better. Thankfully, they’ve adjusted course in the last 24 hours and are being more open with information.

Let’s learn from this. Here’s what you can do as a defender to make sure your organization is better prepared to handle a breach.

Communicate Openly

The time to figure out your post-breach communications plan is now. When you’re dealing with the fallout from a breach, you want to be able to implement a step-by-step plan that is appropriate for the situation.

Here’s a basic outline of what you’re going to need:

  • An open and honest email to customers that contains:
    • specifics of the data that was stolen
    • contact information to speak to someone fully informed of the situation and ready to respond immediately to their concerns (e.g., customer care)
    • an apology
    • a timeline for future communications
  • A press release that contains:
    • specifics of the data that was stolen
    • the steps you’ve taken to inform your customers
    • a media contact for comment and additional information
  • An open and honest communication to stakeholders that contains:
    • specifics of the data that was stolen
    • what is known so far about the mechanics of the breach
    • the steps you’ve already taken in response
    • the steps you plan to take
    • who is the lead for communications
  • A public URL that you can use to gather information (like an FAQ)
    • this should be constantly updated as the situation evolves
    • use this as the default resource to send everyone to
    • don’t hide this away on a corporate site. Make sure it’s visible where your customers visit

These items should be written ahead of time in a customizable template. Remember this is in addition to the internal response that you’ll require.

When you realize that you’ve been hacked, here are the steps you need to take to effectively communicate:

  • acknowledge that there has been a breach and that you’re actively investigating it
  • identify and inform affected customers
  • publish the public URL for general awareness
  • inform and brief stakeholders
  • issue a press release with critical information and a point of contact

All of these should be written in a tone that is clear and apologetic. Don’t needlessly muddy the waters (e.g., VTech’s re-definition of personally identifiable information), try to deflect blame, or raise the point that you’re a victim too. You can provide an explanation and get into the specifics of how this happened afterwards.

The immediate goal is to reduce the impact of the breach.

This means ensuring that your customers have the necessary information as quickly as possible. If they need to take action of some sort (cancel credit cards, change account credentials, etc.), you want them to be made aware so they can reduce the chances of something bad happening.

Act Decisively

Once you start to respond to an incident, the process has 5 key steps:

  1. detect
  2. analyze
  3. contain
  4. eradicate
  5. recover

These steps are bookended by “prepare” and “improve/learn” and together these steps form the foundation of a solid incident response (IR) process.

Most often, the biggest challenges are faced in the “contain” step. This is often when the IR team is faced with tough decisions that directly impact the business.

VTech issued the following update on their FAQ on 01-Dec-2015:

“As a precautionary measure, we have suspended Learning Lodge, the Kid Connect network and the following websites temporarily whilst we conduct a thorough security assessment.”

This is not something that any organization ever wants to have to write. But it’s 100% the right call despite the potential impact to the bottom line.

When is the right time to make this type of call? There’s no firm rule. It’s a judgement call based on the information you have at the time.

What you can do to make this easier is to work out possible scenarios ahead of time. This is an extremely difficult exercise to work through as it assumes your other work in defending the organization has failed. But it’s critical to work through these scenarios in theory and in practice (called a game day) in order to write a playbook for IR.

Part of this exercise is to determine who in the organization has the required authority to make the decision to shut down services. Hopefully you never have to make that call. But if you reach that point, you need to know who to call.

All of the processes you have in place with your security practice work towards never having to make a call to shutdown services. If you’re hacked and you have to make that call, you’re far better off working from the playbook you wrote ahead of time instead of calling an audible.

Know Your Exposure

The most important thing you can do now to reduce the impact of being hacked is to review the data you are collecting and storing. By creating an inventory of the type of data you have, it is much easier to evaluate the risk you’re facing.

With the list in hand, you want to run through a very simple exercise. Put each data point on its own sticky note. Use the stickies to combine various data points to create different points of view.

The goal of this play on usability card sorting is to find which data points pose more risk to your business when they are linked to other data points.

If we take the VTech example, their app store requires a billing address, the social app links parents and children, and the messaging server temporarily stores photos and private messages. Individually each of these data points poses a risk. Combined, that risk escalates dramatically.

Mapping out all possible connections between all of the data points you collect and store lets you better identify risks and set the appropriate mitigations.

Those mitigations could entail:

  • not storing the data at all
  • isolating the data in separate backend systems
  • ensuring that your monitoring practice is looking for warning signs of data aggregation

Until you map out the entire landscape of data you store & collect, you won’t know what level of risk you’re facing. Without that knowledge, how can you formulate an effective defence?
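The sticky-note exercise above can be run as a script once the inventory exists: enumerate every combination of data points, score how much the linkage escalates risk, and compare what one compromised backend exposes with what all of them expose together. This is an added example, not from the original post: the data points, backend names and scores are constructed to mirror the VTech description (billing address in the app store, parent-child links in the social app, photos and messages held temporarily on the messaging server), and the scoring rule is an illustrative one, not an established standard.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DataPoint:
    name: str
    system: str      # backend that stores it
    category: str    # identifying | relationship | content
    score: int       # stand-alone sensitivity, 1 (low) to 3 (high)


# Constructed inventory mirroring the VTech example in the post.
INVENTORY = [
    DataPoint("billing_address", "app-store", "identifying", 2),
    DataPoint("parent_child_link", "social-app", "relationship", 3),
    DataPoint("photos", "messaging", "content", 3),
    DataPoint("private_messages", "messaging", "content", 3),
]


def linkage_risk(points: Iterable[DataPoint]) -> int:
    """Risk of a set of data points an attacker holds together.

    Stand-alone scores add up; each distinct category that can be linked
    (who someone is, who they are connected to, what they said or sent)
    multiplies the total, because the combination is what enables harm.
    Illustrative rule only.
    """
    pts = list(points)
    if not pts:
        return 0
    categories = {p.category for p in pts}
    return sum(p.score for p in pts) * len(categories)


def exposure_by_system(inventory: List[DataPoint]) -> Dict[str, int]:
    """Risk if a single backend is compromised while the others stay isolated."""
    systems = sorted({p.system for p in inventory})
    return {s: linkage_risk(p for p in inventory if p.system == s) for s in systems}


def riskiest_links(inventory: List[DataPoint], top: int = 3) -> List[Tuple[int, Tuple[str, ...]]]:
    """Rank every combination of two or more data points by linkage risk."""
    ranked = []
    for size in range(2, len(inventory) + 1):
        for combo in combinations(inventory, size):
            ranked.append((linkage_risk(combo), tuple(p.name for p in combo)))
    ranked.sort(key=lambda r: (-r[0], len(r[1]), r[1]))
    return ranked[:top]


def apply_mitigation(inventory: List[DataPoint], drop: Iterable[str] = (),
                     move: Dict[str, str] = None) -> List[DataPoint]:
    """Model two mitigations from the post: stop storing a point (drop) or
    isolate it in a different backend (move: name -> new system)."""
    move = move or {}
    drop = set(drop)
    return [DataPoint(p.name, move.get(p.name, p.system), p.category, p.score)
            for p in inventory if p.name not in drop]


if __name__ == "__main__":
    print("everything linked:", linkage_risk(INVENTORY))
    print("one backend at a time:", exposure_by_system(INVENTORY))
    for risk, names in riskiest_links(INVENTORY):
        print(f"  {risk:>3}  {' + '.join(names)}")
    slimmer = apply_mitigation(INVENTORY, drop=("photos",))
    print("without storing photos:", linkage_risk(slimmer))
    consolidated = apply_mitigation(INVENTORY, move={p.name: "monolith" for p in INVENTORY})
    print("all data in one backend:", exposure_by_system(consolidated))
```

With the constructed scores, the four points together score 33, while the worst single backend (the messaging server) scores 6, which is the isolation mitigation expressed as a number; folding everything into one backend puts the full 33 behind a single compromise.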

Prepare For The Worst

No one wants to be hacked. It’s a security team’s worst nightmare. You can reduce the impact of a breach by taking steps now.

  • Set out a communications plan. Create a few templates for key communications so you can fill in the details during the incident in order to reduce your response time
  • Practice and planning are key. Work through possible response scenarios ahead of time. Practice them. Make sure you know who has the authority to suspend services if you need to take dramatic steps to contain a breach
  • Know what data you are collecting and where you store it. Understand how those data points can be combined and how those combinations affect the risk (and value) of the data. Add additional protections as appropriate

When you’re focusing on keeping the lights on or, worse, getting them back on, the last thing you want to do is shoot from the hip. Writing out a clear playbook for all aspects of incident response is the key to a successful response.

9 Questions to Ask a Managed Security Provider

Once, managed security providers were small companies who offered select few larger companies the option to store their data remotely. Now, that market has grown into a widely utilized industry, where providers navigate security issues, compliance regulations, and the importance of data protection for you.

But with this burgeoning enterprise comes the difficulty of deciding between the many competent players. When choosing the company that will defend the security of your data and manage your ability to access it, it’s important to look closely at several aspects of each provider.

Track Record. The ideal MSSP to handle your company’s sensitive data will be able to show a strong history of quality information management over a significant period of time.

  1. Response Time and Analysis. An MSSP must be able to easily distinguish real security threats from false alarms. Your provider should be able to respond immediately after analyzing and interpreting large amounts of network security data.
  2. Operation Centers. The best MSSP will have state-of-the-art security operations centers at multiple locations, allowing for cross-monitoring and double-checking compliance with security standards.
  3. Global Awareness. To really be prepared, security experts must be able to monitor threats to data not just domestically, but from around the world. International eyes and ears allow for proactive handling of threats and real-time alerts.
  4. High Level Management. Management personnel in the best MSSPs will often have backgrounds working in military, security, or government: an indicator of success.
  5. Range of Services. Particularly for larger businesses, MSSPs must be able to provide a variety of services, including real-time monitoring, firewall management, intrusion detection systems, virtual private networks, and more.
  6. Security Procedures. Ask for documented standards and policies that are in place, from handling of unusual operations to common threats. Look for an MSSP that offers a variety of notification options for optimal staff awareness.
  7. Third-Party Validation. Whatever these policies and procedures are, make sure that the MSSP has had them validated and certified by a third-party auditor.
  8. Range. For best brand-specific protection, find an MSSP that employs specialists who have certified experience working with a variety of security providers and in a wide range of products.
  9. Reporting. Detailed reporting is essential for a company to truly trust the MSSP. Be sure that the reports are based on information drawn from various platforms, include recommendations, are open about latest threats, and are clear about any security changes that have been made.

Your data is only as secure as the company trusted to protect it. Take your time and consider all aspects of the business and relevant details of your own company before deciding.

10 IT Security Questions Every Business Should Ask

In this fast-paced, ever-changing, technological world, small and growing businesses must be prepared, now more than ever, to not only address the danger of cyber-security threats, but also to have the in-house expertise to implement information security programs that handle these types of issues. This means going far beyond simply having anti-virus software and creating strong passwords.

While this can sound overwhelming, every organization that intends to stay on top of security and take it seriously should take this into consideration. To help you get started, we outline 10 simple questions to ask yourself when establishing a strong foundation for information security programs:

1. Has responsibility and accountability been assigned for IT security and data privacy? As a business, there should always be someone in place who is designated (and qualified) as the IT Security Officer (ISO).

2. Have you identified, and do you understand, all regulations and standards that apply to you? A sampling of standards includes, but is not limited to:

  • Sarbanes Oxley (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Payment Card Industry Data Security Standard (PCI-DSS)

3. Do you have documented information security policies and procedures? Doing so will help you define goals for the organization in regards to information security, as well as provide an outline for how your organization will meet these goals.

4. When looking to prevent security breaches and fraud, how do you monitor the systems you have in place? If you haven’t already done so, start implementing network intrusion detection systems that regularly review system logs and activities. This will allow you to investigate any suspicious activity before it becomes a big problem.

5. If a security or data breach were to take place, do you have a response plan in place? Data and security breaches often blindside people and organizations, and make it difficult to respond in an efficient manner. Having a detailed emergency plan in place will not only allow you to act quickly and with confidence, but will also provide a blueprint for how to manage:

  • Containment
  • Investigation
  • Legal actions
  • Public relations

6. Do you have a patch management strategy, and if so, what does it look like? A thorough and comprehensive patch management process allows businesses to protect themselves from newly discovered threats – both internally and externally. It is important to note that in order for this to be effective, all software and systems should be covered.

7. Do you perform initial and periodic security checks on new vendors? In order to be assured that your data is being adequately protected by your vendors, it’s always a good idea to review the security controls they have in place. If gaps are found, you can then take action to correct them before damage is done.

8. Have you identified and protected all sensitive data? As a business, always identify any and all sensitive or confidential data, make note of where it is stored, and look into the adequacy of the processes protecting the data.

9. Have all high-risk technology systems been identified? Utilize a basic IT risk assessment and focus your resources on high-risk areas to help you evaluate your security control efforts.

10. Do your employees receive adequate security training? Unfortunately, some of the most common security breaches are a result of employees accidentally divulging sensitive information. Continual security awareness training and testing will not only protect your systems, but also help your employees identify and avoid attackers utilizing social engineering techniques.

How to Protect your Business from Cyber Crimes

When you hear about major cyber crimes such as the Home Depot and Target security breaches, you probably can’t help but to worry about the security of your own business. Cyber criminals seek out sensitive data, and every business is at risk. But just like you put a security system on your home or an alarm on your car, you can put a metaphorical security fence around your business’s data, too.

The best way to protect yourself, of course, is to identify potential risks and combat them. Here are a few ways you can do that.

Issue: Crimeware. Also known as malware, these are essentially viruses that infiltrate your systems, compromising servers, desktops, and data.
Protection: Ensure you have installed up-to-date anti-virus and anti-malware programs, browsers, and firewalls. Block your systems from Java browser plugins and implement configuration-change monitoring.

Issue: Employee or insider abuse of privileges.
Protection: Require logins for every aspect of your data and keep track of these. Review user accounts so that you can identify abnormal behavior. Audit accounts regularly and monitor any data transfers that go outside of your organization.

Issue: Espionage – the infiltration and gathering of data from outsiders.
Protection: Ensure that all software is patched, especially in areas of weakness, and that anti-virus software is up-to-date. Keep track of data analytics and train your employees to recognize abnormalities. Make use of secure cloud-based office phones and cloud-based servers to properly track network and application activity – this will help you to better identify inconsistencies.

Issue: POS intrusions, or the access of POS systems by outsiders.
Protection: Limit or ban the access of POS systems from third parties. Enforce the use of password access and keep track of all logins. Limit or prevent the use of POS systems to browse the web or perform any other non-work-related tasks.

Issue: Card skimmers, or the collection of credit card or other payment data. Once a customer has their card skimmed via your company’s data, it’s unlikely that they’ll trust payment with your company again.
Protection: Train employees to spot suspicious behavior and regularly inspect credit card swipers at any brick-and-mortar sale location. Install tamper-evident controls and safety measures such as mirrors on ATMs.

Issue: Other errors
Protection: Have a third-party company manage or maintain your cloud servers if your business doesn’t have the capacity to train your existing IT team. Encrypt all data. Stay on top of software or business system updates and keep all employees in the loop to avoid any application misuses or data breaches.

What is the Cost of a Cyber Attack?

Even as we shift our focus more and more toward tech security, it’s not perfect (and it’s unlikely that it ever will be). Even major corporations are at risk for – and have fallen victim to, quite recently – security breaches, whether it was in the form of leaked credit card information, hacked e-mails, or any other form of information compromise. A breach in cyber security is a threat to profits, to customer loyalty, and to the business’s security in general. Let’s take a closer look at what it means if your company’s virtual data isn’t secure.

The Average Loss per Cyber Attack is $3,220,000
…Not to mention that that number is higher in the United States. Here in the US, a major company can lose out on $5,850,000 when it suffers a major attack, which is the highest average net loss in the world. Germany pulls in second at $4,740,000 lost on average, and not even France or the UK can compare.

The Cost of Additional IT Security is Nothing in Comparison to Potential Losses
Obviously, the only way to prevent these massive losses due to cyber-attacks is to increase cyber security. The problem is that most companies don’t want to make this investment, as it sometimes comes with a big price tag. What these companies don’t realize is that, according to IBM, a stronger security presence could save a company up to $14 per lost data record. Bigger amounts of data compromised means bigger losses – but effectively, this means that the average company could increase their IT spending by $330,000 and still break even should there be an attack.

Companies Spend the Least on Data Center Systems
It’s plain to see that the digital world’s economy has grown at a staggering rate, thanks to the rise of mobile devices and cloud-based services. However, not many companies are investing in bigger, better data center systems. Telecom services rake in 8 times more revenue per year than data center systems; however, investing in better data center systems could mean investing in better security. Hopefully there is an upward trend to come.

Certain Industries Feel it the Worst
Every industry is at risk for data breaches, but a few are the biggest targets: banking, retail, IT, and hospitality. It seems that education, transportation, and entertainment, on the other hand, are the least at risk. Whether your business is in any of these industries should play a role in how seriously you’re taking cyber security.