An Expert Guide to Securing Sensitive Data: 34 Experts Reveal the Biggest Mistakes Companies Make with Data Security

Digital Guardian, October, 8, 2014

“The #1 biggest mistake companies make when it comes to securing sensitive data”

Keeping sensitive information secure from theft and vulnerability in today’s digital world isn’t as easy as putting a lock on the file cabinet – especially with the widespread adoption of cloud computing. And even if you take every precaution with your online accounts and identifying information, there are many ways that information can land in another individual or company’s data management systems, where it can then somehow be made vulnerable.

At Digital Guardian we specialize in helping businesses manage and secure various types of company data. Our top priority is helping our customers keep their sensitive data where it belongs and as secure as possible. To get a better picture of the current state of enterprise data protection we interviewed data security experts on what matters most when securing sensitive data.

To do this, we asked 34 data security experts to answer this question including Jonathan Gossels. Click here to read the full article.

Jonathan Gossels

The biggest mistake companies make when it comes to securing sensitive data is…

The lack of understanding where their sensitive data resides because they have not set policies to systematically and consistently categorize their data, and consequently, they don’t have controls in place to ensure that all categories of data are handled appropriately.

For example, if a company has a policy that says any data set that contains personally identifying information is considered to be “sensitive” and has to be encrypted both in transit across a network and at rest, and the company has implemented technical controls to enforce that policy, it is very likely that the data set is safe.

There is also a user education dimension to this problem – users need to understand the sensitivity of the data they work with and their role in keeping it safe. In many cases, this involves educating users about what not to do.

For example, access to payroll data is usually restricted to those employees that process the payroll and those that review it. This is usually done within a payroll application that has built-in security and access controls. Payroll data and similar data sets should NEVER be downloaded onto an unsecure laptop, thereby undermining all the required controls. As in a very public data breach that occurred a few years ago, when this laptop was lost, millions found themselves risk for identity theft.

The best way to secure sensitive data is to do the basics well (like blocking and tackling in football). Understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.

Jonathan Gossels is the President of SystemExperts, a network security consulting firm specializing in IT security and compliance.

How Do I Secure Sensitive Data?

How do I secure sensitive data?  The first step is knowing where your sensitive data resides. Second is having set policies to systematically and consistently categorize the data and having controls in place to ensure that all categories of data are handled appropriately.

For example, if a company had a policy that said that any dataset that contain personally identifying information was considered to be “sensitive” and had to be encrypted both in transit across a network and at rest and it implemented technical controls to enforce that policy, the likelihood is that that data set is safe.

There is also a user education dimension to this problem; users need to understand the sensitivity of the data they work with and their role in keeping it safe.  In many cases this involves educating users about what not to do. For example, access to payroll data is usually restricted to those employees that process the payroll and those that review it.  This is usually done within a payroll application that has built in security and access controls.  Payroll data and similar datasets should NEVER be downloaded onto an insecure laptop, thereby undermining all the required controls.  As in a very public data breach that occurred a few years ago, when this laptop was lost millions found themselves risk for identity theft.

The best way to secure sensitive data is to do the basics well (like blocking and tackling in football). Understand what is sensitive in your data, set rules for handling it, implement technical controls to ensure it is actually handled properly, and educate your users about their role in keeping it safe.

 

7 more security tips for mobile users (Part II)

Joe Stangarone, writer,  MRCs Cup of Joe Blog, September 9, 2014

Summary: Users have notoriously bad security habits. The problem is, many of these users are now bringing their personal devices–and their poor security habits–into the workplace. Learn how these users can better protect themselves (and your data) with these simple tips.

Every time a list of user passwords gets leaked, we’re reminded of one scary fact: Users have horrible security habits. For example, can you guess the most popular password in 2013?

“123456.”

But wait, it gets worse. The next two most popular passwords: “password” and “12345678.” Yes, user security habits are that bad. Why is this becoming such a problem?

Well, these users–the same ones who feel that “123456” is a good password–are now bringing their personal devices into the workplace. Many even use their personal devices for work-related tasks.

Along with these devices, what else do they bring to your business? Their poor security habits. What happens if they store sensitive data on their devices? What happens if they use unauthorized devices for business? Without proper security habits, this could cause problems for your company. These problems could range from minor inconveniences to major security breaches.

So, how can users improve their security habits, and better protect your company data? As this is such a broad topic, we split it into two articles. In the first article, we outlined 7 important security tips for users. Today, let’s explore 7 more advanced (but still important) security tips that will help protect users and your company data.

1. Encrypt your data

Here’s a great question to ask: What happens WHEN you lose your mobile device? As mentioned in the first article, password protecting your phone is the first line of defense.

But, what happens if an attacker manages to access your device’s memory or SD card? If left unencrypted, your data is free for the taking.

“I’d recommend smartphone users encrypt their data; Android has this by default and you can choose to do the entire phone or just what is stored on an external SD card,” says Brandon Ackroyd, Head of Customer Insight atTigerMobiles.com. “The data is scrambled and only if the right password is entered is it decrypted. Apple allow this too, and emails, texts etc are already encrypted if you have a passcode switched on. You can take it a step further and encrypt the entire phone with use of a third party app.”

2. Back up your data

Most people don’t think about data backups until they need it–when they’ve lost their device or their data. But by then, it’s already too late. Any data that’s only stored on the device itself is at risk if not backed up.

photo credit: FutUndBeidl via photopin cc

“NQ Mobile’s survey showed that the number one thing that frightened people when it came to the valuable data on their phones was losing their contacts – yes, even more than having their photos or videos get posted publicly,” says Gavin Kim, President, International and Chief Commercial Officer of NQ Mobile. “And similar to locking your phone, this is an easy problem to fix. If your device doesn’t come with backup capabilities, download a backup app from a reputable app store or your wireless carrier. This way, if the worst happens, this is one less thing to worry about.”

3. Watch for Vishing and Smishing

By now, most people are familiar with “phishing” scams. Would-be attackers send fake emails hoping to trick their suspects into sharing personal data. While most consumers know not to click on questionable email links, we must now protect ourselves against similar threats: Vishing and Smishing.

“While basically no one falls for email phishing schemes, we all let our guard down when it comes to text messages and phone calls,” says Kim. “And scammers have taken note, responding with vishing (voice phishing) and smishing (SMS Phishing) schemes. Common cons include bogus websites that target travelers through enticing offers for events and attractions and even fake phone calls from your bank where the faux representative collects personal information then uses that to wreak havoc on your financial well-being. Combat these threats by treating your smartphone as you would your computer – don’t open questionable links, verify the url you go to is the url that you think, let poor grammar and misspellings be red flags, and don’t respond to unsolicited requests for personal information no matter what the Caller ID or email address shows.”

4. Double Check the URL field

URL redirects are a common tool for attackers. They display a seemingly harmless URL, which redirects you to a different site once selected. While easily detected on a PC, the small screen size of a mobile device make them prime targets.

“Be sure that the mobile site you are on is in fact the correct mobile site,” says Steve Pao, GM of Security Business at Barracuda. “Mobile phone internet browsers do not display the entirety of the URL, leading users to believe that the first snippet of the URL is taking them to the correct landing page. This isn’t always the case. Targeted spear phishing attacks that look like legit social sites can ask you to enter your user name and passwords as if you were logged out, and now have your sign on information.

Mobile users are often times multi-tasking with their phones in one hand and doing something else with their other, not paying attention to what’s going on on screen. In turn, people accidentally click through an in-app purchase or click on a ads that could take them to a compromised site. Best thing is to pay attention to what it is that you do on your phones. Mobile malware is picking up traction and is becoming more advanced. Don’t think because you are on your phone that you are invincible. Proceed with caution.”

5. Understand where your data lives

As cloud-based storage services become integrated into mobile devices, we face a problem. More and more, users don’t know where their data lives. Many unwittingly place sensitive data on the cloud, thinking it’s only stored on their device. Are they storing sensitive corporate data in an insecure cloud service? Does that service meet business security requirements?

photo credit: FutUndBeidl via photopin cc

“It is important for business users to understand where and how their data is being stored,” says Paul Hill, consultant with SystemExperts. “It is important for a business to be able to respond to e-Discovery requests, be able to ensure data is properly retained and destroyed when appropriate, and ensure proper access controls are applied. Many applications are now integrated with a variety of consumer-grade cloud storage services that may not meet all business requirements. It can be difficult for some users to understand where data is being stored, and what data may be available to third parties. If the business doesn’t provide a list of approved software and services, users should consult with their managers or their IT department to learn about the risks and make an informed decision.”

6. Use different passwords across sites

While more of a general security tip, it’s one that you can’t ignore: Avoid universal passwords. Your password must vary from service to service. Why? Well, what happens if hackers access your email password? Can they use that same password for your bank account? How about your social sites? Using different passwords limits your risk in the event of a data breach.

“If you’re using cloud backup services – use different passwords rather than having one universal password that you use for everything,” says Ackroyd. “If hackers or an unscrupulous individual get a password for one service, then they’re going to use it to try access others too.”

7. Use restrictive browser and app settings

Sometimes malware or spyware takes advantage of common browser holes to work their way into your device. If using your device for sensitive business tasks, enable the highest security setting possible. It may limit your abilities, but will help protect you against malware that relies on lax browser settings.

“Use the most restrictive of your phone’s settings for apps and Internet access,” says Kevin D. Murray – CPP, CISM, Director of Murray Associates. “Some phones will even flag the activity and warn you if the program tries to do more than it has been given permission to do.”

6 Popular E-Commerce PCI DSS Compliance Myths Explained

by Daniel Humphries, Managing Editor for IT Security research firmSoftware AdviceAugust 27, 2014

PCI DSS compliance applies to any business that accepts credit cards, whether they’re e-commerce or physical merchants. After all, just because your storefront is made of pixels and not brick-and-mortar doesn’t mean the PCI council is any less interested in how you secure your customers’ sensitive data.

But PCI DSS is complex, and lots of businesses struggle with compliance. Recently, we explored common PCI DSS audit failure points. In this article, we’ll dig into some of the myths and misconceptions surrounding PCI and e-commerce specifically—and, with the help of five leading compliance and security experts, explore how businesses can remediate those issues as they arise.

Myth #1: I’ve Outsourced Data, So I’ve Outsourced Compliance

The PCI council recommends that you segregate sensitive cardholder data to reduce the scope of compliance. If your business is online-only, then you can take the principle of “reducing scope” much further than a physical merchant, by outsourcing a lot of the “heavy lifting” to a specialized e-commerce platform.

In this scenario, third-party solution providers supply you with all the PCI-compliant tools you need to build your site, including hosting and even processes payments for you. Since they’re handling all the sensitive information, the burden of compliance falls on their shoulders, and you, the merchant, can sleep easy—right?

Well, not quite, says Jeff VanSickel, a senior consultant at IT security consultancy SystemExperts: “Even though you outsource, you still have the responsibility, as the merchant, to make sure that the payment processing company is PCI-compliant, and to check every year that they continue to be PCI-compliant.”

Clauses in a contract such as, “‘Payment processor must demonstrate on an annual basis that they are PCI-compliant with respect to services’…are the bare minimum,” says VanSickel. “If I’m an [online retailer], I want them to demonstrate to me a little bit more than that.”

To read about the additional PCI DSS Compliance Myths, click here for the full article.

Surviving a Breach

The Target breach is making many in the IT security field take a closer look at their company’s information security and compliance practices. I’d like to share here some of the questions and answers from a recent media interview looking at “How to Survive a Breach.”

1. Are most companies prepared for a cyber breach?

We find that many companies are not fully prepared to detect and respond to a breach. The companies who have not implemented a well-thought-out and documented logging and monitoring program cannot detect a breach – and hence will not be able to pro-actively react. This leaves the company in a high risk position, in that it will have to react to notifications from its partners, vendors and customers (not very pro-active).

During the Target breach, a monitoring system detected the breach. However, the monitoring alert was not reacted to because the system was not fully implemented.

For incident response, companies that are highly regulated are better prepared than companies that are not. It should be noted that companies that capture, process and store customer Personally Identifiable Information (PII) are required by most states to have incident management processes in place to notify customers of breaches. Most companies do not appear to be aware of the state requirements, and therefore handle breaches in more of an ad hoc fashion without having any formally documented incident response policies or plans.

2. What can a company do to prepare themselves for a cyber breach?

This first step is to establish and implement the ability to quickly detect a breach, with a strong Logging and Monitoring Program.

The next critical item is to establish and implement a process to react to identified security events, escalate to executive management, and notify customers, media and partners as appropriate.

3. Who should be in charge of managing the Incident Management Program?

There are many types of incidents (e.g., disgruntled worker with a gun, bomb scare, cyber breach) and there are many groups within a company that should be involved with the different required decisions that come up over the course of an incident. The program should define a core cross-functional group responsible for the overall process, generally including:

  • Executive Management
  • Legal
  • Public Relations (for controlling media attention)
  • Information Security
  • Information Technology (for technology-related incidents)
  • Human Resources (for personnel-related incidents)
  • Facilities (for facility-related incidents)

A single group should champion the incident management process to ensure that:

  • General staff are educated about identifying and reporting suspicious events
  • The process is adequately documented and readily available to the members of the incident response team, which may be different for each incident.
  • Staff (that would be selected to address an incident) are trained in the incident response process

4. What are the general compliance requirements associated with an Incident Management Program?

The Payment Card Industry Data Security Standard (PCI-DSS) mandates:

  • Security incident response and escalation procedures
  • An incident response plan
  • Annual testing of the incident response plan
  • Personnel be available 24/7 to respond to alerts
  • Training on breach response responsibilities
  • Linkage from security monitoring systems
  • A process to evolve the incident response process

The Health Insurance Portability and Accountability Act (HIPAA) mandates:

  • That a Security incident process be in place
  • A documented set of procedures to identify, respond to, mitigate, and document security incidents and their outcomes
  • That a breach notification process be in place to notify impacted individuals, the media and the Secretary of DHHS upon the discovery of a breach of Protected Health Information (PHI)
  • That the company enforce a breach notification process over its business associates

For Financial Institutions, that must comply with the Gramm-Leach-Bliley Act (GLBA), the institution must implement response programs that specify actions to be taken when the institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies

5. What will a breach cost a company, in terms of money, reputation, and continued ability to do business?

I would point to the Ponemon Institute, as they provide numerous studies on the impact of breaches. For example, a couple weeks ago, Ponemon published the Fourth Annual Benchmark Study on Patient Privacy & Data Security.

 

Don’t Forget the Basics to Protect Against Security Threats and Your Online Reputation

Jessica Merritt of Online Reputation Management  recently asked the question —  what are the biggest security threats facing companies today and how do they have the potential to effect reputation? In her article – click here – she identifies 9 tips to protect against security threats and compromised reputations. While one of my tips was included in her article, I’d like to add the following advice to help companies protect  against a cyber attack:

When it comes to information security many organizations, no matter their size, lose sight of the basics. Performing the proper due diligence around the “basics” can provide a solid foundation for advancement in computer resources and protection against the hacks and breaches.

Paraphrasing Kevin Mitnick from his 2000 testimony to the U.S. Senate Committeeon Governmental Affairs (14 years ago), companies spend millions of dollars on the“solution,” to only ignore the weakest link in the security chain – the human factor.

Many of the hacks and breaches (social media, credit card, etc) I would surmise arefrom missing the basics, including security awareness and training for the end-user. It is not uncommon these days to walk into a small shop/office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out. Providing basic user awareness in a fun and positive way can go a long way.

The “basics” – such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least privileged account access are still being missed today. How we implement these items is relative to our business.

Implementing these “basics” takes resources and discipline, so it is not an effort to be taken lightly. Often these basics get swept under the rug and forgotten about – a server is built with extraneous services available and/or developer’s administrative credentials are left on that box when it goes into production. It’s these “basic” things that add up and present risk to an organization.

7 Security Tips for Mobile Users

Joe Stangarone, writer,  MRCs Cup of Joe Blog, August 12, 2014

Summary: As smartphone usage grows in the business, many users still don’t understand proper security practices. If not addressed, this problem could put their (and your company’s) sensitive data at risk. Learn how your users can better protect themselves from mobile security threats. 

The rise of smartphone and tablets in the business opens up a new world of opportunity. We’ve seen businesses use them for all sorts of tasks. For instance, we’ve seen businesses use smartphones to:

  • improve productivity,
  • automate manual processes,
  • improve data accessibility,
  • and much more

But, besides all these benefits, smartphones create something else: new security risks.

As more employees adopt smartphones, many still aren’t aware of proper security practices. If not addressed, this problem could put your sensitive corporate data at risk.

Today, let’s uncover some mobile security tips that could help you avoid a security breach. Now, this is a broad topic, so I’m breaking it up into two articles. We’ll cover some security tips now, and the rest in an upcoming article. Sounds good? Alright, here are 7 security tips for mobile users:

1. Be wary of public WiFi (and bluetooth)

Public WiFI hotspots are convenient…but insecure. Here’s a good rule of thumb when using public WiFi: Assume someone is watching.

Does that sound a little paranoid? Consider this: A few years back, researchers created a Firefox plugin called “Firesheep.” They built it to highlight the security risks of public WiFi. What does it do? Firesheep lets anyone watch your activity on an unencrypted network (like public WiFi). No hacking skills needed.

That should make you think twice before pulling up sensitive information on a public network.

2. Use a VPN

So, should you avoid all public WiFi? Not necessarily. If you must use public WiFi, protect yourself with a Virtual Private Network (VPN). As explained below, a VPN installed on the device will help protect you from the risks of public hotspots.

3. Secure your device with a password

Here’s a shocking statistic: 3.1 million American consumers were victims of smartphone theft last year. That number will rise this year.

What’s worse: Most consumers still do not lock their phones. They don’t use passwords, pass codes, unlock patterns, etc… What does that mean? If their phones are ever stolen, the thief has instant access to everything on the device.

4. Use Lock/locate/wipe software

The best security advice: Assume your phone will get lost or stolen. How will you get it back? How will you ensure that your (or the company’s) sensitive data isn’t compromised? As explained below, you must be able to remotely locate or wipe your phone if necessary.

“Devices should be configured so that they can be remotely locked, located and wiped in the event of loss or theft,” says Paul Hill, Consultant with SystemExperts. “All staff should be taught to promptly report a loss or theft so that the device can be remotely locked, wiped, or located, in a timely manner.”

5. Don’t store sensitive corporate data on the device

Even if you take the above precautions, a determined thief could still access data on a phone with the right tools. The best defense: Don’t store sensitive corporate data on your device in the first place.

What does this mean for the business? How do you give employees access to the data they need while maintaining security?

6. Be cautious with apps

Going one step further, you should approach every app download with caution–even those from reputable app stores. Why? Once installed on your phone, apps can access most everything on the device. Carefully inspect how much access an app requires before installing it. The app’s access requirements might surprise you.

7. Use anti-malware software

As smartphones become more popular, the amount of smartphone-specific malware grows. We’ve reached a point where our phones need malware protection almost as much as our PCs.

Expert Recommendations for Protecting Your Company from a Cyber Attack — and a Compromised Reputation

Online Reputation Management — Jessica Merritt, August 2014

With such serious security risks threatening every organization’s reputation, it’s clear that companies can benefit from tight security. And we’ve seen that even companies like Target that may think they have security under control still have serious room for improvement. How do security experts recommend that companies protect against security threats and compromised reputations? Read on for their recommendations: 

  • Give security the attention it deserves: “When a company’s reputation is at stake, it’s a grave error to treat security as a mere compliance checkbox,” says Maler. Perhaps the most important step to better security is realizing that it’s likely you can always do better.
  • Get help from customers: Maler recommends instilling confidence and better security simultaneously by getting customers involved. “Better security doesn’t have to impose new inconveniences on customers if you weave contextual factors into user interactions, such as treating the use of previously unseen devices or surprising combinations of time, place, and task as more suspicious,” she says. “You can even ally with your legitimate customers to be on the lookout for bad actors by letting them configure the ability to receive notifications of account activity as it happens.”
  • Secure networks, no matter what: “Whether you’re 500 employees strong or just a two-man operation, it is always important to work over a secure network,” insists Vysk Communications CEO and cofounder Victor Cocchia. “In the office, Wi-Fi connections should be placed behind the company firewall. When mobile, always use a Virtual Private Network (VPN) connection when signing in to any outside or unknown Wi-Fi system. You can setup your own VPN for as little as $199.” He recommends that instead of using public cloud services like Dropbox or Google Drive, companies should utilize VPN and private servers.
  • Make customer privacy a priority: Cocchia recommends that companies implement and enforce robust privacy policies and practices. This includes Secure Sockets Layer (SSL) certificates, and policies against discussing or transferring data like passwords, company financials, and credit card numbers over non-secure channels such as email, text, or Skype.
  • Add multiple layers of authentication: Missouri University of Science and Technology professor of computer science Dr. Sanjay Madria encourages organizations to think beyond login and password access. He points out that many companies still use only one level of authentication, and while many are now adding multiple levels, they still have a long way to go.
  • Boost employee security training: Employees are often the first line of defense (or access) for hackers. Roth shares that businesses need to educate employees. After all, security tools are only as good as the people using them. “Tell employees to not open up shady e-mails, or to hover over any links to make sure they are going to the right place,” says Roth. “Don’t download attachments and files from e-mails you are not aware of. When you are online, be sure to only visit safe sites and always have your antivirus and firewalls up to date.”
  • Insist that company devices remain secureSystemExperts consultant Jason Rhykert points out, “It is not uncommon these days to walk into a small shop/office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out.” This is clearly a security risk — and one that must be contained.
  • Use adequate firewalls to protect sites: Roth warns that a free software firewall is not enough. Major firewall protection should be used, and it’s important that patches are installed and up to date on all of your servers. Roth also encourages companies to keep as much information disconnected from the Internet as possible.
  • Don’t overlook the basics: Rhykert encourages companies to not forget about basic security protocols. He insists that companies need to cover basic but essential issues like end user awareness, strong passwords, how to spot phishing/vishing attacks, disabling/filtering unnecessary services, patches, the concept of least privileged, and change control.

See more at Online Reputation Management. 

 

Will security problems kill the cloud as we know it?

The cloud is here to stay. The industry continues to strive for understanding of the myriad of security concerns and develop methodologies for evaluating the risks. Existing, mature, security frameworks continue to provide a strong basis for evaluating the risk but there are a small number of additional issues that should be evaluated when performing an assessment.

When making a decision about whether or not to use a specific cloud service for a specific purpose a risk assessment should be performed. Hopefully, when it comes time to make the evaluation the project has specified what types of data will be exposed to the cloud service. If a business already has mature data information classification and handling policies, it may be easy to determine if the cloud service meets the basic data handling requirements. For example, what encryption algorithms are supported, where does the data get encrypted during the data flow, and what are the transmission protocols.

However, when evaluating the security of a cloud service vendor many other factors must be considered. For example:

  • What are the hiring and termination practices of the service provider?
  • Are background checks performed?
  • How quickly and thoroughly is employee access terminated when an employee departs the service provider?

It is also important to understand how the service provider manages physical security to its data centers. Many companies have used the ISO 27002 (Information technology – Security techniques – Code of practice for information security management) standard to evaluate the security of cloud service vendors before making a decision to use the service offering. This does provide an excellent basis for evaluating a cloud service provider. However there are some issues it does not address.

Many cloud storage / storage providers perform some data mining on customer data or metadata. This is one topic not covered by ISO 27002 but understanding what data may be collected, mined, and sold to third parties should be considered when evaluating the risk.

Another topic not addressed by ISO 27002 is that issues that may arise as the result of subpoenas and eDiscovery. In a traditional data center environment, the subpoenas will be served to the company that collected the data. That means the company will receive notice of the investigation and have a chance the challenge the order. However, when using a cloud service provider, the provider is more likely to receive the subpoena or administrative order. In many cases, the company that collected or created the data will not be performed, and the cloud service provider likely has little if any incentive to challenge the order. Some companies may actually consider this a positive aspect of using cloud services, while for others this may be a critical concern that prevents cloud adoption.

The Cloud Security Alliance (CSA) has also developed the Cloud Controls Matrix (CCM) as a means of evaluating the security of cloud service providers. It covers many of the same topics as ISO 27002, but it is written to specifically focus on cloud services. The CSA announced the most recent version (3.0.1) of CCM on July 16, 2014. The CSA also released version 3.0.1 of the Consensus Assessments Initiatives Questionnaire (CAIQ) on the same day. The CAIQ is a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. The questions are based off of security controls found in the CCM.

Tips for Minimizing IT Security Risks at Work

The unfortunate reality is that you are at the same risk level at work as you are anyplace else. In other words, you should protect yourself at work as if you are using a public Wi-Fi at the local coffee shop. Why is that? Email phishing and infected websites (e.g., with ransomware) are two of the most prevalent types of Internet security risks.

Most of the things that you can do to protect yourself are simple, common sense actions that you can easily control: Internet security is not really about complex, expensive or pervasive technology. Unfortunately, the bad guys prey on the fact that most people won’t follow these simple rules.

Here are some basic yet effective tips on helping to protect both you and your employer:

  • Keep your browser up to date with the latest installations
  • Don’t click on links in emails that you are not absolutely sure are safe
  • Use antivirus products that have URL safe lists and block known harmful sites
  • If you are making an online purchase, never enter your credit card unless you see that the site uses SSL (i.e., HTTPS) to keep your credit card secure while the data transits the Internet
  • An up to date browser has everything you will need to browse the Internet. If a web site asks you to download something, the general rule is DON’T
  • In email remember the most basic principle of all: no business or organization that you already have a relationship with is going to ask you for sensitive or private information. If an email is asking you for anything like that, it is likely an attempt to steal your identity
  • This one will make your eyes roll, but it’s true: use strong passwords and change them periodically