Employers overlook a key ally in preventing cyberattacks: HR departments

by Caroline Hroncich, associate editor, Employee Benefit News, September 24, 2018

Everyone gets them — an email message that looks exactly like it came from a co-worker or a supervisor. It may come with a link that asks an employee to log in with a company username and password. To the untrained eye it seems harmless.

But employees need to think twice before they click, warns Monica Minkel, senior vice president and regional director of insurance brokerage and consulting firm USI Insurance Services. These are the kinds of scams, she says, that lead to major cybersecurity breaches — and major headaches for employers.

“These claims are like spider webs,” she says. “It’s one thing that happens that leads to about 10 other things that happen.”

The number of attacks on company computer systems is on the rise. The average number of security breaches per year increased by 27.4% in 2017, according to a report from Accenture. But by the time an attack occurs, it may be too late. Discussion on preventing a cyberattack should happen before the breach even occurs, experts say, and human resource departments need to play a key role in preventing these attacks.

Traditionally, new hires are required to complete an HR-facilitated cybersecurity training during their first few weeks in the office. But a single onboarding training session is not enough anymore, experts say.

A small mistake by an unsuspecting employee is often at the center of a major security breach, says Jon Gossels, president and CEO of IT compliance and security consulting services company SystemExperts.

But Gossels says the “fundamental problem” is that many employers still don’t view cybersecurity as an HR issue, and too many place most of the burden on IT. In reality, cybersecurity is a business-wide problem, he says, and shouldn’t be concentrated in IT alone.

“It’s the human side of things that inevitably breaks down,” he says.

Having a solid employee training program in place can help prevent a cyberattack, Gossels says. Employees may not understand why, for example, you shouldn’t take important company data home, he says, and these kinds of things should be thoroughly demonstrated in training.

“It’s important not to just tell people the rules, but to explain why,” he says.


How to Protect Your Security Online

I was recently asked a series of questions about how to protect your security online. I’d like to share the answers here – and please feel free to reach out if you have any comments.

1. How can you create the best passwords that are hacker-proof but easy to remember?

The best passwords aren’t words, but phrases. Pick something that you won’t forget and that has personal meaning, but that an outsider would have no way of knowing: a line from a favorite song, an inside family joke (e.g., “sneeze your brains are dusty,” “get a horse,” or “people like macadamia nuts”), or the opening line of a favorite book (e.g., “Call me Ishmael,” “Arma virumque canō,” “Mr. and Mrs. Dursley, of number four Privet Drive”).

Of course, you can abbreviate and substitute numbers and special characters to make the pass phrase more obscure – G3t@h0rs3 for “get a horse.”

2. If you can’t remember your passwords, what’s a safe way to store them?

There are many commercial and free password storage tools available. For most people, simply storing them in a (low tech) paper notebook or a simple text document with an innocuous file name is sufficient. Security professionals hate Security by Obscurity instead of real security controls in corporate settings, but for a personal system, who would know that the file name “Grandma’s Easter Recipes” is actually your list of passwords?

3. What is a safe way to answer security questions (i.e. when they ask for your pet’s name, or the school you went to, etc.) that hackers wouldn’t be able to guess?

You should always answer these questions truthfully, so you will know the correct answer if you need to reset a password or access an account. But don’t choose challenge questions that are based on publicly available information or that a hacker can answer with a few keystrokes, such as “mother’s maiden name.” Most challenge-response authentication tools on major web sites offer a selection of questions. First pet’s name, favorite food, childhood friend’s name – these are all great choices because they are things only you would know, but will never forget.

4. How can you protect credit cards from “e-pickpockets?”

Protecting your credit cards is REALLY important. There are two issues here: theft and identity theft.

First, designate a single credit card you will use only for online purchases. That way, it will be obvious if there are fraudulent charges when you review the monthly statement.

Second, to guard against identity theft, we need a tiny technical lesson here. Every web site has an address, or URL. We know them as cnn.com, accuweather.com, etc. The full URL in your web browser looks like http://www.google.com. Before you ever enter a credit card number (or any other sensitive information) on a website, look for the URL to start with https:// – the “s” is for secure transmission. https://www.amazon.com means that the information you submit will be encrypted in transit over the Internet, so it cannot be read by anyone eavesdropping on the connection.

5. What’s an easy way to tell if an ATM has been compromised?

It can be difficult, but there are ways to tell if an ATM has been compromised. When you step up to the ATM, pull and jiggle the card reader to see if it moves more than it should. Some thieves will cover the official card reader with a fake replica to skim your card number without you knowing. You can also look for any suspicious objects on or near the ATM that might contain a spy camera to watch you enter your PIN. Lastly, avoid using ATMs outside or in dimly lit areas – they are much easier for a thief to tamper with. Your best bet is always an ATM located inside a bank branch.

6. Is there any way to keep your Facebook photos from being stolen to make a fake account?

This is called social engineering, and it’s hard to prevent outright. Anyone you have granted access to your Facebook or other social media accounts can technically copy any of your photos and other content. So, be smart about what you post on social media, especially if your account is public. If you are worried about a particular image being stolen or used inappropriately, you can also use Google’s “Reverse Image Search” to see if it’s been posted anywhere else on the web. The tool is available at https://images.google.com – click the camera icon that says “Search by Image” and paste the image you’d like to search for.

How Do You Define Success for a Cyber Security Team?

Is it risk reduction? Training employees? Fighting back against targeted attacks?

The easy answer to this question is to build a comprehensive and mature Security Program. The difficult part is identifying every critical component that makes this a success. Remembering that any security program is only as strong as the weakest link, you must build layers of security that act as both active barriers and safety nets that complement each other. Five of these components are listed below:

  1. Executive Support – All programs are doomed to fail without the full support and financial backing at the highest level. Be sure to define and clearly explain what is considered to be Best Practice and how this directly affects the business.
  2. Experience – While training and security awareness is valuable, there is no substitute for experience. Bring in at least one expert who has real hands on experience to guide and mentor the team.
  3. Plan – Build a detailed three-year plan. Use this for communication, financial and project planning, but most importantly, this can help you measure progress and eventual “success.”
  4. Align to a Security Framework – Choose between one of the leading frameworks such as ISO, NIST, or equivalent. These frameworks not only define specific controls that must be in place for any program, but also help to measure the effectiveness of your program.
  5. Test – Now that you have the core security components in place, have the network layer scanned, as well as the application layer with both static and dynamic scans. This is not a one-time event as new vulnerabilities are created and altered every single day. Again, this is an excellent measure of success that can be used to provide specific evidence for the executive team, which in turn, will be needed to maintain and enhance your successful cyber security program.

Q&A On Reconstructing Data After a Disaster

I was recently asked about best practices for a business to reconstruct its data after a disaster by John Edwards, TechTarget. John included my tip noting that once a disaster involving data loss is identified, you must act fast to preserve your environment to prevent further damage, and to protect the archived data itself. Here are some additional tips for reconstructing data after a disaster:

1. What’s the best way for a business to reconstruct its data after a disaster?

When a disaster involves data loss, it is often difficult to be sure of what data was destroyed or corrupted, unless of course there is complete data loss or an incident involving ransomware or encryption. For that reason, it is often best to conduct a complete restore of the device or server affected using an image.

2. How should the process be handled if the data is stored on various platforms?

The process should not vary greatly based on the platform alone, however, the restore options will vary slightly.

3. How can reconstructed data be verified for accuracy?

Assuming technical solutions to verify accuracy, such as checksums, are not available, the best method to verify accuracy is the manual comparison of the restored data against the transaction logs.

4. What steps should be taken if some critical data is missing?

During any restore process, it is very likely that some amount of data will be lost. This can be minimized by near real-time replication. However, no method will ensure complete restoration of data in all situations. Gaps in data must be recreated using the transaction logs noted above.
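As an added example (not part of the original Q&A), here is how answers 3 and 4 can be made mechanical when a checksum manifest does exist: a Python script that hashes every file at backup time and, after the restore, reports which files came back intact, which were altered, and which are missing and therefore need to be recreated from the transaction logs. The manifest format, the directory layout and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Walk a directory tree and record the SHA-256 of every regular file.

    Run this when the backup or image is taken and store the result with the backup,
    preferably on separate media so the manifest cannot be altered by the same incident.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of_file(p)
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the pre-disaster manifest.

    Returns four lists: files that match, files whose content changed, files that did
    not come back at all (the gaps to recreate from transaction logs), and files that
    exist in the restore but were never in the manifest (worth a second look after a
    malware incident).
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    restored = build_manifest(restored_root)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: manifest taken before the disaster, then an imperfect restore."""
    with tempfile.TemporaryDirectory() as tmp:
        before = Path(tmp) / "before"
        after = Path(tmp) / "after"
        for root in (before, after):
            (root / "ledger").mkdir(parents=True)
            (root / "ledger" / "2018-q1.csv").write_text("acct,amount\n1001,250.00\n")
            (root / "notes.txt").write_text("routine maintenance\n")
        (before / "ledger" / "2018-q2.csv").write_text("acct,amount\n1002,75.00\n")
        manifest = build_manifest(before)
        # Simulate a bad restore: q1 came back altered, q2 never came back, a stray file appeared.
        (after / "ledger" / "2018-q1.csv").write_text("acct,amount\n1001,999.99\n")
        (after / "stray.tmp").write_text("x")
        return verify_restore(manifest, after)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:10s} {files}")
```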

5. What are the biggest mistakes businesses make while reconstructing data?

It would be a mistake to assume that file level restores will correct an incident. For example, during a virus attack, it may appear that the target was a single file, folder or user. In reality, the target may be much bigger, and a seed may have been embedded to inflict widespread damage during a timed event. Many times, the only way to rid the network of all damage is to image restore back to a specific date and time prior to the incident.

6. Do you have anything else you would like to add?

Redundant and geographically dispersed backups provide many benefits and options. Having the ability to file level restore or image restore provides great flexibility, while also providing a second copy of the data if backup data is also affected by the disaster.

Survey: Small construction companies lukewarm on tech investment

by , author, Construction DIVE, February 28, 2018

Dive Brief:

  • A recent customer survey from small business funding site Kabbage revealed that fewer than 35% of small construction companies planned to make investments at some level this year in technologies that could help their businesses and further bring them into the digital age.
  • More than 65% of contractors who responded to the study did not have a plan to invest in tools like big data solutions or mobile technologies, and the same percentage was either neutral, against or not likely to spend more than 20% on social media advertising.
  • Kabbage also found that even with well-publicized cyber attacks and other computer-related crimes, not even 40% of small construction firms planned to invest in cybersecurity. More than 50% of the contractors surveyed, however, answered that they planned to streamline their operations in 2018 by getting rid of paper and manual processes.

Dive Insight:

The construction industry as a whole is starting to shake the “slow adopter of technology” label, but surveys like the one from Kabbage indicate that there is a category of contractor that still is resistant to technology no matter the benefits or the protections it could provide.

Executives of small companies may believe that cyber criminals only target big contractors, but that’s not the case. Todd O’Boyle, formerly with Percipient and now director of product management at WatchGuard Technologies, told Construction Dive that small and mid-sized businesses also are at risk of a cyber attack. No matter their size, construction companies, he said, tend to be high-cash-flow businesses, making them perfect targets for cyber criminals. Jonathan Gossels, president and CEO of SystemExperts, added that even the smallest construction business has something of value to criminals.

And while small construction companies might not have the cloud setups or integrated systems that larger businesses do, many of their employees use tablets and smartphones to help them conduct business, which leaves those firms open to cyber attacks. For example, phishing emails only need one person to click on one link to give criminals access to confidential information.

To better protect company data, attorney Michelle Schaap of Chiesa Shahinian & Giantomasi said contractors should at the very least keep their firewalls and anti-virus software up to date (although that’s no guarantee that new malware can’t make it through those protections). Schaap said contractors should also partition information so that if one device comes under attack from a virus or a scam, the rest of the company’s devices and digital technologies aren’t affected.

How to Prevent a Ransomware Attack

It is always better to be proactively prepared and prevent ransomware attacks than having to react after an attack occurs. Paying the ransom is not recommended.

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and McAfee – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Steps you can take to prevent a ransomware outbreak:

  • Require all devices to have active, up to date antivirus software installed that cannot be disabled by the end user.
  • Educate all users about the risks of ransomware and appropriate use of email.
  • Educate your users about how to view file extensions and which file extensions can potentially cause problems.
  • Do not let users be local administrators and/or run email or web browsers as an administrator or privileged account.
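As an added illustration of the file-extension bullet above (example code, not from the original post), this Python helper classifies attachment names the way a mail-gateway or help-desk triage script might: it flags executable and macro-enabled extensions, plus two disguises that hide the real extension from a user whose file manager hides extensions, a double extension such as invoice.pdf.exe and a right-to-left override character. The extension lists are an assumption chosen for illustration, not an exhaustive policy.

```python
import re

# Assumed lists for illustration: extensions Windows will run or that can carry
# macros or scripts, and document-like extensions that are used as decoys.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
                   "wsf", "wsh", "ps1", "hta", "msi", "jar", "cpl", "lnk", "reg"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_LOOKALIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
RLO = "\u202e"  # Right-to-Left Override: makes the tail of a name display reversed


def classify_filename(name: str) -> dict:
    """Return the real final extension, the disguises found, and a high/low risk verdict."""
    findings = []
    if RLO in name:
        # "photo<RLO>gnp.scr" displays as "photorcs.png" but the OS sees ".scr"
        findings.append("rlo-override")
        name = name.replace(RLO, "")
    parts = name.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        findings.append("executable")
    if final in MACRO_EXTS:
        findings.append("macro-enabled")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LOOKALIKE_EXTS and final in EXECUTABLE_EXTS:
        findings.append("double-extension")
    # A run of spaces before the real extension pushes it out of view in narrow dialogs
    if re.search(r" {5,}\.[a-z0-9]+$", name.lower()):
        findings.append("padded-extension")
    return {"name": name, "final_extension": final, "findings": findings,
            "risk": "high" if findings else "low"}


def flag_attachments(names: list[str]) -> list[str]:
    """Return the attachment names that should be quarantined or reviewed before opening."""
    return [n for n in names if classify_filename(n)["risk"] == "high"]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real incident.
    sample = ["quarterly-report.xlsx", "Invoice_2018.pdf.exe", "budget.xlsm",
              "photo" + RLO + "gnp.scr", "resume.pdf" + " " * 20 + ".exe"]
    for n in sample:
        print(classify_filename(n))
```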

Steps you should take to prepare for a ransomware outbreak:

  • Ensure that you have working backups that can be used to restore all critical or essential data.
  • Test your restoration processes, and know how long a restoration will take.
  • Ensure that the backup system is segregated from users so that if a user’s machine is infected with ransomware, it cannot spread to the backups.
  • Educate your users about how to report an outbreak of ransomware and what steps they should take right away.

Steps you should take after an attack occurs:

  • Eradicate the infection.
  • Restore from backups.
  • If the backups are encrypted or destroyed by the ransomware, check to see if the keys to decrypt your data are available from a free source, rather than attempting to pay the ransom.

The Crypto Sheriff link will help the people behind the NoMoreRansom.org site check whether there is a solution available. If there is, the site will provide you with the link to download the decryption solution. See https://www.nomoreransom.org/crypto-sheriff.php?lang=en.

Of course, if the NoMoreRansom.org site is not able to decrypt your files and you are unable to restore your files from backup, you have to assess the risk of actually paying the ransom. Remember that paying the ransom may not result in the restoration of your files. But for some companies, the choice is to cease business forever, or pay the ransom. It is much better to have all of the preventive and recovery controls in place before ending up facing such a decision.

Protecting Systems and Data for a Traveling Workforce is Crucial

by Samuel Greengard, writer, Security Roundtable, January 24, 2018

Mobility is at the center of today’s enterprise. Employees rely on smartphones, tablets, and personal computers to access data anywhere and at any time. It’s no news flash that these devices are now a critical piece of the enterprise productivity scheme. Yet, all the gain doesn’t come without some pain: employees carrying devices and data wherever they go—and sending and receiving data and files over the air—dramatically increases the odds of a security breach.

“There are enormous risks associated with the loss of data and information,” said Benson Chan, senior partner for Strategy of Things, a Hayward, California, technology-consulting firm. “Today’s business environment makes it very easy for data to be lost, stolen, or otherwise compromised.” This encompasses everything from how people use and store laptops on business trips to how, when, and where they use public Wi-Fi networks and personal devices.

What this all means is that it’s essential to create a framework for protection. According to Paul Hill, a senior consultant at SystemExperts Corporation in Sudbury, Massachusetts, a program must focus on three key areas: device configurations, physical security, and the use of networks. “Companies should provide detailed guidance on the acceptable use of mobile devices to all traveling workers,” he explained. “The guidance should be based on the perceived risk resulting from the type of data that travelling workers might access, could have stored on the device, and where they travel.”

Risky business

There’s certainly no shortage of news reports about laptops and data being lost or stolen. These incidents not only pose a threat by exposing the data on the device, they can lead to further breaches or break-ins. They might also lead to legal problems. For example, in 2015, EMC and Hartford Hospital agreed to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop that was stolen from an EMC employee’s home. It compromised personal data for 8,883 residents of the state.

Data thieves also intercept data over the air and establish free Wi-Fi networks—sometimes with SSIDs that trick users into thinking they are legitimate networks—to take advantage of harried travelers. Yet, even a legitimate network at a hotel or coffee shop represents real-world risks. Anyone with access to the password can lurk on the network, view activity, and use specialized software to steal data. A password and login simply aren’t adequate for ensuring security and privacy.

According to Terry Young, senior product marketing manager, at Palo Alto Networks: “Today, the risks come from many directions.”

Secure Horizons

Here’s how your enterprise can better protect devices and data when employees hit the road:

Focus on device configuration. IT teams should ensure that all devices require a password, pass phrase, or PIN access, Hill said. In addition, mobile devices must have full system or full disk encryption enabled. These devices should have malware protection installed and the systems should be configured so that end users cannot shut them off or modify the security software in any way. It’s also wise to require the use of a virtual private network (VPN). “A VPN adds another layer of security,” Chan said.

Provide protection for devices. A growing problem, Young noted, is a lack of protection on mobile devices. This is particularly a problem on Android devices, which come in hundreds of different models. “We are witnessing an uptick in malicious activity on the Android platform,” she said. Not only can devices wind up compromised, but hackers and attackers can worm their way into an enterprise network and unleash spyware, ransomware, and other threats. In some cases, attackers might use Android phones to propagate Windows malware. “It’s critical to use malware protection and monitor devices and activity,” Young added.

Address physical security. Many problems occur because workers fail to follow basic precautions and protocols when they are working outside the office. One fundamental safeguard is avoiding business centers and kiosks at hotels, airports, and other locations.

Hill noted that several other critical precautions are important: make sure devices are locked in the trunk of rental vehicles; always place mobile devices in carry-on luggage; power down devices at international borders; and inform corporate security if an agent demands a login or forces an employee to disclose a password. Chan said that a privacy shield is essential on airplanes and other public locations. “People should always be aware that someone sitting next to them could be a competitor or a thief.”

Keep an eye on Wi-Fi. Wireless technology also represents real-world risks. “Employees should be extremely cautious about using hotel networks or public Wi-Fi hotspots,” Hill warned. Airline Wi-Fi is also a serious security concern, since it’s a public network. “In general, these networks should only be used in conjunction with a company VPN.

However, a VPN does not mitigate all threats when using these networks. Employees should be trained in what to be suspicious of and how to identify a valid SSID.” One way to avoid the problem altogether is to supply employees with a Mi-Fi connection option or ensure that they use a personal hotspot through their mobile phone. If an organization opts for the latter, it’s crucial to configure devices with a strong password.

Likewise, it’s important to ensure that Internet of Things (IoT) devices and personal accessories are properly configured. Bluetooth is especially vulnerable. “Companies should provide employees with guidance on the acceptable use of Bluetooth devices, acceptable profiles, and how to properly configure devices securely,” Hill said.

Forward thinking

A traveling workforce represents the classic challenge of balancing productivity and security, Chan concluded. What’s more, as the use of mobile devices has become pervasive—and the cloud has entered the picture—the goal of protecting sensitive data has become more difficult.

Securing devices starts with establishing clear policies and strong controls. Organizations frequently benefit by using mobile device management (MDM) software that can track, oversee, and wipe lost or stolen devices. “But technology and processes are not a silver bullet,” Chan warned. “Organizations still face a basic problem: If someone decides to bypass controls, whether intentionally or unintentionally, they have created a gap.” He suggests adopting a balanced approach that focuses on three things: technology, policies, and education. “In many cases, security gaps occur because someone is simply trying to get their work done and they require Internet access.”

It’s also important to conduct audits and keep an eye on evolving technology. In the end, according to Chan, good security practices are as much about behavior as they are controls and enforcement. “People must understand what puts data at risk and when they are engaging in risky activity. If something is extremely sensitive, then it’s wise to ensure that you’re on a secure network and using encryption or take it offline.”

Why Phishing and Social Engineering Continue to be so Popular

Phishing and social engineering continue precisely because they are so effective!

Sophisticated User: If you are the vice president of customer service and you receive an email purportedly from the Better Business Bureau that contains a link to Complaint #67587 about one of your products, how do you not click through on that embedded link?

Unsophisticated User: If you are an 80-something grandmother and a scary red screen pops up on your browser that looks superficially like it is from Microsoft and telling you that your system has been compromised, how do you not click on the embedded URL?

My brother has a great sense of humor, but knows nothing about computer security. It takes discipline not to click, from my work computer, on the embedded links he sends to a joke or video, even though I completely trust the source.

Here are a few tips to follow:

  1. Develop an appropriate use policy that spells out how corporate IT resources can and cannot be used. For example, don’t visit shady web sites at work.
  2. Don’t click on embedded hyperlinks in an incoming email message from someone you don’t know and trust. Too often, it is a malware vector.
  3. Don’t share passwords – IT should set minimum password quality standards.
  4. Don’t ever download software onto a work machine when a web site requests you to do so – your browser has all the software you need. Let the IT professionals take care of any software updates or upgrades.
  5. Don’t copy data from a controlled production environment (like an HR application or accounting system) to an uncontrolled device like a thumb drive or to a spreadsheet.
  6. Employee security awareness must be a compulsory part of onboarding every employee, and those responsibilities should be formally acknowledged annually.

Increasing Threat of Cyber Attacks: How Cyber Security has Shifted

Following are answers from a recent interview looking at the threat of cyberattacks and how cyber security has increased in recent years.

Q. What’s driving the shift in cyber security?

A. As the world becomes more digitally connected with a wide variety of available technologies and options, the need to secure the data has increased dramatically. The attack vectors or means to compromise the networks and their controls have outpaced the security community’s ability to analyze and protect their networks. Gaps or single layers of security have enabled hackers to bypass controls.

For many, such as the elderly, technology is a new concept, which puts them at risk of being easily fooled into providing the keys to access their data. Detection of these events is often very slow or even non-existent.

On a larger scale, the bar has been raised. Hackers in the past may have been content with the challenge of what they could get into. Today, success is often measured by the amount of financial or even political damage one can inflict.

Hackers today work as a group more often. They share their methods and tools and communicate extremely well in their own network. This has enabled a larger number of hackers to become extremely proficient in a much shorter period of time.

Q. How do we define the severity of a cyber attack? Is it the type of data stolen, number of people affected?

A. There is no one best answer to this since the impact of an attack affects everyone in very different ways. A single event could be small in size, but have a devastating impact to an organization. The Reputational Risk to a firm can prove to be more costly than a Denial of Service attack, which takes them offline for a period of time. How quickly and effectively a company reacts to the attack can be the difference in how the severity of the attack is measured and perceived.

Q. What type of proactive steps can firms take to protect their client’s data?

A. Know your data (classification). What is highly sensitive, such as PII (Personally Identifiable Information), PHI (Protected Health Information), and financial data (Credit Cards, etc.) including where it is stored. How you protect that set of data is more critical and expensive than the protection of public data. Know how it is transmitted and to where. If it is EU data, ensure that you consider the new GDPR requirements. Know what your access points are and how they are protected. Have the controls tested by a qualified professional who is aware of the many methods to compromise those controls. Finally, use a “Risk Based” approach to determine what resources are needed to apply the appropriate level of controls.

Q. When evaluating cyber security solutions, what do firms need to look for?

A. Define your most critical needs and consider everything. The answer may not always be a technical solution.

Never overlook the most basic layer of protection such as your own employees. Provide appropriate Security Awareness training and test the effectiveness of that training. Their online behavior is your first level of defense.

Ensure that you “discover” what data you have and where it is stored. Is it still needed, or can it be securely destroyed? Analyze who has access and, more importantly, who needs to retain it, using Role Based Access Control (RBAC). Implement periodic reviews of your access controls, policies and procedures. Develop comprehensive Disaster Recovery and Business Continuation plans and test them annually.

After confirmation of the effectiveness of your security program and implementation of “Best Practices,” you will be in the best position to determine the need for new technology solutions to close any gaps that have been identified through this process.

Q. Will the threat of cyber attack decrease as firms invest more in defending against them?

A. If you define cyber threat as the possibility to attack, disrupt, access, steal or damage data, unfortunately no. The “threat” will always exist and will only grow in complexity. How well we communicate, educate and protect our valuable data will be the measurement of how well we defend it.

What are the five most critical steps to take during the first 48 hours post data breach?

1. Protect – The first and most important (time sensitive) step is to protect your environment and prevent additional damage and/or data loss. This could be as simple as disconnecting from any wired and wireless networks. Also disconnect any local backup drives that could overwrite previously archived data.

2. Communicate – It is vital to notify others in your organization of the suspected attack to prevent the spread. Remember, most breaches are not “IT Issues” and require the full cooperation of your entire organization. Review and execute your Business Continuation Plan and Emergency Notification Systems. Obviously, this means Breach Management must be an essential part of these plans. If the incident appears to be widespread and rapidly spreading, it may be best to remove all connectivity within your network to ensure the protection of all connected devices.

3. Preserve – If the attack occurred on a local PC, disconnect from all networks as noted above but avoid powering the PC off and seek professional advice. Forensic evidence contained in volatile memory (RAM) may be lost if the device is powered down. Contact network support and ensure that any SIEM tools or system logs are preserved by removing any scheduled purge or reuse of media. This data could be the key to identifying the root cause of the incident.

4. Legal – Notify legal that a breach is suspected. They should advise you regarding chain of custody requirements that will ensure that any evidence found is admissible in court. It is important that they review and understand federal, state and local laws and how these may apply to the specific incident. They should also review client contractual obligations regarding notification of breach events and the notification period, which is typically 24 – 48 hours. In most cases, notification is only required for clients that are directly affected by a breach.

5. Recover – Ensure that all affected users and service accounts change their passwords to something “strong and complex”. The apparent damage may have been an encrypted drive, but the real target may have been stolen ID and password credentials, especially privileged accounts (Admin). Take no chances. Additionally, with many attacks such as Petya, a full restore may be your best or only option to recover your devices. It is always recommended that your company maintain a “gold image” of your desktop configuration and ensure that users avoid saving data to local drives since this data is rarely backed up. It is recommended that affected systems be restored using the image since a hacker could have “planted the seeds” for a future attack on the device. Remember to patch both PCs and servers with OS level and Anti-Virus updates prior to connecting to the production environment. This is a critical step to avoid further damage, as many companies learned during the WannaCry and Petya incidents. Initiate new backups after your environment is confirmed to be clean, ensuring that old backups are not overwritten. Take time to review the root cause of the incident and how it could have been prevented or contained. Review and adjust all controls to prevent future outbreaks.

Remember, security is everyone’s responsibility, so this is a great time to review and reissue your Security Awareness program, which should be completed at least annually by your entire organization.