Cybersecurity Advice
Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.
We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.
Jan 7, 2015 | Cybersecurity Advice, Cybersecurity News
To put it mildly, 2014 was bad year for many IT security professionals. The number of threats to network security increased significantly, more computer systems were breached than in previous years, and more confidential records exposed than in the previous 12 months.
The threat landscape is constantly changing, but 2014 saw incredible volumes of new malware released and a considerable number of zero day exploits succeed. Many IT security professional will be glad to see the back of 2014. Unfortunately, 2015 doesn’t look like it will be any better. Many predict it will even be worse.
2014 started badly with the discovery of a number of cyberattacks. Hackers had gained access to computer systems in 2013, or even earlier in many cases, but 2014 was when the attacks were discovered and a large volume of brown substance hit the fan.
The discoveries were shocking. Incomprehensible amounts of data had been compromised and listed for sale. The country was still reeling from the cyberattack on Target, and then came the announcement of mega data breaches at Neiman Marcus and Home Depot. P.F. Chang’s had customer credit card details exposed from 33 of its restaurants, JP Morgan was affected by a major data breach, as was Michael’s. The healthcare industry was also badly hit. Community Health Systems suffered a major data breach exposing 4.5 million records and even the U.S. Postal service was targeted. 800,000 employee records were exposed in that attack.
Then there was the attack on Sony. That data breach caused an incredible amount of damage, with the hacking group responsible not apparently looking for money. The attack was carried out by a group called “Guardians of the Peace,” supposedly located in North Korea and backed by Kim Jong-Un. As a result of the breach, Sony Pictures even stopped the Christmas release of the “The Interview” movie. The film parodied the North Korean leader and even depicted his death. The leader of the Democratic People’s Republic of Korea was reportedly none too happy about the film and the content of the movie was allegedly a motive behind the attack.
Now that “The Year of the Data Breach” (as it has been dubbed) has finally come to an end, it is a time to look forward to the New Year. Unfortunately, many industry experts have predicted an increase in the number of hacking incidents over the coming 12 months. 2015 is unlikely to be any better for IT security professionals.
The reason? Despite efforts being made by many organizations to address security vulnerabilities, many still exist. We are also no longer dealing with individual hackers operating out of bedrooms in their parents’ houses. International groups of hackers are targeting organizations in the United States and are receiving funding from foreign governments. Some of the world’s most talented hackers are being funded to attack the United States, U.K., and just about every other company in the Western world.
So with the increasing threat, how is it possible to defend against cyberattacks, block malware, and beat malicious insiders. Fortunately, there have been a number of lessons learned from the data breaches suffered in 2014. Security trends have been identified and it is possible to implement a range of security solutions to prevent corporate networks from attack. Being forewarned is being forearmed! Here are SpamTitan’s cybersecurity predictions for 2015
Cybersecurity Predictions for 2015
Expect more mega data breaches
The more data that is held by an organization, the bigger target it becomes. The aim of many hacking groups is not to obtain money, but to use cyberattacks to cause financial havoc. Successful cyberattacks cause companies to incur incredible losses and can affect the financial markets. The data breaches have a huge effect on the economy, one of the aims of foreign-government backed hacking groups. These attacks will not only continue; they are likely to get a lot worse.
Healthcare and education sectors will be major targets
Expect to see data breaches the like of which have never been seen before. The financial and retail sectors will continue to be targeted, but 2015 is likely to see healthcare and education hit particularly hard. Student and medical records are particularly valuable to cybercriminals. The data contained in medical and student records can be used to commit a multitude of fraud: medical fraud, insurance fraud, and tax fraud for example. Identities can be stolen allowing credit to be obtained in the victims’ names. Universities were targeted in 2014, as were healthcare institutions. Expect more of the same in 2015.
Email will continue to be used as an attack vector
Virtually everyone now has an email account. Many have a separate email address for work and for personal use. Email is one of the easiest ways of getting in contact with people, and spammers are well aware how easy it is to get an account holder to click on a link to a malicious website, or to open an email attachment that has been infected with malware.
Email is used to “phish” for sensitive information that allows criminals to gain access to credit card numbers and bank accounts. Computers and mobile phones can all too easily be compromised, and the potential rewards for criminals are high. Phishing emails and other spam and scam emails are expected to increase during 2015.
Vulnerabilities in web applications will be targeted
2014 saw a number of zero day vulnerabilities discovered in popular software applications and we can expect more of the same in 2015. There was Heartbleed, which was a potentially catastrophic vulnerability. Shellshock was also particularly worrisome. It is likely that these are just the tip of a very large iceberg.
At first it was thought that these security vulnerabilities had not been found and exploited by hackers. Unfortunately, this would appear not to be the case. The hack of healthcare provider Community Health Systems exposed 4.5 million patient records. It is believed that the cyberattack was made possible because of Heartbleed.
Attacks on mobile devices are likely to increase
Ownership of Smartphones and tablets has increased considerably and so has the volume of personal data stored on those devices. Smartphones permit the user to access email accounts, bank accounts and social media networks. Many people track their movements using the devices and record exercise data. If a device can be accessed, a considerable amount of personal data can be obtained.
Unfortunately, many of the applications downloaded to the devices contain numerous security vulnerabilities. Even the platforms themselves (Android and iOS) contain many security holes. Hackers and cybercriminals are well aware that mobile devices can contain a goldmine of data and, with the increasing popularity of Bring Your Own Device (BYOD) schemes, mobiles can even be used to launch attacks on corporate networks. Expect mobile devices to be implicated in more corporate security breaches and millions of users’ data to be plundered in 2015.
The threat landscape is constantly changing and there are more malicious attacks being reported than ever before. The seriousness of those attacks has also increased. Consequently, organizations must invest more heavily in network and cybersecurity defenses. The companies that fail to increase cybersecurity spending are likely to become the next targets.
Dec 15, 2013 | Cybersecurity Advice, Network Security, Web Filtering
Without anti-phishing controls in place, your organization is likely to face a high risk of end users falling for scams. How good do you think your employees are at spotting phishing emails?
How good are you at spotting phishing emails? Are you a Grammar-Nazi who can spot a misplaced semi-colon from 50 paces? Are you a former Spelling Bee champion or an amateur super-sleuth?
Sometimes phishing emails are so obviously fake they are laughable. You would think that a scammer who goes to the trouble of sending out millions of emails claiming to be from a reputable company would actually check the spelling of the company name. Many don’t. Error-ridden phishing emails are common, and they are easy to identify.
However, don’t believe for one second that all phishing campaigns are that easy to identify. I write about Internet security and I have nearly fallen for one in the past. Admittedly, it was a very convincing one and in the early days I was a little naïve!
I tell you this as even the security conscious can fall for phishing campaigns from time to time. Sometimes scams and phishing emails are virtually impossible to distinguish from legitimate emails. Unless a software security solution is used, it is all too easy to inadvertently become a victim.
It used to be a rarity to be emailed a phishing email that was convincing, free from errors, and looked like it had been sent by a legitimate company. Today, scammers are much wiser. They know that a little time spent preparing a campaign properly will result in far more clicks and even more victims.
When you consider the money that can potentially be made from targeting business users, investing some time into creating highly convincing campaigns is well worth the investment. Spending a few hours or even a couple of days on a campaign could make the difference between getting no clicks and netting millions of dollars. Unsurprisingly, email spammers have realized this.
Spear phishing emails are becoming increasingly common
IT security professionals will be well aware that their end-users will be sent phishing emails that can be identified with one eye closed. These emails are sent out randomly in the millions. Fake PayPal receipts, Better Business Bureau warnings, potential lawsuits, and requests for money to help victims of natural disasters. These emails are very common. Unfortunately, they claim many victims. If they didn’t, the spammers would stop sending them.
However, there has been an alarming rise in spear phishing emails in recent months. These are more worrying as they have been expertly written and use personal information gained from the recipient to convince them to click on a link or open an attachment. They can even appear as if they have been sent by a friend, or contain information that has been gained from a social media account.
Sometimes an email will be sent to a number of individuals in a company. Other times the email targets one person. In the case of the latter, these insidious emails can be highly effective. An attacker gains access to the target’s Facebook account, either by being accepted as a friend, viewing pages that have been indexed in the search engines, or by guessing passwords. Then information posted to the user’s account can be used to construct a convincing email.
For example, you attended a school function, such as a sports day, and you post some pictures to your Facebook account. If someone had access to your account or could view your pictures (a friend of a friend of a friend for example) and they then sent you an email with a JPEG attachment, would you be likely to open it if they said they enjoyed speaking to you at the event and said they had attached a great picture of your child? How about if they mentioned your son by name? All of that information could be easily gained from Facebook without even having your password!
Simple anti-phishing controls will protect your network from spear phishing campaigns
Fortunately, defending against well researched and expertly written phishing emails is not difficult. There are a number of anti-phishing controls that can be used to prevent the emails from being delivered, as well as controls to stop users from visiting phishing websites.
The first line of defense is to prevent the emails from being delivered. To do that you need to install a spam filter, such as that offered by SpamTitan. SpamTitan Anti-Spam solutions prevent 99.98% of spam and scam emails from being delivered. It is one of the best anti-phishing controls you can implement to protect your workers and network.
Secondly, all members of staff, from the CEO down, should receive security awareness training so they know how to identify a phishing email. Training need not involve day-long courses. A little information can go a very long way. It is better to have face to face training but an email explaining how a phishing email can be identified is better than nothing. Remember to put training to the test by sending staff members fake phishing emails to see how their training is being applied at work. This will identify the weakest links, and further training can be provided.
Thirdly, it is possible to block users from clicking links to malware-infected websites. Employ a web filter and these and other potentially dangerous links can be blocked. SpamTitan’s web filtering solutions are ideal for this.
Along with Anti-Virus software and Anti-malware protection, users can be properly protected by using anti-phishing controls. All small to medium businesses should use each of the above solutions to minimize risk. A little investment in anti-phishing security measures can safe a fortune in data breach remediation costs. It could also prevent ransomware and other potentially catastrophic malware infections.
Mar 3, 2013 | Cybersecurity Advice, Network Security, Web Filtering
Many people are willing to use the Internet to commit fraud. Identity thieves try to get website surfers to reveal their personal information, hackers break through defenses to steal credit card numbers and bank account information, and scammers head online in the tens of thousands. Saboteurs spread viruses and criminal gangs are using spear phishing campaigns to get the information they need to empty corporate bank accounts. The Internet can be a very dangerous place indeed.
There were more than 1 million victims of online identity fraud in 2012
A recent study conducted by market research firm Javelin Strategy and Research, indicates more than 1 million victims of identity fraud were created in 2012 than the previous year. That means one in three Americans have now become victims of online fraud. An incredible 12.6 million people have been affected by online fraud in the United States alone. In fact, a new victim of identity fraud is created every three seconds.
Cybercrime is extremely profitable. In 2012 alone, more than $21 billion was lost to cybercrime.
People are engaging in high risk activities online
One of the main reasons why we have experienced such a dramatic upturn in cases of identity fraud is a lack of security awareness. When connecting to the Internet, many individuals fail to realize they are entering a potentially dangerous place. Because of ignorance of the risks, many people fail to take precautions and do not protect themselves.
Would you walk down a street in New York City waving a big bundle of cash in front of you? Would you leave your credit card in a phone booth? Of course not. Yet people do equally risky things online. They provide their bank account details to criminals and enter their credit card details into online forms without checking whether the website is legitimate. They even store all of their intimate information on their laptops, Smartphones and tablets, and then leave those devices in cafes, unlocked automobiles, on trains and on buses.
These things can and do happen, but when it comes to online fraud, the biggest threat to security comes from social media websites.
Social media websites carry a major risk of identity fraud
Most of us have done it. Uploaded a photo to Facebook, posted intimate details of our personal lives, accepted a request from a “friend” we barely know. Some people post virtually every aspect of their lives online: What they had for breakfast or cooked for dinner, where they have been, who they bank with, etc. All of this information is incredibly valuable. Just ask Facebook. The company doesn’t charge users for having an account. Facebook makes money from selling your data to advertisers. They are not the only people who are interested to find out about you. Identity thieves also want your information.
It is easy to get a name from a social media account, also an address. Your birth date is not hard to obtain. What other information have you posted online since you joined Facebook and Twitter?
If someone had access to your accounts, do you think you would be an easy or hard target for an identity thief? How about the complexity of your password? Is that shared across websites? Is it easy to guess if someone knows the name of your pet? Or your child’s date of birth?
The fact is that most people are easy targets and engage in risky behavior. Even celebrities are major targets for hackers and thieves and have had their accounts hijacked. There is a lot of information in cyberspace about you that can easily be obtained by a hacker or criminal with a little time and a modicum of skill.
Fortunately, it doesn’t take much effort to protect yourself. All you need to do is adopt some basic “best practices” when using social media websites and while surfing the net.
Best practice tips to avoid becoming a victim of identity fraud
With a new case of identity fraud happening every three seconds it is vital that you take steps to protect your identity. Otherwise it will only be a matter of time before you become a victim. Possibly only 3 seconds!
Don’t reveal your private and confidential information on Facebook or Twitter
Think before posting. Does the information in your post reveal a little too much about you? Do you trust ALL of your Facebook friends? Do you even know the people who follow you on Twitter? Is your post appropriate for everyone on your friend list? Ask yourself these questions and make sure you use your restricted lists carefully and regularly check your Facebook privacy settings.
Have you made yourself an easy target?
Have you locked all of your devices with a password? Do you store passwords and login information on your computer? Are those files protected with a password? Do you ever access PayPal or your bank accounts via an insecure network? Do you always check that a website starts with https:// (not http://) before entering sensitive information? Remember, the Internet can be a dangerous place!
A Play Store mobile app is not necessarily safe
When you download an app to your mobile phone, do you read the list of data that you are giving that app access to? Do you trust the manufacturer of that app to keep your data secure? It is a pain reading all of the small print, but make sure you know what data you are potentially providing.
Your Smartphone is an encyclopedia of information
Be careful about the data you share online via your Smartphone, and for heaven sake don’t leave it anywhere where it can be stolen. In case of theft, you may compromise your entire email account, your WhatsApp conversations, access to your bank account and much more. Make sure you use a strong password, activate the lock function, don’t automatically connect to Wi-Fi networks and never leave Bluetooth on when it is not necessary.
Mobile phones are insecure
Be exceptionally careful about divulging any information via a mobile phone. That means text messages and phone calls, not only apps and Internet sites. Before disclosing information ask yourself why does the person or company need it? Who are they? How will your data be used? Are you volunteering data? If so, why?
How quickly would you know that you had become a victim of online fraud?
Do you check your bank account frequently? How about PayPal? Your credit card balance? How long would thieves have before you realized you had become a victim. It is not only financial information that can be used to commit fraud. Do you check your health insurance Explanation of Benefits (EoB) statements for signs of fraudulent insurance claims? Do you obtain free annual credit reports from Experian, Equifax and TransUnion?
It is easy to become a victim of online fraud but many people do not regularly check to find out if they have become a victim.
You have become a victim of online fraud! What do you do?
A quick response can limit the damage caused. Act fast.
- Call your bank and credit card provider and place a credit freeze on your accounts
- Change all of your passwords
- Report social media account hacking to the provider of the service
- Obtain credit reports to find out how badly you have been affected
Report all cases of online fraud to the relevant government and law enforcement agencies.
Jan 3, 2013 | Cybersecurity Advice, Network Security
It will probably come as no surprise to discover the use of personal devices at work carries significant network security risks. Chances are your company may even have a BYOD policy in place that permits the use of personal devices in the workplace.
In an effort to quantify the level of risk posed by the use of these devices, a survey was conducted by Virgin Business Media. Respondents were asked questions about BYOD and the potential pitfalls. Network security was one of the main worries, and alarmingly, 51% of respondents revealed they had already suffered a security breach as a result of personal devices being used to access corporate networks.
The number of devices connecting to the network has an impact on the level of risk faced. The more devices that are allowed to connect, the greater the risk of one of those devices being used by a hacker to launch an attack on the network. Small to medium sized businesses tended to suffer fewer breaches as a result. The survey suggests 25% fewer.
These figures should not be taken to mean that small businesses are unlikely to suffer a cyberattack or experience a security breach. The risk from mobile devices will be reduced, but cybercriminals are now attacking small businesses with increasing regularity. Small to medium sized businesses may not store such large volumes of data, and they may not be as valuable to criminals, but the security defenses used to protect networks are much easier to circumvent. SMEs also tend not to employ as highly skilled IT security staff as the likes of IBM, Facebook and Google.
Take a Proactive Approach to Internet and Email Security
Many small to medium sized enterprises only implement robust security controls after they have suffered a major security breach. Many CEOs believe that they will not be targeted by criminals and do not require particularly sophisticated defenses. Unfortunately, many attacks are random, so SMEs actually face the same threats as larger corporations. They may not be targeted by teams of foreign government-backed hackers, but they are at risk of attack by other hackers and Internet criminals.
The FBI and National White Collar Crime Center formed the Internet Crime Complaint Center (IC3) as a single point of contact for victims of internet crime. IC3 receives reports from businesses and individuals who have become victims of online criminals. In 2011, IC3 received over 400,000 separate complaints from small to medium sized companies that had become victims of online criminal activity. The threat of attack is actually very real.
Given the high risk and the increase in internet crime, business owners need to face the facts. It is no good burying your head in the sand and hoping that it will never happen. It is time to implement security defenses to ensure that it doesn’t.
You may not want to introduce BYOD and have to deal with the risks, but if you do want to leverage the benefits of personal mobile devices and want to enjoy the increase in efficiency and productivity that BYOD promises, you will have to make sure appropriate security measures are installed. Otherwise you could be making your network a lot easier to breach.
Dec 9, 2012 | Cybersecurity Advice, Cybersecurity News, Internet Security News, Network Security, Web Filtering
The festive period is almost upon us and, aside from having to deal with the wave of Christmas and New Year cybersecurity threats, it is a time to relax, reflect on the major security events of the year, and plan for 2013.
Lessons have been learned in 2012 and it is up to IT security professionals to ensure that the same mistakes are not made next year. 2013 is likely to see a wave of attacks, a great deal more threats, and many companies’ security defenses breached. Prepare adequately and your company is likely to avoid becoming another security breach statistic.
Online Security Threats from 2012
2012 was an exciting year, certainly as far as data mobility was concerned. Many companies have enjoyed the benefits that come from being able to access data from any location; on any device. Unfortunately, so have cybercriminals.
Widespread adoption of Bring Your Own Device (BYOD) schemes have made workforces much more productive, efficient, and happy. Unfortunately, mobile devices are being attacked with increasing regularity. Personal Smartphones, laptops, and tablets may represent the future of business, but they often lack the necessary security controls to ensure corporate networks remain protected. Cloud computing has also been adopted by many organizations, but not all have made sure their cloud applications are appropriately secured.
There has been an explosion in the number of social media websites. Use of the sites are more popular than ever before, and so are the threats from using the sites. As user numbers have increased, so have the types of malware being developed to exploit users of Facebook, Twitter, Pinterest and the myriad of other sites that have enjoyed an increase in popularity.
Up and coming platforms are being targeted as user numbers increase and established platforms such as Facebook and Twitter are honeypots for cybercriminals. Social media channels and mobile devices are likely to remain problematic for IT professionals charged with keeping their corporate networks secure. Unfortunately, IT security professionals have little control over personal devices, and it is very difficult to stop end users from using their social media accounts at work.
As cybercriminals start using new attack vectors with increasing regularity, security professionals must be alert to the new risks. Listed below are our security threat predictions for 2013. some of the trends that are likely to develop further over the course of the coming year.
Security Threat Predictions for 2013
SQL Injection attacks will continue to increase
There was a rise in the number of successful cyberattacks last year, many of which involved SQL injection – the use of Structured Query Language to gain access to corporate databases. Hackers were able to use this technique to hack into web servers and obtain user names and passwords from corporate databases.
Small to medium size companies are particularly vulnerable as they often do not have the resources available to address all vulnerabilities that can be exploited by SQL injection. However, even very large companies are at risk. In 2012, Wurm Online, a hugely popular online multi-player game, was hacked using SQL injection resulting in the site being taken offline. Yahoo Voices was also hacked using this technique and over 450,000 user logins were obtained by hackers. This attack was caused by “union-based SQL injection”. These attacks were made possible as basic web server mistakes had been made by the companies in question. Both attacks were avoidable.
Ransomware attacks will increase
The past 12 months have seen a rise in cyberattacks using ransomware. Users are fooled into installing malware on computers and networks which subsequently encrypts all company data. Company operations have ground to a halt, with no data accessible without a security key. Those keys will only be provided by the criminals if a ransom is paid. Companies have found they have no choice but to pay the criminals to unencrypt their data. In 2012, a number of hacked GoDaddy websites were discovered to be infecting users with ransomware.
Defenses against this type of malware must be improved. Install spam and web filters to prevent users from installing this malware, and ensure that all data is backed up and policies are developed to recover backed up files. A data breach response plan should be developed to ensure business-critical data is restored promptly.
Increase in amateur cybercriminals using attack toolkits
As we saw this year, you do not need to be a hacking genius to pull off a successful cyberattack. It is possible to rent an attack toolkit with a host of premium features to make it easy to use by virtually anyone. The Black Hole exploit kit is a good example.
Investment in these kits has helped improve their usability and many now include APIs, scriptable web services, reporting interfaces, and even mechanisms to protect the users of the toolkits. By improving the quality of the kits, talented computer programmers have been able to increase the number of individuals able to launch attacks on corporations. There is no shortage of takers, and the investment spent has been well rewarded. Expect more individuals to use these kits and the volume of email malware to increase.
Less damage from security vulnerability exploits
Security vulnerabilities are being discovered with increasing regularity and this is enabling security holes to be plugged before they can be exploited. Protection against exploits is also improving and the next 12 months is likely to see even more advancements in this area. A number of protections have already been developed and implemented to prevent attacks of this nature, such as address space layout randomization, sandboxing, data execution protection (DEP) and trusted boot mechanisms. It is expected to become harder for hackers to exploit security vulnerabilities, although the risk of attack will certainly not be eradicated.
New privacy and security challenges that need to be addressed
The rise in popularity of mobile devices, and the adoption of BYOD by many organizations, has seen data security risk increase substantially. Mobile devices contain numerous security flaws. The devices can be used to track victims with GPS systems and near field communication (NFC) allowing criminals to physically locate their targets. The growth in social media applications for mobile devices is likely to see even more devices compromised. Expect 2013 to see a wave of new attacks on mobile devices and security vulnerabilities in new technologies exploited.
Do you agree with our security threat predictions for 2013?
Dec 3, 2012 | Cybersecurity Advice, Internet Security News, Web Filtering
Small to Midsize Businesses (SMBs) have a lot to gain from joining the social media revolution, and even by allowing employees some personal Facetime at work. There are a number of drawbacks though, and some can be very serious.
Many SMBs are well aware of the potential risks as evidenced by a recent survey conducted by Forrester. Businesses were sent surveys as part of the security study and were asked about social media risk. It was named as one of the biggest security concerns.
If social media accounts are accessed at work, they pose a considerable risk to network security. There is a major risk of suffering a malware infection from social media websites. Accounts can be hijacked and there are issues with staff accessing inappropriate content or posting sensitive information about the company. Data leakage is a concern, and highly regulated industries face greater risks. Healthcare professionals could all too easily violate HIPAA rules.
With all of these serious risks, why would any business permit members of staff to access personal social media accounts at work? Why not just implement a zero tolerance policy, and take action against any employee found to be using social media sites at work? Better still, social media sites could be blocked entirely to prevent all employees from having a sneaky peek at their Facebook accounts!
There are benefits to be gained from allowing social media access in the workplace
Social media access by employees is not all bad news. There are many positive benefits to be gained from allowing staff a little time to access their Facebook, Twitter and LinkedIn accounts at work. Even some YouTube time can be very beneficial. Here are four reasons why a total ban on social media use at work is not necessarily the best option for employers.
A little social media access can improve the productivity of staff!
Employees may be seen to “waste” a little time each day accessing Facebook or other social media websites at work, but the time is not necessarily totally wasted. In fact, some downtime can improve the productivity of employees. How productive would you be if you worked 8 hours straight each day without taking a break? You may be able to do it for a few days each week, but burnout awaits those who try to do too much.
Recent research shows that allowing workers access to their social media accounts can actually increase productivity, and not just a little. A study conducted by the Harvard Business Review showed that productivity increases of 20-25% are possible with a little Facetime allowed each day. Employees can actually get answers to questions much more quickly by using social media and professional networking websites than trawling through websites!
LinkedIn can be used to find new staff members, or encourage the best people to apply for a job. If business accounts are opened and managed, it is much easier to connect with customers, and customer service standards can be improved. The cost of providing those services can also be reduced thanks to social media. The websites are also a great way of communicating with customers and staff.
Social media can give a business a competitive edge
There are reasons why the likes of Google and Facebook give their staff ping pong tables, napping chairs, video games and use bright and bold color schemes in their offices. They improve staff morale, they make employees happier at work and, consequently, staff complain less about having to work incredibly long hours.
OK, we are not saying you should turn your office into an amusement arcade, but allowing employees some time off to use social media sites is not that bad. It is a selling point as well, especially for Gen Y staff. They expect to be able to have some social media time at work.
You probably ban social media access at work, but your competitors might not. One of them almost certainly allows some Facetime at work. It could be the difference between attracting the best workers or just the mediocre ones!
Blocking access to social media websites is not easy
So you want to ban social media use at work. How do you plan to implement that ban? Just tell staff it is inappropriate to access the sites and then turn a blind eye to a little use? Get HR to bring employees in who access Twitter during work time? Purchase a web filter to block access?
A ban must be enforced, access to the sites needs to be monitored, and action taken against offenders. If you have a lapse in adherence to the policy, how will you deal with it? It could well be more trouble that it is worth!
If you operate a BYOD scheme and allow the use of personal laptops or tablets at work, you can’t ban employees from using their own devices to access social media websites outside of office hours. You will still need to implement policies covering use of the sites, even if they are blocked in the office.
Regardless of controls, if employees want to use social media, a ban will not stop them
Implementing a ban does not mean employees will stop using social media at work, it will just be harder to control. Even if you purchase a web filter, such as that offered by SpamTitan, and block access to the sites for all staff members, employees will still access their accounts if they want to. They will just use their Smartphones. You will then lose all control and it will be impossible to monitor how much time your employees are spending on the sites. In fact, a ban could well lead to employees taking more risks, or posting disparaging remarks about your company.
Instead of implementing a total ban, why not look for ways to leverage the use of social media websites, and develop policies to control usage. Even implement software solutions to minimize security risks and give you control over what is accessed via the websites.
Nov 13, 2012 | Cybersecurity Advice, Internet Security News
If you want to access the Internet, you will need a web browser. Unfortunately, the very program you use to gain access to the Net, access your email, and logon to social media sites and online bank accounts could be your downfall.
A vulnerability in Firefox, Safari, Chrome or IE could be placing your data straight into the hands of hackers. Cyber criminals can – and do – take advantage of out of date web browsers to steal data and gain access to computers, mobiles, laptops, and tablets.
It is therefore essential to ensure that your browser is kept up to date. Fail to install updates as soon as they are released and you could become the next data breach statistic.
Insecure web browsers could leave you exposed to a cyberattack
When you purchase a new device, chances are it will come with a browser preinstalled. You should bear in mind that when purchasing a new device, it is unlikely to come with the browser correctly configured, and you will most likely need to install the latest version. Updates are now being issued on a regular basis.
Fail to keep your browser up to date and tweak the security settings is a recipe for disaster. Out of date or insecure browsers can result in malware, spyware, ransomware, and viruses being installed on your device without your knowledge. Even your anti-virus software program may not pick up the infection.
Kaspersky Labs, one of the world’s leading providers of anti-virus software, has recently investigated browser security and has discovered almost a quarter of browsers are out of date. The company assessed the browsers of close to 10 million Internet users from all over the world in 2012, with the data drawn from the Cloud-based Kaspersky Security Network. Over 700 million browser launches were logged by Kaspersky during the period of study.
Kaspersky Labs browser study produces worrying results
Kaspersky Labs analyzed five different web browsers as part of the study and discovered 36 different versions in use. Only five versions were up to date and installed with the latest security patches. Users of Kaspersky Anti-virus solutions were reasonably well protected, with 77% using the latest version of their chosen browser. Unfortunately, 23% were using out of date versions, making them vulnerable to a cyber attack or malware infection. Worse still, 8.5% of test subjects were still using versions that had long since become obsolete. Millions of individuals are therefore at risk of succumbing to web-borne threats.
The process of upgrading a browser to the latest version is a quick and straightforward process, and will ensure the user is better protected against hackers. Why are users not upgrading their browsers? There are many possible answers. Simply putting it off and forgetting is one of the main reasons; however, some users are fearful that they might lose data or bookmarks by updating. Others are worried about losing some of the features they like. Sometimes, the new versions contain bugs and make viewing the Internet that little bit harder (at least initially).
Unfortunately, the reality is that failing to update a browser will leave you vulnerable. It is therefore not really a choice but a necessity, certainly if you care about the security of your device, data stored on it, and the network it connects to.
Sep 18, 2012 | Cybersecurity Advice, Internet Security News, Web Filtering
Unsurprisingly, the launch of the iPhone 5s has had seen people queuing outside Apple stores for hours upon end in the hope they will be one of the first to get a new Apple device. Apple aficionados do get excited about the launch of a new device, and the Apple iPhone 5s is no exception. The company has reportedly sold 2 million units, and that was in the first 24 hours after the release.
Interest in the devices has been so high that buying a new iPhone 5s means a long wait is required. Many early purchasers will have to wait a number of weeks before their new phone is delivered. Apple couldn’t make enough available for the launch. Unfortunately, cybercriminals are taking advantage and have launched a number of iPhone 5 phishing scams.
Many iPhone 5 phishing scams have now been launched
Cybercriminals also love Apple devices. In particular, the launch of a new Apple device. They take advantage of the hysteria and send huge volumes of spam and phishing emails to would-be purchasers, advising of special offers and discounts, must read information about the new device, and news of fake competitions. In the run up to the launch we have seen many new email scams aimed at Apple fans. Scammers have used the media hype surrounding the iPhone 5 launch to their advantage.
Apple knows how to launch a new product. Few companies do it better in fact. In the run up to the launch, only a limited amount of information on the device was issued. Just enough to get Apple fans salivating. As the launch date drew closer, more information was released. They built interest in their product, anticipation was high, and when the launch date arrived, the product sold by the million.
Scammers take advantage of the anticipation, supply shortages, and long wait times. Spam email campaigns have accompanied the launch of this year’s hottest new product, with a number of spam and phishing emails already captured by SpamTitan’s spam and web filtering software. Some of the iPhone 5 phishing scams include:
- Fake delivery notifications
- Phishing websites set up to coincide with the iPhone launch
- Fake special offers and discounts on the new iPhone 5s
- Bogus competitions to win a new iPhone
We are expecting many more over the coming weeks.
Not everyone is good at identifying a phishing email
If you are in charge of your company’s email security, or if you work in an IT department, you will probably have a very good understanding of spam and phishing emails and can probably identify even the most convincing campaign. Unfortunately, the same probably cannot be said of the end users in your company, many of whom will be so excited about the launch that they will click any email link about the new device.
There is a high risk of end users clicking on links to websites containing malware and of opening infected attachments. It is therefore a time to be ultra-cautious. If one employee falls for a scam, it will not just be their computer that is infected. They may inadvertently compromise your network.
In order to address the risk, employees must be warned about the new scams and training should be provided to make sure they know how to recognize spam, phishing emails and iPhone scams. Even if training has already been provided, it is a good time to send out some refresher emails. You may even want to test their knowledge and send out spoof phishing emails to find out just how many people click the links. This is the best way to determine if your training has been effective, and which employees need some extra tuition.
Have you fallen for one of the iPhone 5 phishing scams? Have you identified any new iPhone 5 phishing scams? Please let us know!
Jul 19, 2012 | Cybersecurity Advice, Internet Security News, Web Filtering
New research indicates the threat from phishing is growing at an alarming rate, with thousands of new malicious websites being created every week. Detection rates of new phishing sites are also increasing, thanks to new software introduced by the Anti-Phishing Working Group (APWG).
APWG is a pan-industrial not-for-profit organization dedicated to improving Internet security. The organization works alongside law enforcement to reduce identity theft and make it harder for online criminals to operate. One of the ways it achieves its aims is by finding new websites set up by cybercriminals to obtain login names, passwords and other sensitive information from Internet surfers.
A recent report issued by APWG shows an alarming rise in the number of new phishing websites, indicating cybercriminals are concentrating on this attack vector to obtain the data necessary to commit fraud and steal identities.
In the month of February alone, 56,859 new phishing websites were detected. This rate of detection has not been achieved since August 2009. February’s count of new phishing websites was 1% higher than the organization’s August 2009 figures. While this suggests there has been a major increase in cybercriminal activity, the company’s new detection software may account for the rise in detection. That said, the threat from phishing is certainly growing.
What does a phishing website look like?
The reason that phishing websites are so dangerous is they look exactly the same as legitimate websites. Criminals are investing a considerable amount of time and money into creating spoof sites that are highly convincing. Big brand name websites are now being spoofed, with Amazon and E-bay just two of the major retail sites that have had fake versions created to fool users.
It is not only the retail industry that is being affected. Criminals have created phishing websites that look the same as those of major banks and financial institutions. If users can be fooled for long enough to attempt to login to the websites, criminals will obtain their credentials and be able to make bank transfers. Huge sums of money can be transferred and withdrawn by criminals before the victims even realize.
The majority of the fake websites discovered by APWG were located in the United States. Over half of those websites used the brand names of large organizations to fool users into revealing their sensitive information. This is achieved by creating a website that looks very similar to the brand being spoofed, with the domain name also featuring the brand name.
Security software identifies phishing websites and neutralizes the threat
There may now be more phishing websites than ever before, but fortunately action is being taken. When new sites are identified, the companies hosting those sites are alerted and the websites are closed down. Hackers and other cyber criminals may be devising more sophisticated ways of obtaining sensitive information from businesses and consumers, but detection software is also becoming more sophisticated. Companies such as SpamTitan Technologies have devised software that can rapidly identify phishing websites, allowing the threat to be neutralized. However, the volume of these malicious sites is such that even with rapid identification, it is not possible to totally eliminate the threat they pose. All that can be done is to use a web filter to prevent Internet users from visiting these websites.
Employees are not reporting phishing emails and websites to their IT departments
Many companies have developed policies which require members of staff to report suspicious emails and websites to their IT departments. By sending a quick email, the IT department can ensure that the threat is neutralized. Unfortunately, despite these policies existing, they are not being followed by all members of staff.
SpamTitan conducted a survey earlier this year which revealed that 70% of organizations had suffered losses as a result of phishing and spear phishing emails that had not been reported to their IT department. If staff members receive security awareness training, and report attempted phishing attempts, the emails can be deleted promptly to neutralize the threat. A failure to report those emails is likely to see some members of staff fall for the scams.
Many of these phishing scams seek to obtain access to sensitive data in order to commit fraud against individuals. If criminals can gain access to a business network, they can potentially obtain sensitive information from the entire workforce. The loss of data and system downtime can cost companies millions of dollars. When customer or healthcare data is stolen, the costs of resolution can be even higher. Theft of customer and patient data can trigger a wave of class-action lawsuits and result in regulatory bodies issuing heavy financial penalties.
What is the solution?
The cost of data breach resolution is considerable, but it does not cost a small fortune to take proactive steps to reduce the likelihood of a data breach being suffered. If organizations are proactive and implement a range of security measures, the risk of cyberattacks and data breaches can be effectively managed.
It may not always be possible to prevent phishing emails from reaching inboxes, but it is essential that employees are security aware and know how to identify suspicious and malicious emails in case they are delivered. There must also be an easy way of reporting such emails so that prompt action can be taken to neutralize the threat.
What security measures can be implemented to reduce the risk of a data breach?
Robust, multi-layered security defenses can be implemented to protect data and networks from attack, although there is no single solution that will work for all organizations.
Some of the measures that can be implemented to keep networks and data secure include:
- Encrypt all customer, client and patient data stored on networks
- Devise a secure password policy and ensure that it is enforced
- Make sure users change their passwords every 3 months
- Conduct security awareness training
- Issue cybersecurity bulletins to alert employees to new risks
- Purchase a robust email spam filter to stop phishing emails from reaching inboxes
- Use web filtering to restrict the websites that can be visited by employees
- Perform regular risk assessments to identify new security vulnerabilities
- Ensure anti-virus and anti-malware solutions are installed on all devices connected to a network
- Make sure all software and virus/malware definitions are updated regularly
- Conduct periodic security audits to check for malware and viruses that have inadvertently been installed
Jul 10, 2012 | Cybersecurity Advice, Social Media
Social networking websites are here to stay. They may have been created to give people an easy way to stay in touch with friends, family and meet new people, but there are considerable benefits for businesses. In fact, any business that has not yet embraced the social media revolution is likely to be losing customers to competitors.
However, social media use at work does carry security risks and employees may spend a lot of their working day posting status updates, reading articles, and communicating with their contacts.
A study was recently conducted by Proskauer Rose that set out to explore some of the problems businesses are having with social media website use by employees. It would appear that social media access is not being effectively managed by some businesses, and employees are spending too much time accessing the likes of Facebook, LinkedIn, Twitter and Pinterest.
Key findings of the Proskauer Rose social media study
- Social media misuse was reported as being a problem for 43.4% of respondents
- 3% of companies have taken disciplinary action against employees for misusing social networks
- Surprisingly, 45% of companies do not have a social media or Internet policy covering usage at work
There are benefits to be gained from allowing employees to have some time each day to access the websites, should they wish to do so. Unfortunately, the drawbacks can outweigh the advantages if care is not taken and usage is not effectively managed.
In addition to time being spent on the websites instead of work being performed, there is a considerable risk to network security. Malware and phishing schemes are rife on social media networks. Then there is the issue of wasted bandwidth. On the plus side, employee productivity can be increased by allowing some time to access accounts each day, and businesses can harness the potential of social media and get closer to their customers.
Provided use is managed, the benefits can outweigh the disadvantages. The solution is to implement policies to control usage in addition to software solutions to block access if necessary.
Protecting networks from attack and controlling social media use at work
Simply implementing a ban on accessing the websites is rarely an effective strategy. Staff morale can fall, and end users will carry on accessing the websites if they want to. They may just use their Smartphones to do it instead. The best methods to use to keep networks secure and control access are:
Implement Web technology solutions to protect corporate networks
Many companies use a web filtering solution to prevent employees from accessing websites that are inappropriate for the workplace. Gambling websites for instance, pornography, and bans of file-sharing sites are common. It may be tempting to use web filters to block all social media websites as well, but this would prevent the company from maintaining a social media presence.
Some web filters offer much more granular controls. They can quickly and easily be configured to block certain user groups from accessing the websites.
SpamTitan Technologies offers such a solution. The web filter means that HR departments can work with IT to implement appropriate controls that allow employees some time to access the sites, while ensuring that the social media needs of the business can be met.
Role based settings can be implemented and can even be set by at an individual level. If misuse becomes a problem, an individual can lose the right to access the sites at work. If one employee misuses Facebook, the whole workforce, including those who use the sites responsibly, should not be penalized.
Implement an Internet and Social Media Usage Policy
Regardless of your decision on social media use at work, you must implement a policy to cover usage. Your policies should cover acceptable use of the Internet, the types of web content that cannot be viewed, and the repercussions for attempting to view objectionable or banned content. If you do not have policies in place, from a legal standpoint you may have difficulty taking action against individuals for inappropriate use.
It is important that Internet and social media restrictions are explained to staff members in terms of the risk they pose to the business. Restricting access is not only about ensuring time is spent productively. Cybercriminals are targeting businesses using malware, viruses and phishing campaigns. It is all also easy to inadvertently infect a computer with malware or become part of a botnet.
Develop policies to cover usage, explain the risks and they can be effectively managed without implementing an unpopular and counterproductive social media ban.
Jun 5, 2012 | Cybersecurity Advice
Someone posts a comment about you or your company that is slanderous, racist, or simply causes offense. It may be possible to sue them for their actions. This is nothing new of course. However, what about if that comment is posted anonymously? That does not necessarily mean you cannot file a lawsuit and sue the poster for damages. An Idaho politician is doing just that. Anonymity is no protection any more.
The Idaho Spokesman Review hosts a blog just like many newspapers. Blogs attract comments and sometimes spark heated debates between people with very different opinions. They attract visitors and are great for publicity, plus they have much a bigger reach than a newspaper. Sometimes comments are posted that cause offense.
One blog commenter recently posted comments that seriously offended politician Tina Jacobson, chair of the Kootenai County Republican Central Committee.
The comments, which were posted anonymously, are now the subject of a lawsuit in which Jacobson seeks $10,000 in damages. Only a couple of comments were posted by the person who identified themselves as “Almost a Bystander,” but that was enough for legal action to be taken. Jacobson had posted an article on the website and on February 14, 2012, the comments were added. They allege Jacobson had been embezzling funds: Serious allegations. The owners of the website promptly deleted the comments, together with the entire post.
Whatever happened to free speech?
The newspaper maintains that readers should be allowed to post comments on articles, and that it should not be necessary for individuals to identify themselves. The paper also does not believe that commenters should have their identities revealed if they have chosen to post anonymously.
If the newspaper continues to protect the identity of “Almost a Bystander,” it is probable that the paper will have to cover the cost and pay the damages. The case could well set a precedent, which could have a serious effect on other newspapers, blogs and websites that allow comments to be posted anonymously.
If the company hosts a website that allows social interaction, they may have to reveal the identities of anonymous comment posters. But to do that they would have to include that in their website terms and conditions. Revealing the identity of an anonymous individual could well result in that person suing the newspaper for damages. What do you think?
Is free speech a right only for people who choose to identify themselves?
Should a company be held responsible for comments posted by an individual who chooses to remain nameless?
Mar 13, 2012 | Cybersecurity Advice, Network Security
You can purchase the most sophisticated software, implement multi-layered security systems, conduct regular system scans and use a host of other security products to keep your network protected from cyberattacks. Unfortunately, all it takes is for one individual to accidentally install malware and all of your good work has been undone. That individual is likely to be one of your company’s employees, not a hacker.
Common sense is one of the best defenses
You may not be able to install defenses that offer 100% protection against intrusions, insider threats, and malicious software, but we are sure you do your best with the resources you have available. You should install software systems to protect your network, email system and web browsers, but it is all too easy to forget that one of the best ways of protecting a computer, or the network it is connected to, is to use common sense. Unfortunately, when it comes to internet and web security, many employees have very little. Consequently, they must be taught how to act appropriately.
Some employees think they have a very secure password, but oftentimes is nowhere near as secure as they believe. It doesn’t contain any special characters, it lacks capital letters, and while it does contain numbers, only a 1234 has been added on the end. If you do not instruct employees how to create secure passwords, they will not.
You must also inform them that they must not share passwords across platforms. Sure, it is a pain remembering lots of different passwords, but if one is compromised they all will be. A recent survey conducted by Trusteer, a provider of fraud protection systems, highlighted how common this practice is. Their survey revealed that 73% of computer users use the same password to access their online bank account as they do for other online services.
You may have installed a spam filter to reduce the risk of employees falling for a phishing email. The spam filter catches virtually all spam and dangerous emails, and places them in a quarantine folder. The risk of a malware infection via email will be reduced to the minimal level.
Then not just one, but a number of employees go into the quarantine folder, and open an excel spreadsheet that has been quarantined as it is actually malware. Sometimes common sense disappears entirely. One company discovered that is exactly how hackers managed to gain access to a corporate network in 2011.
Not all scams and phishing campaigns are easy to identify
Sometimes a clever campaign is devised by cybercriminals to phish for information. Social media websites contain many examples of these. The British Royal Wedding last year saw one cybercriminal launch an interesting campaign to help access accounts with two-factor authentication. The scam was launched on Facebook, and you may even have seen it, or something about it.
The page helped you create your “Royal Name”. All you needed to do was enter in the name of your first pet, your grandmother or grandfathers name, and the name of the street where you grew up. The result could have been Tiddles Arthur Beddington. Not a particularly amusing name it has to be said, but the creator of the campaign would find it funny. Not only would those answers be helpful when attempting to guess passwords, they are also the likely answers to security questions used to gain access to internet banking websites. If your password and login name had already been compromised, you could have just given full account access to a hacker.
The importance of providing common sense training on internet security
You either have some common sense or you don’t, but when it comes to internet security, there will always be one individual who appears to have none. Make sure all of your employees are trained on the basics of internet security. Some will not know to act in a secure manner online.
