Cybersecurity Attacks have given CEOs a Rude Awakening

Unfortunately, IT security professionals have to deal with business managers. This is a problem that will never go away, but there is some good news. They may still be intent on slashing budgets and increasing the productivity of the workforce, but they are less keen on slashing IT department budgets. Many are now suggesting increases in operational budgets to deal with the increased risk of attack.

We are also finally seeing CEOs making the decision to implement good security measures to protect against malicious insiders and hackers. The days of having “good enough” security measures may finally be coming to an end. Attitudes on cybersecurity are changing at last, in no small part due to the cost of not doing so being hammered home. Highly publicized cyberattacks have helped in this regard. So have reports of stock prices tumbling after security breaches are suffered.

It is not only lone hackers that are attempting to break through firewalls and cybersecurity defenses. Groups of incredibly talented hackers are being recruited by nation states and are being put to work on highly sophisticated hacks on U.S. enterprises. With the backing of nation states, the threat level increases considerably. Robust defenses must be implemented to repel the attacks. Any organization that implements minimal cybersecurity defenses may as well place an advertisement in the Washington Post inviting hackers to attack.

Cybersecurity attacks have been receiving a lot more press, in no small part due to the huge volume of data that hackers have been able to obtain. Corporate secrets, company accounts, information on personnel, customer data, medical records, Social Security numbers, and much more have all been obtained. This information is subsequently sold to the highest bidder or, in some cases, simply posted online for all to see.

The potential damage caused can be catastrophic. Many small to medium-sized businesses would not be able to survive such an attack, and even enterprise organizations feel the effect. The threat from these attacks has brought a much-needed change in the attitudes of upper management and, while IT departments are not yet given all the money they need, the situation is certainly improving.

A recent survey conducted by ESG Research suggests that business leaders are getting much more involved with information security situational awareness and strategy: 29% of respondents said so, a major improvement year on year. Furthermore, 40% of respondents said that over the past year executive management has become “somewhat more engaged” with these matters.

As more mega data breaches are reported in the news, and the true cost of resolving security incidents is calculated, we can expect engagement to increase further. Bigger IT security budgets should also be allocated to improve protection.

Avoid Legal Liability and Web Threats by Investing in Internet Security

It is now possible to search the internet more securely and also avoid objectionable content without having to install a web filtering solution or parental controls. Google has added greater protection to its search engine to filter out undesirable webpages. Users of Google.com will no longer have the option of choosing a moderate level of content. The choice is now a yes or no. They can “filter explicit content” or not, and account holders can also lock the setting in place.

This will undoubtedly please many parents, who will be able to easily add a filter to prevent their children from being shown content of an adult nature, but not everyone is happy. The news broke via Reddit and many internet users have reacted angrily over the censorship that is now placed on searches by Google SafeSearch.

Google SafeSearch is not sufficient protection for businesses, schools and colleges

The major search engines are well aware that there are a lot of websites containing adult or otherwise explicit content on the Internet and most now offer an option to filter search results to prevent certain sites from being displayed. When set to their various safe modes, they will limit the search results for general search terms. This is fine for home use but it is not sufficient protection for schools, colleges and business use.

The function can be used of course, but it will need to be set on each individual computer or browser, and the controls are easy to navigate around. They will only prevent content from inadvertently being displayed in the search results. If a student or member of staff wants to access explicit content, it is easy to bypass the controls or turn them off.

Oftentimes these filters are overactive and prevent some legitimate websites from being displayed. It may not be possible for students or teachers to view classic literature or works of art. Some will be deemed to be sexually explicit. The answer in this case is not to use the search engine functions to filter content, but to employ a powerful web filtering solution such as WebTitan.

WebTitan allows a system administrator to fine tune the web filter to ensure that adult and other objectionable content cannot be viewed on a school, college or business network. There is no bypassing the controls. The sites will not be viewable. The filter is highly flexible and can be fine-tuned with ease to suit an organization’s needs. System administrators will also be able to see who is attempting access to certain websites that are not permitted under Internet usage policies.

This will not only protect students and employees from viewing content that is inappropriate; it will also help employers avoid legal action.

It is not just an individual that faces legal action from inappropriate online activity

If an employee accesses illegal content, that individual is likely to face criminal charges. However, an employer who does not take steps to prevent the content from being viewed could face legal action. Criminal charges may not be filed, but it is possible claims for damages will be filed.

A court case in New Jersey has highlighted the risk. In the case of Doe v. XYC Corp., a company was sued for damages after an innocent third party discovered child pornography images on a work computer. An employee of the company had downloaded them and was dealt with accordingly, but a legal case was filed against the employer nonetheless.

The employer may not always be found to be liable, but it is possible that legal claims will be filed. The negative publicity from such a case can be particularly damaging for a company. Questions will be asked about why efforts were not made to prevent that sort of content from being viewable in the workplace.

If you want to play it safe and have total control over what your employees/students can access via a work or college computer, a web filtering solution should be employed. You should not rely on the search engines to filter out explicit content.

Data Security Threat Predictions for 2013

The festive period is almost upon us and, aside from having to deal with the wave of Christmas and New Year cybersecurity threats, it is a time to relax, reflect on the major security events of the year, and plan for 2013.

Lessons have been learned in 2012 and it is up to IT security professionals to ensure that the same mistakes are not made next year. 2013 is likely to see a wave of attacks, a great deal more threats, and many companies’ security defenses breached. Prepare adequately and your company is likely to avoid becoming another security breach statistic.

Online Security Threats from 2012

2012 was an exciting year, certainly as far as data mobility was concerned. Many companies have enjoyed the benefits that come from being able to access data from any location, on any device. Unfortunately, so have cybercriminals.

Widespread adoption of Bring Your Own Device (BYOD) schemes has made workforces much more productive, efficient, and happy. Unfortunately, mobile devices are being attacked with increasing regularity. Personal smartphones, laptops, and tablets may represent the future of business, but they often lack the necessary security controls to ensure corporate networks remain protected. Cloud computing has also been adopted by many organizations, but not all have made sure their cloud applications are appropriately secured.

There has been an explosion in the number of social media websites. The sites are more popular than ever before, and so are the threats that come from using them. As user numbers have increased, so have the types of malware being developed to exploit users of Facebook, Twitter, Pinterest and the myriad of other sites that have enjoyed an increase in popularity.

Up and coming platforms are being targeted as user numbers increase and established platforms such as Facebook and Twitter are honeypots for cybercriminals. Social media channels and mobile devices are likely to remain problematic for IT professionals charged with keeping their corporate networks secure. Unfortunately, IT security professionals have little control over personal devices, and it is very difficult to stop end users from using their social media accounts at work.

As cybercriminals start using new attack vectors with increasing regularity, security professionals must be alert to the new risks. Listed below are our security threat predictions for 2013: some of the trends that are likely to develop further over the course of the coming year.

Security Threat Predictions for 2013

SQL Injection attacks will continue to increase

There was a rise in the number of successful cyberattacks last year, many of which involved SQL injection – the insertion of Structured Query Language commands through a web application in order to gain access to the corporate databases behind it. Hackers were able to use this technique to hack into web servers and obtain user names and passwords from corporate databases.

Small to medium-sized companies are particularly vulnerable, as they often do not have the resources available to address all the vulnerabilities that can be exploited by SQL injection. However, even very large companies are at risk. In 2012, Wurm Online, a hugely popular online multiplayer game, was hacked using SQL injection, resulting in the site being taken offline. Yahoo Voices was also hacked using this technique and over 450,000 user logins were obtained by hackers. That attack used “union-based SQL injection”. Both attacks were made possible because basic web server mistakes had been made by the companies in question; both were avoidable.
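As an added illustration (not code from the original post or from any of the companies named), here is the coding mistake behind a union-based injection against a search feature, shown beside the parameterised query that closes it. The schema, table contents and placeholder password hashes are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for a web application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (title) VALUES (?)", [("Welcome",), ("Release notes",)]
    )
    # Placeholder hashes: constructed values, not real credentials.
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "HASH_PLACEHOLDER_1"), ("bob", "HASH_PLACEHOLDER_2")],
    )
    return conn


def search_vulnerable(conn, term):
    """The mistake: the search term is spliced straight into the SQL text.

    Whatever the user types becomes part of the statement, so a term that
    closes the quote and appends a UNION SELECT pulls rows from any other
    table with the same column count (here, the users table).
    """
    sql = "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """The fix: the term travels as a bound parameter and is never parsed as SQL.

    The database receives the statement and the value separately, so the
    same input is matched literally against titles and returns nothing.
    """
    sql = "SELECT id, title FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A textbook union-based probe, constructed for the demonstration: it closes
# the open quote, unions in two columns from users, and comments out the rest.
UNION_PROBE = "x' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run both versions on the same input; returns (leaked_rows, safe_rows)."""
    conn = build_db()
    return search_vulnerable(conn, UNION_PROBE), search_safe(conn, UNION_PROBE)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)  # user table rows leak
    print("parameterised query returned:", safe)  # []
```

The same principle applies to any database driver: use the driver's parameter binding (or an ORM that does so) for every value that originates from a request, and treat string concatenation into SQL as a defect to be found in code review.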

Ransomware attacks will increase

The past 12 months have seen a rise in cyberattacks using ransomware. Users are fooled into installing malware on computers and networks which subsequently encrypts all company data. Company operations have ground to a halt, with no data accessible without the decryption key. Those keys will only be provided by the criminals if a ransom is paid. Companies have found they have no choice but to pay the criminals to decrypt their data. In 2012, a number of hacked GoDaddy websites were discovered to be infecting users with ransomware.

Defenses against this type of malware must be improved. Install spam and web filters to prevent users from installing this malware, and ensure that all data is backed up and policies are developed to recover backed up files. A data breach response plan should be developed to ensure business-critical data is restored promptly.

Increase in amateur cybercriminals using attack toolkits

As we saw this year, you do not need to be a hacking genius to pull off a successful cyberattack. It is possible to rent an attack toolkit with a host of premium features that make it easy to use by virtually anyone. The Blackhole exploit kit is a good example.

Investment in these kits has helped improve their usability and many now include APIs, scriptable web services, reporting interfaces, and even mechanisms to protect the users of the toolkits. By improving the quality of the kits, talented computer programmers have been able to increase the number of individuals able to launch attacks on corporations. There is no shortage of takers, and the investment spent has been well rewarded. Expect more individuals to use these kits and the volume of email malware to increase.

Less damage from security vulnerability exploits

Security vulnerabilities are being discovered with increasing regularity and this is enabling security holes to be plugged before they can be exploited. Protection against exploits is also improving and the next 12 months are likely to see even more advancements in this area. A number of protections have already been developed and implemented to prevent attacks of this nature, such as address space layout randomization (ASLR), sandboxing, data execution prevention (DEP) and trusted boot mechanisms. It is expected to become harder for hackers to exploit security vulnerabilities, although the risk of attack will certainly not be eradicated.

New privacy and security challenges that need to be addressed

The rise in popularity of mobile devices, and the adoption of BYOD by many organizations, has seen data security risk increase substantially. Mobile devices contain numerous security flaws. The devices can be used to track victims via GPS and near field communication (NFC), allowing criminals to physically locate their targets. The growth in social media applications for mobile devices is likely to see even more devices compromised. Expect 2013 to see a wave of new attacks on mobile devices and security vulnerabilities in new technologies exploited.

Do you agree with our security threat predictions for 2013?

SMBs Beware: Social Media Use Can Cost you Dearly!

Small to Midsize Businesses (SMBs) have a lot to gain from joining the social media revolution, and even by allowing employees some personal Facetime at work. There are a number of drawbacks though, and some can be very serious.

Many SMBs are well aware of the potential risks as evidenced by a recent survey conducted by Forrester. Businesses were sent surveys as part of the security study and were asked about social media risk. It was named as one of the biggest security concerns.

If social media accounts are accessed at work, they pose a considerable risk to network security. There is a major risk of suffering a malware infection from social media websites. Accounts can be hijacked and there are issues with staff accessing inappropriate content or posting sensitive information about the company. Data leakage is a concern, and highly regulated industries face greater risks. Healthcare professionals could all too easily violate HIPAA rules.

With all of these serious risks, why would any business permit members of staff to access personal social media accounts at work? Why not just implement a zero tolerance policy, and take action against any employee found to be using social media sites at work? Better still, social media sites could be blocked entirely to prevent all employees from having a sneaky peek at their Facebook accounts!

There are benefits to be gained from allowing social media access in the workplace

Social media access by employees is not all bad news. There are many positive benefits to be gained from allowing staff a little time to access their Facebook, Twitter and LinkedIn accounts at work. Even some YouTube time can be very beneficial. Here are four reasons why a total ban on social media use at work is not necessarily the best option for employers.

A little social media access can improve the productivity of staff!

Employees may be seen to “waste” a little time each day accessing Facebook or other social media websites at work, but the time is not necessarily totally wasted. In fact, some downtime can improve the productivity of employees. How productive would you be if you worked 8 hours straight each day without taking a break? You may be able to do it for a few days each week, but burnout awaits those who try to do too much.

Recent research shows that allowing workers access to their social media accounts can actually increase productivity, and not just a little. A study conducted by the Harvard Business Review showed that productivity increases of 20-25% are possible with a little Facetime allowed each day. Employees can actually get answers to questions much more quickly by using social media and professional networking websites than trawling through websites!

LinkedIn can be used to find new staff members, or encourage the best people to apply for a job. If business accounts are opened and managed, it is much easier to connect with customers, and customer service standards can be improved. The cost of providing those services can also be reduced thanks to social media. The websites are also a great way of communicating with customers and staff.

Social media can give a business a competitive edge

There are reasons why the likes of Google and Facebook give their staff ping pong tables, napping chairs, video games and use bright and bold color schemes in their offices. They improve staff morale, they make employees happier at work and, consequently, staff complain less about having to work incredibly long hours.

OK, we are not saying you should turn your office into an amusement arcade, but allowing employees some time off to use social media sites is not that bad. It is a selling point as well, especially for Gen Y staff. They expect to be able to have some social media time at work.

You probably ban social media access at work, but your competitors might not. One of them almost certainly allows some Facetime at work. It could be the difference between attracting the best workers or just the mediocre ones!

Blocking access to social media websites is not easy

So you want to ban social media use at work. How do you plan to implement that ban? Just tell staff it is inappropriate to access the sites and then turn a blind eye to a little use? Get HR to bring employees in who access Twitter during work time? Purchase a web filter to block access?

A ban must be enforced, access to the sites needs to be monitored, and action taken against offenders. If you have a lapse in adherence to the policy, how will you deal with it? It could well be more trouble than it is worth!

If you operate a BYOD scheme and allow the use of personal laptops or tablets at work, you can’t ban employees from using their own devices to access social media websites outside of office hours. You will still need to implement policies covering use of the sites, even if they are blocked in the office.

Regardless of controls, if employees want to use social media, a ban will not stop them

Implementing a ban does not mean employees will stop using social media at work; it will just be harder to control. Even if you purchase a web filter, such as that offered by SpamTitan, and block access to the sites for all staff members, employees will still access their accounts if they want to. They will just use their smartphones. You will then lose all control and it will be impossible to monitor how much time your employees are spending on the sites. In fact, a ban could well lead to employees taking more risks, or posting disparaging remarks about your company.

Instead of implementing a total ban, why not look for ways to leverage the use of social media websites, develop policies to control usage, and implement software solutions to minimize security risks and give you control over what is accessed via the websites?