What are the Main Privacy and Security Concerns of Customers?

A new report released by the privacy and data security group of the law firm Morrison & Foerster sets out the main privacy and security concerns of customers.

Don’t Ignore the Privacy and Security Concerns of Customers

If you ignore the privacy and security concerns of customers it is likely to have a significant effect on your bottom line.

A new report recently released by Morrison and Foerster suggests that consumers are even more concerned about their privacy than four years ago. Furthermore, many will take action if they feel their privacy is not protected. The survey indicates more than one in three consumers have switched companies they do business with due to privacy concerns, and one in five would switch after a breach of their personal data.

The firm surveyed 900 U.S. consumers in November 2015. 35% of respondents said they had decided to switch companies or not buy a product as a result of privacy concerns. When it came to a breach of personal information, 22% said they had stopped purchasing products or switched services as a result.

According to the report, more educated individuals and higher earners were the most likely to stop doing business with a company as a result of a data breach. 28% of respondents educated to college degree level or higher said they would make the switch after a data breach compared to 18% of individuals without a college degree.

For the upper income bracket, 33% said they stopped buying as a result of a data breach. That figure fell to 28% for the middle income bracket, and 17% for the low income bracket.

When the company conducted the survey back in 2011, 54% of consumers said that privacy concerns affected their decision to make a purchase. In 2015, 82% of consumers said that privacy concerns influenced their purchasing decisions.

Companies are not perfect, but consumers are intolerant of data breaches

In 2011, 16% of consumers believed no business was perfect, and were therefore likely to overlook privacy issues and data breaches, whereas in 2015 the figure had fallen to 9%.

The greatest concern is now the risk of identity theft, with the percentage of individuals worried about thieves stealing their identity jumping from 24% in 2011 to 52% in 2015.

The survey shows that companies must not only do more to earn the trust of consumers, they must also do more, and be seen to be doing more, to safeguard the data they store on consumers, especially Social Security numbers and other government IDs, payment card information, and user IDs, passwords and account information.

How to improve your security posture and prevent data breaches

It is essential to implement multi-layered security to prevent cyberattacks. For businesses, one of the biggest problems is how to stop employees from inadvertently compromising a network, so security training is essential. Employees must be made aware of security risks and given regular training on avoiding scams and malicious websites and on identifying phishing emails.

Risky behavior must be eliminated. Internet and BYOD policies must be introduced that cover the acceptable uses of devices and the sites that may be accessed at work. However, not all employees will adhere to those policies, so for maximum protection it is strongly advisable to implement a technical control that reduces the risk of malware downloads.

A web filtering solution is essential in this regard. A web filter can block known malicious websites and reduce the risk of malware infections, and can also be configured to protect end users from malvertising.

A patch management policy must be implemented and software updates installed promptly, so that the window between disclosure of a vulnerability and its exploitation is as short as possible. By definition patching cannot stop a true zero-day exploit, for which no fix yet exists; that is precisely why the other layers matter.

Anti-virus and anti-malware software must be used. Running a different engine on servers from the one used on endpoints is a wise precaution: malware that slips past one engine may be caught by the other.

It is now an inevitability that a data breach will be suffered at some point in time, but reducing the likelihood of that happening is essential. It is important to pay attention to the privacy and security concerns of customers. Show consumers how dedicated you are to protecting their privacy, and implement a wide range of controls to prevent a data breach and you will reduce the risk of losing customers to better protected organizations.

Lenovo SHAREit Vulnerabilities Include Third Worst Password

Ask anyone to name a basic security protection to prevent hackers from gaining access to a device or network, and the use of a secure password would feature pretty high up that list. However, even a tech giant the size of Lenovo can fail to implement secure passwords. Recent Lenovo SHAREit vulnerabilities have been discovered, one of which involves the use of a hard-coded password that ranks as one of the easiest to guess.

Recently, SplashData published a list of the 25 worst passwords of 2015, and the one chosen by Lenovo is listed in position three between “password” and “qwerty.” To all intents and purposes, Lenovo may well not have bothered adding a password at all, such is the degree of security that the password offers. That password has also been hardcoded.

In fact, the company didn’t actually bother with adding a password at all in one of the new SHAREit vulnerabilities.

Four Lenovo SHAREit vulnerabilities have now been patched

Lenovo SHAREit is a free cross-platform file transfer tool for sharing files across multiple devices, including PCs, tablets and smartphones. Given that Lenovo has previously been found using a rootkit-like BIOS mechanism to reinstall its own software and shipping laptops with pre-installed adware, it is perhaps unsurprising that security vulnerabilities exist in SHAREit.

Four new Lenovo SHAREit vulnerabilities have been disclosed, revealing some shocking security lapses by the Chinese laptop manufacturer. If the SHAREit vulnerabilities are exploited they could result in leaked information, integrity corruption and security protocol bypasses, and could be used for man-in-the-middle attacks.

The hard-coded password, 12345678, is tracked as CVE-2016-1491 in Core Security's advisory and is the most shocking of the four. Configure Lenovo SHAREit for Windows to receive files and it brings up a Wi-Fi hotspot whose password is always 12345678, so any device within Wi-Fi range can join.

Once on that hotspot, files can be browsed by sending an HTTP request to the web server that SHAREit starts, although according to Core Security they cannot be downloaded that way (CVE-2016-1490).

The third vulnerability, CVE-2016-1489, is that files are transferred in plain text over HTTP without encryption, so an attacker on the same network could not only read them but also modify their contents in transit.

The fourth, CVE-2016-1492, concerns SHAREit for Android. When configured to receive files it creates an open Wi-Fi hotspot with no password at all, and anyone who connects can intercept the transferred files.
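The following Go program is an added example, not code from Lenovo or Core Security, modelling the two weaknesses just described: a receiver that trusts cleartext HTTP accepts an on-path modification without noticing, while one that verifies an HMAC over the body rejects it. The hotspot, the pairing key, the attacker's rewrite and the sample file are all constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// message is what crosses the hotspot: the file body and, for the
// authenticated variant, an HMAC tag. The cleartext HTTP case has no tag.
type message struct {
	body []byte
	tag  []byte
}

// sampleFile is constructed sample data standing in for a file pushed over
// the SHAREit hotspot; it is not a capture from the product.
var sampleFile = []byte("quarterly-results.csv,revenue,1200000")

// tamper models an on-path attacker who joined the open (CVE-2016-1492) or
// 12345678-protected (CVE-2016-1491) hotspot and rewrites the HTTP body in
// transit. The attacker can read everything, but cannot compute a valid
// tag without the key.
func tamper(m message) message {
	m.body = bytes.Replace(m.body, []byte("1200000"), []byte("1000000"), 1)
	return m
}

// plainTransfer is the vulnerable behaviour of CVE-2016-1489: the receiver
// trusts whatever bytes arrive over cleartext HTTP, so a modification is
// accepted silently.
func plainTransfer(file []byte, onPath func(message) message) []byte {
	return onPath(message{body: file}).body
}

// authenticatedTransfer is the minimal integrity fix: sender and receiver
// share a key (assumed here to come from a pairing step the page does not
// describe) and the receiver rejects any body whose HMAC-SHA256 tag does
// not verify. This detects modification only; confidentiality still needs
// TLS or equivalent.
func authenticatedTransfer(key, file []byte, onPath func(message) message) ([]byte, error) {
	m := onPath(message{body: file, tag: mac(key, file)})
	if !hmac.Equal(m.tag, mac(key, m.body)) {
		return nil, errors.New("integrity check failed: body modified in transit")
	}
	return m.body, nil
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

func main() {
	key := []byte("example-pairing-key") // placeholder, not a SHAREit key
	fmt.Printf("cleartext HTTP, receiver accepted: %q\n", plainTransfer(sampleFile, tamper))
	if _, err := authenticatedTransfer(key, sampleFile, tamper); err != nil {
		fmt.Println("authenticated transfer:", err)
	}
}
```

The point of the shared key is that the attacker on the hotspot can rewrite or strip the tag but cannot produce a valid one, so any change is caught at the receiver; note that a password-protected hotspot whose password is published does not supply such a key.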

Core Security disclosed the Lenovo SHAREit vulnerabilities privately to Lenovo in October 2015 to allow a patch to be developed. Now that the patch has been issued, Core Security has published the details.

Irish Data Security Survey Reveals 2016 Data Security Concerns

An Irish data security survey conducted in December 2015 has revealed that a third of Irish companies suffered a data breach in the past 12 months, highlighting the need for Irish companies to improve their security posture.

ICS Irish data security survey indicates employees are the biggest risk

150 IT security professionals took part in the Irish Computer Society survey with 33% claiming their employer had suffered a data breach in the past 12 months. In 71% of cases, the data breaches occurred as a result of the actions of staff members.

Perhaps unsurprisingly, given the number of inadvertent data breaches caused by staff members, 45% of respondents cited employee negligence as the single biggest data security threat they face. Protecting networks from errors made by employees is going to be one of the biggest security challenges faced by Irish IT professionals in 2016.

Other major security concerns highlighted by respondents included the increasing number of end user devices that are being used to store sensitive data, and the increasing threat of cyberattacks by hackers.

Improving security posture by tackling the issue of employee negligence

Employees are the weakest link in the security chain, but that is unlikely to change unless less technical members of staff are provided with training. It is essential that they are advised of the risk of cyberattacks and what they can personally do to lessen the chance of a data breach occurring. In many cases, some of the most fundamental data security measures are not so much ignored, but are just not understood by some members of staff.

Some of this may be common knowledge to IT staff: that 123456 does not make a secure password, that email attachments from strangers should not be opened, and that links to funny cat videos on social media networks might not be as innocuous as they seem. It cannot be assumed that every employee knows it.

Tackling what might (dare we say) be called employee data security stupidity is essential, and it is far better to do so before a breach than after one. Proactive steps must be taken to improve understanding of cybersecurity risks and of what employees can do to reduce them.

ICS Irish data security survey respondents indicated that the best way of improving data protection knowledge is by conducting formal training sessions. 57% of respondents said this was the best approach to dealing with data security knowledge gaps.

Fortunately, the level of training being provided is increasing, not only for end users but also for data security staff. However, there is clearly still a long way to go. Only 56% of respondents said they had received the right level of training to achieve the objectives set by their organizations.

The full findings of the Irish data security survey will be made available at the Association of Data Protection Officers National Data Protection Conference, taking place on January 27/28 in Ballsbridge, Dublin.

FortiGate SSH Backdoor Identified

A security vulnerability has been discovered in the FortiOS software that runs Fortinet's FortiGate firewall appliances. (It has widely been reported as a "FortiGuard" backdoor, but FortiGuard is Fortinet's threat-research and subscription brand; the affected product is FortiGate.) Should the SSH backdoor be exploited, an attacker would gain full administrative privileges on the appliance.

The FortiGate SSH backdoor is an unintentional security vulnerability

The backdoor was not installed by hackers; it is an unintentional security vulnerability in the FortiOS operating system. It came to public attention this month when a third party published a working exploit, which makes it imperative that all FortiGate owners check their firmware version now. The affected releases are FortiOS 4.3.0 to 4.3.16 and 5.0.0 to 5.0.7; the account was removed in 4.3.17 and 5.0.8, and FortiOS 5.2 and later never contained it, so devices on those versions need no action for this issue.

After the exploit was published, Fortinet investigated whether other products contained the same code. A statement released by Fortinet last week confirms that, in addition to FortiOS on FortiGate, some releases of FortiAnalyzer, FortiCache and FortiSwitch are also affected.

In order to prevent the backdoor from being exploited users have been advised to upgrade to version 3.0.8 of FortiCache, version 3.3.3 of FortiSwitch, and versions 5.0.12 or 5.2.5 of FortiAnalyzer.

The issue is in the appliances' SSH management interface. According to a Fortinet blog post, it was not created by a malicious insider or outsider but was an "unintentional consequence" of a feature intended to provide "seamless access from an authorized FortiManager to registered FortiGate devices." In practice that feature was an undocumented account whose authentication secret is hard-coded into the firmware, so anyone who recovers the secret from one image can log in to every unpatched device with full administrative privileges.
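As an added illustration (this is not FortiOS code; the account name, secret and admin table are placeholders), the Go program below shows the pattern the blog post describes, an authentication path that accepts an undocumented account with a constant secret, next to the hardened form that knows only configured accounts, plus the check a defender can run against a login path to detect such an account.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"sort"
)

// adminAccounts stands in for the appliance's configured administrator
// table. Constructed sample data: one admin whose password was set at
// provisioning. (Plain SHA-256 is used only to keep the example short; a
// real device should store a slow, salted hash.)
var adminAccounts = map[string][32]byte{
	"admin": sha256.Sum256([]byte("per-device-secret-set-at-install")),
}

// Vulnerable pattern, modelled on the page's description: an undocumented
// account whose secret is a constant compiled into the firmware. Every
// device running that image shares it, so whoever extracts it from one
// image can log in to all of them. Name and secret are placeholders, not
// the real FortiOS values.
const (
	hiddenUser   = "mgmt-access"
	hiddenSecret = "same-constant-in-every-image"
)

func authenticateVulnerable(user, password string) bool {
	if user == hiddenUser {
		return subtle.ConstantTimeCompare([]byte(password), []byte(hiddenSecret)) == 1
	}
	return checkConfigured(user, password)
}

// Hardened pattern: the only accounts that exist are the configured ones.
// A central-management use case (the FortiManager access the page quotes)
// would be met with a per-device credential or certificate enrolled at
// registration time, never with a shared constant.
func authenticateHardened(user, password string) bool {
	return checkConfigured(user, password)
}

func checkConfigured(user, password string) bool {
	want, ok := adminAccounts[user]
	if !ok {
		return false
	}
	got := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// auditHiddenAccounts is the defender's check: feed candidate name/secret
// pairs (in practice, strings pulled from a firmware image) to the login
// path and report any that succeed for a user absent from the configured
// table. A non-empty result means the login path accepts a backdoor account.
func auditHiddenAccounts(auth func(user, password string) bool, candidates map[string]string) []string {
	var hidden []string
	for user, secret := range candidates {
		if _, configured := adminAccounts[user]; configured {
			continue
		}
		if auth(user, secret) {
			hidden = append(hidden, user)
		}
	}
	sort.Strings(hidden)
	return hidden
}

func main() {
	candidates := map[string]string{hiddenUser: hiddenSecret, "root": "toor"}
	fmt.Println("vulnerable image, hidden accounts:", auditHiddenAccounts(authenticateVulnerable, candidates))
	fmt.Println("hardened image, hidden accounts:", auditHiddenAccounts(authenticateHardened, candidates))
}
```

The audit only finds accounts whose secret is among the candidates, which is why it is paired with extracting strings from the firmware rather than guessing; it is a check on an image you own, not a scanner for other people's devices.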

If it is not possible to upgrade immediately, Fortinet advises a workaround: disable SSH administrative access and manage the device through the web-based interface until the operating system can be upgraded.

Last month a backdoor was found in the ScreenOS operating system used by Juniper Networks. In that case the code had been inserted deliberately by an unknown party. It allowed a remote attacker to gain full administrative access to NetScreen firewalls and to decrypt VPN traffic passing through them.

Are You Protected Against Employee Data Theft?

Many companies have responded to the threat of data theft by hackers by using encryption, so that if attackers do break through the perimeter and gain access to computers or networks, customer data is not exposed (provided the keys are not compromised along with the data). The same cannot be said of employee data. A new security report suggests that employee data theft is a real risk, and that the personal information of employees is far less likely to be protected than customer data.

Employee data theft is a real concern – Don’t forget to encrypt ALL sensitive data!

A recent study has shown that when it comes to protecting intellectual property and the personal information of employees, mid-sized companies around the world fail to use the same stringent measures that they apply to customer data.

The Sophos/Vanson Bourne study revealed that 43% of midsized companies – those employing between 100 and 2,000 members of staff – do not regularly encrypt human resources files. Human resources files usually contain sensitive information on employees: names, addresses, contact telephone numbers, dates of birth, emergency contact information, and government IDs such as Social Security numbers. These are exactly the kind of data sought by hackers. These data can easily be used to commit identity theft.

The survey was conducted on respondents from Australia, Canada, Japan, Malaysia, and the United States indicating this is a global problem.

In the United States, where a high percentage of cyberattacks on midsized companies take place, 45% of companies appear not to be encrypting employee data, even though these companies face a high risk of employee data theft. Even financial data is left relatively unprotected: almost a third of companies in the United States are not encrypting their financial data.

It is not a case of encryption not being implemented at all by midsized companies. In the United States for example, 43% of midsized companies use encryption to some degree, while 44% claim they widely encrypt data. The figures are understandably lower for small organizations, in a large part due to the cost of encryption. 38% of small businesses widely encrypted data. Half of larger organizations used encryption for most data.

Companies are not applying safeguards evenly and are leaving gaping security holes. It is not only the threat of employee data theft that is being underestimated. Many organizations are not encrypting data they send to the cloud. Only 47% claimed to encrypt “some files” sent to the cloud and just 39% encrypt all data sent to the cloud. However, 84% of respondents claimed to be worried about cloud security.

Why is encryption not being universally applied?

The survey probed respondents to find out why data encryption is not being used. Four out of ten organizations claimed this was due to budgetary constraints. Three out of ten said it was because of performance trade-offs and a similar number said it was an issue with how to actually encrypt data. Interestingly almost 20% of respondents claimed that encryption wasn’t actually effective at protecting sensitive data.

There is also a commonly held belief that encryption is complex or cannot easily be implemented. That was a fair complaint when full-disk encryption was the only practical option, and full-disk encryption in any case only protects a device that is lost or stolen while powered off; it does nothing against an attacker who compromises a running system, which is how most network breaches unfold. Encryption technology has advanced considerably in recent years, and file- and field-level encryption tied to access controls is now widely available. Companies should therefore take a fresh look at encryption and take steps to prevent employee data theft and the exposure and theft of their intellectual property.
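An added example of what file-level protection of an HR record looks like in practice, written in Go against the standard library. This is not code from the Sophos report or any product; the key source, the sample record and the context name are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed HR record, not data from the study.
var sampleRecord = []byte(`{"name":"A. Example","dob":"1980-01-02","ssn":"000-00-0000"}`)

// encryptRecord seals one record with AES-256-GCM under a data key that is
// assumed to come from a key-management service (main generates a
// throwaway key). The context string, e.g. the record's path or employee
// ID, is bound as additional authenticated data so a ciphertext cannot be
// swapped into another record unnoticed. Output layout: nonce || ciphertext || tag.
func encryptRecord(key, context, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// decryptRecord reverses encryptRecord. Any change to the blob, the key or
// the context fails authentication, which is the property that makes the
// stored file useless to a thief and tampering detectable to the owner.
func decryptRecord(key, context, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, context)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong context, or modified data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := make([]byte, 32) // placeholder: a real deployment fetches this from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ctx := []byte("hr/employees/1001.json")
	blob, err := encryptRecord(key, ctx, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for a %d-byte record\n", len(blob), len(sampleRecord))
	blob[len(blob)-1] ^= 0x01 // simulate one flipped bit in the stored file
	_, err = decryptRecord(key, ctx, blob)
	fmt.Println("after tampering:", err)
}
```

The per-record random nonce and the authenticated context are what separate this from naive "encrypt the disk" thinking: each HR file stands on its own, the key never sits beside the data, and the cost is a 28-byte overhead per record, which addresses the performance objection the survey records.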

Hackers steal data for financial gain. Employee data theft should be a concern, as should the theft of intellectual property. These data have considerable value. It is not just customer data that can be used to commit fraud or be sold on the black market.

Web Filter Implementation Errors Blocking Important Content

There is a clear need for British libraries to implement web filtering solutions to restrict the content that can be accessed through library computers. However, as has recently been discovered, web filter implementation errors can all too easily result in important and valuable Internet content being blocked.

Web filter implementation errors damage public access to content sought by vulnerable users

Give a schoolboy a dictionary and it will not be long before the exact meaning of every cuss word will have been looked up. Provide totally free access to the Internet without the watchful eye of parents and it will not be long before access is used to access pornography and other objectionable content.

The anonymity afforded by library computers allows objectionable content to be accessed, such as pornography, ISIS propaganda, and other web content and imagery that has potential to cause harm. Libraries are an extremely valuable resource, but the type of information that can be accessed does need to be controlled, according to some local authorities at least.

The implementation of a web filtering solution was deemed an appropriate safeguard to prevent unsavory content from being accessed on library computers in Britain. The difficulty is preventing potentially damaging content from being accessed while ensuring the filters do not block acceptable content, especially content that many people legitimately choose to access in a library, such as information about sexual health.

Many vulnerable individuals may not be able to access sexual health information at home. The sites that are accessed may be seen by family members for example. A teenager may want information about contraception, abortion, or sexually transmitted diseases, yet be unable to search for the information they need at home. They may want to access resources produced for the LGBT community. A library is an ideal place for this important information to be obtained. Information that may prevent these individuals from coming to harm.

Data recently released by the Radical Librarians Collective indicates that web filter implementation errors have resulted in much of this important content being blocked, even though this is exactly the sort of content that libraries exist to provide. The problem is not the use of web filters, but web filter implementation errors and a lack of intelligent oversight, according to the collective.

Web filtering policies should be developed to allow anonymous unblocking of legitimate websites

Library officials have implemented web filtering solutions, but have done so with a top-down filtering policy. This has resulted in valuable and important content being blocked by the filters. The data came from a study of over 200 local authorities and showed content that should be permitted under acceptable use policies was being blocked.

Whenever the Internet is filtered there will naturally be some websites that are accidentally blocked, just as some sites containing objectionable content will still be accessible. A web filter requires fine-tuning, and a few false positives and false negatives are to be expected, so a handful of misclassified sites would not by itself indicate an implementation error. The problem in Britain appears to involve far more than a few websites, which does indicate that web filter implementation errors have been made.

Another problem is that individuals trying to access blocked content do not request libraries to unblock websites out of embarrassment or fear.

When a web filter is used, it is vital that policies are developed to permit users to request access to a particular website if it can be legitimately viewed under the library’s allowable usage policy. However, due to the sensitive nature of some information, sexual health matters for instance, users should be able to make that request without fear of repercussions. Allowing requests to be submitted anonymously could help in this regard.
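The Go program below is an added example, not the filter any library uses, of the difference between the crude keyword filter that produces the over-blocking described above and a policy-driven one in which an explicit allowlist wins over every other rule and unblock requests are queued by URL alone. Hosts, keywords and categories are constructed placeholders; the same run also shows that the crude filter under-blocks a site it has no keyword for.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

type verdict struct {
	Allowed bool
	Reason  string
}

// blockedKeywords is the kind of crude rule that produces over-blocking:
// any URL containing one of these substrings is refused, which catches
// contraception and sexual-health pages as readily as pornography.
var blockedKeywords = []string{"porn", "sex", "gay", "abortion"}

func naiveFilter(raw string) verdict {
	lower := strings.ToLower(raw)
	for _, kw := range blockedKeywords {
		if strings.Contains(lower, kw) {
			return verdict{false, "keyword:" + kw}
		}
	}
	return verdict{true, "default-allow"}
}

// policyFilter keeps decisions reviewable: an allowlist for resources the
// acceptable-use policy wants available overrides everything, host
// categories carry the block list, keyword matching is only a last resort
// for unknown hosts, and unblock requests are logged by URL alone so a
// patron need not identify themselves to ask.
type policyFilter struct {
	allowedHosts map[string]bool
	blockedHosts map[string]string // host -> category
	requests     map[string]int    // URL -> number of anonymous requests
}

func newPolicyFilter() *policyFilter {
	return &policyFilter{
		// Constructed example hosts, not real sites or any library's config.
		allowedHosts: map[string]bool{"sexual-health-advice.example": true, "lgbt-youth-support.example": true},
		blockedHosts: map[string]string{"adult-content.example": "pornography"},
		requests:     map[string]int{},
	}
}

// matchHost walks up the domain so a rule for "example.org" also covers
// "www.example.org".
func matchHost(host string, table func(string) bool) bool {
	for h := host; h != ""; {
		if table(h) {
			return true
		}
		i := strings.IndexByte(h, '.')
		if i < 0 {
			return false
		}
		h = h[i+1:]
	}
	return false
}

func (p *policyFilter) evaluate(raw string) verdict {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return verdict{false, "unparseable"}
	}
	host := strings.ToLower(u.Hostname())
	if matchHost(host, func(h string) bool { return p.allowedHosts[h] }) {
		return verdict{true, "allowlist"}
	}
	var category string
	if matchHost(host, func(h string) bool { c, ok := p.blockedHosts[h]; category = c; return ok }) {
		return verdict{false, "category:" + category}
	}
	return naiveFilter(raw)
}

// requestUnblock records an anonymous request to review a blocked URL;
// it stores no user identity, only the URL and a count.
func (p *policyFilter) requestUnblock(raw string) bool {
	if p.evaluate(raw).Allowed {
		return false // nothing to review
	}
	p.requests[raw]++
	return true
}

// pendingReviews lists the URLs staff should look at, most requested first.
func (p *policyFilter) pendingReviews() []string {
	urls := make([]string, 0, len(p.requests))
	for u := range p.requests {
		urls = append(urls, u)
	}
	sort.Slice(urls, func(i, j int) bool {
		if p.requests[urls[i]] != p.requests[urls[j]] {
			return p.requests[urls[i]] > p.requests[urls[j]]
		}
		return urls[i] < urls[j]
	})
	return urls
}

func main() {
	p := newPolicyFilter()
	for _, raw := range []string{
		"https://sexual-health-advice.example/contraception",
		"https://www.lgbt-youth-support.example/helpline",
		"https://adult-content.example/video",
		"https://forum.example/thread/sex-education-in-schools",
	} {
		fmt.Printf("%-58s naive=%v policy=%v\n", raw, naiveFilter(raw), p.evaluate(raw))
	}
}
```

The allowlist is the "intelligent oversight" the collective asks for in code form: it is where a librarian records that a category or keyword rule got a particular resource wrong, and the anonymous review queue is how patrons tell them without having to say who asked.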