How Reliable are Reports of Cybercrime?

The threat posed by hackers and online criminals is very real, but reports of instances of cybercrime may not be very reliable. When cyberattacks are announced the data can be used to estimate the current threat level. Unfortunately, not all cybercrimes are reported by companies, and even IT departments are often unaware that employees have become victims of phishing campaigns.

In certain industries, the reporting of cybersecurity incidents and data breaches is mandatory. Take the U.S. healthcare industry for example. Legislation has been introduced – The Health Insurance Portability and Accountability Act (HIPAA) – which makes it a criminal offense not to report a breach of patient data. If an organization is discovered to have violated the HIPAA Breach Notification Rule, a heavy fine can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The Federal Trade Commission and state attorneys general can also issue fines, and criminal charges can be filed against individuals for willful neglect of HIPAA Rules. Consequently, it is in the best interests of organizations to report cybersecurity incidents. The data breach reports submitted to the OCR can therefore be relied upon to be reasonably accurate, and it is possible to build up an accurate picture of the state of data security for the healthcare industry.

However, not all industries are so well regulated. A similar data breach suffered by a software company or mining operation may see the organization keep the crime quiet. Announcing a security breach has potential to seriously tarnish a brand.

If you had a choice between one company that had suffered a data breach that exposed sensitive customer data, and one that had not, which company would you choose (all other things being equal)?

Should the reporting of cybersecurity breaches be mandatory for all businesses?

Many privacy and security professionals believe it is essential to report cyber threats and security breaches, as the sharing of information can be invaluable in the fight against cybercrime. Intel sharing could make the difference between a threat being rapidly neutralized and many other organizations suffering data theft. This is an ethical responsibility. Should it also be a legal one?

The United States has been proactive in the fight against Internet crime. The government and law enforcement agencies are well aware of the importance of sharing intelligence in order to tackle the increasing cybercrime threat.

In 2000, the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance formed a task force dedicated to fighting Internet crime. The Internet Crime Complaint Center (IC3) serves as a centralized hub that receives complaints about Internet crime and processes threat intel received from American citizens and U.S. businesses. All leads received are passed on to the appropriate federal and state-level law enforcement agencies. The data received by IC3 has been instrumental in bringing thousands of Internet criminals and fraudsters to justice.

IC3 also ensures that individuals and companies suffering losses as a result of the actions of online fraudsters have someone to contact to report the crime. Other countries have started to develop task forces that perform a similar function. Victims of cybercrime are being given a single point of contact to report fraud, scams, identity theft and online extortion, and the intelligence gathered can be used to bring the perpetrators of these crimes to justice.

Harsh Penalties await Online Fraudsters and Cybercriminals

In the United States, online criminal activity carries stiff penalties. New legislation is introduced regularly to increase the punishments for individuals who turn to the Internet to commit crimes. These include:

Spamming: Under the CAN-SPAM Act, spamming is punishable with a minimum fine of $11,000. Depending on the method used to send email spam, the penalties can be much more severe. The use of spambots to collect email addresses can result in jail time, as can the unauthorized use of a computer to send spam emails.

Hacking: Hacking is a federal crime that carries stiff penalties. These are linked to the seriousness of the crime, but a spell of up to 20 years in jail is possible, as well as very heavy fines.

Identity Theft: The penalty for identity theft has recently been increased, with individuals now able to be sentenced to 5 years in jail. Sentences for aggravated identity theft must be served consecutively to any other sentence issued.

Make sure employees are aware of procedures to follow if a security incident is suffered

Employees who fall for phishing campaigns – if they are even aware that they have – may also choose not to report the incident to their managers or IT departments. Individuals may be worried about looking stupid or, worse still, losing their jobs.

However, it is essential that all potential security incidents are reported internally. Organizations should make sure staff are aware that reporting security breaches, email scams and phishing campaigns is essential to protect the business. Internal security policies must exist, and members of staff must be made aware of the correct actions to take if they have fallen for a scam, revealed sensitive information, or received a suspicious email. Oftentimes, fast action can make the difference between huge financial losses being suffered and the threat being neutralized before any damage is caused.

While law enforcement bodies may need to be alerted to instances of identity theft and phishing campaigns, employees should have a single person within their company to whom security incidents can be reported. Every employee in an organization must be made aware of the urgency required and of the individuals who must be alerted to suspicious emails and potential criminal activity. If staff are security aware and act appropriately, major cybersecurity losses can be prevented.

Network Security: A Common Sense Approach is Required

You can purchase the most sophisticated software, implement multi-layered security systems, conduct regular system scans and use a host of other security products to keep your network protected from cyberattacks. Unfortunately, all it takes is for one individual to accidentally install malware and all of your good work has been undone. That individual is likely to be one of your company’s employees, not a hacker.

Common sense is one of the best defenses

You may not be able to install defenses that offer 100% protection against intrusions, insider threats, and malicious software, but we are sure you do your best with the resources you have available. You should install software systems to protect your network, email system and web browsers, but it is all too easy to forget that one of the best ways of protecting a computer, or the network it is connected to, is to use common sense. Unfortunately, when it comes to internet and web security, many employees have very little. Consequently, they must be taught how to act appropriately.

Some employees think they have a very secure password, but oftentimes it is nowhere near as secure as they believe. It doesn’t contain any special characters, it lacks capital letters, and while it does contain numbers, only a “1234” has been added on the end. If you do not instruct employees on how to create secure passwords, they will not.

You must also inform them that they must not reuse passwords across platforms. Sure, it is a pain remembering lots of different passwords, but if one is compromised, they all will be. A recent survey conducted by Trusteer, a provider of fraud protection systems, highlighted how common this practice is. Their survey revealed that 73% of computer users use the same password to access their online bank account as they do for other online services.
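The two password habits described above (a plain word with no capitals or special characters and a "1234" tacked on the end, and the same password reused across services) can be checked mechanically before a password policy is rolled out. The following is an added example, not code from the original article or from any product it mentions: a small Python policy checker that reports exactly those weaknesses and flags reuse across a set of services. The function names, the 12-character minimum, and the sample credentials are all assumptions constructed for the example.

```python
"""Password-policy checker (added example; names, thresholds and sample data are
constructed, not taken from the article)."""
from __future__ import annotations

import re
from collections import defaultdict

# Characters this policy counts as "special" (assumption: a typical printable set).
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def weaknesses(password: str, min_length: int = 12) -> list[str]:
    """Return human-readable reasons a password fails the policy.

    An empty list means the password passed every rule of this deliberately
    simple policy; it is a training aid, not a full strength estimator.
    """
    reasons: list[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        reasons.append("no capital letters")
    if not any(c.islower() for c in password):
        reasons.append("no lowercase letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in SPECIAL for c in password):
        reasons.append("no special characters")
    # The "word plus 1234" pattern: digits appear only as a run at the very end.
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m and not any(c.isdigit() for c in m.group(1)):
        reasons.append(f"digits only as the trailing sequence '{m.group(2)}'")
    return reasons


def reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used for more than one service to the services sharing it.

    `credentials` is {service_name: password}. In a real deployment you would
    compare salted hashes rather than plaintext; plaintext is used here only so
    the example runs stand-alone.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for service, pw in credentials.items():
        by_password[pw].append(service)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


def audit(credentials: dict[str, str]) -> dict[str, dict]:
    """Combine both checks into one report keyed by service name."""
    reuse = reused_passwords(credentials)
    return {
        service: {
            "weaknesses": weaknesses(pw),
            "reused_with": [s for s in reuse.get(pw, []) if s != service],
        }
        for service, pw in credentials.items()
    }


# Constructed sample: one user's passwords for three services (not real data).
SAMPLE_CREDENTIALS = {
    "online-bank": "summer1234",
    "webmail": "summer1234",
    "shop": "Gr33n-Lantern-Sky!",
}

if __name__ == "__main__":
    for service, result in audit(SAMPLE_CREDENTIALS).items():
        print(f"{service}: weaknesses={result['weaknesses']} reused_with={result['reused_with']}")
```

Running the block on the constructed sample reports the bank and webmail password as short, lacking capitals and special characters, and carrying digits only as the trailing "1234", and flags that the two services share it; the third password passes every rule.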

You may have installed a spam filter to reduce the risk of employees falling for a phishing email. The spam filter catches virtually all spam and dangerous emails and places them in a quarantine folder. The risk of a malware infection via email is reduced to a minimal level.

Then not just one, but a number of employees go into the quarantine folder and open an Excel spreadsheet that was quarantined because it is actually malware. Sometimes common sense disappears entirely. One company discovered that this is exactly how hackers managed to gain access to its corporate network in 2011.

Not all scams and phishing campaigns are easy to identify

Sometimes a clever campaign is devised by cybercriminals to phish for information. Social media websites contain many examples of these. The British Royal Wedding last year saw one cybercriminal launch an interesting campaign to help access accounts with two-factor authentication. The scam was launched on Facebook, and you may even have seen it, or something about it.

The page helped you create your “Royal Name”. All you needed to do was enter the name of your first pet, your grandmother’s or grandfather’s name, and the name of the street where you grew up. The result could have been Tiddles Arthur Beddington. Not a particularly amusing name, it has to be said, but the creator of the campaign would find it funny. Not only would those answers be helpful when attempting to guess passwords, they are also the likely answers to the security questions used to gain access to internet banking websites. If your password and login name had already been compromised, you could have just given full account access to a hacker.

The importance of providing common sense training on internet security

You either have some common sense or you don’t, but when it comes to internet security, there will always be one individual who appears to have none. Make sure all of your employees are trained on the basics of internet security. Some will not know how to act in a secure manner online.