Category Archives: Information Security Awareness

Information Security – Who Needs It? Hospitals Do!

Photo courtesy of http://www.flickr.com/photos/shopxtreme/

Fraser Health Authority in British Columbia is the latest organization to suffer an information security incident that could have been prevented. A laptop in its pulmonary function lab containing sensitive patient information was stolen, potentially compromising the data of 600 patients. Worse yet, the laptop was neither encrypted nor password protected, making the data readily available to the criminal.

Lessons Learned

  • Do not store sensitive data on laptops if a more secure mechanism is available.
  • Utilize encryption whenever sensitive data will reside on the machine, and especially if you violate the rule listed above.
  • Utilize cable locks for all computer equipment to add a dimension of physical security and theft deterrence.
  • Implement audits to ensure compliance with any IT security policies you have.

Information Security Awareness – Educate, inform, secure

Photo courtesy of http://www.flickr.com/photos/septuagesima/

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users all that investment can be for nothing. Hackers, spammers and other evildoers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.

Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so the user will come to expect it, and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood of confusion, which could otherwise assist targeted spam attempts.

Keep It Simple – Do not use overly technical language that will confuse or turn off users. Write your communications the way you would talk in a conversation and

Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than material that would put an insomniac to sleep.

Provide Examples – Many people learn best from examples, and there are plenty of those readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the point more real and less theoretical. People pay more attention when they know others have fallen for a trick, and they are more likely to absorb the information.

Be relevant – Providing examples that they can use at both work and home is a great way to keep people interested. Examples include safe internet surfing, avoiding spam emails, and the importance of having up to date anti-virus signature files.

Consider Posters – Emails are great, but they are often easily ignored. Utilizing posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.

Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.

In the very near future we will be offering a weekly information security email newsletter so stay tuned and stay secure!

Information Security Crimes What Is The True Cost?

The true cost of information security incidents to businesses and the economy as a whole is impossible to quantify. Information security incidents often go unreported because many victims feel they will be hurt by negative publicity and be further punished. Other victims may never become aware that they have had an incident because they lack the proper security tools to detect the intrusion. A recent report by the Ponemon Institute, reviewed by Panda Security, showed that malware issues alone cost the average firm in the study millions of dollars a year.

Other notable findings from the study include:

  1. The average company experienced at least 50 successful malware attacks, which is due to increasingly advanced malware and a lack of comprehensive signature updates.
  2. It takes companies an average of 14 days to neutralize a cyber-attack, at an average cost of $17,000 per day. Check out our Top 10 tips on keeping your business secure to lessen your chances of becoming a victim.
  3. Malicious web sites are the most dangerous sources of cyber crime, accounting for 90% of the volume of incidents. To lessen your chances of having an issue, make sure you practice safe internet browsing and view only trusted sites.

Cyber-crime can affect any type of business as we have highlighted in our Who needs Information Security tidbits.  Stay informed and stay protected!

Online Fraud – What to do if you are a victim

You can become a victim of online fraud even if you have taken reasonable measures to protect yourself. The natural reaction to being victimized is to be angry, but even though it is difficult, it is best to think with a level head and follow these steps to minimize the damage to your financial health and begin the steps to recovery. Assembled below is a collection of the best advice from major banks and ftc.gov, the leading source on responding to these types of incidents.

Stop the Bleeding

Contact your online bank and/or credit card company (depending on what type of account you are dealing with) and report the incident. Close affected accounts and open new ones with unique identifiers and new passwords.

Contact your local police department and file a miscellaneous incident report to document the event. You are not doing this to necessarily catch the criminal (although that would be nice); it is more for documentation purposes, should you need evidence of the damage done to your credit or if your financial company is not offering restitution.

Contact one of the big 3 credit bureaus and place a fraud alert on your credit report.

  • Experian: 888-397-3742
  • Equifax: 800-525-6285
  • Trans Union: 800-680-7289

Assess the Damage

Review all of your affected accounts and formally document any issues. Follow up with the financial institutions and document everything so you can show you took prudent measures if you ever have to (in case the companies are not responsive in compensating you for your loss).

Obtain a current credit report from annualcreditreport.com and review it thoroughly. If you notice any unauthorized accounts, contact those businesses immediately and notify them, on the phone and in writing, that the accounts are fraudulent. The link provided above gives you access to a free annual credit report; use it instead of freecreditreport.com, which may have catchy slogans but is looking to sign you up for a monthly fee for your credit report.

Live, Learn & Get Secure

Do some self-reflection and try to determine the root cause of how you became a victim. Did you fall for an email phishing scam, click on an insecure website, fail to use anti-virus, or not patch your systems? Use this painful event as an opportunity to improve your approach to information security and review our top 10 information security items you need to do (or better yet, be proactive and do these steps to avoid becoming a victim).

Online Banking phishing scam – Information Security Awareness

I received this online banking phishing scam in my email account today, so it provides a good example of what you need to be on the lookout for. This one was not ideally targeted for me since I do not bank at HSBC, but no matter, these types of scams impersonate all types of banks and online financial service accounts. If this had been from your bank, what would you have done? If you clicked on it you would have likely been asked to provide your login and password information, or your machine would have been infected with malware, and in either scenario your account would be at extreme risk.

Here are some tips on dealing with phishing emails from banks or other financial companies requesting you to click on them:

1. Legitimate companies will not email you requesting you to take immediate action or threaten immediate suspension of your account. That is a threat that real businesses will not make, so you should take it as a warning sign that this is a scam.

2. If you point your cursor over the intended link (but don’t click on it) you’ll notice it is often not the actual company it is pretending to be. I say often because there are techniques that will make it appear as such, so do not use this as a foolproof measure.

3. If you do need to check on your account status never do it via an email link but instead do it from a saved link to the site that you know to be legitimate. In the example above that means having your own link to your HSBC account and not clicking on the link bait provided.

4. Always be skeptical of unsolicited emails and treat them as untrusted and revert to step 3 above for accessing sensitive accounts.
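Tips 1 and 2 above can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it parses a constructed HTML email body (the bank name and hosts are made up, using example.com and example.net) and flags anchors whose visible text names a different host than the real link target, plus the pressure phrases that legitimate institutions do not use.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the kind of HTML body a bank-impersonation email carries.
# The hosts are made up (reserved example domains) and are not real indicators.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended within 24 hours unless you verify now.</p>
<p><a href="http://login-verify.example.net/bank">https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

# Pressure phrases from tip 1; real institutions do not demand immediate action by email.
URGENCY_PHRASES = ("immediate action", "within 24 hours", "suspended", "verify now")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """Tip 2: flag anchors whose visible text names a host other than the real href host."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = host_of(text if "://" in text else "http://" + text)
        if "." in shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged

def urgency_hits(html):
    """Tip 1: list the pressure phrases present in the message text."""
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return [p for p in URGENCY_PHRASES if p in plain]
```

A link whose visible text is plain words ("Help centre") is not flagged, since the check only compares text that itself looks like a host name.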

Don’t fall for the bait: avoid phishing scams and keep your online accounts secure!

Backup Your Data – Tips for keeping your information secure

Backing up your data is one of those information security chores that we know is important but often neglect to do; it is basically the information security equivalent of cleaning your gutters. Just as failing to clean gutters can lead to eventual roof leaks, failing to back up your data can lead to big problems should a natural or unnatural disaster occur. Disasters come in many forms, varying from flood, theft, and electrical surges to malicious insiders or outsiders with a grudge against your business seeking to do harm.

Now that you are convinced that backing up your data is one of the most important steps you can take to ensure your business or personal files are protected, how do you get started? Two items to consider are your Recovery Point Objective and your Recovery Time Objective. Simply put, the Recovery Point Objective determines the frequency of backups, while the Recovery Time Objective sets a business-risk-based target for when the system must be operational again.

Examples

RPO – If your business Recovery Point Objective (RPO) is to lose at most a day’s worth of data, you are fine performing daily backups that can recover you to the desired point in time. Likewise, if a personal computer contains information that is only updated with photos and key documents on a weekly basis, you are fine setting an RPO of one week.

RTO – If you perform a risk assessment and determine your Recovery Time Objective (RTO) is 3 days that means you must craft your backup and recovery program to allow system recovery within this time frame.

Data Backup Tips

  • Backup frequency should be determined by your Recovery Point Objective (RPO) and the importance of the data.
  • Automate your backups using scheduling software to ensure they happen regularly and to minimize the likelihood of human error.
  • Store the backup a sufficient distance away from the primary source of the data. This helps ensure that both copies of the data are not lost if you experience a fire, flood, or theft. Good ways to do this include using a secure online backup service, a professional physical backup service, or storing physical drives or media in a bank safety deposit box.
  • Verify that your technical support people are monitoring backup failure reports. Backups can fail for a wide variety of reasons, so it is important to regularly monitor the success of backups.
  • The ultimate proof that your data can be recovered is to perform a restoration test. This will validate that the backup is of good quality and that you are truly protected. It is recommended that backups be tested annually at a minimum.
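The RPO/RTO examples and the monitoring tips above can be turned into a small check that runs over a backup job report. This is an added example, not code from the original post; the report format, sizes and dates are constructed for illustration, and the restore throughput figure is something you would measure during your own restoration test.

```python
from datetime import datetime, timedelta

# Constructed sample backup job report (one run per line); not output from any real product.
BACKUP_LOG = """\
2024-03-01T02:00:00 SUCCESS size=41.2GB
2024-03-02T02:00:00 SUCCESS size=41.5GB
2024-03-03T02:00:00 FAILED error=destination unreachable
2024-03-04T02:00:00 FAILED error=destination unreachable
"""

def parse_log(text):
    """Return [(timestamp, status), ...] from the report above."""
    runs = []
    for line in text.splitlines():
        ts, status, *_ = line.split()
        runs.append((datetime.fromisoformat(ts), status))
    return runs

def backup_status(log_text, rpo_hours, now_iso):
    """RPO check: is the newest successful backup recent enough, and how many runs failed since it?"""
    runs = parse_log(log_text)
    now = datetime.fromisoformat(now_iso)
    successes = [t for t, s in runs if s == "SUCCESS"]
    last_ok = max(successes) if successes else None
    failures = sum(1 for t, s in runs if s == "FAILED" and (last_ok is None or t > last_ok))
    exposure = None if last_ok is None else (now - last_ok).total_seconds() / 3600
    return {
        "within_rpo": exposure is not None and exposure <= rpo_hours,
        "exposure_hours": exposure,           # data you would lose if the primary copy died now
        "failures_since_success": failures,   # the failure reports someone must actually read
    }

def restore_test_due(last_test_iso, now_iso, max_age_days=365):
    """A restore test older than a year, or never run, means recovery is unproven."""
    if last_test_iso is None:
        return True
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_test_iso)
    return age > timedelta(days=max_age_days)

def rto_feasible(data_size_gb, restore_rate_gb_per_hour, rto_hours):
    """Will a full restore at the measured throughput finish inside the RTO?"""
    return data_size_gb / restore_rate_gb_per_hour <= rto_hours
```

With a 24-hour RPO and the sample report read on the morning of 2024-03-05, the check reports 78 hours of exposure and two unread failures: exactly the situation the monitoring tip is meant to catch.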

Ways to backup your data:

1. Online Backup Services – Online backup is both a cost-effective and a convenient way to ensure the information is far enough away from your primary data source. For a business I recommend sticking with large, reputable providers and avoiding free services that may not be there tomorrow. I will review online backup services in a future post, but for now you can consider the highly rated providers Mozy, IDrive or Amazon S3 storage services.

2. External Hard Drives – An external hard drive is a great way to conveniently store smaller backups, which can then be kept in an off-site location. I would consider getting two 2 TB external hard drives, which would enable you to set up a small off-site rotation plan.

3. Recordable CDs/DVDs – A recordable DVD drive is a great way to make a portable backup that can be stored off-site in a bank safety deposit box or other secure location.

4. Magnetic Tape – Tape is cost effective for larger corporations with large volumes of data, but for smaller businesses I recommend one of the options listed above.

Password security – Tips to keep your passwords secure

A user name and password is still the most common method of controlling access to systems. Utilizing good password practices can make the difference between keeping your information secure and becoming a victim. Here are some important password tips:

1. Choose a password that is easy for you to remember but not easily guessable by others. The password should be a minimum of 8 characters and include at least one letter, one number and one symbol. Here is a link to a site with comprehensive password guidelines in case you are looking for even more detail, and here is my example of a password that fits those criteria – HEN2!blue

2. Do not utilize the same password for all of your activities. I recommend having a standard password for non critical Internet sites and then a separate unique password you utilize for important systems at your home or office.

3. Do not write down your password and leave it in a place that others can see. Many security pros recommend to never write down a password at all but I will be practical and say if you need to write it down keep it locked in an area that only you have access to.

4. Do not disclose your password to others even if they ask for it (whether it be in an email, over the phone or in person). Hackers are crafty and often pose as a trusted person in an attempt to get you to lower your guard and give them the information they are looking for (known as social engineering).

5. Be extremely careful of saving your user name and password when given the option especially if you are not the sole user of your PC.

6. If you have advanced security needs or have an excessive number of passwords to remember, I recommend utilizing a secure password management software package. Many options exist, but two to consider are Roboform Pro and SurfSecret KeyPad. You can likely find some freely available password management software, but be sure to read the licensing agreement if you plan on using it for your business.
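Tips 1 and 2 above can be enforced rather than just recommended. The following is an added example, not code from the original post: it checks a candidate password against the criteria stated in tip 1 (minimum 8 characters, at least one letter, number and symbol, not a commonly used password) and reports which accounts in a constructed account list share one password. The blocklist and the account names and passwords are made up for illustration.

```python
import string
from collections import defaultdict

# Small constructed stand-in for a common-password blocklist (tip 1: "not easily guessable").
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}

def check_password(pw, min_length=8):
    """Return the criteria from tip 1 that the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("commonly used password")
    return failures

def reused_passwords(accounts):
    """Tip 2: group account names that share one password, so important systems can get a unique one."""
    by_password = defaultdict(list)
    for account, pw in accounts.items():
        by_password[pw].append(account)
    return sorted(names for names in by_password.values() if len(names) > 1)

# Constructed accounts for illustration only; the VPN sharing a password with two web sites
# is the situation tip 2 warns about.
SAMPLE_ACCOUNTS = {
    "forum": "Rain7&leaf",
    "news-site": "Rain7&leaf",
    "office-vpn": "Rain7&leaf",
    "online-bank": "Kite9$moss",
}
```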

Follow the above steps to keep your passwords secure and help ensure you and your business are protected.