Does Your Business Conduct Regular Security Audits? Here Are 3 Tips


Thanks to the numerous security breaches in the news, the C-suite members of your business should be thinking about regular security audits. Size does matter: the more employees you have and the more data you generate, the more critical security audits become to the long-term stability of your business. And remember, no one is immune to a data breach.

Wondering where to start? Check physical security first. Then work your way in. The simplest way to steal data is to steal the device where it’s stored. You would be surprised by the number of businesses that don’t do the easy things. They forget to lock their windows or doors. They forget to set alarms, and if they have cameras, they forget to check to see if they’re in working order. These are all easy fixes.

Train your staff to question any stranger who walks around your offices unescorted. You should have a plan in place that might include sending an email to all employees announcing new hires, with the location of the new employee’s desk/cubicle/office, so they don’t get hassled.

Most employees assume – often incorrectly – that someone else will take action. I’ve heard stories of employees noticing strangers walking around, doing nothing about it, and laptops going missing. This could have been stopped.

Now let’s move to the inside – into COMPUTER NETWORKS:

For those of you who do not know what Active Directory is, according to Wikipedia, Active Directory is “a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network – assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.”

Active Directory is a powerful tool that any size business can run on a client/server environment to update who has access to what and to keep employees from accessing files and folders and other network objects that they should not have access to. This is referred to as “Least Privilege.”

Auditing Active Directory takes a team effort between HR and IT. This collaboration ensures that the IT Department knows who has been fired, demoted, and/or promoted, so it can use Active Directory to change file access or delete employee accounts. One of the biggest problems businesses encounter is when people leave. Too often, IT is unaware of the status change, and as a result the accounts remain active – allowing former employees to access files or the business Intranet after their departure/termination.

Now let’s look at something that requires almost daily attention: PASSWORD POLICIES:

Do you have a policy that forces employees to change their passwords on a monthly or quarterly basis? Depending on your business, your industry, your compliance requirements, and the type of data that your employees access, you might want to have them changed every thirty, sixty, or ninety days. This also can be achieved through Active Directory. You can force them to change their passwords. Changing passwords is also important for your vendors.
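The two audits described above (leavers who still have live accounts, and the domain password-rotation policy) can be run from PowerShell. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that HR provides a hypothetical export, leavers.csv, with a SamAccountName column.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and a hypothetical HR export C:\audit\leavers.csv with a column
# "SamAccountName" listing staff who have left the company.
Import-Module ActiveDirectory

$leaversCsv   = 'C:\audit\leavers.csv'   # assumed path to the HR export
$inactiveDays = 90                       # threshold for "nobody has used this account"

# 1. HR leavers whose AD account is still enabled: the gap between HR and IT
$leavers      = Import-Csv $leaversCsv
$stillEnabled = foreach ($l in $leavers) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$($l.SamAccountName)'" `
                    -Properties LastLogonDate -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) { $u }
}
Write-Host "Leavers with enabled accounts:"
$stillEnabled | Select-Object SamAccountName, Name, LastLogonDate | Format-Table -AutoSize

# 2. Enabled user accounts with no logon in $inactiveDays days: catches
#    departures that HR never reported to IT
Write-Host "Enabled accounts inactive for $inactiveDays days:"
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize

# 3. The domain password policy the post talks about: rotation interval,
#    minimum length, complexity and lockout threshold
Write-Host "Default domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold

# 4. Enabled accounts exempt from rotation (PasswordNeverExpires); these
#    silently bypass the 30/60/90-day policy and need a documented reason
Write-Host "Enabled accounts whose password never expires:"
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
           -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# After HR confirms the list from step 1, disable (not delete) the accounts so
# mailbox and file ownership can still be transferred. Drop -WhatIf to apply.
$stillEnabled | Disable-ADAccount -WhatIf
```

Run it from a workstation with RSAT as an account that has read access to the domain; only the final Disable-ADAccount line changes anything, and it is left in -WhatIf mode so the output can be reviewed first.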

Another thing that’s easy to do and often overlooked is changing the default passwords that come on many (if not all) hardware devices. In all my years of working in the security industry, you’d be surprised by the number of times I’ve encountered devices that still have their default passwords active. Manufacturers do this for ease of use: they would rather you be able to set up your new device easily than force you to devise a complex password before you install it.

Don’t overlook PENETRATION TESTING:

Lastly, something that’s overlooked but should be done is to close all of the unused ports on your firewalls. With unused ports open, attackers have easy access to your network. They can start an attack through a routine called port scanning: they look for vulnerabilities through open ports. Port scanning is part of the “routine” of gathering information about your company, and that routine is called penetration testing. Attackers (although hopefully your business and tech experts first) try to penetrate the defenses of your business. Of course, there are many more complex ways to develop pen-testing programs, and in fact some businesses specialize in pen-testing, but as a midsized business, tackle these areas either by yourself or with professional help, so that you’re better prepared for a possible data breach.

__________________
Image Credit: Ambro via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Address Books, Webmail and the Cloud


To all businesses who use address books on Webmail: stop and learn why your data may be at risk. Instead of Webmail, use a third-party email client such as Outlook or Thunderbird.

Recently, I was hacked. No one is immune – even those of us in the infosecurity field can get hacked. The situation occurred in an email account that I use for professional correspondence outside of my day job.

I have a client in the medical profession who uses Gmail for his email correspondence, and recently, the doctor was hacked. He keeps all of his patient email addresses as well as friends and family in the same account. One day, I received an email from him. There was nothing in the subject line, no salutation, and no content in the email whatsoever. The only thing in the body of the email was a link to a website.

The other items I noticed that caused immediate concern were in the TO line: all of the email addresses that received the email were visible. I had access – anyone had access for that matter – to every address in my client’s address book. And of course, there was a link to some unknown website.

Hopefully, no one fell for the ruse and clicked the link. At that time, the HIPAA compliance regulations had not fully taken effect because the doctor did not report the breach. But since he was a medical professional, there may have been penalties involved. I immediately emailed him and told him he’d been breached, and then, I called and also left a voice message – in the event that he could not access his email. A few days later when he returned from vacation, he called me and confirmed my diagnosis: yes, he had been breached.

I use a third-party application, Thunderbird. I do not include any addresses in my Webmail account. When my ISP discovered the breach, they shut down my account and notified me. Since none of my contacts were accessible as a result of the breach, none received the bogus email, and my personal brand remained intact.

It’s a lot easier for hackers to break into cloud-based email systems because there are far more vulnerabilities in them. Also, the ROI for breaking in is much higher due to the quantity of potential targets. The more people who visit the same place (for example, the Yahoo! website to access Yahoo! mail or Google to access Gmail) to access their information, the more chances a hacker has of breaching an account and causing severe damage to a large number of users.

These days, everyone keeps some form of personal and professional data in the cloud. It makes life easier, and it makes access to data quicker. And you can access it from anywhere. But, as a midsize business, isn’t data protection more important than easier access to data? Add extra layers of protection to your data. Generate complex passwords for employees to use, and change them regularly. Also, make sure that the employees who have access to the data are the appropriate employees to access your data.

Society tends to take the ease-of-use path when it comes to security, making the job more difficult for those of us who work in security. While we’ve taken a giant leap backward in both security and privacy, one way to beat the hackers is to keep your email contacts off of Webmail; it will be one less worry if your webmail account gets breached.

____________
Image Credit: digitalart via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Does Your Business Fail the Customer Privacy Test?

I had a recent experience where my privacy was compromised, and based on the inaction by the company, I wonder how many experiences I encounter that are not as obvious.

I visited a local branch of a national financial institution to make a deposit (yes, I still walk into banks every now and then), and after I gave my endorsed check and deposit slip to the teller, he placed them face down into a clear plastic box that was in front of him. The box was in clear view of the customer opposite him (me). If the next customer did not make a deposit, no papers would go into the box to cover my items. Therefore, the next customer would be able to clearly see my endorsed signature AND my account number. Anyone with a good memory could leave the bank with my financial information.

I told the teller that I could see my signature and account number (important elements of my PII, or in other words, my Personally Identifiable Information) and that the next customer would also be able to see them, and the teller shrugged and said, “That’s the way we do things. Go see the manager.” So after my transaction, I found the manager and voiced my concern, and he said, “No one has ever complained before.” Well, I complained and said, do something now. The manager asked the teller to move the box to a different place in his work area, but the next time I visited the branch, the clear box was back in plain view.

Unfortunately, it does not surprise me that there is no widespread concern for privacy, not to mention security. But for a BANK, of all types of businesses to place a customer’s data on display is nearly criminal. I thought to myself, one customer may have his identity stolen and never realize that it was due to the bank’s procedure. But isn’t one person’s identity theft due to negligence even one person too many?

The craziness of this situation is that the solution is simple: either move the plastic box, or make it a solid color on three sides and leave it open facing the teller. At the very least, cover it after every customer interaction.

As anyone who works in the information security industry knows, it always comes down to ease-of-use versus security procedures. The process of creating and implementing security procedures and then training employees on those security procedures takes time, money, and expertise. Many businesses refuse to do any of it.

The branch’s top management could easily have fixed the issue before anything bad happened. What makes this situation scary is that the top management team knows (thanks to my comments), but they don’t care. The chance that someone MIGHT get their data stolen from this behavior may not be astronomical. But it IS possible.

How many complaints must there be before the bank takes any action? Five? Ten? One hundred, or more? Perhaps, there should be a #servicefail campaign on Twitter to get the bank’s corporate office to take notice.

So, as a midsize business, do you care about how your customer data is handled? Do you make sure that ONLY those who are supposed to access it, both internally and externally, can? Based on stories in the mainstream media, too many businesses turn a blind eye toward customer privacy because they think a breach won’t happen to them. Do you regularly check and see if your customer data is safe?

Let’s take this discussion into the online arena. What happens when data is not protected when conducting online banking? The Heartbleed bug has made Secure Sockets Layer (SSL) protection less secure than it used to be. Now, even though users see a small lock in the browser, the credentials (user name and password) may still be at risk. Online banking has never been completely safe, and as long as people open email and click on links, there’s always the possibility of credential theft – that’s how a major retailer’s breach started.

If you’re not considering these issues and related solutions on a regular basis, you’re doing both your customers and your business a disservice. Don’t fail the customer privacy test.

Image Credit: Stuart Miles via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


5 Ways to Prepare for Data Breaches – Before It’s Too Late

I read a recent post that has stuck with me. The question raised was how do businesses, especially midsize businesses, budget for insider threats: “Midsize firms simply cannot afford data breaches, no matter what the cause. [But] a company that considers insider threats can take preventive steps. Employees may require access to sensitive information to remain productive, but ensuring that appropriate security steps are taken is KEY to keeping a firm running as smoothly as possible.”

While applying policies such as “least privilege” or “implicit deny” may help keep the accidental data breach from happening, these policies will not prevent internal personnel or vendors who are intent on breaching your network from doing so. This is why it’s critical that you conduct business with the mindset that a data breach could be right around the corner. It’s always better to be prepared rather than surprised, or put another way, proactive rather than reactive.

Here are five ways your business can approach day-to-day operations with this perspective in mind:

[1] BYOD
The reality is that you probably cannot do business without BYOD, or Bring Your Own Device to work. This means that employees are accessing sensitive corporate data on their smartphones, laptops, and tablets. The best way you can be proactive is to develop and distribute a BYOD policy and train employees on the policy. Police your employees because the data they’re accessing is your corporate gold. Have them sign an agreement that their device can be wiped or better yet, only allow access through a web portal. Don’t allow email or documents on devices.

[2] COMPLIANCE
Compliance issues should be on your mind. Is your company covered under the Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability & Accountability Act (HIPAA), or California Senate Bill 1386 (SB1386)? Does your company capture Personally Identifiable Information (PII)? Each imposes its own accountability requirements, and each has its own set of stringent steps that a company must follow after a breach occurs. Be sure you’re up-to-date on the latest laws and rules so that your business is in compliance and not subject to a penalty or fine.

[3] SOCIAL MEDIA
Most employees use social networking sites for their personal use, but more and more are using their sites to talk about company business. Put your legal team to work and develop an easy-to-understand Social Media Policy. Distribute to your employees and train them with acceptable and unacceptable examples. In today’s social era, the best brand advocates are your employees, so give them social media tools to promote your brand – but educate them on how to use these tools that will benefit everyone without any surprises. You don’t want to wake up one morning only to discover that a Tweet, Facebook post, or Instagram image could put you out of business.

[4] TRANSPARENCY
If and when a breach happens, first alert law enforcement, if required. Then alert your customers, stakeholders, and the media – and do so immediately. Don’t sugarcoat the situation. Above all, don’t ignore the situation hoping that no one finds out. You know someone will discover the breach, and you certainly don’t want that individual to run to the nearest media outlet without your knowledge. It’s never a good surprise when you find your company featured on page one of a newspaper or on an online news site with a headline similar to “XYZ Company Knew About Its Breach Three Months Ago.”

[5] PRACTICE GOOD PATCH MANAGEMENT
Believe it or not, patch management is important against both internal and external threats. Vulnerabilities eventually surface in software. The older a piece of software becomes, the greater the chance that hackers will discover vulnerabilities. Patch management helps alleviate this issue because as vulnerabilities are found, they are patched by the developer. An internal threat can bring a payload in-house on a USB drive, DVD, or other bootable media that attacks a particular vulnerability. If a vulnerability is patched, there is one less avenue for the hacker to try in his/her attempt to gain a foothold.

To quote Nick Bradley, “Success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures need to become second nature, much like locking the door behind you when you leave home.”

What else would you add to this list? Please chime in.

Inspiration for this post:
“Budgeting for Insider Threats” By Fellow IBM Blogger Marissa Tejada
http://www.midsizeinsider.com/en-us/article/budgeting-for-insider-threats

Image Credit: jscreationzs via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Want a Competitive Advantage? Then Protect Your Customers’ Privacy


It seems as if we hear about a major data breach every day, whether it’s a government entity, hospital or other medical institution, or a large retail outlet. Whether the breach occurs due to malware or a lack of external protections, companies are getting sloppy with their data.

In today’s highly competitive environment, all companies need to be proactive when it comes to protecting their customers’ confidential data. But the reality is, many companies aren’t proactive. They act as if a data breach won’t happen to them. They aren’t willing to spend the money or allocate the personnel to implement data protection and disaster prevention plans.

But this is not the smart decision. Many in the technology arena as well as the business arena advocate for making privacy protection a priority. If a business makes it a priority, it will stand out from the competition – and create long-term customers.

In the words of David Hoffman, Global Privacy Officer at Intel, “The added value of privacy is intrinsic no matter where your company sits in the digital economy. From consumer goods manufacturers to healthcare services entities, any business will benefit from proactively tackling privacy issues in one of three primary ways: protecting your brand, offering a competitive advantage from integrating privacy and security features into products and services, and creating new products and services designed to protect personal data.”

And don’t be naïve to think that if you are a victim of a data breach, no one will find out. There’s a website specifically for this purpose. The Privacy Rights Clearinghouse features a Chronology of Data Breaches and is updated on a regular basis – sometimes daily. The site’s tagline is “Empowering Consumers. Protecting Privacy.” Once you take a look, you’ll think of breaches differently.

Here’s the link: http://www.privacyrights.org/data-breach/new

There’s no doubt that a security breach can have a long-lasting impact on your organization, but your response time and quality of response can determine if your customers remain customers or choose your competitors. Don’t give them the option. Show them by your actions and your interactions (email, snail mail, text, phone call, etc.) that you value their privacy and will go the extra mile to protect their data. Don’t become just another statistic.

Make sure to change all your default passwords on all your web-facing devices such as routers. You’d be surprised how many people leave ADMIN and PASSWORD as their default logins and passwords. If not changed, this makes it very easy to break in to a system.

In addition, use multiple anti-malware detection systems. Not only do you need your antivirus and anti-malware, but also use a secondary source such as Malwarebytes. Never, and I repeat, never use a free antivirus solution. These tools don’t include a software firewall or anti-malware, so half of your system is left open to attack. There is one exception to the “no free” rule, and that’s Malwarebytes, because it does only one thing AND it runs alongside your existing antivirus/anti-malware program.

Be sure that you turn on heuristic scanning in your antivirus software. Heuristic scanning uses behavior to find viruses, whereas standard antivirus just uses signatures that the antivirus company sends you via download on a regular basis.

To learn more about heuristics, here’s what Wikipedia says, “In computer science, artificial intelligence, and mathematical optimization, a heuristic is a technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or precision for speed. In a way, it can be considered a shortcut.”

“Many virus scanners use heuristic rules for detecting viruses and other forms of malware. Heuristic scanning looks for code and/or behavioral patterns indicative of a class or family of viruses, with different sets of rules for different viruses. If a file or executing process is observed to contain matching code patterns and/or to be performing that set of activities, then the scanner infers that the file is infected. The most advanced part of behavior-based heuristic scanning is that it can work against highly randomized polymorphic viruses, which simpler string scanning-only approaches cannot reliably detect. Heuristic scanning has the potential to detect many future viruses without requiring the virus to be detected somewhere, submitted to the virus scanner developer, analyzed, and a detection update for the scanner provided to the scanner’s users.”

Here’s the link: http://en.wikipedia.org/wiki/Heuristic_%28computer_science%29

Check out the inspiration for this post:
“Privacy Is a Business Opportunity” by David Hoffman via Harvard Business Review:
http://blogs.hbr.org/2014/04/privacy-is-a-business-opportunity/
______________________
Image Credit: Stuart Miles via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Do Your Customers Want to Be Tracked?


A major entertainment company recently made news when it announced a new tool available at its theme parks. Under the guise of making visits more “fun and easy,” theme park guests are now able to wear a type of bracelet or wrist band that essentially tracks a person’s every move.

Once a guest places the band on his or her wrist, he or she can be tracked by radio waves. Guests can be tracked walking into lines for attractions, standing in lines at restaurants, taking photos at kiosks throughout the theme parks, etc. The band can also serve as a virtual wallet once it has been connected to a credit card, and it can also serve as a room key at theme park resort hotels. Does this sound like a tool for big brother?

There is no denying that technical innovation moves society forward. But as I’ve written many times, it also attracts nefarious individuals who take advantage of the new technologies and twist them for their own purposes. Theme park guests shouldn’t immediately adopt new technologies because the media or travel industry experts issue a directive or sing amazing product praises. Instead, there should be beta testing with groups of users who test every conceivable situation where hackers could compromise the system.

This product announcement raises an important issue for many companies, especially midsize businesses. Do you launch products that access your customer data? Do you allocate resources for proper vetting? Do your new products provide access to sensitive information? If the answer to these questions is yes, what procedures are in place to provide protection?

In security, we always have to balance ease-of-use with security requirements. Unfortunately, most companies err toward the ease-of-use side of the spectrum. The reason is simple: companies are afraid to annoy and turn away customers because products are not easy to set up or activate. As a result, security takes a back seat, and vulnerabilities come to the forefront.

In the future, and not the too-distant future, hackers will be able to sit on a bench, and as people walk by, they will be able to harvest data. This data could include name, phone number, email address, contact info of friends and family, credit card data, etc.

Data is gold. You can buy it, sell it, and steal it. Some may even theorize that data is the currency of the 21st century. The moral of this story is, don’t launch new products without doing your due diligence. You should even hire white hat hackers to do your testing. Be proactive, not reactive.

Image Credit: Renjith Krishnan via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Backup Day is Every Day – Not Just Once a Year


You may have heard the recent buzz in the tech world: “Don’t Be an April Fool. Be Prepared. Back up your files on March 31.”

According to Backblaze, 30% of people have never backed up their systems. That’s a staggering statistic when you think of the horrifying repercussions of not backing up, such as recreating Word documents, recreating Excel spreadsheets, researching and verifying data online, losing tax returns, etc. This is why you need to back up your business data (and personal data, including photos) on a regular basis.

Data is the currency of any business – the details about customers and prospective customers. So imagine this scenario: one day, you walk into your office, and your data is gone. What would you do? Do you have a data recovery plan? Who would recreate the list of customers? Do you know all of the contact information for your customers?

Provided you have a complete backup of your data and your OS, this scenario would not be a nightmare and you would not spend thousands of dollars, or depending on the size of your business, possibly hundreds of thousands of dollars including personnel hours to recreate your database.

A few years ago, a client got a virus on his desktop computer, and it destroyed the hard drive. Since the virus couldn’t be removed, the machine was sent to the E-Trash heap. But thankfully, there was a backup. This client had all of his data stored on an external backup drive, and so after he got a new system, we were able to reload all of his software and all of his files, and within a couple of days, he was up and running as if nothing had happened. But if he hadn’t listened to my daily reminders about the importance of backing up, his situation would have had a very different and painful outcome.

So how often do you create a full backup or second copy of all your important files? Let’s not forget system recovery discs. Do you keep the second copy somewhere safe – not sitting next to your computer on your desk?

My mantra is: It’s not IF you lose your data, but WHEN. So back up often and on a regular basis. Set up Microsoft backup or Time Machine for Apple, or even back up to the Cloud. In fact, if you don’t set up an automatic backup, how about setting up a reminder on your smartphone calendar to back up every Friday? You’ll be glad you did.

The moral of this story: If you don’t back up, don’t be surprised if one day, your data “currency” is gone. No one likes to be data bankrupt.

____________________________

Inspiration for this post:
World Backup Day
http://www.worldbackupday.com/en/
and
http://blog.backblaze.com/2013/06/27/the-survey-says-apathy-is-winning-2/

Image Credit: Stuart Miles via FreeDigitalPhotos.net
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Drones: The Next Great Hack


As a kid, one of my favorite hobbies was flying radio control airplanes. Back in the day, we used to hang a colored flag off our antennas to notify other hobbyists what frequency we were on. If someone nearby had the same frequency, the person with the stronger transmitter could take over your airplane and crash it or fly it on a different route. The same is true today – but now, there are much more severe consequences than crashing a toy airplane. The toys may be new, but the technology isn’t.

So far, I have seen drones configured with cameras to show real estate (invasion of privacy), a Taser that was used on a person (personal safety), and a drone that was set up to steal smartphone data while the owner’s Wi-Fi was on (theft of personal data).

Encryption rules for these devices are nonexistent. From the research I’ve done, I’m disappointed to discover that NONE of the companies that sell drones mention encryption or security for any of their devices. There are no rules or regulations regarding drones, and as a result, they have become the true “Wild West” of toys.

Drones with cameras are especially dangerous, and here’s the problem. If the drone is taken over, the hacker sees everything the drone’s pilot sees, and if the video link itself is unencrypted, anyone in radio range can watch the feed without taking over the drone at all. This would be especially troubling in a law enforcement scenario. But Predator drones used by the US military have sent video feeds unencrypted, so why should anyone else worry?

Drones connected by Wi-Fi are not safe either. A hacker has released software to hijack commercial drones using tools that are already freely available, plus low-cost hardware (a Raspberry Pi). (1) The target drones act as open Wi-Fi access points with no password, so the attack needs no code breaking: the software recognizes drones by the manufacturer’s prefix (the OUI) in their MAC address, which anyone can find with a Google search, knocks the real pilot off with deauthentication frames, then connects and issues commands. The hacker can then skyjack the drone and do whatever he or she wants with it. (2)
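The flip side of that technique is that a defender can use the same manufacturer prefix to find drones that are advertising themselves as open networks. The block below is an added example for this post, not code from the article, from SkyJack or from any drone vendor. The OUI prefixes it attributes to Parrot are an assumption (check the IEEE registry before relying on them), and the scan results are a constructed CSV in the shape a site survey tool might export (bssid,ssid,security).

```python
"""Spot drones that advertise themselves over Wi-Fi, the same way SkyJack finds them.

Added example for this post, not code from the article, from SkyJack or from any drone
vendor. Assumptions: the OUI prefixes below are the ones this example attributes to
Parrot (check the IEEE registry before relying on them), and the scan results are a
constructed CSV in the shape a site survey tool might export (bssid,ssid,security).
"""
from __future__ import annotations

import csv
import io
from typing import Dict, List

# ASSUMPTION: manufacturer prefixes (first 3 bytes of the MAC address) for Parrot.
DRONE_OUIS: Dict[str, str] = {
    "90:03:B7": "Parrot",
    "A0:14:3D": "Parrot",
    "00:12:1C": "Parrot",
    "00:26:7E": "Parrot",
}

# Constructed scan output. Only the second row is a drone with no Wi-Fi security.
SAMPLE_SCAN = """bssid,ssid,security
c4:41:1e:2b:9a:10,HomeNet,WPA2
90:03:b7:5a:11:02,ardrone2_031337,OPEN
a0-14-3d-77-04-c9,MyDrone,WPA2
f0:99:b6:12:34:56,iPhone Hotspot,WPA2
not-a-mac,garbage line,OPEN
"""


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc, aa-bb-cc or aabbcc forms and return AA:BB:CC:DD:EE:FF."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The vendor-assigned first three bytes, normalised for table lookup."""
    return normalise_mac(mac)[:8]


def find_drones(scan_csv: str, oui_table: Dict[str, str] = DRONE_OUIS) -> List[dict]:
    """Return one record per access point whose OUI is in the table.

    'hijackable' means the drone is an open network: anyone can deauth the pilot and
    join, which is exactly the SkyJack attack. A WPA2-protected drone is still listed
    (its vendor is still visible), but an attacker cannot simply join it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        try:
            oui = oui_of(row["bssid"])
        except ValueError:
            continue  # skip malformed lines instead of crashing the sweep
        vendor = oui_table.get(oui)
        if vendor is None:
            continue
        security = row["security"].strip().upper()
        findings.append({
            "bssid": normalise_mac(row["bssid"]),
            "ssid": row["ssid"],
            "vendor": vendor,
            "security": security,
            "hijackable": security in ("OPEN", "NONE", ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_drones(SAMPLE_SCAN):
        flag = "OPEN NETWORK - can be skyjacked" if f["hijackable"] else "protected"
        print(f"{f['bssid']}  {f['ssid']:<18} {f['vendor']}  {flag}")
```

Feed it the BSSID/SSID/security columns from whatever survey tool you already use. An open drone network on your premises is the finding to act on; a drone that shows up with WPA2 is at least not joinable by a stranger, though deauthentication frames can still knock its pilot off unless the link uses protected management frames.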

Six sites in Alaska, Nevada, New York, North Dakota, Texas, and Virginia have been chosen by the FAA as drone test sites. These are for commercial drones – not hobbyist drones.

Without encryption and oversight, both types of drones can be a danger to the public’s privacy. In addition, the lack of an encrypted connection between the drone and the operator can be a danger to the public’s safety. A drone that has been hacked and taken over can create terrible scenarios: drones intentionally crashed into crowds or into open spaces where people congregate, surveillance and tracking of victims (for example, domestic abuse victims), and an increase in high-tech peeping Toms.

Technical innovation moves society forward, but it also attracts nefarious individuals who twist new technologies to their own purposes. The only way to stay ahead of the bad guys, at least in the short term, is to limit the damage they can do. For the devices themselves, that means an authenticated and encrypted control link, so that the drone accepts commands only from its paired controller and nobody in radio range can read the video feed; encrypting the video alone does nothing if anyone who can join the drone’s network can take the controls. Without that, drones will become a target too tempting for the bad guys to ignore.

Does your business have a use for drones, and if yes, what can you do to stay ahead of the bad guys? Be prepared, and devise strategies sooner rather than later.

Sources for this post:
(1) “Hacker Releases Software to Hijack Commercial Drones” by Bryant Jordan via Defense Tech
http://defensetech.org/2013/12/09/hacker-releases-software-to-hijack-commercial-drones

(2) SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within Wi-Fi distance, creating an army of zombie drones under your control.
http://samy.pl/skyjack

Image Credit: debspoons via FreeDigitalPhotos.net.


Who Protects Your Corporate Digital Footprint?

Business leaders must focus on many things every day. There are legal and compliance issues, personnel issues, product development issues, and much more. But in the era of Snowden vs. the NSA, Wikileaks, and a myriad of data breaches, who protects your corporate digital footprint?

There may be someone in your marketing or IT department who conducts regular web monitoring with either Google Alerts or Talkwalker Alerts (or even better, with both) on your company name or main brand name, but is there a report generated from the results? If yes, who sees the report, and what action is taken if something negative is found?

What happens when someone infringes on your company name, brand name, or tagline? Does your business have a procedure in place? Which department is responsible for taking action?

While most discussions center on hacking into and stealing your most sensitive information for fraudulent purposes, there is another issue that doesn’t garner the same level of attention: the issue of assuring the accuracy of your digital footprint.

According to Wikipedia, a “digital footprint” is defined as the “trail left by an entity’s interactions in a digital environment including its usage of TV, mobile phone, Internet, mobile web, and other devices…A digital footprint may include the recording of activities such as system login and logouts, visits to a web-page, accessed or created files, or emails and chat messages. Social networking sites record activities of individuals, and this usage of social media and roaming services captures data that includes interests, social groups, behaviors, and location. This data can be gathered and analyzed without a user’s awareness.”

Let’s not forget about cybersquatting, when someone with nefarious intent registers your company name and either holds it for ransom (translation: they demand an exorbitant amount of money to sell the domain to you) or prefers to hold onto the domain and not sell it at all. Even worse, they put up an inappropriate site. Think of the site whose address is one letter away from the White House’s – you’re asking for trouble if you click on it (note, the correct site is http://www.whitehouse.gov).

It’s critical to reserve your company and brand names – and every other permutation you can think of – across all major social media sites. That way, you won’t wake up one morning to surprising news about your brand on some outlier social site, with crazy details about your brand that are totally false. Also, register your company and brand names under .com, .org, .net, and the other common top-level domains.

Visit these sites to check your company name or major brand name: http://knowem.com or http://namechk.com. Don’t forget to also check out and consider purchasing altered or frequently misspelled versions of your company name or brand. Above all, regularly monitor your digital footprint.
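Working out which misspelled versions to register is tedious by hand, so here is an added example for this post (not code from the article or from knowem.com or namechk.com) that generates the look-alike domains a squatter or phisher would typically register and sorts them into owned, squatted and available. The keyboard-neighbour and digit-substitution tables are simplified assumptions; the brand "acme" and the `owned` and `resolving` sets in `demo()` are constructed stand-ins for your registrar portfolio and for real DNS/WHOIS lookups, which this example does not perform.

```python
"""Generate the look-alike domains a squatter or phisher would register, and audit them.

Added example for this post, not code from the article or from knowem.com/namechk.com.
Assumptions: the keyboard-neighbour and digit-substitution tables are simplified, the
brand 'acme' and the 'owned'/'resolving' sets in demo() are constructed stand-ins for
your own portfolio and for real DNS/WHOIS lookups (which this example does not perform).
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Set

# ASSUMPTION: left/right neighbours on a QWERTY row, enough to catch common slips.
QWERTY_NEIGHBOURS: Dict[str, str] = {
    "a": "qws", "b": "vn", "c": "xv", "d": "sf", "e": "wr", "f": "dg", "g": "fh",
    "h": "gj", "i": "uo", "j": "hk", "k": "jl", "l": "k", "m": "n", "n": "bm",
    "o": "ip", "p": "o", "q": "w", "r": "et", "s": "ad", "t": "ry", "u": "yi",
    "v": "cb", "w": "qe", "x": "zc", "y": "tu", "z": "x",
}
# ASSUMPTION: digits that read like letters at a glance.
DIGIT_LOOKALIKES: Dict[str, str] = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}


def name_variants(brand: str) -> Set[str]:
    """Misspellings and typos of *brand* (lower-case letters), excluding brand itself."""
    b = brand.lower()
    out: Set[str] = set()
    for i in range(len(b)):
        out.add(b[:i] + b[i + 1:])                              # omission: acme -> acm
        out.add(b[:i] + b[i] + b[i:])                           # doubled letter: acme -> accme
        for key in QWERTY_NEIGHBOURS.get(b[i], ""):
            out.add(b[:i] + key + b[i + 1:])                    # adjacent key: acme -> acne
        if b[i] in DIGIT_LOOKALIKES:
            out.add(b[:i] + DIGIT_LOOKALIKES[b[i]] + b[i + 1:])  # digit: acme -> acm3
        if i > 0:
            out.add(b[:i] + "-" + b[i:])                        # hyphenation: acme -> ac-me
    for i in range(len(b) - 1):
        out.add(b[:i] + b[i + 1] + b[i] + b[i + 2:])            # transposition: acme -> amce
    out.discard(b)
    return {v for v in out if len(v) >= 2}


def lookalike_domains(brand: str, tlds: Iterable[str]) -> List[str]:
    """Every variant crossed with every TLD, plus the exact brand on each TLD."""
    names = name_variants(brand) | {brand.lower()}
    return sorted(f"{n}.{tld.lstrip('.')}" for n in names for tld in tlds)


def audit_lookalikes(brand: str, tlds: Iterable[str],
                     owned: Set[str], resolving: Set[str]) -> Dict[str, List[str]]:
    """Sort each candidate into owned (yours), squatted (live but not yours) or available."""
    report: Dict[str, List[str]] = {"owned": [], "squatted": [], "available": []}
    for domain in lookalike_domains(brand, tlds):
        if domain in owned:
            report["owned"].append(domain)
        elif domain in resolving:
            report["squatted"].append(domain)
        else:
            report["available"].append(domain)
    return report


def demo() -> Dict[str, List[str]]:
    # Constructed stand-ins: 'owned' is your registrar portfolio, 'resolving' is what a
    # DNS sweep of the candidates returned. Replace both with real lookups in practice.
    owned = {"acme.com", "acme.net", "amce.com"}
    resolving = owned | {"acne.com", "acm.com", "acm3.net"}
    return audit_lookalikes("acme", ["com", "net"], owned, resolving)


if __name__ == "__main__":
    for bucket, domains in demo().items():
        print(f"{bucket:>9}: {', '.join(domains)}")
```

The "squatted" bucket is the monitoring output worth a recurring report: a look-alike that resolves and is not in your portfolio is either a harmless coincidence or the start of a phishing campaign against your customers, and someone needs to own the decision about which.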

What’s your plan to protect your corporate digital footprint?

Source for this post:
Wikipedia: Digital Footprint: https://en.wikipedia.org/wiki/Digital_footprint

Image Credit: digitalart via FreeDigitalPhotos.net


Could Your Business Survive If Everyone Telecommuted?


While iPods and smartphones revolutionized the music and cell phone industries, could telecommuting totally revolutionize the workplace? This is a very interesting concept, but certainly, your industry will determine if this is possible. While some companies have stopped offering telecommuting as an option, others embrace it – but there are some security issues that cannot be ignored.

What happens if your employee decides to work at home, either in a spare bedroom or a room set up as an office? There is appropriate lighting, ergonomic furniture, and efficient equipment including a desktop computer, smartphone, printer, fax, copier, etc. Everything is fine until there’s an electrical surge, or the power goes out. While this sounds unlikely, it does happen, and in fact, has happened to me. When it happens at an office workplace, everyone is in the same boat, from the CEO on down to the person who cleans out the lunch room refrigerator. All activity comes to a stop.

But when it happens at one employee’s home, only that single employee is impacted, and he or she cannot fix the problem. The electrical company must be called, or city employees get involved. This is not a small problem: until it is resolved, the employee cannot complete his or her projects.

Let’s consider the customer service function of your business. While you can ask a group of people to connect to your network with their phones and computers from home, how can you be sure your representatives all provide a consistent brand experience? What happens if one employee has a screaming child in the background? What happens if one employee is working in her kitchen, and the tea pot starts whistling? Or what happens if an employee starts arguing with a family member? All of these scenarios are possible and can interrupt the ability of your employee to do his or her job professionally.

To avoid the problematic family members, the employee grabs a laptop and smartphone and heads to a nearby coffee shop. The telecommuting concept that was designed for a home office now relocates to a community environment full of possible distractions. Security now takes center stage: on an open or shared coffee-shop Wi-Fi network, any traffic the laptop or smartphone sends without encryption can be read by anyone else on that network, and both devices are easy to walk off with.

And returning to the customer service function, there is no possible way for the employee to take calls and speak over the noise in a public space.

Let’s now consider the security issues involved with telecommuting. In addition to all of the issues raised above, connecting to a corporate network can be a huge security risk if an employee doesn’t have virus/malware protection on his or her home machine or smartphone. What happens when the employee accesses company email from his or her own device? There has been much chatter in the news lately about virus protection on smartphones, and Apple recently updated its operating system to fix vulnerabilities. Android is the most-attacked mobile OS today.

According to the Verizon 2013 Data Breach Investigations Report, 95% of the state-affiliated espionage breaches it studied began with a phishing email that an employee unknowingly opened, delivering malware or some other form of payload. (1) According to Wikipedia, “In computer security, payload refers to the part of malware which performs a malicious action.” (3) So how do you maintain ongoing training when employees are not in the office to attend those sessions?

What about that coffee shop down the street from an employee’s home? Should an employee conduct work from there? Who knows what wandering eyes (or competitors) could be sitting nearby ready to pounce on the data stored on the employee’s laptop? As a result, have a discussion reviewing Wi-Fi procedures for all employees who will telecommute. Go one step further and require employees to review the procedure document and sign that they have read it – perhaps, as part of the employee manual or as part of the onboarding process. This must be done BEFORE any employee is approved to use Wi-Fi and access corporate data.

The IT Department must be allowed to set up VPN access on any employee-owned device that will reach corporate data over Wi-Fi, so that traffic between the device and the company network is encrypted even on an untrusted hotspot. Keep in mind what a VPN does not do: it does not protect a device that is already infected, and it will carry that device’s traffic into the corporate network just as faithfully, which is why the malware protection above is a precondition, not an alternative.

And, before any employee becomes a telecommuter, written telecommuting policies must be presented to and discussed with the employee – and then signed by the employee. Otherwise, telecommuting shouldn’t be an option.

Does your business have a telecommuting policy?
___________________________

Sources for this post:

(1) Verizon 2013 Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/2013/download.xml

(2) Inspiration for this post: TELUS Aim to Have 70% of Employees Working Mobile by 2015
http://www.informationsecuritybuzz.com/telus-aim-70-employees-working-mobile-2015/

(3) Wikipedia: Payload (computing)
http://en.wikipedia.org/wiki/Payload_%28computing%29

Image Credit: Ambro via FreeDigitalPhotos.net
