Tag Archives: Cybersecurity

Only 18% of IT Pros Confident in Current Password Risk Management

Posted on by

Many are having trouble maintaining the security of their employees’ log-in information, resulting in serious risks to their networks and private information. According to a recent LastPass and VansonBourne survey of 750 IT and security professionals in the United States, United Kingdom, France, Germany, Australia and Singapore, only 18% feel their company’s current access security is “fully secure and does not require improvement.” Risk management professionals have a significant role to play in determining how their organizations handle these risks and protect their data.

Some of the biggest ways that employees’ poor password management creates potential security threats to organizations’ data, according to the security professionals surveyed, are password reuse (according to 67%), weak passwords (65%), and not changing default passwords (36%), according to the security professionals surveyed. Nearly all respondents (95%) said that the risks that come along with using passwords create threats to the organization.

Given the importance of strong login information, companies often attempt to implement password rules to reduce security risks, such as requiring employees to choose complex passwords and change them frequently. However, these issues can lead to frustrations for both IT staff and employees. According to the LastPass/VansonBourne survey, the top frustrations for IT are employees reusing passwords for multiple applications, forgetting their passwords, and the time it takes to manage the company’s passwords. Employees are frustrated by having to regularly change their passwords, remember multiple passwords, and type long and complicated passwords.

The rapid increase in the number of employees working from home due to the COVID-19 pandemic has also exacerbated the risks, given a corresponding surge in cyberattacks on remote workers since March. Many employees are now working on home networks that may not have the protections that office networks offer, their passwords may not follow the stringent guidelines their companies would normally require, and they may store their passwords in less secure ways. In fact, Entrust Datacard released a survey showing that 42% of employees working from home kept passwords by physically writing them down, while 34% saved them in their phones and 27% kept them on their computers. The survey also found that almost 20% of employees reused passwords across multiple systems, which could make it easier for malicious actors to compromise those systems.

Maintaining Secure Logins

There are ways for risk professionals to help protect their companies’ systems and data. Experts recommend mandatory cybersecurity training for all employees, including instructions on how to choose adequate passwords, how often to change them and how to avoid cyber threats like phishing and malware.

There are also technological ways that risk managers can help secure their organizations’ passwords. As a first step, the National Institute for Standards and Technology (NIST) recommends that organizations ensure that employees’ passwords do not match those exposed in previous data breaches.

buy cipro online healthdirectionsinc.com/flash/swf/cipro.html no prescription pharmacy

There are publicly available services online that allow users to check whether email addresses and passwords have been compromised in breaches.

Additionally, the NIST recommends that employers restrict passwords to those that are not dictionary words, are not made up of repeated or sequential characters (such as 11111 or 12345 or qwerty), and do not contain specifics like the company’s name or the user’s name. NIST also suggests using multi-factor authentication (MFA), which would require employees to provide their login and password as well as a second piece of information, biometric data, or a physical device like a security key to verify their identity and log in.

With so many passwords to remember, a password manager—a program that stores and creates multiple complex passwords—may also be a good choice for organizations to protect their systems.

buy hydroxychloroquine online healthdirectionsinc.com/flash/swf/hydroxychloroquine.html no prescription pharmacy

Like all security precautions, password managers are not perfect. While still recommending their use, the Electronic Frontier Foundation warns that “using a password manager creates a single point of failure,” “password managers are an obvious target for adversaries” and “research suggests that many password managers have vulnerabilities.
buy tretiva online healthdirectionsinc.com/flash/swf/tretiva.html no prescription pharmacy

While a password manager or single sign-on technology can have benefits like faster authentication and letting employees remember fewer passwords, they also have downsides. The IT professionals surveyed by LastPass cited “the initial financial investment required to migrate to such solution,” “the regulations around the storage of the data required,” and “the initial time required to migrate to new types of methods” as the biggest challenges about using this technology. Additionally, 74% surveyed said that they thought employees at their companies would likely prefer to continue using passwords over passwordless methods because it was more familiar.

3 Tips for CCPA Enforcement During COVID-19

Posted on by

As we move into the second half of 2020 and the California Consumer Privacy Act (CCPA) is officially enforced, we are also in the midst of a global crisis that was not properly on the radar when the regulation was enacted in January. Organizations are now being tasked with CCPA compliance in an unexpected remote work environment, with more personal data available online than ever before. And some organizations have the added privacy challenge of contact tracing practices or applications being used internally to monitor employee health.

Even in the remote work environment, relevant companies must ensure that they are informing customers and staff about what data they are collecting, options for which personal details are being gathered, the right to say no and opt out of data collection, the right to request deletion of their information, and equal pricing despite their privacy selections.

Many businesses are still struggling to implement these guidelines and are attempting to avoid significant penalties, all while meeting uptime demands. Below are some tips from security and technology industry experts for the best ways to implement CCPA compliance:

Rely on Data Privacy Regulation Experts 

There is increasing uncertainty around many businesses’ futures, and therefore, it is critical to turn to data privacy regulation experts for advice, guidance and technological support. 

“With exponential amounts of enterprise data only increasing, ensuring data privacy involves layered, complex challenges for any business. From a cloud hosting perspective, meeting evolving compliance and privacy regulations, such as the CCPA law which is just beginning to be enforced, is one of those layers. One of the most important steps organizations can take to guarantee they are on the right path towards compliance is to rely on hosting providers that have teams experienced with privacy law regulations,” said Lex Boost, CEO of Leaseweb USA.  

While it may be tempting to rely on internal teams during the economic downturn, employee burnout in already resource-strapped IT and security teams could cost the companies more in talent loss and potential breaches/fines. Thus, companies should evaluate external providers.

Boost also said, “These providers can guide the process needed to guarantee data is managed within current and upcoming privacy regulations, allowing organizations to focus on maximizing data usage and the experience for their customers.”

Have the Right Cybersecurity Measures in Place 

Proper cybersecurity measures are often major components for achieving compliance with a variety of regulations, but especially the CCPA, which is focused on protecting sensitive data and users’ privacy rights. With major hacks making recent headlines at companies like Twitter, and ransomware attacks that threaten to exfiltrate and leak private data on the rise, companies should be on high alert.

“Nobody is safe from an attack leaking personal information, and it’s absolutely essential that correct cyber measures are in place to secure privileged accounts, in particular, as thoroughly as possible. With more information online and spread out than ever before, hackers not only have the ability to scam people, but also undoubtedly have access to private messages, security information, and other personal data,” said Torsten George, cybersecurity evangelist at Centrify.  

On top of increasing breach risks, many companies’ distributed workforces are making security preparedness even more complex. But there are solutions, according to George: “To protect organizations during this transitional remote working phase and the implementation of CCPA, it’s imperative to provide your IT administration teams, outsourced IT, and third-party vendors with secure, granular access to critical infrastructure resources regardless of location and without the hassles of a virtual private network (VPN). Privileged access management solutions can both maintain compliance and enable secure remote access to on-premises and cloud-based infrastructures, securing all administrative access with risk-aware, multi-factor authentication (MFA), and maintaining the level of compliance CCPA requires.”

Look Toward the Future 

The CCPA currently protects Californian’s privacy rights, but many legal and security experts think this could inspire a similar regulation at the federal level if it is successful.

“The CCPA is the first law of its kind in the United States, and it could set a precedent for other states. And because it applies to most companies who do business with individuals residing in California, the sweeping new law promises to have a major impact on the privacy landscape not only in California, but the entire country. The passage of a cohesive U.S. federal privacy law, one that will preempt state laws, is gaining momentum. It has strong bipartisan congressional support, and several large companies from a variety of industry sectors have come out in favor of it, some even releasing their own proposals. There are draft bills in circulation,” said Wendy Foote, senior contracts manager at WhiteHat Security.

Foote also advised, “With a new class of representatives sworn into Congress in 2019 and the CCPA effectively putting a deadline on the debate and officially being enforced in July, there may finally be a national resolution to the U.S. consumer data privacy problem. However, the likelihood of it passing in the very near future is slim. A single privacy framework must include flexibility and scalability to accommodate differences in size, complexity, and data needs of companies that will be subject to the law.”

It will take several months of negotiation for lawmakers to agree upon how the federal law would be implemented. While companies wait for the passage of a national privacy law and for it to take effect, they must continue to monitor developments in both state and federal privacy law and adapt as necessary.

Consumer privacy will continue to evolve, particularly in the time of COVID-19. Because of this, newer laws and regulations, like the European Union’s GDPR and the CCPA, must be flexible and evolve over time too.

Preventing Paycheck Protection Program Loan Scams

Posted on by

The COVID-19 pandemic and subsequent shutdowns have meant perilous times for small businesses across the country, with many shutting down temporarily or even permanently. As part of the U.S. government’s efforts to forestall bankruptcies and layoffs, Congress allocated hundreds of billions of dollars for the Paycheck Protection Program (PPP). Small businesses can apply for loans from the U.S. Small Business Association (SBA), which the SBA will forgive if the receiving business meets certain criteria, like “if all of the company’s employees are kept on the payroll for eight weeks and the money from the loan is used to pay for rent, mortgage interest, utilities or payroll.”

The program has helped many businesses, but also left many stranded and desperate when they could not qualify for the loans. According to the Wall Street Journal, as of this week, the government has disbursed “4.6 million loans worth more than $513 billion.” But some businesses were forced to return the funds when they discovered they could not open soon enough to meet the eight-week deadline, and some did not even bother applying because they did not meet the criteria. The program has also faced criticism for not providing enough funds, and when larger and/or publicly traded companies (like restaurant chain Ruth’s Chris) received loans.

As with many other government programs that award payouts and may have confusing or labyrinthine application and approval processes (such as Social Security payments or tax refunds), scammers have targeted desperate businesses trying to access PPP funds. Online identity verification service Social Catfish recently published guidelines for avoiding PPP-related scams that small businesses are facing, including phishing and robocall scams.

As Risk Management recently reported, phishing scams—in which criminals use fraudulent emails to trick users into clicking malicious links or divulging sensitive personal information—have proliferated since the start of the COVID-19 pandemic, often specifically targeting pandemic-related concerns. According to Social Catfish, online scammers have been using emails posing as the SBA inviting the recipient to apply for a PPP loan, then installing malware or stealing any information provided. With this information, scammers can then pose as a business to apply for loans or steal funds.

Scammers may also try to contact businesses by phone, either in person or by robocall, asking for confidential information or demanding a fee for their PPP application, even promising faster processing after the payment. Similar to the IRS, the SBA does not call PPP applicants for information, and there are no fees associated with PPP applications. Businesses applying for PPP loans may also encounter fake companies claiming that they facilitate applications, which scammers then use to steal the confidential information victims provide.

 To avoid being scammed, Social Catfish recommended that businesses interested in applying for PPP loans do their due diligence by following the steps below:

  • Don’t pay for a PPP Loan application. The SBA doesn’t require payment to fill out and submit a PPP Loan application. If someone is charging you to fill out an application, chances are its a scam.
  • Don’t give your information in response to any suspicious email, text, or phone call. The SBA will not email you out of the blue to fill out a PPP Loan application. If someone is emailing you out of the blue to fill out an application and to give them your information, chances are they are trying to scam you.
  • Verify the lender before applying for the loan. Only lenders approved by the SBA can administer PPP Loans. To find out if the lender you are applying with is approved to distribute PPP Loans, click here.
  • Don’t click on links in emails. The links in the emails are often filled with viruses and malware that will infect your computer and steal your personal information. They also spoof the application so that you’ll have to give out your personal or business’ confidential information.
  • Don’t reply back to any text or email you don’t know. Replying back to them with your personal or company’s confidential information may lead to you getting scammed. The SBA will not email you encouraging you to apply for the loan, you would have to look for the loan yourself.

Spotting Coronavirus-Related Phishing Emails

Posted on by

Amid widespread public concern and constantly evolving news about the COVID-19 pandemic, cybercriminals are finding new fodder for phishing campaigns. With the eagerness for new information about the coronavirus outbreak, distraction during disruption, and the disorienting shift to remote work for many, employees may be particularly susceptible to falling for these schemes right now.

Some of these phishing emails play off companies having employees work from home to launch credential-stealing attacks. Such phishing campaigns may impersonate IT teams or may direct recipients to fake login pages to access work networks or accounts remotely. See the screenshot at right for an example. Email security firm Mimecast’s Threat Intel team reported seeing over 300 examples of such a campaign using a fake OneDrive login.

“We see that threat actors are keeping up with the daily developments concerning the coronavirus,” said Mimecast’s Threat Intel team. “As the pandemic continues to spread and more and more people are made to work from home, we are seeing more phishing emails that are trying to trick users into giving their credentials through a faked login page. Threat actors are actively utilizing this pandemic to attempt to compromise individual’s accounts and organization’s networks. The potential for human error will inevitably increase in the coming weeks and we expect to see more of these phishing attempts in the coming days and weeks.”

Other phishing scams purport to be new updates from government authorities or public health organizations, directing recipients to click malicious links for updates on the spread of the COVID-19 pandemic, new containment measures ordered by governments, or local advisories. Last month, the World Health Organization warned that some criminals were spoofing WHO officials to send fraudulent emails, and Kaspersky Labs reportedly found emails spoofing the CDC asking for Bitcoin donations to help fund a coronavirus vaccine. Some other phishing emails include malicious attachments purporting to be tips for protecting yourself from the coronavirus or maps of the outbreak, for example, but actually contain malware.

“We are living in a heightened time of cyberrisk,” said David Simpson, Virginia Tech professor and former chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau. “Cybercriminals will take advantage of public fear and due diligence health measures to generate coronavirus-themed phishing attacks. We should be aware of unsolicited COVID-19 emails with specious links or attachments.”

To help employees detect these scams, check out the following infographic from Cofense’s Phishing Defense Center for tips on spotting coronavirus-related phishing emails: