Tag Archives: data security

Cyber Criminals Could Hold Your Data Hostage

Password theft, identity theft, ransomware – in an age where hacking has become the career of choice for tech-savvy criminals, data protection must be a top priority for CPOs.

“Cyber criminals don’t need to even leave their house to do damage,” says Craig Hancock, cybersecurity expert and Executive Director of Telstra Service Operations. “One breach of trust and the consequences can be irreparable. These days, the traditional idea of criminals – think balaclavas, weaponry, a getaway car – has moved off the streets and into cyberspace.”

Are you prepared for cyber criminals? Do you have your business information secured? How do you manage the confidential information of your customers? And what do you have in place to mitigate risk?

Hancock will deliver a cybersecurity update at the upcoming 10th Asia-Pacific CPO Forum, where he’ll demonstrate how frighteningly easy it is to steal data from a computer by showing a live hack. “I’m planning on showing the group how easy it can be to hack a business, with basic tools and knowledge. I want to make sure everyone is aware about what goes on in the world of cybersecurity threats, and give them some understanding of what they should be doing to help mitigate these threats.”

“Mitigate” is a key word here, as Hancock predicts the cybersecurity challenge faced by businesses and organisations will continue to grow year on year. Notably, he says that any organisation offering a fix-all solution to “solve” your cybersecurity challenge should be avoided.

“It’s an ongoing challenge – cybersecurity has evolved enormously from five years ago, and is likely to look entirely different again by 2020. There’s no single ‘fix’ and there are plenty of bright, shiny objects to distract your security team. You would be wise to put in place some basic, common-sense measures and controls and partner with an organisation that understands the extent of the threat.”

What are the risks?

Cybercrime can be initiated through your head office, at weak point in your supply chain, or even through IoT-enabled devices with low-level protection. Among the types of crime that can take place, Hancock mentions:

  • Password theft: with the obvious prize being the password or access code to users’ bank accounts.
  • Identity theft: a customer’s date of birth and other key information (such as health records) enables criminals to assume their identity, or to sell on this information to others. This can be very expensive for the company that has suffered the breach.
  • Ransomware: Hackers can lock your company’s data in an encrypted vault and demand a ransom for its release. A famous example of this occurred last year when a cyberattack on a Los Angeles hospital left doctors locked out of patient records for over a week, with the hackers demanding a ransom of $3.7 million in Bitcoin.

Telstra’s Craig Hancock will deliver a cybersecurity update at PIVOT: The Faculty’s 10th Annual Asia Pacific CPO Forum.

Are Employees the Weak Link in Company Cyber Security?

Are your employees leaving the door open for cyber attacks? Here’s how to help them reduce the cyber security threat.

employees weak link

Employees are a significant risk to their employer’s cyber security according to research by specialist global executive search and interim management company Norrie Johnston Recruitment (NJR).

The research forms part of NJR’s cyber security report, ‘How real is the threat and how can you reduce your risk‘. The report shows that:

  • 23 per cent of employees use the same password for different work applications.
  • 17 per cent write down their passwords.
  • 16 per cent work while connected to public Wi-Fi networks.
  • 15 per cent access social media sites on their work PCs.

Such bad habits and a lack of awareness about security mean that employees are inadvertently leaving companies’ cyber doors wide open to attack.

This research is supported by a report which incorporates the advice from fifteen experts in the field. In it, Benny Czarny, Founder of OPSWAT, discusses the top tips to avoid massive data breaches.

With Sony recently setting aside $15M to investigate the reasons for, and remediate the damage caused by, last year’s data breach, many of our customers—from large enterprises to small business—are wondering what they need to do to make sure they aren’t the next big data breach headline.

The good news is that most data breaches can be prevented by taking a common sense approach, coupled with some key IT security adjustments.

1. Employees’ security training is an absolute necessity. 

I cannot emphasise this point enough, as your network is only as safe as your most gullible employee. Even the most sophisticated security systems can be compromised by human error. The Sony breach started with phishing attacks.

And people still also use USB devices from unknown sources, which is allegedly how the Stuxnet worm was delivered.

2. Access to executable files should be limited to those who need them to complete their duties. 

Many threats are borne via self-extracting files. Therefore, limiting the number of employees who are allowed to receive this file type limits your exposure.

Your IT department absolutely needs the ability to work with executable files. Bob in accounting? Not so much!

3. MS Office documents and PDFs are common attack vectors. 

Vulnerabilities are identified in MS Office and Adobe Reader on a regular basis. While patches are typically released very quickly, if the patches are not applied in a timely fashion the vulnerability can still be exploited.

As an everyday precaution, document sanitisation is recommended to remove embedded threats in documents.

4. Data workflow audits are essential. 

Data can enter your organisation through many different points – email, FTP, external memory device, etc. Identifying your organisation’s entry points and taking steps to secure them is a critical step in avoiding data breaches.

At a minimum, scanning incoming and outgoing email attachments for viruses and threats, and implementing a secure file transfer solution, should be considered.

5. Store sensitive data in separate locations. 

Simple data segregation could have mitigated the impact of the Sony breach. The hack exposed both internal communications and unreleased video files.

Had the videos and emails been stored on two separate systems some of the damages may have been prevented.

6. Internal and external penetration tests are critical. 

Internal testing is a valuable tool, but hiring an outside party to attempt to breach your network will identify security holes your team may have missed.

7. Keep your security architecture confidential. 

You may be excited about your innovative networking solution or new cloud-based storage system, but think twice about making any of that information public!

8. Remember that traffic generated internally to your security system may still be suspect. 

For example, the Sony malware connected to an internal security system to impersonate legitimate traffic to disguise its malicious nature.

9. Multilayer defence is needed. 

I like to describe defence in depth by comparing it to the defence systems you might see at a castle. It could be defended by a large stone wall, followed by a deep moat, followed by a draw-bridge, followed by an iron gate, etc.

A single layer of defence is not sufficient for your data. It must be protected by multiple systems working in parallel. That way if one layer is breached your data is not exposed.

10. Finding your weakest security link is your top priority. 

Every office has one, and it will vary wildly from organisation to organisation. It might be the employee with their passwords taped to their monitor. It might be the deprecated Linux server everyone seems to have forgotten about.

You might not be looking for those weak links, but rest assured that cyber attackers are. The question is: Who will find them first?”

To read more useful and practical insights into topics including how to assess the scale of your risk level and managing the immediate aftermath of a security breach, download the full report.