BreachExchange mailing list archives
Stop Cyber-Pickpockets From Stealing Your Data
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Oct 2015 13:43:58 -0600
http://www.baselinemag.com/security/stop-cyber-pickpockets-from-stealing-your-data.html

The sad reality for many corporate security professionals is this: workers simply don't apply the same vigilance to protecting corporate information as they do to their own personal information.

Workers who carefully shield their ATM screen while entering a PIN may make no attempt to cover their keyboard when logging into a work email account from a laptop in a public place. Or they may not think twice about leaving network log-in information taped to a computer monitor at work. Similarly, workers who shred personal documents containing sensitive bank, credit card or medical information may be less cautious when handling sensitive corporate information. This could include reviewing corporate earnings information in view of potential onlookers on the train ride home, or leaving a USB drive that contains details of a new product launch sitting on a hotel room table while attending a conference.

The fact of the matter is that a corporation's ideas and closely guarded information can be targeted and "pickpocketed" just the way our personal information and valuables can. Especially as companies continue to spend record amounts on cyber-security (an estimated all-time high of $75.4 billion this year), cyber-attackers will seek new weaknesses to exploit. That includes targeting employees who have access to their company's networks and valuable information.

The challenge is clear: how can you get employees to break bad habits and protect corporate information with the same diligence they apply to their personal information?

Assign Value

Employees are more likely to help protect your company's intellectual property and other sensitive data if they understand what's at stake. So, if possible, attach a dollar figure to projects, such as the revenue anticipated from a new product introduction or the potential financial impact of a pending acquisition.

Understanding the larger financial implications can help employees comprehend the greater value of their work, which should motivate them to protect it from malicious outsiders. Given the highly collaborative nature of today's businesses, this awareness campaign should extend beyond the executive level to reach all stakeholders who access and handle sensitive information. They include marketing, accounting, research and purchasing professionals, as well as third-party organizations.

Identify Environmental Risks

Your employees work in a range of different environments, each of which can contain different threats to your sensitive information. A growing number of businesses are using open-office floor plans to help drive employee collaboration. But these working environments also offer little privacy and may be susceptible to visual hacking, which is the unauthorized viewing or obtaining of sensitive, personal or private information for unauthorized use. Fewer physical barriers give a vendor, cleaning person or even a malicious employee more opportunities to view or capture sensitive information, whether it's displayed on an employee's screen or left out on a desk in hard-copy form.

The risks extend well beyond the confines of your offices. Employees who can access company networks and sensitive information using a laptop or mobile device also risk falling prey to hackers, whether they are on their daily train commute, working remotely from an airport or coffee shop, or attending a conference. A risk assessment can help you identify the various risks encountered in different environments, whether inside or outside your company's walls.

Implement Changes

After conducting an assessment, the proper policy and technology changes can be put in place. For example, it is generally a good policy for IT departments to give workers a loaner computer, and perhaps even a loaner phone, when they travel. Using these "clean" devices limits the information available to cyber-hackers and visual hackers in case a device is compromised, lost or stolen.

Policies should also be in place for workers traveling or working in regions where the expectation of privacy can be significantly lower than it is in the United States and other industrialized countries. The FBI has developed a number of warnings and recommendations to help workers protect company information when working abroad. These include:

· Be aware that your conversations may not be private or secure.
· Don't leave electronic devices unattended.
· Clear your Internet browser's cache, cookies, history and temporary Internet files.
· Avoid having non-company computers log on to your company's network.
· Don't allow foreign electronic devices to connect to your computer or phone.
· Know that wireless and other communications may be intercepted.

Mobile workers should also be instructed to disable Bluetooth and WiFi when they're not in use. As the U.S. Computer Emergency Readiness Team pointed out, a mobile device with Bluetooth enabled and left discoverable can be found and probed by malicious individuals nearby. Attackers can also use WiFi access, especially around public WiFi hotspots, to intercept unencrypted data.

Beyond policies, a number of basic tools can help protect information in both public and private settings. One safeguard that every company can and should immediately begin using is a privacy filter. These devices are easy to use (they slide right over a computer screen or apply to a mobile device screen via an adhesive) and help maintain workers' visual privacy by blocking the angled views of potential onlookers.

While none of these changes will prevent a cyber-security incident on its own, each helps promote the goal of keeping your sensitive information private.

Reinforce Through Training

We learn the importance of protecting our personal and financial information throughout our lives: from family and friends, from news stories about data breaches, and from the banks and other organizations that handle our data. The same can't be said about our work lives. For many workers, education about the importance of protecting corporate information begins and ends with employee orientation. As a result, protecting information simply isn't a top-of-mind priority for them.

A strong commitment to training can change that. At the very least, workers should receive annual training about the proper handling and protection of company information. Additional training should also be provided as policies change and new tools are introduced, and prior to major company events, such as new product introductions or mergers and acquisitions.

Changing employee behavior can be difficult, even with regular training. It's important that you reinforce training through additional awareness and internal communications efforts. Company executives command authority among workers and can be especially effective contributors to these efforts, for example through employee memos or videos.

Training should also extend to your consultants and other third-party agencies. The outside organizations you work with may already have nondisclosure agreements in place, but do you know the steps they're taking to enforce those agreements? For example, some consultants rely on their ability to promote their work with one client to secure work for another. That shouldn't come at the expense of your company's sensitive information. You need to examine their policies and methods to ensure that their privacy efforts align with your expectations.

Protecting Your Assets

Your employees are your most valuable assets. Unfortunately, malicious individuals know this. Like pickpockets roaming the bustling tourist areas of Paris or Amsterdam, hackers are hiding in plain sight, waiting for the right opportunity to pounce. Don't let your employees be easy victims. Inform, equip and empower them to be vigilant guardians of your company's most important, closely held ideas and information.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!