BreachExchange mailing list archives

Stop Cyber-Pickpockets From Stealing Your Data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 16 Oct 2015 13:43:58 -0600

http://www.baselinemag.com/security/stop-cyber-pickpockets-from-stealing-your-data.html

The sad reality for many corporate security professionals is this: Workers
simply don’t apply the same vigilance to protecting corporate information
as they do for their own personal information.

Workers who carefully shield their ATM screen while entering a PIN may make
no attempt to cover their keyboard when logging into a work email account
from a laptop in a public place. Or they may not think twice about leaving
network log-in information taped to a computer monitor at work.

Similarly, workers who shred personal documents containing sensitive bank,
credit card or medical information may be less cautious when handling
sensitive corporate information. This could include reviewing corporate
earnings information in view of potential onlookers while on a train ride
home, or leaving a USB drive that contains details of a new product launch
sitting on a hotel room table while attending a conference.

The fact of the matter is that a corporation’s ideas and closely guarded
information can be targeted and "pickpocketed" just the way our personal
information and valuables can. Especially as companies continue to spend
record amounts on cyber-security—reaching an estimated all-time high of
$75.4 billion this year—cyber-attackers will seek new weaknesses to
exploit. That includes targeting employees who have access to their
company's networks and valuable information.

The challenge is clear: How can you get employees to break bad habits and
protect corporate information with the same diligence they use for their
personal information?

Assign Value

Employees are more likely to help protect your company’s intellectual
property and other sensitive data if they understand what’s at stake. So,
if possible, attach a dollar figure to projects, such as the revenue
anticipated from a new product introduction or the potential financial
impact of a pending acquisition. Understanding the larger financial
implications can help employees comprehend the greater value of their work,
which should motivate them to protect it from malicious outsiders.

Given the highly collaborative nature of today’s businesses, this awareness
campaign should extend beyond the executive level to reach all stakeholders
who access and handle sensitive information. They include marketing,
accounting, research and purchasing professionals, as well as third-party
organizations.

Identify Environmental Risks

Your employees work in a range of different environments, each of which can
contain different threats to your sensitive information.

A growing number of businesses are using open-office floor plans to help
drive employee collaboration. But these working environments also offer
little privacy and may be susceptible to visual hacking, which is the
unauthorized viewing or obtaining of sensitive, personal or private
information for unauthorized use.

Fewer physical barriers can give a vendor, cleaning person or even a
malicious employee more opportunities to view or capture sensitive
information, whether it’s displayed on an employee’s screen or left out on
a desk in hard-copy form.

The risks extend well beyond the confines of your offices. Employees who
can access company networks and sensitive information using a laptop or
mobile device also risk falling prey to hackers—whether they are on their
daily train commute, working remotely from an airport or coffee shop, or
attending a conference.

A risk assessment can help you identify the various risks encountered in
different environments, whether inside or outside your company’s walls.

Implement Changes

After conducting an assessment, the proper policy and technology changes
can be put in place.

For example, it is generally a good policy for IT departments to give
workers a loaner computer and perhaps even a loaner phone when they travel.
Using these “clean” devices may help limit the information available to
cyber-hackers and visual hackers in case a device is compromised, lost or
stolen.

Policies should also be in place for workers traveling or working in
regions where the expectation for privacy can be significantly lower than
it is in the United States and other industrialized countries. The FBI has
developed a number of warnings and recommendations to help workers protect
company information when working abroad. These include:

· Be aware that your conversations may not be private or secure.

· Don’t leave electronic devices unattended.

· Clear your Internet browser’s cache, cookies, history and temporary
Internet files.

· Avoid having non-company computers log on to your company’s network.

· Don’t allow foreign electronic devices to connect to your computer or
phone.

· Know that wireless and other communications may be intercepted.

Mobile workers should also be instructed to disable Bluetooth and WiFi when
they’re not in use. As the U.S. Computer Emergency Readiness Team pointed
out, mobile devices become discoverable to malicious individuals when
Bluetooth is enabled. Attackers can also use WiFi access, especially around
public WiFi hotspots, to intercept unencrypted data.

Beyond policies, a number of basic tools can help protect information in
both public and private settings. One safeguard that every company can and
should immediately begin using is a privacy filter. These devices are easy
to use—they slide right over a computer screen or apply to a mobile device
screen via an adhesive—and help maintain workers’ visual privacy by
blocking the angled views of potential onlookers.

While none of these changes will prevent a cyber-security incident, each
helps promote the goal of keeping your sensitive information private.

Reinforce Through Training

We learn the importance of protecting our personal and financial
information throughout our lives—from family and friends, from news stories
about data breaches, and from the banks and other organizations that handle
our data. But the same can’t be said about our work lives.

For many workers, education about the importance of protecting corporate
information begins and ends with the employee orientation. As a result,
protecting information simply isn’t a top-of-mind priority for them.

A strong commitment to training can change that. At the very least, workers
should receive annual training about the proper handling and protection of
company information. Additional training should also be provided as
policies change and new tools are introduced, and prior to major company
events, such as new product introductions, or mergers and acquisitions.

Changing employee behavior can be difficult, even with regular training.
It’s important that you reinforce training through additional awareness and
internal communications efforts. Company executives command authority among
workers and can be especially effective contributors to these efforts, such
as through employee memos or videos.

Training should also extend to your consultants and other third-party
agencies. The outside organizations you work with may already have
nondisclosure agreements in place, but do you know the steps they’re taking
to enforce those agreements?

For example, some consultants rely on their ability to promote their work
with one client to secure work for another. But that shouldn’t come at the
expense of your company’s sensitive information. You need to examine their
policies and methods to ensure that their privacy efforts align with your
expectations.

Protecting Your Assets

Your employees are your most valuable assets. Unfortunately, malicious
individuals know this. Like pickpockets roaming the bustling tourist areas
of Paris or Amsterdam, hackers are hiding in plain sight waiting for the
right opportunity to pounce.

Don’t let your employees be easy victims. Inform, equip and empower them to
be vigilant guardians of your company’s most important, closely held ideas
and information.