Category: Cybersecurity

14 Jun 2019

Thinking Inside the Box: Addressing Internal Cyber Vulnerabilities

In cybersecurity, it’s easy to become obsessed with external malicious factors and lose sight of the whole picture, which includes internal vulnerabilities. When it comes to cybersecurity, the best defense includes shoring up your internal defenses, because many critical vulnerabilities are too close to home for comfort.

What is an internal cyber vulnerability?

A vulnerability is a flaw in a system that exposes the system to risk of attack. In cybersecurity, these vulnerabilities can be related both to your computer systems and to the processes and procedures you use. While you may know famous software vulnerabilities like Heartbleed and WannaCry, internal vulnerabilities can be much more mundane. For example, someone leaving the default password on a router, or assuming your employees know how to recognize spear phishing attacks, can lead to a lot of heartache for a chief information security officer.

As they say in sports, “The best defense is a good offense.” In this case, a good offense includes taking a proactive approach to identifying and fixing vulnerabilities, which we’ll cover next.

How to identify cyber vulnerabilities in enterprise-level organizations

Before you can identify cyber vulnerabilities, you must have a clear idea of your organizational assets, including intellectual property. Frédéric Virmont, a seasoned cybersecurity expert, says, “You have to identify what’s critical for the business: servers, applications, everything. Once you identify those critical assets, then you can make a plan to secure them and ensure they’re maintained with security patches.”

After identifying your critical business assets, you can expose and triage any vulnerabilities through various security tools—and then patch them up.

Put staff on your list of organizational assets, too, since cyber vulnerabilities include both accidental and intentional insider attacks by employees.

Six ways to reduce internal cyber vulnerabilities with pre-emptive measures

1) Encrypt data and communications – Protect your data while it’s in transit and at rest with a user-friendly encryption solution. Billions of emails are sent every day, and without encryption each one represents a security risk. In 2018, 4.8 billion records were stolen during breaches, and less than three per cent of those records were encrypted.

2) Teach employees about cybersecurity – A recent PwC report in the US found that 32 percent of respondents consider insider threats more costly and damaging than external incidents. Because employees are on the frontline of cybersecurity, it’s essential to educate them about the importance of using security programs and processes and how to identify and report suspicious incidents. Cybercrime is increasingly sophisticated—especially social engineering and spear phishing—which is why regular and effective cybersecurity training is necessary for all staff.

3) Beef up your security policies – Make sure your policies support your security efforts. Some of the best practices include:

  • Limiting user access through assigning appropriate permissions to non-IT employees
  • Setting appropriate guidelines for creating strong passwords and enforcing two-factor authentication
  • Limiting Internet usage by defining or controlling what type of content can be viewed
  • Defining file storage locations for employees and denying usage of USB drives or personal cloud storage
  • Choosing policy-based encryption with flexible delivery methods for communications
  • Effective vetting of third-party vendors

4) Have an up-to-date disaster recovery plan – A disaster recovery plan allows all staff to act swiftly—using a prepared strategy—when disaster strikes. This way, organizational efforts can go towards closing the vulnerability and monitoring it, rather than trying to figure out what to do in the middle of a crisis.

5) Don’t migrate vulnerabilities to the cloud – While there are many benefits to offloading on-premise servers and applications to the cloud, organizations must avoid bringing along existing vulnerabilities with them. Implementing security tools prior to cloud migration is essential.

6) Communicate effectively with the board – Since they may not always understand the technical assets, many boards shy away from cybersecurity risk management. Instead of communicating about tech specs, talk to the board about the cost of not implementing security measures, return on investment trends and reputation management with clients. Raphael Narezzi suggests talking to the board of directors like this, “It can be a cost today, but I guarantee you, the scenario we see when a board acts before an event, is a completely different scenario than when they don’t act at all.”

The benefits of closing internal vulnerabilities

Closing internal vulnerabilities takes time, resources and expertise and is now part of the cost of doing business. But there are benefits. As mentioned above, data security results in customer-centric benefits such as building reputation and digital trust and helps pave the way for competitive differentiators.

There is also a solid return on investment. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can expect a seven-month payback period and $2.7M in cost savings by employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.

With so much at risk, isn’t it time to shore up your vulnerabilities?

At Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension of existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the ROI of Echoworx OneWorld encryption here.

By: Randy Yu, Senior Manager Technical Operations & Support, Echoworx

04 Jun 2019

Encryption Mosaic: The New Diverse World of Secure Communications

Dial back the clock several million years and you find a crowded ocean of creatures surrounding lush green lands devoid of any vertebrate activity. Then one fish walked out of the sea and changed our terrestrial course forever. But did this ambitious fish have revolutionary intent? Certainly not – instead focusing on more immediate needs of food and new territory.

The same can be said about contemporary demands for secure digital communications. While digital communications enable transcendence from the world of paper mail, making the sending and receiving of information instantaneous, they inadvertently make our most-precious personal details more exposed and more open. And, with no way to turn back the clock, the case for encryption protection of sensitive information grows – and evolves.

But, as more and more industries migrate online, we are beginning to see that this brave new digital world is not one-size-fits-all – especially when it comes to secure digital communications. From different customers to different jurisdictional regulations protecting them, an encryption solution needs to be as flexible as the diverse array of organizations it serves.

Here are key points to consider in determining the factors affecting secure communications, why needs are so diverse and where exactly you might start placing your organization in the encryption mosaic:

1) Regulatory fines with sharp-teeth

Where an organization is located can influence how much it is expected to protect its data. In Denmark, for example, encryption is now mandatory for all communications containing the personal data of Danish citizens under its jurisdiction, according to Denmark’s own interpretation of the General Data Protection Regulation (GDPR) affecting EU member countries. Failure to comply with the GDPR, or with similar laws such as Canada’s recently-updated Personal Information Protection and Electronic Documents Act (PIPEDA), can lead to devastating fines and even more devastating brand damage.

Echoworx recognizes that not all countries protect the personal data and privacy of their citizens in the same way. To help keep prying bureaucratic eyes out, and to avoid non-compliance with jurisdictional regulations, Echoworx’s cloud-based encryption solutions are available on AWS Cloud in 13 countries. We also have SOC2 and ICO-certified data centres in the US, UK, Germany, Ireland, Mexico and Canada, ensuring all sensitive data stays close to home.

2) Different industries – different business cases

While organizations operating in the banking, financial services and insurance (BFSI) realm were the first wholesale adopters of encrypted communications, the technology is rapidly spreading to other industries. According to a recent Ponemon study, for example, manufacturing and services organizations are beginning to crack into the encryption market – accounting for 12 and 11 per cent respectively.

And, as new industries begin to implement encrypted secure communications, demand rises for a flexible encryption solution that can adapt to different business use cases. At Echoworx, for example, we offer a cloud-based, scalable encryption solution featuring multiple secure, user-friendly delivery methods to fit any business process.

Learn more about the different ways you can send secure information with Echoworx.

3) Users are changing

From mobile banking to Generation Z, how users send information and what exactly they are willing to send is changing at a rapid clip. Today’s users are tech-savvy and quick to provide personal details but even quicker to move on if an organization mishandles their data. They demand instantaneous communication and a streamlined user experience with organizations they work with. To avoid going the way of the dodo bird, you need to go above and beyond to make sure they come first – all while ensuring that their sensitive personal data is protected.

With Echoworx, you can tailor every aspect of your encryption experience to put your customers first – from the way they access a secure message to something as simple as the ability to brand. And, to avoid anything that detracts from the user experience, Echoworx offers services in 22 languages for all our flexible delivery methods – ensuring nothing is lost in translation.

Explore these different delivery methods here.

4) Encryption isn’t just an IT issue anymore

From headline-grabbing data breaches to something as simple as customer experience, encryption is no longer a backroom IT issue – it’s a business issue. But implementing an encryption program isn’t as simple as adopting a solution and flipping a switch. There needs to be a universal internal change of culture at most organizations. For example, while 50 per cent of CEOs are concerned most about possible detrimental impacts to user experience when adopting a security solution, 88 per cent of IT professionals view encryption as costly, difficult and a constraint on business productivity.

Echoworx works with companies to ensure encryption solutions are as non-intrusive and as streamlined as possible – from deployment to the end user. In our capacity as a third-party encryption provider, we support our clients, reducing the additional strain of user help queries, and, with nearly two decades’ experience in the encryption market, we can adapt to any business case.

Learn more about working with Echoworx.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

Sources:

  • Ponemon Global Encryption Trends Study – April 2018

03 May 2019

How to Make a Business Case for Encryption

Worldwide, more than 290 billion emails are sent every day. In enterprise-level organizations, digital communication is a competitive advantage over snail mail because it’s faster, cheaper and easier to deploy. But cost savings can disappear the instant an organization experiences a data or privacy breach, which is all too common. In 2018, 4.8 billion records were stolen during breaches—that’s more than 9,000 per minute—and less than three per cent of those records were encrypted.

Today, we’ll do a quick review of two reasons email encryption is business-critical and what to look for in an encryption provider if your organization would like to minimize risks and costs associated with keeping email secure.

Why email encryption is critical in business: the high cost of losing trust

If your organization collects, manages and disperses personal information, it’s essential to deploy user-friendly encryption to secure that data as it flows through email. Of course, it’s the right thing to do, but it’s also what customers want and expect. For example, 87 per cent of CEOs invest in cybersecurity specifically to build customer trust—because once you lose trust, you lose the customer. When customer trust and satisfaction are tied to data security, it’s easy to see how email encryption no longer fits into the nice-to-have category. It’s now essential.

Why email encryption is critical in business: compliance & avoiding fines

Implementing an encryption solution also helps you keep government hands—mandated by legislation—out of your pockets.

If your organization doesn’t protect data from being intercepted en route, the fines can be substantial. Just one year after the launch of the General Data Protection Regulation (GDPR) in the EU, for example, we are already seeing massive fines – like the €50M fine Google was ordered to pay at the beginning of 2018 for GDPR violations.

In Canada, under the newly-updated Personal Information Protection and Electronic Documents Act (PIPEDA), it’s now mandatory to report data breaches, with non-compliance fines going as high as $100,000.

With privacy legislation expanding—California, New York and even Qatar, among many others, have created their own guidelines—organizations can no longer afford to ignore email encryption for private data. Privacy legislation now has teeth and the fines are steep.

There’s no question that taking care of your business means encryption. The next thing to do is work with an encryption provider who understands your needs and addresses them effectively.

Finding an encryption provider that works for you

Global information security spending, as a whole, is set to exceed $124B in 2019, according to a recent Gartner report—which means your organization has a lot of choice when it comes to encryption solutions. This choice is good, but it can also be overwhelming and lead to poor decisions. For example, if an organization has an encryption solution in place but it’s not widely used, it can mean they didn’t choose an encryption provider that could meet their needs and guide them through the process. We don’t want that to happen to you, so we put together a list of things to look for in an email encryption provider.

Seven things to look for in an enterprise-level encryption provider:

  1. Proven track record – Ask how long the provider has been working in encryption. At Echoworx, for example, we understand the risks of email management because we’ve been providing encryption solutions for almost two decades.
  2. Solutions that go beyond out-of-the-box encryption – While out-of-the-box encryption is much better than zero encryption, look for a provider that can counsel you on solutions based on your needs. Many enterprise-level organizations require flexible delivery and policy-based encryption options—which go beyond the box.
  3. Cloud solutions that reduce overhead – Sending encrypted messages simply costs more when you run a legacy on-premise encryption solution. Costs include hardware and physical on-premise servers and staff to run them. Look for a third-party encryption provider that allows you to upload your secure communications to the cloud, offload support queries, gain access to encryption experts, save money and put less burden on your IT resources.
  4. Data centres around the world – Worldwide data centres allow users to deploy communications within their jurisdictions and within regulatory compliance. For example, at Echoworx, we have data centres in six countries: Germany, Ireland, the United Kingdom, Canada, Mexico and the United States. This helps cut costs, maintain compliance and reduce deployment time.
  5. Reputation management – Every time a piece of sensitive information leaves an organization’s digital perimeter, it puts the company’s reputation at risk. An encryption provider should understand this risk and offer solutions like full brand alignment in multiple languages to support a seamless end-user experience.
  6. Systems that support dynamic scaling – Can your provider’s encryption solution scale dynamically as email demand on the system fluctuates from day to day or even hour to hour—and accommodate increased demand without delay? Is your system available in AWS Cloud in 13 countries?
  7. Vetted partners for peace of mind – Do you trust your provider to handle your data securely and responsibly? At Echoworx, we subject our business to regular audits. We are proud to be: SOC2 Certified, Web Trust Certified, a Microsoft Root Certificate Member and an Apple Root Certificate Member.

One last thing to look for in an encryption provider: a track record of positive return on investment (ROI).

A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization using Echoworx’s OneWorld encryption platform can expect an ROI of 155 per cent—with upwards of $2.7M in cost-mitigating benefits. This same study showed that using OneWorld’s self-service support options—like automatic password resets—increases call centre productivity, removes the need for additional overhead and can save enterprise-level organizations almost $320K over three years.

Get the full Forrester Total Economic Impact™ study of OneWorld now.

As you can see, the cost of unencrypted email communications is high and the risk too great. Isn’t it time you found a trusted encryption provider that can meet the needs of your business and customers?

By: Beverly Barrett, Director, Channel Management, Echoworx

24 Apr 2019

Insider Cyber Threats? Closer to Home than You Think!

For enterprise-level organizations, it’s no longer enough to protect data and systems from nefarious external agents. Organizations must also implement defensive measures to protect themselves from something much closer to home: insider threats.

Internal cyber attacks happen inadvertently or on purpose. We want to share the four types of insider threats and some defensive measures that help organizations reduce the risk of these threats.

Two types of accidental insider attacks

Instead of jumping into a zero-trust environment that’s so restrictive it hampers productivity and user-experience, remember that most of your employees and trusted partners do not have malicious intent. Inadvertent or unintended insider attacks happen because the insider is oblivious or negligent.

An oblivious attack is when someone with access to company information is compromised by an outside agent but doesn’t realize it. This can happen when someone leaves a company device unattended or uses unencrypted Wi-Fi on a company device.

A negligent attack is when someone bypasses a security protocol, often to speed up a work process or because of a lack of knowledge about the security protocol. When employees lack proper security training, they’re more vulnerable to phishing and spear phishing attempts.

Two types of intentional insider attacks

The two primary types of intentional insider attacks come from malicious and professional attackers.

A malicious attack comes from an insider who becomes disgruntled and goes rogue to get even with the company for a real or imagined offense. This could involve stealing data or sabotaging a company network or system.

A professional attack comes from an insider who is a career thief. This involves exploiting system vulnerabilities for profit.

External attacks through the inside

While brute-force attacks remain a common threat at the gates of any firewall, there are also ways for malicious actors to attack your company from the inside. In a social engineering attack, for example, an attacker might impersonate someone at an organization using stolen credentials or stolen information, or get in through a supply chain attack. A smart air conditioning unit, for example, might be connected to an organization’s network, creating a third-party backdoor that bypasses frontline defenses.

Five ways to minimize the risk of insider threats

With all these foxes in the hen house, organizations are wise to take a defensive approach to insider threats.

  1. Get the Board on board – Even in 2019, it’s common for boards to not ask about or understand cybersecurity. Rafael Narezzi, a prominent Cyber Security Strategist, suggests that everyone on the Board of Directors must “understand what [cybersecurity] is. Not in deep technical talk but the consequences for the business if they don’t act.” When the Board and senior leadership team understand the cost and consequences of cyber threats, there will be more support for cybersecurity initiatives. This lack of attention is more common than you’d probably guess. PwC’s Global Economic Crime and Fraud Survey 2018 found that less than half of surveyed organizations had conducted a cybercrime risk assessment. This is despite cybercrime being one of the top three most reported frauds!
  2. Use an effective and user-friendly encryption solution – It’s imperative that organizational data is secured, because so many insiders have access to it, and sending that sensitive information to clients, vendors and partners is a regular part of doing business. Features to look for in an enterprise-level encryption solution include:
  • Automatic encryption policies that apply encryption under defined circumstances (such as when certain information or keywords appear in an email).
  • Multiple flexible delivery methods for different types of secure encrypted communications that allow the sender to control how a message is sent and whether to include features like a time limit.
  • An easy and frictionless user experience for employees and customers.
  With a frictionless user experience—for example, with the Echoworx OneWorld encryption platform—employees are less likely to bypass security protocols, because the protocols are built into regular workflows and don’t make security a burden for senders or recipients. In addition to reducing the risk from insider threats, there are financial benefits to adopting a flexible, frictionless encryption solution. A recent Forrester Total Economic Impact™ study, for example, revealed that a typical enterprise-level organization can enjoy $2.7M in cost-mitigating benefits through employing our flexible OneWorld encryption solution. Get the full Forrester Total Economic Impact™ study of OneWorld now.
  3. Educate staff on cybersecurity – Even though employees know why they shouldn’t open attachments and click links from strange emails or use “p@ssw0rd” as a password, they’re still vulnerable to attacks because cybercrime is increasingly sophisticated. To change that, make sure all employees take part in regular and effective cybersecurity training that helps them understand why it’s important, how to implement security measures at work and how to spot sophisticated phishing and spear phishing scams. Training can include tests and tricks. A good trick involves sending a fake phishing attempt to staff to reinforce real-world lessons from the cybersecurity training.
  4. Build security into all products and processes from the start – Train developer teams to create products that are secure by design. Frédéric Virmont, a cybersecurity industry expert, says, “Security is like quality; it must be from the beginning to the end of the life cycle. For developers, now we have tools where they can code and check security along the way. If you wait until the end of the product, it’s too late. Once the house is built, it’s too late to add emergency exits.” This idea includes permissions architecture. A non-secure design gives all users access to more data than necessary. To be security minded, create a permissions architecture that gives access based on needs and roles. For example, the chief marketing officer wouldn’t have the same permissions as customer service agents.
  5. Make cybersecurity the path of least resistance for all users – Like it or not, we do what’s easy. For organizations, this means that overly-complex data security protocols hamper adoption. Because cybersecurity methods only work when staff and customers use them, user experience must always be considered and prioritized. Going back to the encryption example above, we’ve found that a lot of internal users are reluctant to send encrypted emails because they don’t know how to encrypt them or don’t like the spammy look for their recipient. These are two unnecessary barriers that get in the way of frictionless security and set the stage perfectly for negligent insider attacks.

Insider threats are real and a recent PwC report in the US found that 32 per cent of respondents consider insider threats costlier and more damaging than external incidents.

By taking a security approach that involves a frictionless encryption solution, security by design (and the path of least resistance) and effective education for staff and the Board of Directors, your organization can minimize risks associated with malicious and unintentional insider attacks.

All of the above is why, at Echoworx, encryption is all we do. Our OneWorld encryption platform and cloud security services are a natural extension of existing security programs and offer a wide range of flexible options for secure message delivery. You can learn more about the benefits of Echoworx OneWorld encryption here.

By: Brian Au, IT Specialist, Echoworx


Sources:

https://www.pwc.com/gx/en/services/advisory/forensics/economic-crime-survey.html

15 Feb 2019

Can cybersecurity be a competitive edge?

In the old days, before organizations became customer-obsessed and held off-site leadership events to drill down on their value proposition, information security was simple. There was the CIO and a few stewards of the air-conditioned server room which was invisible to the non-IT eye. Back then, cybersecurity operated in the shadows and it worked just fine … until it didn’t.

Fast forward to today when cyber security is front and centre for senior leadership, boards, customers and partners. All these stakeholders can tell you what Target is now famous for: a customer data breach that cost the company over $200 million[i] to resolve.

And in an increasingly-competitive business landscape, forward-thinking organizations are integrating information security into business processes to avoid becoming the next cautionary tale on the six o’clock news.

Enough to make organizations WannaCry: Evolving cybersecurity threats

The continuously evolving cybersecurity threats organizations face include malicious security breaches and attacks, accidental breaches initiated from well-intentioned employees and known governmental surveillance. Ironically, as businesses benefit from connected infrastructure networks (think of advances in supply chain management, for example), that connectedness also increases the risk of security threats—because attacks can spread across connected networks so quickly.

CIOs and chief security officers are no longer alone at the table advocating for better privacy and data security measures but there’s still room for improvement. The 2018 Global State of Information Security Survey report found that only 40 per cent of corporate boards participate in their organization’s security strategy.[ii]

But perhaps the biggest threat of all is a lingering notion that cyber security is an IT problem. It’s not an IT problem. It’s a business problem. Unfortunately, most business leaders don’t understand the nuts and bolts of data security and digital threats which can make it more difficult to address the issue.

Security specialists may get more traction at the leadership and board level by framing cybersecurity as a competitive edge. That’s not finessing the facts considering that 92 per cent of organizations surveyed through the EY 2018-19 Global Information Security Survey called their information security insufficient.[iii] 92 per cent!

Four ways cyber security investment helps organizations gain a competitive edge:

  1. Reduces compliance risks and fines – Legislation such as the GDPR, HIPAA and PIPEDA affects the way companies do business, and fines can be substantial. Did you know that GDPR violations can cost up to $20 million or four per cent of annual turnover (whichever is greater)?[iv] Since EU citizens are covered under the GDPR even when they’re out of the EU, international companies can stay on the right side of compliance by using proactive policy-based email encryption measures that automatically apply protection to predetermined groups of users (e.g., EU citizens).
  2. Reduces unnecessary cost – The average cost of a single data breach is $3.6 million (USD).[v] But Target’s breach cost 55 times that much, which is why a cybersecurity strategy that protects the downside is so valuable. For example, investing in a flexible encryption platform means encryption can be automated to accommodate any business situation and keep data secure—without any hassle.
  3. Protects the company brand – Inadvertently allowing malicious entities or hackers to access your customers’ personal information is a quick way to reduce or eliminate their trust in you. Imagine how long it will take Equifax to win back the trust of 147 million Americans after the 2017 breach. Investing in proactive cybersecurity measures, like encryption, helps you preserve the fragile relationship that is the reality of digital trust.
  4. Delivers a value proposition for your customers – Your customers may not be able to keep up with the ever-evolving world of cybersecurity, but they expect protection to be a built-in feature of doing business with you. Proactive cybersecurity measures make conducting online business safer and more reliable, which saves customers time, streamlines their experience and delivers real value to them.
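The policy-based automatic encryption mentioned in point 1 above, and in the feature list of the insider-threats post earlier on this page (encrypt when certain information or keywords appear, or when a recipient belongs to a predetermined protected group), comes down to evaluating every outbound message against a rule set before it leaves. The following decision engine is an added illustration written for this page, not Echoworx’s code or policy format; the rule names, regular expressions, addresses and domains are all constructed for the example.

```python
"""Policy-based outbound email encryption decision (illustrative example).

Every rule, address and domain below is constructed for this example and is
not Echoworx's policy format. The engine answers one question per message:
must this message be encrypted before it leaves the organization, and why?
"""
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Decision:
    encrypt: bool
    reasons: list = field(default_factory=list)


# Content rules. A 16-digit card-like number is only reported when it also
# passes the Luhn check, which filters out most order or invoice numbers that
# happen to be 16 digits long (a common false-positive source in DLP rules).
CARD_PATTERN = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
KEYWORD_PATTERNS = {
    "confidential marker": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "SSN-like number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Recipient rules: predetermined groups whose mail is always protected, for
# example data subjects covered by the GDPR (constructed lists).
PROTECTED_DOMAINS = {"example.eu", "example.de"}
PROTECTED_RECIPIENTS = {"anna.data-subject@example.com"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def content_reasons(text: str) -> list:
    """Return the list of content rules that fire on subject + body."""
    reasons = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            reasons.append("content contains a Luhn-valid card number")
            break
    for name, pattern in KEYWORD_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"content matched {name}")
    return reasons


def recipient_reasons(recipients: list) -> list:
    """Return one reason per recipient that belongs to a protected group."""
    reasons = []
    for addr in recipients:
        addr = addr.strip().lower()
        domain = addr.rsplit("@", 1)[-1]
        if addr in PROTECTED_RECIPIENTS or domain in PROTECTED_DOMAINS:
            reasons.append(f"recipient {addr} belongs to a protected group")
    return reasons


def evaluate_policy(msg: Message) -> Decision:
    """Apply content and recipient rules; encrypt if any rule fires."""
    reasons = content_reasons(f"{msg.subject}\n{msg.body}")
    reasons += recipient_reasons(msg.recipients)
    return Decision(encrypt=bool(reasons), reasons=reasons)


# Constructed sample messages exercising each path.
SAMPLES = {
    "plain internal": Message("bob@corp.example", ["amy@corp.example"],
                              "Lunch", "Pizza on Friday?"),
    "card number": Message("bob@corp.example", ["vendor@partner.example"],
                           "Payment", "Card on file: 4111 1111 1111 1111"),
    "looks like a card": Message("bob@corp.example", ["vendor@partner.example"],
                                 "Order", "Ref 4111 1111 1111 1112"),
    "eu recipient": Message("bob@corp.example", ["klaus@example.de"],
                            "Hello", "Your appointment is confirmed."),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        d = evaluate_policy(msg)
        print(f"{label:18} encrypt={d.encrypt} {d.reasons}")
```

The reasons list is what a gateway would write to its audit log, so that a later review can show which rule forced encryption of a given message.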

 

Quick tip: Make your competitive edge easy to use

An information security program likely has multiple lines of defense, including encryption, authorization and data integrity measures, but these systems and processes only work if people use them. We encourage you to implement cybersecurity systems and processes that are easy for employees and customers to use. Because even when cybersecurity is top of mind, most employees and customers won’t be inconvenienced for the sake of security.

By Alex Loo, VP of Operations at Echoworx

——–

[i] https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031

[ii] https://www.pwc.com/us/en/cybersecurity/assets/pwc-2018-gsiss-strengthening-digital-society-against-cyber-shocks.pdf

[iii] https://www.ey.com/Publication/vwLUAssets/ey-global-information-security-survey-2018-19/$FILE/ey-global-information-security-survey-2018-19.pdf

[iv] https://www.echoworx.com/project/encryption-in-the-gdpr/

[v] https://www.ey.com/en_gl/advisory/global-information-security-survey-2018-2019

28 Dec 2018

New Year? New Information Security Challenges!

As we head into the New Year, we reflect on the trials, tribulations and challenges faced over the past year – before outlining specific resolutions to these problems. In the world of information security, these improvements are usually within the realms of identifying threats, preventing cybersecurity issues and staying on top of the latest and greatest in data protection technology.

And what a busy year it’s been! From the introduction of new privacy-building legislation, like the GDPR or California’s AB 375, to new privacy-destroying laws, like Australia’s new encryption laws calling for data backdoors, it’s been quite the rollercoaster. We’ve also seen data breaches and instances of ransomware bring even massive corporate conglomerates, like Marriott, to their knees.

So what is to be done in 2019?

The unfortunate reality of the world of information security is that new threats, new scams and new malicious actors to worry about seem to pop up every day. Staying atop this constantly morphing information is enough to drive someone nuts. And the consequences of falling behind can be detrimental to your business, your reputation and, ultimately, your customers.

This past year, our Distinguished Software Engineer at Echoworx, Slava Ivanov, has made it his mission to gather and consolidate the latest cybersecurity tricks and tips into a concise serial ‘101’ document of definitions. From lighter topics, like the newly emerged Japanese ‘posterior authentication’ technology, which grants access to a system or machine via ‘butt prints,’ to more serious information security issues, like spear phishing, to data protection topics, like the Blowfish cipher used in encryption, Slava’s index of terms offers an excellent primer to anyone starting research on a term.

So, before you formalize your organization’s New Year’s resolutions this year, consider a quick glance at Slava’s ‘Information Security 101’ to see if there is something you missed in 2018!

Click here to browse last year’s top trending information security terms and definitions.

By Nicholas Sawarna, Sr. Content Marketing Specialist, Echoworx

11 Dec 2018

Trouble in Oz: Australia’s New Controversial Data Backdoors

Dangerous privacy precedents are now being set in Australia – a nation traditionally known for its dedication to Commonwealth democratic stability. As of December 2018, Australia has newly minted legislation under its belt which allows its intelligence and law enforcement agencies to demand backdoor access to the sensitive encrypted data of target organizations.

As other friendly governments take note of this new development, this legislation might signal the beginning of dark times for digital privacy and the way we store and share sensitive information.

But first – a little background:

Since their inception, members of the so-called ‘Five Eyes,’ a collective body of intelligence and law enforcement organizations from the UK, the US, Canada, New Zealand and Australia, have been lobbying for more access to their citizens’ data. Gaining access to private citizen data represents a unique opportunity not only to keep an eye on those few amongst us with malicious intent, but also to control and manage their populaces.

In recent history, this has manifested itself in digital ways – from legislation, like the US Government’s PATRIOT Act or the UK’s more recent Investigatory Powers Act, to the use of dangerous euphemisms, like “responsible encryption.” Sensitive digital data is a treasure trove to the Five Eyes, and they have been salivating for years at the prospect of getting in.

Backdoors are still doors

In layman’s terms, the new privacy legislation passed by the Australian Parliament demands that third-party digital service providers create backdoors through which state organizations may access end-to-end encrypted information when prompted. While these requests can be made formally to an organization, it’s worth noting that the authorities also now have the power to demand that individuals at target organizations, from Sally the CEO to Bill in IT, provide this backdoor access upon request.

And these demands have serious teeth.

If an organization refuses a request by an Australian Government body, like a law enforcement agency, they face millions of dollars in fines. Individuals who fail to comply face jail time.

Sound scary?

It gets worse.

There’s a global impact of these new privacy laws

As a member of the Five Eyes, Australia is a major player in the global intelligence community. Not only do this country and its legislation help set the bar for what is acceptable for government intelligence agencies to do, they have also created a dangerous precedent which might spread to other members of the Five Eyes collective.

The danger of testing the depth of a river with both feet

An unintended consequence of creating these backdoors is the new potential vulnerabilities they pose to the very Australian Government organizations that demanded them. While the government claims to have solved major issues of national security with its new ability to spy on its own citizens, it has ironically created dangerous vulnerabilities in its own systems, available for exploitation by malicious agents.

What can be done?

At Echoworx, and throughout the cybersecurity community, we firmly believe in the protection of encrypted data. Without the ability to send and receive confidential data via digital platforms, everyone’s privacy is at risk, and what’s worse, we could be opening doors to the very criminals we’re trying to stop.

By Derek Christiansen, Engagement Manager, Echoworx

25 Oct 2018

Moving Your PGP to the Cloud? Here’s What You Need to Know

Is PGP encryption part of your secure messaging strategy? Are you currently hosting this system on-premise? Ever thought about moving your PGP email encryption to the cloud? It may sound daunting, but, with the right tools and services, moving to the cloud is an investment to consider for you and your customers.

An on-premises PGP system is resource-intensive and requires software installed on your workstations and servers. The demand on your IT department can be considerable – migrating it to the cloud can take a lot of strain off your staff.

Here are a few points to consider if you are thinking of making the move:

Email encryption should be more than just adequate

We have a responsibility to protect the sensitive messages that we send, and we need to do it in a way that doesn’t get in the way of doing business.

An effective email encryption solution has five main qualities:

  • It is easy to implement
  • It can scale to keep up with growing demands and sudden bursts in email volumes
  • It is feature rich, standards-based and current, supporting encryption technologies widely used today
  • It is jurisdictionally aware, so messages sent from the EU, for example, aren’t stored in or sent through the U.S. or other jurisdictions which might compromise compliance with GDPR rules
  • It is operated securely by a trusted vendor which is dedicated to security

Legacy systems shouldn’t stop you moving to the cloud

Moving an on-premises PGP system to the cloud is not only possible; these legacy systems can be migrated without disruption, which is a critical business consideration if your organization sends large numbers of secure messages daily. You also gain access to additional secure delivery methods, like the ability to send messages via a web portal, and additional features, like the ability to custom-brand encrypted messages.

Key management without the management

According to the thirteenth encryption study commissioned by Thales from the Ponemon Institute, key management continues to be a major pain point for 57 per cent of organizations, and many of these organizations report that they still manage their key process manually. This is not a new stat: key management has remained a consistent pain point year over year! Moving to the cloud allows you to simplify your key management process – and automate it.

Why use Security as a Service?

In today’s climate, businesses must scale quickly to meet ever-changing demands. Security threats are always evolving, and technology continues to transform at a rapid pace. New developments such as mobile computing, the Internet of Things, Software as a Service and Infrastructure as a Service are leading to fundamental changes in the way businesses operate.

Working with a cloud Security as a Service provider can bring many benefits. Sheila Jordan, CIO at Symantec, for example, points out that while IT and technology investments can be used to operate and grow a company, the list of tasks to be performed will always be greater than the resources and funds available. IT is often seen as an easy place to cut costs, and in response, CIOs “must prioritize the demands that most directly affect the profitability and financial goals of the company.” CIOs are responsible not only for protecting data, but also for helping companies use that data to generate actionable insights. Moving to the cloud lets organizations track and report in real time.[1]

Thinking about Security as a Service? Here are some questions to consider:

  • What is your risk profile?
  • Is there a specific crisis you’re responding to?
  • Do you have a clear plan in place?

Once the decision to move to the cloud has been made, choose your vendor carefully. Don’t look for a single point solution: if you do, you might find that the solution you’ve chosen has quickly become obsolete or is not the sole focus of a bigger product. Look to your new partner to educate and train your teams and guide your company through the process. Most importantly, get to know the team you’ll be working with, as good relationships can make the difference when dealing with a crisis.

Sheila Jordan from Symantec puts it best: “When you work with a partner that understands your business and where you are headed, they can offer global support and solutions that will grow with your organization. The right partners will always be customer-focused, doing everything in their power to drive your company forward.”

See how easy it is to migrate your PGP to the cloud.

By Christian Peel, VP Engineering, Echoworx

———

[1] Sheila Jordan, “Security as a Service,” in Canadian Cybersecurity 2018: An Anthology of CIO/CISO Enterprise-Level Perspectives, ed. Ajay K. Sood (Toronto: CLX Forum, 2018), 23-45.

27 Sep 2018

Why Are Cybersecurity Audits Important?

The cybersecurity environment is changing. Rates of malicious email and malware continue to rise, and new threats are emerging. Meanwhile, ransomware attacks have become so common that targeted attack groups are now using them as decoys to provide cover for more serious forms of attack.

In a sea of constantly-evolving cyber threats, can your company stay afloat?

If you think a firewall is all you need to consider when assessing the cybersecurity of your digital perimeter, then probably not. After all, cyber attacks are now a question of when, not if, and no one solution is going to solve all the problems. This is where a second opinion can go a long way in understanding the contemporary cybersecurity landscape of threats, available defenses, third-party risk and new regulations.

Enter the cybersecurity audit.

Why conduct cybersecurity audits?

Cybersecurity is a complex web of systems and processes that must evolve in response to threats. And third-party cybersecurity audits help bring clarity and insight. In some organizations, there may be a lack of awareness of how often security policies should be reviewed, and why. IT departments may not have the tools they need to ensure systems are secure. Worse, they might not realize this! And even when cybersecurity is a key element of organizational culture, focus on business scorecards and metrics can keep attention on the past, on threats already faced. Instead, companies must look to the future, to anticipate the threats that have not yet emerged – taking the proactive cybersecurity measures of privacy by design.

How will cybersecurity audits help you?

There are four main reasons why your company will benefit from cybersecurity audits.

  1. They provide knowledge and validation. Audit providers have extensive experience and offer best practices to strengthen company programs. Auditors have training in new regulations (such as the GDPR). They can ensure systems and processes meet current regulatory standards. Auditors can also flag potential issues and suggest improvements.
  2. They offer neutral and objective evaluations of programs. Objective assessments also provide the best picture of how attractive a company might be to hackers.
  3. Third-party audits can be more accurate. Because auditors are not directly associated with the company, they may have a more precise view of the entire organizational structure, including BYOD and mobile devices that might not be an official part of an organization’s workflow.
  4. They help validate your privacy policies to prospective third-party partners. And vice-versa.

What does a cybersecurity audit look for?

Assessment of cybersecurity requires specific technical skills. Auditors must examine server configurations, conduct penetration testing and review security event management rule sets.[1] Not every IT department has individuals with the skills and knowledge to perform these tasks.

In addition, there are complex regulations regarding data protection and privacy, and your organization must follow these regulations in every jurisdiction in which it does business. The recently passed GDPR, for example, requires that data breaches involving data from EU residents be publicly disclosed within 72 hours. Will your company recognize that such a breach has occurred? How well does your company keep personally identifiable information (PII) secure? Your company collects data – is it accessible to your partners, suppliers, or customers? Do your contracts specify how vendors and distributors will handle this data? Do these organizations have systems in place to keep your data secure?

Why are cybersecurity audits important?

A recent PWC report says 87 per cent of global CEOs believe investing in cybersecurity is important for building trust with customers. Yet less than half of businesses worldwide are conducting audits of the third-parties which handle their collected personal data. In other words, there is a 54 per cent chance an organization collecting personal data is not sure whether this data is being adequately protected – despite their CEOs expressing the importance of doing so.

If a company believes in protecting personal data, or, at the very least, wants to avoid an expensive data breach, it must do its due diligence when choosing third-party providers. This is why conducting cybersecurity audits is so important. An organization needs to know where and how its data is stored because, at the end of the day, any organization which collects personal data is ultimately responsible for any data protection claims – claims which transfer to third parties.

We practice what we preach!

At Echoworx, we breathe encryption and work every day to help enterprise organizations protect their sensitive data in transit. It only makes sense that we’d invest in the highest levels of cybersecurity. That’s why our entire organization, top to bottom, is scrutinized by third-party auditors regularly to ensure airtight data protection – and we’re proud of our SOC 2 and WebTrust certifications!

See our cybersecurity qualifications for yourself!

By Alex Loo, VP of Operations, Echoworx

———

[1] http://www.isaca.org/Knowledge-Center/Research/Documents/Auditing-Cyber-Security_whp_eng_0217.pdf?regnum=463832

14 Sep 2018

Is Your Business Vulnerable to Cybersecurity Threats?

In 2017, Deloitte was ranked the best cybersecurity consultant in the world for the fifth year in a row. But later that year, news emerged that Deloitte itself was the victim of an ongoing hack that had lasted nearly a full year.[1]

How could this dramatic reversal have happened so quickly?

Any enterprise is vulnerable to cyberattack. The bigger the company, the bigger the target. For most companies it’s only a matter of time.

Hackers aim to steal sensitive data such as corporate secrets, personal data and intellectual property. Hackers also launch sabotage attacks. The financial damage to the global economy exceeds $575 billion annually—more than the GDP of many countries.

How vulnerable is your business?

Cybersecurity = constant vigilance

Here are some cybersecurity vulnerabilities to watch for:

  • Security misconfiguration. This is the most common and dangerous flaw because it relies on exploiting some simple computing errors, such as running outdated software, using factory default settings and passwords, and using default accounts.
  • Buffer overflows. When an application attempts to put more data into a buffer than it can hold, the buffer overflows. This can let an attacker overwrite memory blocks to corrupt data, crash programs, or install malicious code. These attacks are common and hard to uncover, but are also more difficult to exploit than an injection vulnerability attack.
  • Sensitive data exposure. This refers to any instance of a hacker gaining access to sensitive data, either directly from a system, or as it is in transit between a user and a server. The most direct flaw that can be exploited is a lack of encryption, or encryption that is compromised by weak passwords or lack of multi-factor authentication. Every organization that manages sensitive data may be vulnerable to this type of attack.
  • Broken authentication and session management. Exposed accounts, passwords, or session IDs represent leaks or flaws in authentication procedures. Hackers use these to take over accounts and impersonate legitimate users.
  • Outdated security software or infrastructure. Older equipment doesn’t readily support modern applications, and it isn’t easily protected against current threats.

The threat from hackers is only growing as sophisticated techniques become more widespread. The most recent breach level report shows that an average of over seven million records were lost or stolen every day in 2017 – that’s 82 records a second! And of these hundreds of millions of cybersecurity incidents, only four per cent are considered ‘secure breaches,’ meaning the data stolen was protected with encryption. Over a quarter of these breaches occurred in healthcare.

The newest form of cyberattack is crypto-jacking. Also known as coin-mining, this is the unauthorized use of computers to mine cryptocurrency. Hackers plant code on a target computer using malicious links in emails or infected websites. Symantec reports that coin-mining activity increased by 34,000% during 2017, and that detection of coin miners increased by 8,500%. At the end of 2017 coin-mining activity was also detected on mobile devices, and it will likely grow in this space as well.

Defending your business

While no system is 100% safe from attack, strong encryption is an effective defense tool against hacking.

Keep these tips in mind:

  • Encrypt all sensitive information that hackers or cybercriminals could access.
  • Keep login credentials confidential and protected with passwords.
  • Use multi-factor authentication whenever possible.
  • Practice strong password hashing.
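What “strong password hashing” from the last tip looks like in practice, as an added example that is not code from the original post: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), a constant-time comparison, and a check that lets old records be upgraded when the iteration count is raised. The stored record format `pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>` is an assumption chosen for this example.

```python
"""Strong password hashing: per-user salt, slow KDF, constant-time compare.

Added example, not from the original post. Uses only the Python standard
library (hashlib.pbkdf2_hmac, hmac.compare_digest, os.urandom). The record
format "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is an assumption
made for this example, not a format the post prescribes.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # raise over time as hardware gets faster
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The pattern to avoid: one unsalted round of SHA-256.

    Every user with the same password gets the same digest, so a single
    precomputed table or one leaked digest cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a storable record; a fresh random salt makes each call unique."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than current policy
    (or is unreadable), so it should be re-hashed at the user's next login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("weak digests identical across users:", weak_hash(pw) == weak_hash(pw))
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("strong records differ:", rec1 != rec2)
    print("both verify:", verify_password(pw, rec1) and verify_password(pw, rec2))
    old = hash_password(pw, iterations=50_000)
    print("old record needs rehash:", needs_rehash(old))
```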

We use the cloud. That’s safe, right?

Cloud computing doesn’t protect you from risk. As Sandra Liepkalns, CISO at LoyaltyOne, points out, data still must be stored physically, and “the cloud” just means that you’re using off-site servers. Do you know where those servers are? If your servers are in the United States, do they have the proper credentials to handle GDPR-protected information from Europe? And what about physical threats? Are the servers located in areas prone to flooding or forest fires? What about hurricanes? Or earthquakes?

At the end of the day, every organization is responsible for protecting customer data. After all, it’s not a matter of if your organization will be breached, but when. Don’t be caught unprepared! Minimize the risks and make security integral to all your systems and processes.

By Randy Yu, Manager of Deployment at Echoworx

———–

[1] https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

25 Jan 2018

How bad is bad? Mexico’s threat landscape

Mexico is one of the fastest growing economies in the world, focused on employing technology to spur businesses forward. But this dependency on technology comes with a dark side – businesses are significantly more vulnerable to cyber threats and data breaches.

Mexico has been attracting the attention of malicious cyber threat actors. The attraction is largely thanks to its growing regional and global geo-strategic significance, coupled with the nation’s increasing economic and financial wealth.

According to recent studies, Mexican organizations are facing similar threats to those operating in the world’s most developed economies. Mexico ranks second in Latin America – just behind Brazil – for the most cyberattacks, with the banking, retail, and telecommunications sectors targeted most.

Serious time of reckoning

The prevalence of cybercriminal activity in Mexico, the diversity of financial institutions, and the sector’s growing capital value are all factors that make it a target. Clearly capable criminal groups have besieged the Mexican financial sector by compromising ATMs and defrauding bank customers on a significant scale. Less sophisticated attacks, such as the use of banking Trojans, ransomware, and POS malware, are widespread and pose a significant threat.

Key vulnerabilities observed in Mexico’s cyber landscape are a lack of a cybersecurity culture, old-fashioned system configurations, and obsolete versions of software applications. The right to privacy along with protection of personal information for both individuals and corporations is an extremely relevant issue for international organizations and the public sector. If cybersecurity is not strengthened, more businesses in Mexico will become exposed.

If Mexico wants to be a pioneer of data rights, its new infrastructure must effectively adapt to changes in the way information is transmitted around the world, and it must comply not just with national and regional directives, but with international data protection practices.

The question arises

Is your business at a crossroads? Shoulder the costs of increasing defenses, or become increasingly susceptible to the risk of attacks!

The sound choice would be to migrate towards a proactive model, incorporating security checkpoints, as opposed to a reactive model. Having the right security measures in place could prove to be a differentiator in edging out competitors.

A positive drift

According to PwC Mexico, “91% of Mexican companies have prioritized cybersecurity in their organizations and Mexico is the country with the most investment in cybersecurity in Latin America.” The financial sector has led the way in this area, followed by telecommunications, both of which are Mexico’s most globalized economic sectors.

Here is where the Government of Mexico should work closely in conjunction with private firms. The benefits of furthering research on the issue of data protection would be mutually beneficial, keeping the focus on creating a sustainable and securely growing economy.

Echoworx has responded to Mexico’s data security demands by setting up our advanced encryption platform OneWorld within a local data center near Mexico City. This expansion has been fueled by the increasing demand from multinational enterprises operating in Mexico to process and protect their sensitive information locally.

With our agile email encryption platform, it’s easier than ever for organizations to be compliant, maintain brand reputation, build customer trust, and gain a competitive edge – while maximizing the protection of their confidential communications, intellectual property, and other sensitive data.

Mexico is touted to be among the global leaders in digital transactions, and with security being of paramount concern, safeguarding communications must be a top priority. As a leader in email encryption, Echoworx is focused on strengthening cybersecurity by collaborating with various equally passionate stakeholders to safeguard the collaboration and communication of sensitive information throughout Mexico.

Let’s connect
Our team will be at InfoSecurity Mexico at the Centro Citibanamex in Mexico this May. If you plan to be in town, you’ll find the Echoworx team in booth #209. We will be presenting real use cases of how organizations are gaining value by integrating encryption into their business processes, while securing communications. Stop by and join us for a chat!

By Christian Peel, VP Customer Engineering, Echoworx

05 Jan 2018

Spectre and Meltdown attacks, think the sky is falling?

Like most companies, Echoworx is aware of the recently announced vulnerabilities impacting most modern microprocessors. We wanted to take a minute to provide the following guidance on the Spectre and Meltdown attacks to ensure awareness of the issues and to inform you of the steps that Echoworx is taking to address them.

What are these attacks?

Spectre is actually two different vulnerabilities, and Meltdown is one. Both of these attacks exploit a feature of ‘modern’ microprocessors called ‘speculative execution’. Speculative execution is a technique of prefetching data and pre-executing instructions in case they are needed. Basically, if they turn out not to be needed, remnants of the data are still left behind which can be read by other processes.

The Meltdown attack is the worse of the two in that it can reveal all of the computer’s memory, not just a few bits and pieces of it. Meltdown is also easier to exploit. Fortunately, Meltdown is also easier to patch against. Spectre, on the other hand, is harder to exploit and reveals less, but is harder to address through patches. There are patches out for specific known exploits.

What is affected by these attacks?

“Modern” isn’t so modern… at least not in computer terms. Basically, any Intel processor built since about 1995 would be impacted. Processors from AMD, ARM and others are also impacted to varying extents. There are some reports that certain processors are not exposed to all of the vulnerabilities, but it is unclear whether this has been proven or whether exploitation just hasn’t been accomplished yet. It would be best to err on the side of caution.

What should you as an individual do on your personal devices?

You should always keep up to date with patches, and this case is no different. There are patches for Linux, Microsoft (Windows, Edge, IE), Apple (MacOS, iOS, tvOS, Safari), Android, Firefox, Chrome, and likely many other applications. Applying these will help to protect you.

You should also make sure that your anti-virus/internet security software is up to date. Microsoft has announced that their fixes might have compatibility issues with some anti-virus software. The patch for Windows will not install if you have an outdated AV or one that is incompatible. I would update the AV software first, and then apply the MS patch.

Be aware that some of the fixes to this issue could cause a performance impact. There are some pretty wild estimates of how bad the impact could be, but the vendors I have seen have so far reported minimal impacts. For example, Apple reports a maximum of 2.5% against one benchmark for these fixes.
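Applying the patches is only half the job; the other half is confirming they took effect. On Linux the kernel reports its own view of each issue in one file per vulnerability under /sys/devices/system/cpu/vulnerabilities/ (names such as meltdown, spectre_v1, spectre_v2), each holding a line that starts with “Not affected”, “Vulnerable” or “Mitigation:”. The checker below is an added example, not code from the original post; the sysfs path is real, while SAMPLE_STATUS is constructed so the example also runs on hosts without those files.

```python
"""Report which Spectre/Meltdown-family issues a Linux kernel says are mitigated.

Added example, not from the original post. Linux exposes one status file per
issue under /sys/devices/system/cpu/vulnerabilities/. Each file holds a single
line beginning with "Not affected", "Vulnerable" or "Mitigation:" (newer
kernels may also write "Unknown:"), optionally followed by free text.
SAMPLE_STATUS is constructed for offline use; on a real host
read_sysfs_status() returns the live contents instead.
"""
from pathlib import Path
from typing import Dict, List, Tuple

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the kernel's line format: two issues still open.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}

STATES = ("not_affected", "mitigated", "vulnerable", "unknown")


def classify(line: str) -> Tuple[str, str]:
    """Map one status line to (state, detail).

    The keyword before the first ":" decides the state; the remainder is the
    kernel's description of the mitigation (or of why it is incomplete).
    """
    text = line.strip()
    head, _, detail = text.partition(":")
    keyword = head.strip().lower()
    detail = detail.strip()
    if keyword == "not affected":
        return "not_affected", detail
    if keyword == "mitigation":
        return "mitigated", detail
    if keyword == "vulnerable":
        return "vulnerable", detail
    if keyword == "unknown":
        return "unknown", detail
    # Unrecognised format: flag it and keep the raw text for the operator.
    return "unknown", text


def summarize(statuses: Dict[str, str]) -> Dict[str, List[str]]:
    """Group issue names by state; every state key is present and sorted."""
    report: Dict[str, List[str]] = {state: [] for state in STATES}
    for name, line in statuses.items():
        state, _ = classify(line)
        report[state].append(name)
    for names in report.values():
        names.sort()
    return report


def needs_attention(statuses: Dict[str, str]) -> List[str]:
    """Issues the kernel reports as still open, or whose state it cannot tell."""
    report = summarize(statuses)
    return sorted(report["vulnerable"] + report["unknown"])


def read_sysfs_status(directory: Path = SYSFS_DIR) -> Dict[str, str]:
    """Read the live kernel reports; empty dict on non-Linux or old kernels."""
    if not directory.is_dir():
        return {}
    return {
        entry.name: entry.read_text().strip()
        for entry in sorted(directory.iterdir())
        if entry.is_file()
    }


if __name__ == "__main__":
    live = read_sysfs_status()
    statuses = live or SAMPLE_STATUS
    print("Status source:", "live kernel" if live else "constructed sample")
    for name in sorted(statuses):
        state, detail = classify(statuses[name])
        print(f"  {name:<24} {state:<13} {detail}")
    open_issues = needs_attention(statuses)
    print("Needs attention:", ", ".join(open_issues) if open_issues else "none")
```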

By David Broad CISSP, Information Security and Audit Lead, Echoworx

04 Oct 2017

Is Your Company Practicing Safe … Relationships?

Thank you to all the media who helped us spread the important message of practicing safe communications! They didn’t have to. They had a choice of hundreds to cover but they chose our story. When Trust Matters – Security is Critical.

Getting Personal: In the News

Media Post | Oct 5, 2017 |
People Are More Likely To Share Info In Emails Than On Dates: Study

LittleThings | Oct 3, 2017 |
Study Shows That Americans Trust Computers With Personal Information More Than New People

MensHealth | Sept 28, 2017 |
You Probably Trust Your Computer Way More Than You Trust Your Girlfriend

EBL News | Sept 28, 2017 |
We trust the internet more than new lovers

Yahoo News | Sept 27, 2017 |
We Reveal More On Social Media Than On A Date

USA Today | Sept 27, 2017 |
We trust the internet more than new lovers

New York Post | Sept 26, 2017 |
Americans trust the internet more than new lovers

MSN | Sept 26, 2017 |
Americans trust the internet more than new lovers

InfoSecurity | Nov 28, 2016 |
What Role Does Privacy Play in Your Digital Transformation Strategy?

08 Sep 2017

Privacy by Design – or by Disaster?

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design

Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

  1. Proactive not reactive; preventative not remedial – Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
  2. Privacy as the default setting – Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
  3. Privacy embedded into design – How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
  4. Full functionality – positive-sum, not zero-sum – There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
  5. End-to-end security – full lifecycle protection – With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
  6. Visibility and transparency – keep it open – Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
  7. Respect for user privacy – keep it user-centric – Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.

Still have questions? Watch our webinar, along with Privacy by Design creator Dr. Ann Cavoukian, for an in-depth understanding on how to prepare for the GDPR. 

By Alex Loo, VP Operations, Echoworx

19 Jul 2017

Prime Targets for Cyber Criminals

Today’s cyber criminals have access to advanced tools and sophisticated strategies. Arguably, though, their most powerful weapons are the patience and persistence to mount a sustained attack on your organization if you end up in their crosshairs. If they want to access the data in your network, they will find a way. Their motivation, in most cases, is the revenue they can generate from your sensitive information. But who are their prime targets, and what makes those targets so appealing to cyber criminals?

Conversations That Matter features Dominic Vogel
“Hackers go where the money is, they focus their attention on the top five applications in use.”
According to Vogel, the #1 program under threat is email.

Three common targets for cyber crime are: Law Firms, Financial Services and Brick-and-Mortar Businesses. Within each of these categories, here is what cyber criminals are after:

LAW FIRMS
Cyber criminals are looking for valuable, juicy details hidden inside client files. If they find their way into the network of a law firm, they are not going to be disappointed. They will obtain data that they can directly monetize, or that can be used for a broader social engineering campaign later. Law firms hold all kinds of sensitive financial information (account numbers and other sensitive account details, credit card information), personal information about the firm and its clients, and business insider information. Cyber criminals can find out about a pending business deal and then: a) impersonate one party in the deal to another party, or b) blackmail an individual or company with that information. Cyber criminals can monetize any sensitive data either directly or indirectly in a targeted fashion.

FINANCIAL SERVICES PROVIDERS
It almost goes without saying (but we’re taking it upon ourselves to say it) that when clients of financial service providers give their personal details to their advisors, they expect that information to be safeguarded to the highest degree. Who among us would not insist on the highest standard of cyber security for their private investment or bank account information? Professional services firms are given financial information, social security numbers, sensitive business information, and private family and health information. Cyber criminals can directly monetize this information by selling it on the black market or by gaining access to those accounts. Alternatively, they can send out phishing emails impersonating financial institutions and investment management companies, telling the recipient they need to ‘reset their password.’ Now the cyber criminals have access to the account. In a less direct manner, the information can be aggregated to tell more about a person, and that profile can subsequently be used in an attack. There’s no end to how creative a determined adversary can be in getting their hands on your valuable information, whether directly or indirectly.

BRICK & MORTAR BUSINESSES
Cyber criminals that target Brick-and-Mortar businesses are particularly interested in things like the financial information of their customers, customer lists, company account information, business processes and plans, lists of company suppliers, and intellectual property. Vendors and business partners can have login credentials into your networks, which opens up a significant entry point for a carefully crafted cyber attack. Even seemingly innocuous data can be used against the company. These professional cyber attackers scan for something they can use in a phishing attack to make it sound more legitimate, and then, after getting into an organization’s network, they monetize the data indirectly.

The three categories we have explored in this article are just the tip of the iceberg. The list of professional services, from mortgage brokers to business consultants, is extensive. Accounting firms, for example, have extensive business and personal financial records and hold similar information to law firms. Brick-and-Mortar business is another broad category which could be anything from restaurant chains to manufacturers to retail stores. From hotels to insurance brokerages, the list of prime targets for cyber criminals is long with many subcategories. We will be diving deeper into these and other key cyber targets in future articles and videos.

PRACTICAL ADVICE
If you are concerned about the possibility of a cyber attack on your organization, here are six fundamentally important steps you can take:

  1. Do an inventory of all your valuable assets (intangible assets that you need to protect)
  2. Create your risk register
  3. Select which risks should be treated, and in what order
  4. Select risk treatment options (controls) for each risk in the following categories:
    a. People
    b. Processes
    c. Technology
  5. Implement the controls
  6. Regularly monitor and review the effectiveness of your controls
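To make the six steps concrete, here is an added example that is not part of the original post: a minimal cyber risk register in Python that checks every risk against the asset inventory (step 1), ranks risks for treatment (step 3), records People/Processes/Technology controls and flags categories with no control (step 4), and compares the register with incidents observed during a review period (step 6). The assets, threats, ratings, controls and incident counts are all constructed sample data, and the likelihood × impact scoring and the treatment threshold of 9 are assumptions of this example, not something the post prescribes.

```python
# Added example (not from the original post): a minimal cyber risk register that walks
# through the six steps above. All assets, threats, ratings and controls are constructed.
from dataclasses import dataclass, field
from typing import Dict, List

CONTROL_CATEGORIES = ("People", "Processes", "Technology")  # step 4 categories


@dataclass
class Risk:
    asset: str                      # must appear in the step-1 inventory
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def score(self) -> int:
        """Assumed scoring scheme: likelihood x impact, used to rank the register."""
        return self.likelihood * self.impact


# Step 1: inventory of the intangible assets worth protecting (constructed sample).
ASSETS = ["email system", "client files", "customer list", "vendor VPN credentials"]

# Step 2: the risk register, with step-4 controls already attached (constructed sample).
RISK_REGISTER = [
    Risk("email system", "credential phishing against staff", 5, 4, {
        "People": ["phishing awareness training"],
        "Processes": ["out-of-band verification of password-reset requests"],
        "Technology": ["multi-factor authentication on email", "email encryption"],
    }),
    Risk("client files", "exfiltration after network intrusion", 3, 5, {
        "Processes": ["quarterly least-privilege access review"],
        "Technology": ["encryption at rest", "file access logging"],
    }),
    Risk("customer list", "accidental disclosure by an employee", 3, 3, {
        "People": ["data handling training"],
        "Processes": ["classification and handling policy"],
        "Technology": ["outbound email DLP rule"],
    }),
    Risk("vendor VPN credentials", "compromise of a partner account", 2, 4),
]


def validate_register(register: List[Risk], assets: List[str]) -> bool:
    """Every entry must reference an inventoried asset and use 1..5 ratings."""
    for r in register:
        if r.asset not in assets:
            raise ValueError(f"risk references an asset missing from the inventory: {r.asset!r}")
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"rating out of range for {r.threat!r}")
    return True


def treatment_order(register: List[Risk], threshold: int = 9) -> List[str]:
    """Step 3: risks scoring at or above the threshold are treated, highest first.
    Ties are broken by impact so a severe-but-unlikely risk outranks a mild frequent one."""
    selected = [r for r in register if r.score >= threshold]
    selected.sort(key=lambda r: (r.score, r.impact), reverse=True)
    return [r.threat for r in selected]


def control_gaps(risk: Risk) -> List[str]:
    """Step 4 check: which of People / Processes / Technology has no control yet."""
    return [c for c in CONTROL_CATEGORIES if not risk.controls.get(c)]


def review(register: List[Risk], incidents: Dict[str, int], threshold: int = 9) -> Dict[str, str]:
    """Step 6: compare the register with incidents observed during the review period.
    A treated risk that still produced incidents needs its controls reworked; an
    accepted (untreated) risk that produced incidents needs its likelihood re-rated."""
    findings: Dict[str, str] = {}
    for r in register:
        if incidents.get(r.threat, 0) == 0:
            continue
        if r.score >= threshold:
            findings[r.threat] = "controls ineffective: rework"
        else:
            findings[r.threat] = "accepted risk materialised: re-rate likelihood"
    return findings


if __name__ == "__main__":
    validate_register(RISK_REGISTER, ASSETS)
    print("treat in this order:", treatment_order(RISK_REGISTER))
    for r in RISK_REGISTER:
        print(f"{r.threat}: score={r.score} gaps={control_gaps(r)}")
    # constructed incident counts from one review period (step 6)
    print(review(RISK_REGISTER, {"exfiltration after network intrusion": 1,
                                 "compromise of a partner account": 2}))
```

The point of the `control_gaps` check is that a risk treated only with technology (as the "client files" entry is) still lacks the People leg that the post's step 4 calls for; the `review` step turns step 6 into something that can be run against incident data rather than left as a reminder.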

Completing these action items will get you started on building your cyber risk management framework and hardening your cyber security posture. In order to successfully manage your cyber threats, you need to do the basics well.

“Prime Targets for Cyber Criminals” is a guest post by Dominic Vogel