December 28, 2011 by Carsen
A few days ago, I read that Good Technology's first Bring Your Own Device (BYOD) report found finance and healthcare are among the top industries to adopt BYOD policies.
While these industries have some of the greatest need for security, I find it interesting they are opening the door for this policy.
According to Good, the rise in popularity and proliferation of smartphones and tablets has driven the "Consumerization of IT" with employee requests to use their personal, mobile devices for professional tasks. Because of this, IT departments are developing policies to allow employees to access confidential enterprise data and information with their own smartphones and tablets.
Here are the key findings from Good’s report:
1. Highly Regulated Industries Embrace BYOD: Large companies from the finance/insurance and healthcare industries dominate the overall BYOD picture, with retail/wholesale and government less likely to support BYOD.
2. Big Companies Get BYOD: 80 percent of those supporting BYOD have over 2,000 employees; 60 percent have over 5,000 employees; and 35 percent have over 10,000 employees.
3. Employees Are Willing to Pay for Personal Choice: 50 percent of companies with BYOD models are requiring employees to cover all costs, and their users are taking them up on the offer; 45 percent provide their employees with a stipend or "expense back" options to help subsidize the cost of their mobile device or service plan.
4. Offering BYOD Stipend Increases: Companies that offer BYOD stipends have the highest rate of employees using mobile devices when compared to companies that require employees to cover all BYOD costs themselves, or allow for expense-back of service plan costs but limit it to users with management pre-approval.
5. BYOD Goes Global: Many believe that BYOD "doesn't work" outside the U.S. due to privacy laws or greater exposure to highly variable roaming costs. Our data clearly shows otherwise – with nearly half (44.9 percent) of respondents indicating they are deploying BYOD programs in multiple countries.
December 12, 2011 by Carsen
Online perpetrators are not taking holiday vacations this year
This holiday season, as gifts are purchased online and in stores across the world, unfortunately some see this as an opportunity to steal your online banking credentials. So while you shouldn’t be scared to buy Grandma that scarf she’s been wanting, you do need to be wary of a new spear phishing campaign.
The FBI Denver Cyber Squad released information on the new campaign that involves personal and business bank accounts, financial institutions, money mules and jewelry stores:
“The campaign involves a variant of the ‘Zeus’ malware called ‘Gameover.’ The spam campaign is pretending to be legitimate emails from the National Automated Clearing House Association (NACHA), advising the user there was a problem with the ACH transaction at their bank and it was not processed. Once they click on the link they are infected with the Zeus or Gameover malware, which is able to key log as well as steal their online banking credentials, defeating several forms of two factor authentication.”
Okay, so how do you stay away from this trick and others like it?
Well, here are three simple tips to remember this holiday season to be sure you do not take the bait:
1. Be wary of emails from senders you have never seen before. Even if the subject line is tempting with an urgent call to action, look at the source and be cautious of the sender.
2. Understand your bank’s policy on communication, and call your bank if a message seems urgent to confirm the email’s validity.
3. If you are sure the link is okay to use, still copy and paste it into a search engine to see whether it leads to a valid site. If someone has reported it as spam, that report may appear at the top of the organic search results, and you will know there is a good chance the link is fraudulent.
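As an added example (not part of the FBI notice or of this post), here is a small Python check a mail administrator could run over incoming messages for the lure described above: a sender that claims to be NACHA but writes from another domain, the "ACH transaction not processed" wording, and links that lead away from the claimed organization. The sample messages and the .example domains are constructed, and treating nacha.org as the only legitimate domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: nacha.org is the only domain a genuine
# NACHA notice would come from or link to.
LEGIT_DOMAIN = "nacha.org"
# Wording of the lure the FBI notice describes (an ACH transaction "not processed").
LURE_PHRASES = ("ach transaction", "not processed", "was rejected")


def check_ach_lure(raw_message):
    """Return reasons a message looks like the NACHA/ACH lure (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    # Check 1: display name or subject claims NACHA, but the address is elsewhere.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_nacha = "nacha" in (name + msg.get("Subject", "")).lower()
    if claims_nacha and sender_domain != LEGIT_DOMAIN:
        findings.append(f"claims NACHA but sent from {sender_domain or 'unknown'}")
    # Check 2: the body carries the lure wording (single-part text only here).
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = [p for p in LURE_PHRASES if p in body.lower()]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    # Check 3: any link points somewhere other than the claimed organization.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != LEGIT_DOMAIN and not host.endswith("." + LEGIT_DOMAIN):
            findings.append(f"link to {host} instead of {LEGIT_DOMAIN}")
    return findings


# Constructed sample messages (not real mail); .example domains are reserved.
PHISH = """From: NACHA Payments <alerts@nacha-notify.example>
Subject: ACH transaction rejected

Your ACH transaction was not processed by your bank.
Review the report here: http://ach-report.example/view?id=1234
"""

LEGIT = """From: Payroll <payroll@corp.example>
Subject: December pay statement

Your December pay statement is available on the intranet.
"""
```

These are heuristics for triage, not proof: a message that passes all three checks still deserves the "call your bank" step from tip 2.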
For more information on this FBI investigation and the campaign details, click here.
The most effective way to keep your users safe is to provide annual Security Awareness Training to help them identify and avoid threats. Check out our Security Awareness Training course to get started.
December 05, 2011 by Robert Hodges
I thought I would share a few malicious emails I received this week because it’s not always obvious if an email is a scam or legitimate. There is often something that gives it away, but you need to be looking for it.
First, if you receive an email claiming to be from [email protected]... or something similar, delete it and do NOT click on the link.
This week our employees were sent some end-of-year paperwork, and many of you are probably going through the same process. Your first response to an email from your domain might be “Oh, this is the [HR paperwork] I was expecting!” But the attachment or link in this email is actually a malicious attack.
If someone at your organization really sent you an attachment, it would most likely come from a person you recognize, not from a generic address (unless it is a general mailbox you are already familiar with). Regardless, it’s usually a good idea to check with your manager or the person who sent it before you act on the message, especially if you weren’t expecting it or are not sure what it is.
Second, especially if you are in sales, do not believe every “lead” is legitimate. I recently received a message similar to this:
I would like to make an order, and ship to New York, NY or pick it up from your store. And my payment will be through my credit card.
Please let me know if you can assist me with the order, and please do not forget to include the website of your PRODUCT in your reply. Your quick response will be highly appreciated.
Your first hint that this is a scam is that the person doesn't even know what product she supposedly wants to buy. By saying, "include the website of your PRODUCT in your reply," the sender shows she doesn’t even know which organization you are associated with. So how could she be ready to make a purchase?
Once you collect the payment (from a stolen or fake credit card), they will either pick up the product and vanish before the charge-backs arrive, or, in another common international variant, ask you to wire part of the money to their “3rd party shipping company,” which is simply a fake business that takes the money and vanishes, again before you see the charge-backs hit. Be aware that legitimate shipping requests will ask you to use the shipper’s account number, not to wire money directly to a shipper’s bank account.
These are just two examples of recent malicious emails I have received. You may receive a handful of similar attacks, and these scammers are very creative at pretending they are interested in purchasing.
Here at GLS, we have our employees take our Information Security Awareness course to be sure they are ready for similar and other attacks. For information on how this course can help Information Security Awareness within your organization click here.
December 01, 2011 by Robert Hodges
“Someone has been tweeting horrible things about you. Click this link to see what they have been saying.”
This direct message is what I opened this morning in my Twitter account. Another one I received recently was similar in format but said, “someone has written an awful blog about you, click here to see it.”
Now, naturally I do not want there to be lies and rumors spread about me or the organization I work for, so of course I wanted to click and be sure this was not true. But don’t do it! It is a trap, and there are many like it.
Just when you think Apple is giving away free iPads or Target is giving away $100 gift cards, you realize you have been tricked by your “best friend,” or more likely by the hacker who used your best friend’s name to spread the false offers. These are all tempting to click, but use common sense and understand these tricks are out there. It is also important to take steps to be sure you don’t become that “best friend” who is spreading the spam.
One man I know lost his son to a tragic accident several months ago, and his Facebook wall was flooded with comments offering condolences. Then I saw one random post of a friend sharing about a great deal with the link to the deal attached. Now, you know that had to be spam, and this happens all too often, even at the worst times. How embarrassed would you be to see that your organization or personal account was hacked and posted about deals on a person’s wall in a situation like that?
For this reason, as well as the fact that you do not want to download viruses, take precautions to make sure none of the above happens to you.
Starting with the basics, don’t ever share your password with others, and use different passwords for all your sites. Do not open a link unless you are absolutely sure it can be trusted. Even then, I would copy the link, open a new window, then paste it in a search engine to be sure the site is legitimate.
If you are the social voice of your organization, experts recommend that the organization create house rules. These social media house rules can be published on your organization’s site for your consumers to see and/or used as internal rules for consistent messaging and safety.
Consider only giving one person access to your main site, or if you need to have more than one administrator, an article in The BrainYard suggested using third-party applications such as HootSuite so multiple employees can post but only one will have access to the passwords of the actual sites.
The article titled “5 Ways Enterprises Can Stay Safer On Facebook” had some other great points from Andre Eaddy, director of cybersecurity portfolio services at Unisys, that I believe are important.
Eaddy suggested taking action quickly if there is a compromise: when an organization’s brand or reputation has been jeopardized, employees need to act immediately and be sure the right messaging is produced to alleviate the damage.
Another important item to remember as an organization is that if you have given multiple people access to the organization’s social site, the organization may face issues down the road if one of those employees leaves or the relationship turns. For this reason, precautions should be considered before deciding to allow multiple people to manage your site.
Eaddy also offers similar steps, such as not sharing passwords and educating the organization’s social media users.
To sum it up, be smart about social media. Just because a message looks personalized, it doesn’t mean it is. Just because an offer seems appealing does not mean you should click it. While social media is a great tool for you to connect with your employees and consumers on a more personal level, you must understand the dangers before you decide to activate these sites for your organization.