May 27, 2014 by The GLS Team
The explosion in social media for both business and personal use has blurred the lines between what is acceptable behavior in each environment. The business environment requires that individuals behave responsibly online as respectable representatives of their company. In the personal environment, this is not always the case. Fortunately, there are convenient ways to help employees maintain proper etiquette according to company specific standards, protecting both the individual and also the organization.
Some of the top reasons employees should know about social media security include the confidentiality of sensitive information, the reputation associated with companies and their employees, the security of passwords used for secure and unsecured websites, and the use of appropriate language and topics of conversation in various environments. The social media environment is unique, because our professional and private activities often overlap. When this overlap occurs, employees should be aware that their personal activities have the potential to impact their professional careers.
Strategies for Acceptable Social Media Behavior
Instructing employees on acceptable social media behavior does not need to be a complex or time-consuming process. In most cases, simply making people aware of the risks associated with social media in regards to the organization or professional use is enough to prevent future issues.
The first thing an organization should do is establish what it considers acceptable professional behavior: what can and cannot be shared about the company, and what constitutes confidential information. It is nearly impossible to maintain an organization-wide standard for social media use by evaluating issues case by case as new problems arise. This organization-approved standard can be worked into training programs for employees, such as Global Learning's Social Media Compliance program, which covers global issues that individual employers may overlook.
Common Social Media Security Concerns
Keeping Confidential Information Private
Social media is designed as a platform for public sharing. People share all sorts of information to the general public and complete strangers through social media sites. While this is what attracts people to social media in a personal context, in a business setting, this level of free sharing is typically unacceptable.
Personal and Organizational Reputation
Public sharing is a double-edged sword. Professional online conduct can have a positive impact on the reputation of an individual or the organization he or she represents, just as unprofessional conduct can have a negative impact. Employees should be aware of how their social media use affects the impression of themselves and of the company as a whole.
Appropriate Language and Conduct
People tend to maintain a professional demeanor during business hours and transition to a more relaxed posture in informal settings. Social media, however, is often accessible to the same individual in both environments, and the reader of a post will see no difference between the two. Individuals need to be aware that a post made informally one day can be read by someone expecting a professional the next. This is especially important if you use your personal accounts to connect with professional contacts.
Logins & Passwords
It might be tempting to use the same login information and/or password across multiple accounts or sites; this is, however, a very dangerous thing to do. Different types of sites offer varying degrees of security, and if one site is compromised, the attacker gains access to every account that shares those credentials. It is always better to create unique logins and passwords for recreational use than to reuse those from a professional setting. Using only one password for multiple sites puts all of those accounts at risk if that password is compromised.
Consumers, suppliers, competitors, and employers use social media to gather information about each other. As such, it is important for all involved to use social media wisely. Wise use includes established corporate policies that employees must comply with, presented to each individual who represents the organization. In addition to in-house training, external training programs in social media security offer a convenient, global perspective to help companies avoid the unexpected.
May 22, 2014 by The GLS Team
Recent studies indicate that carelessness and negligent actions of individuals within an organization continue to be the main cause of information security breaches. For self-protection as well as the protection of the organization and its clients, being able to identify and avoid security threats is a priority. The importance of security awareness training has never been so critical.
What is Security Awareness?
Employees who are security aware are individuals who understand there is the possibility of people deliberately or accidentally stealing, damaging, or misusing data contained in a company's computer system and throughout the organization. The intent of security awareness is to stop such theft from happening. The first line of defense is awareness of the different kinds of risks involved and knowledge of safeguards available.
The Cost of Inaction
An IBM Security Services report indicates there were at least 1.5 million monitored cyber-attacks in 2013 in the United States. Not all data breaches are reported, and some companies do not even know they have been compromised. With data moving freely between networks, the cloud and mobile devices, the threat can only increase. It is real, and it can be very costly.
A joint 2013 study from Symantec and the Ponemon Institute indicates the average total cost to an organization of a data breach was $5,403,644. A 2013 UK study from the Department for Business, Innovation and Skills indicated that for small businesses the total cost of a security breach could range from $55,000 to $100,000, and from $700,000 to $1,300,000 for large businesses. The Symantec and Ponemon study showed that about 64% of data breaches were caused by system problems and human mistakes.
Approaches to Improved Security
Every organization must ensure its employees understand the risks in collecting, storing and transferring information and know how to stay protected. Protection requires security awareness training to develop a security-aware culture and associated behavior change within the organization. Of course, employees should learn corporate practices and policies for working with information technology.
Employees must be aware of the value of data as a corporate asset. Corporate data is private information, not to be shared freely. Personnel must also be provided with clear instructions about what to do if a security breach is discovered.
Being able to make better decisions about data protection means employees also have to:
- Be aware of the key vocabulary surrounding cyber security
- Appreciate the outcomes of recent security incidents and threats
- Understand individual responsibilities for protecting company data
- Know the security threats posed by social media
- Implement safe email practices
- Appreciate general protocols for improved safety on the Internet
- Be able to better detect the presence of malware
- Maintain up to date virus protection
- Use best practice approaches for passwords and access controls
- Be able to use appropriate methods of data storage and retention
- Be aware of typical phishing approaches and how to recognize them
- Understand requirements for safe use of mobile devices
- Understand typical approaches to identity theft and safeguards to prevent its occurrence
- Know how to maintain the physical security of equipment
- Follow the dictates of the Federal Information Security Management Act, if it is a company requirement
Additionally, this is not just a one-time training requirement. Refreshers and updates will be needed, and training repeated for new hires.
Most organizations find it is most cost effective and efficient to engage specialist training companies to provide employee information security awareness training. At Global Learning Systems we offer extensive experience in mitigating risk through security and compliance training for organizations. Cutting-edge web-based security awareness courses are available off-the-shelf, and can be customized to organizational requirements and quickly implemented. Policies and procedures can be incorporated, and refresher courses and other materials are available (including posters, newsletters, security news emails, short videos, and more).
May 14, 2014 by The GLS Team
A phishing email usually contains a link with directions asking the recipient to click on it. Clicking the link transports the email recipient to an authentic looking, albeit fake, web page. The target is asked to input information like a username and password, or even additional financial or personal data.
The miscreant who orchestrates the phishing scheme captures this information and uses it to further criminal activity, such as theft from a financial account. Consumers must be on guard against this type of attack. Following are the 10 best practices to avoid phishing attacks. The first four are tied to user behavior; the last six are ways to shore up your software and hardware against vulnerabilities.
1. Never Click on Hyperlinks in Email
Never click on a hyperlink included within the confines of an email. This is particularly necessary if the link is included in an email from an unknown sender. If a recipient feels the need to check out the website the link supposedly is associated with, that individual should manually type the URL into the web browser itself.
2. Never Enter Sensitive Information in a Pop Up Window
Pop up windows represent another tool used by phishers with illicit agendas. An important tactic to prevent phishing attacks is to never enter information into a pop up window. In fact, a person is best served by restricting pop up windows altogether, except at those sites that the individual knows to be trustworthy.
3. Verify HTTPS on Address Bar
Whenever a person is conveying confidential information online, he or she must confirm that the address bar reads "HTTPS" and not the standard "HTTP." The "S" confirms that the data is being conveyed through a legitimate, secured channel.
4. Education on Phishing Attacks
Finally, staying abreast of phishing scams and the technology and techniques designed to prevent them is crucial. A plethora of reliable educational resources exist on the Internet that are designed to assist a person in preventing phishing attacks including our training course here.
5. Keep Antivirus Protection Current
Although keeping antivirus protection up to date may seem like a patently obvious strategy, a surprising number of people fail to take this very basic step. The reality is that identity thieves and other criminals constantly are changing their schemes. Therefore, maintaining current antivirus protection is an invaluable first line of defense against phishing attacks.
6. Utilize Anti-Spam Software
A number of reasons exist for taking advantage of anti-spam software. One of the benefits of this type of software is that it can provide some degree of protection against phishing attacks. This type of software naturally filters out a good amount of phishing emails that would otherwise end up in an inbox.
7. Utilize Anti-Spy Software
On a related note, a person is best served by using anti-spy software as part of a comprehensive effort to prevent phishing attacks. This type of software lessens (although does not completely eliminate) the presence of spyware on a computer. Reducing the amount of spyware that ends up on a computer significantly lowers the risk of a malicious phishing attack.
8. Install and Maintain a Reliable Firewall
Another of the 10 best practices to avoid phishing attacks is in the installation and maintenance of a reliable firewall. A firewall protects against the introduction of malicious code onto a computer, which represents another form of phishing.
9. Protect Against DNS Pharming Attacks
DNS pharming attacks represent a recently developed type of phishing attack that does not involve email or pop up windows. Rather, an individual's local DNS server is said to be poisoned. The net result of this poisoning is that a person's attempt to go to an actual website is interrupted and misrouted to a fake venue. The fake site looks remarkably like the real thing and is designed to capture personal and financial information. For example, a person may desire to go to his or her bank website, but end up at a fake one through a DNS pharming attack.
The only sure way for this type of phishing attack to be prevented is for an administrator to use security techniques to "lock down" a DNS server.
10. Utilize Backup System Copies
A tactic designed to protect against phishing attacks is the creation of backup system copies. By making these copies, a person can revert to an uncorrupted system if a phishing attack is suspected.
In addition, check out this video we created on Email Phishing.
May 13, 2014 by Eric Cates
In the wake of last month's destructive Heartbleed vulnerability, yet another major weakness has been uncovered. Recently, a security flaw was identified in OAuth/OpenID functionality. Please be aware that this could allow someone to obtain your personal information from accounts such as Google or Facebook and could possibly take control of the account altogether.
The scheme behind redirection…
Have you ever been to a site that gives you the option to log in using a third-party account? This allows you to use the credentials from, for example, your Google or Facebook account to log into the current site instead of having a separate username and password for that site.
The flaw enables a fake "log in using a third-party account" page to appear and pass your information to the malicious source in addition to the proper site you were expecting.
CNET reported earlier this week that the flaw, dubbed "Covert Redirect," targets the log-in pop-up on the affected site's domain, which redirects the user after they authorize the third-party account. What is tricky about Covert Redirect is that the fault uses the actual site address for authentication instead of a fake address.
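The mechanism behind Covert Redirect, as an added example that is not part of the original post or any vendor's code: the authorization server's redirect_uri check decides where the token lands, and a check that only matches the client's domain is satisfied by an open redirector hosted on that domain. All hostnames, paths and the token value below are constructed.

```python
"""Added example (not GLS's code): a domain-only redirect_uri check lets a
Covert Redirect through; an exact-match check, as RFC 6749 sec. 3.1.2.2
recommends, rejects it. Hostnames and the token value are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed registration: the client registered exactly one callback URL.
REGISTERED_REDIRECTS = {
    "client-app.example": {"https://client-app.example/oauth/callback"},
}

def domain_only_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: any URL on a registered callback's host is accepted.
    This is the loose matching that Covert Redirect relies on."""
    host = urlsplit(redirect_uri).netloc
    registered = REGISTERED_REDIRECTS.get(client_id, set())
    return any(urlsplit(r).netloc == host for r in registered)

def exact_match_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: the requested value must equal a registered
    redirect_uri as a whole string, so a path on the right domain that
    merely forwards the browser elsewhere is rejected."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())

def client_open_redirector(url: str) -> str:
    """Constructed model of an open redirector on the client's own site:
    /redirect forwards the browser to whatever 'next' names and the URL
    fragment (where an implicit-flow token travels) goes along with it.
    Every other path is served in place."""
    parts = urlsplit(url)
    if parts.path == "/redirect":
        target = parse_qs(parts.query).get("next", [None])[0]
        if target:
            return target + ("#" + parts.fragment if parts.fragment else "")
    return url

def where_does_the_token_land(check, client_id: str, redirect_uri: str,
                              token: str):
    """Run the authorization step under the given redirect_uri validator.
    Returns the final browser URL carrying the token, or None when the
    server refuses the requested redirect_uri."""
    if not check(client_id, redirect_uri):
        return None
    return client_open_redirector(f"{redirect_uri}#access_token={token}")

if __name__ == "__main__":
    covert = "https://client-app.example/redirect?next=https://attacker.example/collect"
    for check in (domain_only_check, exact_match_check):
        print(check.__name__, "->",
              where_does_the_token_land(check, "client-app.example", covert, "t0k"))
```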
What are you facing?
Users affected by this flaw are finding their email addresses, birth dates, and contact lists exposed, and in some cases full control of the account taken over, after entering personal information into these once-trusted sites.
If you use your Google account (or other account) to authenticate into a third party site:
Take a minute, access that third-party site, log in, and change the login method. Set up a separate account at that site, and stop using the third-party authentication method.
To avoid data loss, be careful about clicking links that direct you straight to the log-in of Facebook or Google.
For more security tips and education for your workforce, visit our compliance training page here.
May 08, 2014 by Carsen
Email phishing is one of the most prevalent attacks cybercriminals use today. Our Security Short video below will walk you through the threat and provide you with some tips on how to quickly detect such attacks. Awareness is key to preventing breaches, so feel free to share this with others. Watch it here:
For information on our Anti-Phishing Training Program click here.