April 28, 2017 by The GLS Team
Payment Card Industry Data Security Standards (PCI DSS) is how the credit card industry makes an effort to control cardholder data and subsequently reduce the incidence of credit card fraud. If your organization processes credit card transactions from major issuers like Visa and Mastercard, you must comply with PCI DSS.
Founded in 2006 to fight credit card fraud and identity theft, and to help organizations of all types and sizes adapt to the growing and changing world of online commerce and related technologies, PCI DSS is an industry-wide standard that all organizations should adhere to if they accept credit cards at any point of sale.
How Does PCI DSS Compliance Affect My Organization?
The Payment Card Industry Security Standards Council mandates and administers these standards. You can see a brief overview of the security standards on the council's website.
In general, organizations are required to undergo annual compliance checks by qualified external auditors, or a self-assessment if they have a very small transaction volume. However, PCI DSS is not codified into federal law. Depending on where your organization does business, some states and cities mandate PCI DSS compliance or an equivalent set of standards and practices concerning large volumes of credit card transactions and the data trails they leave.
Nevada adopted PCI DSS into official state law in 2009. Merchants who do business in Nevada must comply with the standards, and if they do, they are shielded from liability under state law. Washington also adopted PCI DSS into law in 2010; it does not actually require organizations to adhere to the standards, but it likewise shields those that do from liability.
Even if your organization does not do business in these states, complying with PCI DSS can help your organization employ better security practices when it comes to credit card data.
Passing a PCI DSS Compliance Audit
The goals of PCI DSS are as follows:
Build and maintain a secure network
Keep sensitive cardholder data safe
Maintain a secure system and address vulnerabilities
Keep access to cardholder data highly restricted
Monitor and test networks on an ongoing basis
Maintain sound information security policies
Each of these goals has its own set of requirements that must be met.
Even if you are doing the self-assessment, or aren't required to comply at all, it's a good idea to be prepared for a PCI DSS compliance audit. While these standards are applied to some of the largest organizations in the world, small and medium-sized businesses can also benefit from these best practices. Taking the following steps will not only help you pass a PCI DSS audit but also improve your overall security:
Only use validated payment software for physical points of sale and online shopping carts.
Never store sensitive cardholder data on paper or even computers.
Make sure all the computers in your network utilize firewalls.
Keep passwords strong on all devices and always change the default passwords on both hardware and software. Two-factor and multi-factor authentication are not required, but are highly encouraged.
Only use PCI-approved PIN entry devices if you accept cards that require a PIN.
Keep your Wi-Fi router password-protected and encrypted.
Perform routine checks on all PCs, PIN devices, and credit card machines to ensure that no one has installed "skimmers" or malware.
Train your employees in best practices for keeping cardholder data secure. Our PCI DSS training course can also give your employees the tools and knowledge they need, with interactive modules, to ensure your organization passes the audit.
Global Learning Systems can keep your organization one step ahead of data thieves all while ensuring that your organization passes all relevant compliance checks. Please contact us today to learn more about our compliance courses and on-site training.
April 28, 2017 by The GLS Team
Each quarter, the Anti-Phishing Working Group (APWG) puts out a report to keep all sectors aware of current cybercrime threats. The APWG is an international coalition of more than 1,800 institutions worldwide, formed to create a unifying force against these threats. Its latest published report offers some interesting insights into phishing attacks and how they are escalating, including which vertical is most at risk. Consider four takeaways worth understanding from the APWG's latest phishing activity report.
1. The Data Proves Phishing Attacks are Escalating
The report states that phishing attacks are up by 65% from the previous year. The total number of attacks in 2016 was 1,220,523, which breaks down to between 70,000 and 156,000 attacks each month, with an average of 92,564. December was the least active month, with 69,533 recorded attacks. The APWG's theory is that phishers deliberately slowed down during the holiday season, focusing more on lower-yielding and experimental targets. The APWG post states that the most attacks came in April.
The increase in attacks includes spear-phishing activity against employee email accounts, putting companies at even greater risk of data theft. Phishing has also become much more sophisticated: attackers take their time to find out which companies and employees are most vulnerable.
2. The Fourth Quarter Reports the Highest Level of Attacks Ever
The APWG began producing this report in 2004. That year, the average number of phishing attacks was just 1,609 per month. With the fourth-quarter numbers in, that average has grown dramatically: the APWG has seen an increase of 5,753% in the 12 years it has monitored this data.
The country most affected by this increase is China, where the group found that 47% of machines were infected. Turkey and Taiwan also reported high infection rates: over 42% of the machines in Turkey show infection, and 39% in Taiwan.
3. The Most Targeted Industry was Retail/Service
Retail has been consistently targeted for a number of years. In the fourth quarter of 2016, this industry accounted for 41.9% of the reported attacks. The financial sector was second at 19.6%, and ISPs were third at 12.6%.
The report also states that the number of brands targeted averaged about 400 per month during the first three quarters but dropped to 264 in the fourth. This supports the idea that phishing decreased somewhat during the holiday season.
4. Phishers Didn’t Require Specific Domain Names to Fool Their Victims
As part of the study, RiskIQ reviews the domain names used in these attacks. Often phishers use familiar domain names, or ones that are very similar to them, in an attempt to confuse their victims. This is known as spoofing. The 2016 analysis found that very few attackers spoof a brand in their domain name, which shows that a spoofed domain is not necessary to fool many Internet users. Attackers could use other tricks instead, such as:
Displaying a fake destination domain when the user hovers over the hyperlink
Using URL shorteners to mask the destination domain
Inserting brand names somewhere else in the URL
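As an added illustration (not from the APWG report or from Global Learning Systems), the following Python check flags the three link tricks listed above from the defender's side: a displayed domain that differs from the actual destination, a shortener hiding the destination, and a brand name placed outside the registered domain. The shortener list, brand list and sample links are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Constructed sample lists for the demonstration, not from the APWG report.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
BRANDS = {"paypal", "apple", "bankofamerica"}


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Assumes no multi-part public suffixes (e.g. co.uk); a production
    check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(anchor_text: str, href: str) -> list[str]:
    """Return human-readable warnings for a link as a user would see it
    (anchor_text) versus where it actually goes (href)."""
    warnings = []
    dest = urlparse(href)
    dest_host = dest.hostname or ""
    dest_reg = registered_domain(dest_host)

    # Trick 1: the visible text looks like a URL but points elsewhere.
    shown = urlparse(anchor_text if "://" in anchor_text else "http://" + anchor_text)
    shown_host = shown.hostname or ""
    if "." in shown_host and registered_domain(shown_host) != dest_reg:
        warnings.append(f"text shows {shown_host} but link goes to {dest_host}")

    # Trick 2: a shortener hides the real destination domain.
    if dest_reg in SHORTENERS:
        warnings.append(f"shortener {dest_reg} hides the final destination")

    # Trick 3: a brand name appears in the subdomain, path or query
    # rather than in the registered domain itself.
    outside = dest_host[:-len(dest_reg)] if dest_host.endswith(dest_reg) else dest_host
    outside += dest.path + "?" + dest.query
    for brand in sorted(BRANDS):
        if brand in outside.lower() and brand not in dest_reg:
            warnings.append(f"brand '{brand}' appears outside the registered domain {dest_reg}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: displayed PayPal domain, real destination elsewhere.
    for w in link_warnings("www.paypal.com", "http://secure-login.example.net/paypal/verify"):
        print("WARNING:", w)
```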
By publishing its quarterly report, the APWG provides businesses with a powerful security tool: they can see the trends in phishing scams and use that information to improve their company's security.
This year, the report detailed that:
The total number of phishing attacks in 2016 was 1,220,523 – a 65% increase over 2015.
The APWG recorded more phishing in 2016 than in any year since it began monitoring in 2004.
The most targeted industry was once again retail/service.
Phishers don't need to choose brand-like domain names to fool victims.
Another practical way to avoid phishing scams is to engage management and staff in a comprehensive training course about the risks of Internet fraud. The Anti-Phishing Training course offered by Global Learning Systems, for example, teaches awareness and avoidance using interactive and scenario-based instruction. Contact us today to learn more.
April 28, 2017 by The GLS Team
Cybercriminals are always taking measures to stay one step ahead of small business owners, so you need to arm yourself with as much information about the latest threats as possible. Small business owners are especially prone to phishing threats.
Phishing uses email, phone calls, mobile and web ads, and other means to get people to hand over logins and other credentials. Phishers are always trying to improve how their fake pages and emails look so that people who open them will click links. Even the smartest and best-intentioned person can easily fall victim to a phishing scam.
Lately, small business owners have been falling prey to a business grant scam currently proliferating on Facebook.
Facebook Fake Government Grant Scam: Real vs. Fake Small Business Grants
There are legitimate grant programs designed for small business owners, such as SBIR/TT (Small Business Innovation Research and Technology Transfer), which offers funding opportunities from federal agencies. State-level programs may also offer startup assistance for new business owners. You can find an exhaustive list of grants currently accepting proposals at grants.gov.
Business grant programs require that owners submit a proposal and follow guidelines: you are never going to hear directly from these grant programs through social media bluntly offering you money. You won't be contacted about government grants by the agencies through a Facebook ad or a "friend" messaging you. A real-life friend could tell you about a grant program, but a legitimate program won't do the following.
The Federal Trade Commission has recently received a rash of reports that social media spoofing, Facebook messages in particular, is being used to tell small business owners about small business grants. Phishers claim that recipients have won a business grant or are eligible for funding. They ask for "confirmation" of the grant, which means the scammer wants your cell number and other identifying information, and this eventually leads to handing over your passwords or paying "application fees". Users opened the messages because they looked like they came from Facebook friends.
You're never going to hear directly from these grant programs if you are not an active applicant. Most people are aware of this scam and have reported it, but victims are disproportionately older small business owners who rely heavily on social traffic and are less mindful of social media spoofing.
Telltale Signs of a Phishing Attack
Phishing attacks come in many forms such as phone scams and robocalls, email fraud, and social media spoofing. Here's what a phishing attempt looks like.
The message is rife with syntax and spelling errors.
You will be asked to contact a specific agency, number, or email because you "won something" or are "eligible" for a grant, bonus, or other large sum of money.
The signature names an institution but doesn't actually link to a real website.
Copypasta: scammers often copy and paste entire copyrights, disclaimers, logos and so on without formatting it to look like the rest of the email.
Staying on Top of Phishing Threats
Preparing yourself and keeping your employees aware of phishing threats is of utmost importance for your business, whether you need to prevent another attack or haven't been attacked yet. Here's what you can do:
Use enterprise-grade email and software systems. These programs often have more safeguards in place than basic versions.
Never open attachments in emails where you're not 100% sure who the sender is.
Invest in anti-phishing training. Global Learning Systems offers a comprehensive anti-phishing training course adaptable for organizations of all sizes, to help your employees stay on top of phishing threats.
Global Learning Systems can keep you one step ahead of hackers and phishers. Contact us today to learn more about how we can keep your organization secure and aware.
April 28, 2017 by The GLS Team
Employee security awareness training is the formal process in which your employees learn the best practices for computer and online security in the workplace. It encompasses the policies and procedures that you enact as an employer so that customer and company information does not get compromised. Your workforce needs to be aware of how to stay secure so that irreparable damage isn't done to your organization in the event of a breach or other major security threat.
Staying secure in the workplace starts with quality security awareness training. Here's why security awareness training has great value for your organization in both the long and short term.
Why Do You Need Employee Security Awareness Training?
We live in the information age and the way that information is handled in the workplace is constantly changing. Your employees need to stay up-to-date on the best practices for staying secure in the office, when using portable devices outside of the workplace, on social media, through email, and much more.
Hackers strive to be one step ahead of security professionals and the people who they train. With proper security awareness training, your employees can learn how to take preventative measures against data breaches and other security threats before they become serious. Your employees should also be trained in the actions that they need to take after a breach has occurred, since the cost of being unprepared and doing nothing as a result is incredibly high.
When complying with both industry standards and regulations, it cannot be assumed that your employees already know these practices. Even if they used these skills in previous jobs, those skills may be outdated and therefore in need of refreshing through training.
Industry Standards and Regulations
Each industry has specific standards and regulations when it comes to the handling of information as well as state regulations that you need to be mindful of.
For example, healthcare organizations must comply with HIPAA when it comes to keeping patient data private. Organizations that handle personally identifiable information (PII) must comply with federal regulations, and your employees must know how to handle this information securely while remaining compliant with the law. Additionally, different industries are held to specific standards (as opposed to binding regulations) for the way data is handled and kept secure.
Compliance with these standards and regulations is important for your organization to function, and since the standards and practices for compliance change frequently, regular employee training on an annual basis may be necessary for your organization.
Types of Employee Training Programs
Employee training programs need to take into account your industry and organization size, your current security policies and procedures, and any other security concerns your organization has. When devising a security awareness program, there are key elements that should be present in each one, such as work area security and authentication.
There are other employee training programs that are tailored to specific needs:
A general security awareness training program is an excellent choice to start with, and it can always be tailored to your industry and organizational security concerns. Some training programs only need to be completed once while others (primarily those meant for compliance and security threats that constantly evolve) need to be undertaken annually.
No matter your industry or the size of your organization, Global Learning Systems offers adaptable employee training that can fit any workforce. Our Employee Security Awareness training course will keep your employees up-to-date on current cybersecurity regulations and best practices for nonprofit, government, and corporate organizations. Contact us today to learn more!