September 01, 2017 by The GLS Team
Just yesterday, the cybersphere sustained another attack--this one targeting personal information and credit card data. The systems of electronics retailer CeX were breached by hackers, leaking customers' names, phone numbers, and addresses, as well as encrypted credit card information. Because CeX is a large firm with locations in countries across the world, up to 2 million people's privacy may have been compromised.
Unfortunately, this attack is not an isolated occurrence. These kinds of cybersecurity breaches happen all the time, making it all the more crucial that corporations--and the individuals who work for them--take every proper precaution. This is where GLS can help. In a statement, CeX said that while it has always had measures in place to protect itself from these kinds of threats, “Clearly...additional measures were required to prevent such a sophisticated breach occurring and we have therefore employed a cybersecurity specialist to review our processes. Together we have implemented additional advanced measures of security to prevent this from happening again.” With a team of extremely qualified information security experts sporting many decades of combined experience, GLS can provide that additional expertise to prevent cybersecurity breaches. In addition to our team’s know-how, our training courses--meticulously crafted and then combined into comprehensive packages--will ensure that every part of your business is secure.
Specifically, if your business deals with personal and credit card information, our Privacy & Data Protection Essentials and Payment Card Industry Data Security Standards (PCI DSS) courses will walk you through every aspect of dealing with and properly protecting such sensitive information. These courses detail, among other things:
- What exactly counts as personal information
- The steps for safeguarding such information: Assessing, Reducing, Protecting, Eliminating and Responding
- What privacy laws are in place in different countries, and how they work
- Financial penalties for compromise of personal information
- Internet safeguards for dealing with credit card information, including email and password security
- Social engineering strategies that target such information
Don’t put your clients’ information at risk. Employ GLS’ expertise and comprehensive courses to safeguard your business, and the private information of others, against hackers. Contact a representative at GLS today to discuss a strategy for keeping your organization secure.
August 15, 2017 by The GLS Team
There's a new piece of malware in the wild called Ovidiy Stealer, and it's looking to steal both individual and company passwords. This password stealer isn't particularly sophisticated, and a corporation with up-to-date antivirus and anti-malware software may not have to worry about it -- yet. Ovidiy Stealer's claim to fame isn't its sophistication but its price. For 450 to 750 rubles (roughly $7 to $13 USD), crooks not only get a license for the malware, they also get support from its author in Russia, who calls himself "TheBottle."
A $7 Piece of Malware?
Believe it or not, it's a competitive market out there when it comes to attracting malware customers. Ovidiy Stealer is dangerous because at $7 it's universally affordable--and appealing. It lures its victims with an executable attachment (often compressed in a zip file), or with a link to an executable file in an email, disguised as something it clearly is not. Once it is run, the malware reads the credentials saved in certain browsers' password stores and sends them to the attacker.
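The delivery method described above (an executable, often zipped, posing as a document) is something a mail gateway or a triage script can check for mechanically. The following Python script is an added example for this post; it is not code from Proofpoint, from GLS, or from the malware itself. It identifies a Windows executable by its PE ("MZ") header rather than trusting the file name, looks inside zip attachments (including nested ones, with a size cap so a zip bomb cannot exhaust memory), and separately flags executable extensions hiding behind document-like names. The sample attachments, file names and the "MZ" stub are constructed in memory and are not real malware.

```python
"""Flag e-mail attachments that carry a Windows executable, including one
tucked inside a .zip, without trusting the file name or extension.

Added example for this post; it is not code from Proofpoint, from GLS, or from
Ovidiy Stealer. All attachments below are constructed in memory for the demo.
"""
import io
import zipfile

# A Windows PE file starts with the two-byte DOS header "MZ". A file name can
# claim to be a PDF or a JPEG; the loader still needs this header to run it.
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".ps1", ".hta")
MAX_INNER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip bombs)
MAX_DEPTH = 3                        # nested archives are a common evasion


def looks_like_pe(data):
    """True if the bytes begin with the PE/DOS 'MZ' header."""
    return data[:2] == PE_MAGIC


def has_executable_extension(name):
    """True if the (lower-cased) name ends in an extension Windows will execute."""
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def scan_blob(name, data, depth=0):
    """Return (path, reason) findings for one attachment, recursing into zips."""
    findings = []
    if looks_like_pe(data):
        findings.append((name, "PE executable (MZ header)"))
    elif has_executable_extension(name):
        findings.append((name, "executable extension, no PE header"))
    if data[:4] == ZIP_MAGIC and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    inner_name = f"{name}/{info.filename}"
                    if info.file_size > MAX_INNER_BYTES:
                        findings.append((inner_name, "oversized entry, not inflated"))
                        continue
                    findings.extend(scan_blob(inner_name, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt or unreadable zip"))
    return findings


def scan_attachments(attachments):
    """Scan a {filename: bytes} mapping and return every finding."""
    findings = []
    for name, data in attachments.items():
        findings.extend(scan_blob(name, data))
    return findings


# --- Constructed sample data (not real malware) -----------------------------

def build_zip(entries):
    """Build an in-memory zip archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# A stub that only carries the "MZ" header; it is not a runnable program.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x00" * 64

SAMPLE_ATTACHMENTS = {
    # Benign document: no finding expected.
    "invoice.pdf": b"%PDF-1.4 constructed benign document",
    # Double extension inside a zip, the classic lure.
    "Payment_Details.zip": build_zip({"Payment_Details.pdf.exe": FAKE_PE}),
    # Executable renamed to look like a photo: caught by the header, not the name.
    "scan.zip": build_zip({"scan_001.jpg": FAKE_PE}),
    # Scary extension but not actually a PE: still worth a look.
    "notes.txt.exe": b"plain text, not a program",
}

if __name__ == "__main__":
    for path, reason in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {path}: {reason}")
```

Running the script prints one BLOCK line for each of the three suspicious attachments and nothing for the PDF. The header check is what matters: an attacker controls the file name, but a PE that does not start with "MZ" will not run, so matching on content catches the renamed executable that an extension filter alone would miss.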
Which Browsers Does it Target?
According to Proofpoint, Ovidiy Stealer is currently targeting the following browsers:
- Amigo browser
- Google Chrome
- Kometa browser
- Opera browser
- Orbitum browser
- Torch browser
The savvy user may note that it doesn't target Internet Explorer, Safari, or Firefox, but given that this password stealer is being actively developed, it may prove problematic for those browsers in the future as well.
Why Should Companies Be Concerned About Ovidiy Stealer?
Ovidiy Stealer isn't aimed simply at stealing individuals' passwords. Anyone targeted could inadvertently execute the password stealer themselves, handing the criminals passwords for company bank and investment accounts, financial records, medical records, cloud services, and more. Just one breach could result in serious damage and even serious fines, depending on the nature of the compromised data.
Is There Any Way to Prevent Ovidiy Stealer from Stealing a Company's Passwords?
The good news is that while Ovidiy Stealer is targeting a large number of accounts, it isn't particularly cutting-edge. A precaution as small as enabling two-factor authentication limits what a stolen password is worth and will reduce the number of exposed accounts. Using a password manager so that every account has a unique password, keeping credentials in the manager's own locked vault rather than the browser's built-in store (the store this malware actually reads), and making certain that passwords can be changed quickly across all accounts if a machine is compromised, is a good first step. But none of that addresses the human element. All the antivirus and anti-malware protection available doesn't protect computer systems if users are unaware of the risks and still click on harmful links or accidentally run malware.
Addressing the Human Factor
Global Learning Systems offers comprehensive online security awareness training that can show employees how to spot threats like Ovidiy Stealer and avoid turning their companies into malware victims. They have a wide variety of security courses designed to train employees to remain vigilant when it comes to viruses and malware. They offer Information Security Awareness Training Courses which cover the basics, such as phishing/social engineering, Internet safety, mobile security, email safety, and identity theft. They also offer their Information Security “Best Practice” Modules Suite which provides the learner ways to put into action best security practices in everyday online use. They also offer role-based training and compliance courses which will train employees to assure compliance with specific regulations.
While Ovidiy Stealer isn't the most sophisticated malware out there, its low price means it is likely to be widely used, and it has the ability to become a real threat to any organization. A company can thwart this attack using:
- Two-factor authentication
- A powerful password manager
- Training that will teach its employees to recognize potential threats
Contact Global Learning Systems today and find out how you can protect your company from Ovidiy Stealer and other malware threats.
August 11, 2017 by The GLS Team
HIPAA, or the Health Insurance Portability and Accountability Act, was enacted in 1996; its Privacy and Security Rules require that patients' medical records remain private and accessible only to the patient and the healthcare professionals who need them. Failure to comply with HIPAA can result in steep fines and even criminal penalties. The minimum penalty for non-compliance due to willful neglect--if it is corrected--is $10,000 for each violation and up to $250,000 per year. The maximum penalty is $50,000 for each violation, and up to $1.5 million in a year. Even if HIPAA regulations are violated out of ignorance, the maximum fines can reach $1.5 million. And what counts as non-compliance? The list includes lost and stolen devices, hacking, lack of training, third party disclosure, and employee dishonesty.
Lost and Stolen Devices
According to the Texas Medical Association, mobile devices such as laptops, tablets, thumb drives, and smartphones are more likely to be lost or stolen than other pieces of equipment, and so are a common cause of HIPAA non-compliance. Even if employees do as little as check their work email on their smartphones, a lost phone whose mailbox contains any protected health information (PHI) can count as a serious breach of HIPAA compliance.
Theft, unfortunately, happens all too often, and a single laptop theft can result in huge fines if the device is not encrypted so as to prevent access to PHI. Encryption is an "addressable" rather than "required" specification under the HIPAA Security Rule, so it is not strictly mandated, but PHI that is encrypted according to HHS guidance is not considered "unsecured", which means the loss of a properly encrypted device does not trigger the breach notification requirements. Encrypting sensitive data is therefore the simplest way to keep a lost or stolen device from becoming a reportable breach.
Hacking
Making up 23 percent of HIPAA violations, hacking is the second most common cause of HIPAA non-compliance. Weak passwords, unintentionally downloaded malware, internet worms, phishing, and insufficient firewall protection offer hackers a way into systems and thus a way of obtaining PHI. Hackers can be deterred by strong passwords, prompt patching, and firewalls. All software should be kept up to date to close known security holes, and anti-malware and antivirus software running regular scans will also help prevent breaches.
Lack of Training
Lack of HIPAA compliance training is also a crucial reason why HIPAA violations occur. It is not enough for only the owner or the upper management team to receive HIPAA compliance training. HIPAA violations frequently occur at a lower employee level, where office staff, contractors, volunteers, and others who have access to PHI may unknowingly violate HIPAA rules. Global Learning Systems specializes in HIPAA compliance training for all employees.
Third Party Disclosure
It isn't sufficient for a company or clinic simply to maintain its own HIPAA compliance. Under the HIPAA Omnibus Rule, companies are also responsible for their business associates, and even for their business associates' subcontractors. So, if a business associate or one of its subcontractors violates HIPAA by putting the company or clinic's PHI at risk, the company can be held liable. For this reason, it is crucial that a company's owner or manager scrutinize business associates' compliance plans before partnering or entering into a contractual agreement with them.
Employee Dishonesty
Whether they are accessing PHI with malicious intent or out of simple curiosity, if an employee does not have the right to access certain patient records, they can put the company in breach of HIPAA compliance. Global Learning Systems can provide employees with HIPAA compliance training so that they fully understand the dangers and risks of accessing sensitive patient records without authorization. With our training, employees will learn that illegally accessing--not to mention stealing--protected health information can result in termination, strict fines, and even jail time.
HIPAA violations can occur at any time, which is why it is so crucial that companies and clinics be on guard when it comes to their patients' sensitive information. In particular, they should guard against:
- Lost and stolen devices, by encrypting the data on every portable device.
- Hacking, by insisting on strong passwords, up-to-date software, firewalls, and anti-malware and antivirus software.
- Lack of training, by having all employees, contractors, and volunteers participate in HIPAA compliance training.
- Third Party Disclosure, by ensuring all third parties and their contractors have proper HIPAA compliance plans.
- Employee dishonesty, by properly training employees in HIPAA compliance to deter violations.
Global Learning Systems can help instruct you and your employees in HIPAA compliance, and help you put safeguards in place against each of these common causes of breaches. Contact us for all your HIPAA compliance training needs.
August 03, 2017 by The GLS Team
Business ethics is constantly evolving to meet the needs of our current societal norms and expectations of business leaders. With more Millennials becoming business leaders and simultaneously representing a significant percentage of retail sales, the generation's values are definitely reshaping how corporate ethics are approached. How closely are you examining business ethics in your organization, and prioritizing your policies concerning ethical conduct, stakeholder relationships, and social responsibility?
Corporate Social Responsibility
Corporate social responsibility (CSR) measures are incredibly important to the 18-35 demographic today, with the Millennial generation being more responsive to CSR initiatives in terms of both employment and consumption.
86% of Millennials claim that it's not merely preferable, but a priority, to lend their talent to a workplace that is socially responsible. Social responsibility isn't just a platitude that gets thrown around boardrooms but a proactive approach that encompasses any and all of the following, and more:
- Using local suppliers
- Buying and hiring American
- Diverse hiring initiatives
- Investing in green, sustainable production methods and workspaces
- Addressing workplace harassment
- Fair wages and benefits to all employees, not just white-collar professionals
- Making workplace safety a priority
- Charitable giving initiatives (including paid time off for volunteer work)
The list goes on, but CSR scorecards are based on how well the organization treats its employees and the planet by the decisions made.
Hyper-transparency in the Internet Age
Millennials are more skeptical of businesses than previous generations. Because they are digitally-connected, the younger generation wants to see actions and not words when it comes to promises made to both the organization's workers and the public.
Business ethics accounts for transparency, but to what extent? Are your policies up-to-date to be hyper-transparent in the internet age, where immediate action is expected and claims can be debunked in seconds? With this constant state of connection, organizations can't afford to not be hyper-transparent today.
Being Good to People and the Planet = Good for Profit
Also known as the "triple bottom line", business practices that are good to people and the planet don't have to compromise profits.
Millennials want to see more than the CEO cutting a large check to a charity in order to keep up appearances. By adopting policies that are friendly to workers and consumers alike, and greener practices that are better for the planet than those chosen merely to produce larger profit margins, the triple bottom line actually increases. As Millennials continue to be maligned for "killing" types of businesses known for exploitative labor practices--such as the diamond industry and chain restaurants--they are simply voting with their wallets in favor of businesses that have a strong triple bottom line.
It may be good for profit margins to ask employees to take work home or do clean-up off the clock, and sometimes it may even be legal. But since it's highly unethical, don't expect Millennials to be too excited about increasing your bottom line when there are organizations more committed to the triple bottom line. The same goes for continuing to use suppliers who don't engage in environmentally-friendly practices or who support causes that are seen as harmful.
Being good to both people and the planet is better in the long run. Millennials are committed to making businesses they lead, own, and patronize adhere to the triple bottom line.
Business ethics involve more than staying compliant with regulations, putting up a front for public relations purposes, or even switching just one supplier or changing one policy and only after immense public backlash. Social and ethical responsibility are ongoing commitments that are integral to attracting and retaining both customers and employees in the Millennial generation. Global Learning Systems can keep you up-to-date on the latest trends in corporate social responsibility and ethics training with our comprehensive business ethics training course. Contact us today to learn more!
July 31, 2017 by The GLS Team
Phishing. Social engineering. Cyber attacks aimed at specific corporations. These are some of the concerns raised by the IT security professionals surveyed at the Black Hat USA 2017 conference, and they are no doubt concerns of any manager responsible for making certain his or her company is compliant. The Black Hat survey offers an eye-opening look into the cyber threats facing businesses today. Of the 580 IT security professionals surveyed, about 66 percent worked for large corporations with more than 1,000 employees. Respondents could select up to three answers per question, so the figures below reflect each respondent's top three concerns rather than a single choice.
Security Foremost in the Minds of Black Hat Attendees
As might be expected, most IT professionals who attended this conference were concerned about their company's security. More than two-thirds (67 percent) of those surveyed expected that within the next 12 months they would have to deal with a serious security breach. Three in five (60 percent) were concerned that there would be a cyber attack on US critical infrastructure. These attendees also felt that they were short-staffed to handle the crisis when it happened. A majority of professionals (71 percent) stated they didn't have enough staff to adequately combat such a cyber attack, and 61 percent felt that they could use more training to combat these threats effectively.
When asked what consumed most of their time, 35 percent of the respondents said that counteracting phishing, social engineering, and exploitation of social media took up most of their day. Indeed, these attacks are the biggest concern of half the attendees, showing how serious a problem it is. This problem is widespread and could affect your company.
What's Responsible for Breaches in Security?
It's not surprising that IT security professionals worry about phishing and social network exploitation as causes of breaches; the surprising part is what -- or rather, who -- is actually to blame. Nearly one-fifth of the security professionals at Black Hat said that they spent most of their time compensating for accidental data leaks by users who did not follow security procedures. This was also a major concern of 21 percent of the IT professionals who answered the survey.
About one third of the IT security professionals spent most of their time keeping their company compliant with regulatory and industry security guidelines. Even so, more than a quarter (26 percent) were constantly fixing security vulnerabilities introduced by their own application developers, and more than one fifth (21 percent) spent most of their time fixing mistakes made by someone in the company, or external attacks, that caused their company to become non-compliant.
Clearly, security breaches are a serious problem, and they are often caused by employees who do not fully understand the procedures or do not recognize the seriousness of their actions. Although more employees are taking IT security seriously, 58 percent of respondents did not believe non-security employees fully understood the security issues IT faces. In fact, 13 percent of IT professionals said that their users were "completely clueless." Not a confidence builder if you're the manager who must ensure your company is compliant with regulatory and industry security guidelines.
Your Employees Are Your Greatest Danger -- and Greatest Asset
Your employees are the lifeblood of your company, but they are also your biggest security risk. Uneducated, your employees could accidentally cause security breaches that could cost your company thousands, or even millions of dollars. You can mitigate those risks through training. When each employee learns the dangers to the company and learns the correct security procedures, he or she becomes part of your "human firewall." Your employees can stop security risks before they even occur by understanding and following your company's security procedures.
At Global Learning Systems, we offer courses tailored to enhance security awareness and thwart security breaches. We offer:
- Information Security Awareness Training Courses
- Information Security “Best Practice” Modules Suite
- Simulated Social Engineering Exploit Testing, Accompanied with Robust Phishing Awareness Training
- Security Awareness Role-based Training and Compliance Courseware
With more than 25 years of experience in training employees, we can help you build your "human firewall" and give you peace of mind. Contact us at Global Learning Systems today.