How Cyber Hygiene Keeps Your Business System Safe

These days, your business computer system faces many threats: malware and viruses aren’t the only things you have to worry about. Phishing attacks, social engineering, and password crackers all pose risks to the security of your system, and to the safety of your business’s, your employees’, and your customers’ personal information.

By practicing good cyber hygiene, you can protect your business system from the many threats it faces. Cyber hygiene involves mitigating risks by implementing best security practices. Even without a dedicated IT security staff, you can protect your business by using strong passwords, implementing multiple levels of security, updating software regularly, and training your employees to resist social engineering attacks.

Use Strong Passwords

It might seem simple, but using strong passwords is a fundamental aspect of cyber hygiene, and one that many system users still struggle with. It’s all too common for users to create generic, easily guessed passwords, like password123, often because they’re worried about remembering a complicated one. Even a more personal password, like the name of a child or pet, can be easily guessed by hackers who have access to your or your employees’ social media feeds, or by software that can crack passwords in a matter of minutes.
Passwords are your business system’s first line of defense against hackers, so it’s important that you and your employees use strong passwords to access the system, use password-protected apps, or open files that contain sensitive data. Use a password manager like LastPass to generate and store secure passwords that can’t be easily guessed by password cracker software. Change your own password, and encourage employees to change theirs, at least every few months.
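The two habits above (reject passwords that are short, common, or built from personal details; generate replacements with a proper random source) can be checked mechanically. The following is an added example written for this page, not code from the original article; the minimum length, the 50-bit entropy floor and the tiny list of common passwords are assumptions chosen for illustration, and a real deployment would check against a large breached-password list instead.

```python
"""Password hygiene helpers: a policy check and a generator.

Added example, not code from the original article. The policy thresholds
(MIN_LENGTH, the entropy floor, COMMON_PASSWORDS) are assumptions.
"""
import math
import re
import secrets
import string
from typing import List, Sequence

# Constructed sample of commonly guessed passwords; a real deployment would
# load a large breached-password list here instead.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "qwerty", "letmein", "welcome",
}

MIN_LENGTH = 12          # assumed policy minimum
MIN_ENTROPY_BITS = 50.0  # assumed floor for the rough estimate below


def estimate_entropy_bits(password: str) -> float:
    """Rough estimate: length * log2(size of the character classes used).

    This overstates entropy for structured passwords such as "Fluffy2014!",
    which is why it is combined with the pattern checks in check_password.
    """
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, personal_terms: Sequence[str] = ()) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms: words an attacker could read off a social media feed
    (a child's or pet's name, the employer), which the article singles out.
    """
    problems = []
    lowered = password.lower()
    # Strip trailing digits/punctuation so "password123!" still matches "password".
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("matches a commonly guessed password")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains personal term '{term}'")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password with the secrets module (CSPRNG), as a manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require every character class so the candidate clears the policy above.
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("password123", "Fluffy2014!", generate_password()):
        print(pw, "->", check_password(pw, personal_terms=["Fluffy"]) or "OK")
```

The entropy estimate alone would pass "Fluffy2014!", which is exactly the kind of password the article warns about; the personal-term and common-password checks are what catch it, so keep both kinds of check together.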

Keep Sensitive Info on a Need-to-Know Basis

Your business system may contain a wealth of sensitive information that could be valuable to hackers, including your employees’ personal info, customers’ payment info, and more. It’s worth considering whether you want everyone in your organization to have access to all of this info every time they log into the system. You may want to put sensitive info behind additional password protection, so that only those who need to access the info can get to it. This will mitigate your risk from insider threats, and it’ll also put an extra layer of security into your system so that a hacker won’t be able to access sensitive info with a random employee’s password. Limit administrative privileges to those who need them.
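One way to make the need-to-know rule concrete in code: classify sensitive fields, grant read access per role with nothing granted by default, require an extra authentication step before any sensitive field is returned, and keep administrative rights separate from data access. This is an added example written for this page, not code from the original article; the roles, the field names, the "step-up verified" flag and the sample record are all constructed assumptions.

```python
"""Need-to-know access control for a small business record store.

Added example, not code from the original article. Roles, field names,
the SENSITIVE_FIELDS classification and the step-up flag are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Field-level classification: these fields need an explicit grant and step-up.
SENSITIVE_FIELDS = frozenset({"ssn", "card_number", "salary"})

# Role -> fields that role may read. Nothing is granted by default; sensitive
# fields must be listed explicitly for a role (need-to-know).
ROLE_READ_FIELDS: Dict[str, FrozenSet[str]] = {
    "sales":   frozenset({"name", "email"}),
    "payroll": frozenset({"name", "email", "salary", "ssn"}),
    "billing": frozenset({"name", "email", "card_number"}),
}

# Administrative capability is a separate grant, not a superset of read access,
# so a compromised admin password alone does not expose customer data.
ADMIN_ROLES = frozenset({"it_admin"})


@dataclass
class User:
    username: str
    roles: FrozenSet[str]
    step_up_verified: bool = False  # passed the extra authentication for sensitive data


def allowed_fields(user: User) -> FrozenSet[str]:
    """Union of the read grants of all of the user's roles (empty if none)."""
    granted: FrozenSet[str] = frozenset()
    for role in user.roles:
        granted |= ROLE_READ_FIELDS.get(role, frozenset())
    return granted


def read_record(user: User, record: Dict[str, str], audit: List[str]) -> Dict[str, str]:
    """Return only the fields the user may see.

    Sensitive fields additionally require step_up_verified. Every denial is
    appended to audit so that insider probing shows up in review.
    """
    visible: Dict[str, str] = {}
    grants = allowed_fields(user)
    for name, value in record.items():
        if name not in grants:
            audit.append(f"DENY user={user.username} field={name} reason=not-granted")
            continue
        if name in SENSITIVE_FIELDS and not user.step_up_verified:
            audit.append(f"DENY user={user.username} field={name} reason=no-step-up")
            continue
        visible[name] = value
    return visible


def can_administer(user: User) -> bool:
    """Admin actions (user management, config) need an admin role, nothing else grants them."""
    return bool(user.roles & ADMIN_ROLES)


# Constructed sample record with obviously fake values.
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "ada@example.com",
    "ssn": "000-00-0000",
    "salary": "00000",
    "card_number": "0000000000000000",
}

if __name__ == "__main__":
    log: List[str] = []
    clerk = User("sam", frozenset({"sales"}))
    print(read_record(clerk, SAMPLE_RECORD, log))
    hr = User("pat", frozenset({"payroll"}), step_up_verified=True)
    print(read_record(hr, SAMPLE_RECORD, log))
    print("\n".join(log))
```

Note that the IT administrator in this model can manage the system but reads no customer fields at all, and the payroll user still cannot see card numbers even after step-up; both are the point of keeping grants explicit rather than hierarchical.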

Update Software Regularly

Software updates keep your business system running smoothly, but they also keep hackers from gaining access to your system by fixing vulnerabilities in the software you run. Hackers learn to exploit flaws in operating systems and common apps in order to access systems surreptitiously, but software and device manufacturers release patches for these flaws as part of their regular software updates. Make sure you’re installing updates regularly; automatic updates are best for your system’s security. Stop using any software that’s no longer supported. Don’t forget to verify that your wireless router and the smart devices on your network, such as security cameras and alarm systems, thermostats, and smart TVs, receive regular software updates, too.

Train Your Staff

Today’s cyberthreats often use social engineering to attack systems at their weakest point — the human beings who use them. Social engineering attacks seek to manipulate users into falling victim to phishing attacks, giving up sensitive data voluntarily, or similar. You can protect your business system from these kinds of attacks by making sure you and your employees are aware of the threats they face and are educated in cybersecurity best practices.
Make sure new employees receive training in cybersecurity best practices, and refresh that knowledge regularly with additional training sessions for all employees. Don’t leave yourself out of the loop; learn how to avoid phishing attacks, ransomware, and other cyberthreats by keeping private data private, avoiding suspicious links, backing up data regularly, using strong passwords, and more.
Cyber hygiene mitigates the risk posed by hackers to protect your business from a data breach that could destroy all you’ve built. By taking care to implement best security practices in your business, you can make sure that your business’s sensitive data is protected, so that you, your employees, and your customers can continue to benefit from the organization you’ve built for years to come.

Will 2017 be the Final Year of the Password?

Passwords have become a necessary evil, and many users complain about the burden of coming up with complex passwords, and the even bigger challenge of remembering them.

Bank POV: An Interview with U.S. Bank CIO Dominic Venturo

At the Plug and Play Retail and FinTech Expo on October 22nd, I had the opportunity to interview Dominic Venturo, CIO of U.S. Bank, on his views of the future of fintech and the role of the traditional bank in the new-age cloud and increasingly mobile-first landscape. While it’s invigorating to cover the fintech newcos, they hardly have the monopoly on innovation. And, in the words of the legendary and enduring Grandmaster Flash, “You have to know where you came from to understand where you are going.” Partnering with the banking establishment can provide insight (and resources) that may save newcos time and iterations later.
Why choose to spotlight U.S. Bank? First, it has what Venturo calls a “wide lens” or breadth of business in that it runs a large payments business, is both an issuer and an acquirer, and also has a large retail bank. But mostly I find the U.S.’s fifth-largest commercial bank interesting in that it makes innovation a core component of its culture. Aside from sending a C-level executive to speak at an accelerator/incubator micro-conference despite not having a venture wing, the company strives to support and to work with innovative partners including start-ups. States Andy Cecere, chief operating officer for U.S. Bancorp, “Innovation is part of our culture and it is how we view the development of new products and services. By anticipating what our customers will want or need in the future, we can better prepare our customers and company for whatever is ahead, capturing opportunities and avoiding pitfalls along the way.” Recent examples of innovation from U.S. Bank include advances in mobile payments, voice biometrics, tokenization and integrated mobile and web commerce solutions.
But what I really like about U.S. Bank is that it is willing to be a banking industry contrarian — and successfully so. One notable example is that while the majority of banks have cut back on small business lending (sub $1 million) over the past few years, U.S. Bank has increased its commitment to SMBs. In its fiscal year ended September 30th, the bank stepped up the overall dollar value of its SMB lending by 15.4% over 2014, while spreading its lending over an 18% greater number of loan recipients. The bank lent $776 million via 3977 loans in its fiscal year 2015 — a modest size loan average of $195,122 per business. Yet U.S. Bank reported an overall full year record performance in 2014 with net income of $5.85 billion.
But back to my interview with Dominic Venturo. Pardon the video quality — impromptu interviews necessitate the occasional shaky frame whilst one adjusts her grip on the cell phone… Thankfully the post-production team has added a little more pizzazz by posting each of my questions on-screen prior to Dominic’s answer.

Some interesting takeaways:

  • It’s not so much the cloud now, it’s mobile.
  • He sees the greatest fintech innovation happening in the minutiae of the payment life cycle — making in-app payments seamless, simplifying mobile payments.
  • Passwords are going away for both internal use as well as consumer multi-factor authentication, with mobile phone-based biometrics being an area that U.S. Bank is focused on.
  • Hardware tokens are not necessarily making a full-out comeback (for authentication) but there is a marked increase in their use — U.S. Bank uses them internally.


UK seeks to shutter Russian site streaming video from webcams

If you feel like someone’s watching you, you might be right. A mega peeping Tom site out of Russia is collecting video and images from poorly secured webcams, closed-circuit TV cameras, even baby monitors worldwide and is streaming the results.

Bionym begins shipping its heart rhythm-based password band to developers

A day is nearing where you will be able to open a door or access your laptop based on your unique heart rhythm. Bionym, maker of the Nymi wristband, began shipping units to developers today so they can create applications for the unusual password system. Bionym originally intended to ship the bands to consumers earlier this year, but has been delayed.

Video: http://www.youtube.com/watch?v=jUO7Qnmc8vE

Security battles escalate

The extent of the ongoing IT security threat continues to expand in form, scale, and response. While both threats and responses are becoming more sophisticated, so far the threats appear to be winning. The challenge to the enterprise is substantial.
Seemingly safe sources as threats
News this week brought examples of how threats have been increasingly found to come from supposedly trusted authorities:

Continued modifications of traditional threats
Threats were also found with wrinkles on traditional methods:

  • A five-year-old attack, labeled ‘NightHunter’, has been found gleaning work email passwords from phishing campaigns sent to HR, finance and sales departments.
  • A newer threat, ‘BrutPOS’, exploits poor RDP implementations and weak passwords to harvest credit card data from POS systems.

International economic warfare
Not only actual security issues, but also mere claims of security concerns, have become weapons in protectionist international economic warfare. China’s state media this week asserted that the iPhone is a threat to state economic data and other interests because of its standard smartphone tracking capabilities. This complaint is an updated form of a tactic that China has used previously to constrain international competition from firms such as Google and Microsoft.
Exposure of overreach by the U.S. National Security Agency (NSA) has likely been the most economically damaging so far, as an updated form of local content requirements is amassing in countries such as Germany. Both the genuine and the opportunistic localized responses to security concerns make business more difficult for cloud companies and their enterprise customers.
Growing government response
Increasingly large and coordinated efforts have also been amassed to take down increasingly sophisticated threats. As Dark Reading reported, “[T]he U.K.’s National Crime Agency (NCA) announced that it has seized Shylock operators’ command-and-control servers and taken control of the domains they use to communicate. The effort was led by NCA, and included the FBI, the European Cybercrime Centre at Europol, GCHQ, BAE Systems Applied Intelligence, Dell SecureWorks, Kaspersky Lab, the German Federal Police, and others in Italy, Turkey, France, Poland, and the Netherlands,” where Shylock is a complex bank fraud malware system.
In the last month, it had been the U.S. Secret Service that alerted P.F. Chang’s to its security breach. The NCA also launched a competition and training initiative to further cyber security skills and understanding.
Increasingly personal challenges
Cyber criminals are finding new ways to probe one of the greatest traditional weaknesses in cyber (or other) security systems, which is the human element. The Shylock criminals have actually posed as bank employees, using chat systems to gather more sensitive data. And the use of blackmail, too, has apparently been rising.
Security firms respond
Some counter-responses naturally come from IT security firms. ThreatStream last month launched a new Modern Honey Network (MHN) tool to make it easier for enterprises to set multiple honeypot traps for lurking hacker threats. BioCatch used the occasion of the World Cup to showcase its passive biometrics technology for establishing user identity and screening bot attacks and execution. The startup FarSight Security was launched to identify newly created domains that have been set up for malicious purposes. (Gigaom Research cloud security market coverage can be found here.)
Longer-term solutions
At this point, there are no signs that the good guys will successfully squelch the bad in the near, medium, or even long term. Mobile and cloud technologies have provided new frontiers for battle. While big data and predictive analytics can be applied to counter threats, they can also be used to make those threats more sophisticated.
Although government law enforcement appears to be beginning to catch up with these forms of cyber-based crime, their efforts alone of course will not be sufficient. It is clear that enterprises will have to continue to raise the bar on their security efforts on both human and technological levels.
Among the expected and required developments are the following:
On the technology level, the following have all been rightly named as key security developments:

On the human and organizational levels, the following should be recognized:

  • C- and board-level involvement will have to become the norm in order to ensure that the attention, funding, and enterprise-wide coordination that are needed are provided and updated continuously.
  • Just as IT spending and management are becoming more integrated across the enterprise, security will be both important enough and have sufficient reach beyond pure technology to require integrated management and responsibilities at the corporate and line-of-business departmental levels. That is, cybersecurity will also have to be managed, with authority and responsibility, at the non-IT departmental level.
  • A security-oriented mindset will need to be fostered among even those technical staffers who do not naturally have such an outlook. Kenneth van Wyk, for example, recently suggested giving developers hacking exercises in order to attune their thinking to that of hackers.
  • Just as the banking credit card networks have long straddled technological implementations and the human ‘real’ world, with failsafes established in recognition of the impossibility of perfect security, organizations and individuals of all types will need to incorporate pragmatic procedures to limit and abate failures and damages. That is, the management and mitigation of security breaches will be an ongoing part of a mature security system.

How to update your Apple ID password

It is always a good idea to change your Apple ID password a few times a year. When Apple admits that its security has been compromised, you should change it right away.