Posts Tagged ‘data security’

Cyber Criminals Now Targeting Small Businesses

by Robert Driscoll on October 1, 2009

It seems like every other day in the news and various media forums we are told of cyber criminal organizations that have hacked into company databases and stolen their customers’ information.  There are several well documented cases, such as the recent capture of Albert Gonzalez, who was indicted along with two Russian nationals for allegedly stealing over 130 million credit and debit card numbers.  The previous largest known breach occurred in 2005 and 2006, when over 45 million card numbers were stolen from TJX, the parent company of TJ Maxx and Marshalls among others.  But what about small businesses?

NACHA, the Electronic Payments Association, is a non-profit organization that oversees the Automated Clearing House (ACH) Network, which over 15,000 financial institutions use to originate and receive payments.  In early September, NACHA issued a statement to all of its members alerting them to the increase in cyber attacks targeting small banks and businesses.  According to a recent article in The Washington Post, the confidential notice sent to NACHA members identified criminal cyber groups in Eastern Europe as the ones primarily responsible for stealing millions of dollars from corporate bank accounts and then sending the money via wire transfer to overseas accounts.

Why are small businesses being targeted?  The security policies at these types of companies tend to be less sophisticated, which makes it easier to gain access to their infrastructure.  Also, while many financial institutions have created several security measures and alerts to prevent credit and debit card fraud, the same cannot be said for ACH transactions.  Nick Holland, a senior analyst at Aite Group, which focuses on the financial services industry, states that, “While an unusually large credit card transaction might trigger a fraud alert, a crook could initiate a similar ACH transaction without anyone batting an eyelid in many cases.”

How are small businesses being targeted?  As reported in The Washington Post article, the scammers infiltrate companies in a similar fashion:  they send a targeted email with a virus-laden attachment or link to the company’s controller or treasurer.  When the link or attachment is opened, the malware starts to gain access to the company’s financial data.  The majority of the illegal wire transfers are under $10,000, and therefore do not attract the attention of federal agencies.  Some, though, have been devastating to banks, such as Dwelling House Savings and Loan, which was forced out of business as cyber criminals siphoned over $3 million over a period of 6-12 months in 2008 through illegal ACH transactions.  The FBI now says it is looking into this kind of criminal activity.

To reduce the risk of data breaches or theft, companies must constantly update their security policies and make sure they are being enforced.  Multiple layers of security are required to reduce your company’s exposure in today’s digital world.  While companies must defend themselves against attacks, they have to constantly juggle between protecting their company’s sensitive data and creating a flexible and responsive infrastructure that allows the company (and its employees) to work effectively in today’s ever changing and complex marketplace.  If your business performs ACH transactions, it’s time to consider an effective transaction monitoring solution before it’s too late.
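As an added example (not part of the original post), here is a small transaction-monitoring rule set in Python, run over a constructed batch of outbound ACH transfers. It flags the patterns the article describes: payments to beneficiaries the company has never paid before, overseas destinations, activity outside business hours, and several transfers kept just under the $10,000 level within a short window. The vendor list, thresholds and sample transfers are all assumptions made for the example.

```python
"""Toy ACH outbound-transfer monitor (added example; not from the original post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfers: (timestamp, beneficiary id, destination country, USD amount).
SAMPLE_TRANSFERS = [
    ("2009-09-14 09:12", "ACME-SUPPLY-001", "US", 8400.00),
    ("2009-09-14 10:30", "PAYROLL-ADP",     "US", 23150.00),
    ("2009-09-15 02:03", "MULE-7731",       "UA", 9800.00),
    ("2009-09-15 02:41", "MULE-7731",       "UA", 9650.00),
    ("2009-09-15 03:17", "MULE-9012",       "LV", 9900.00),
    ("2009-09-16 11:05", "ACME-SUPPLY-001", "US", 7900.00),
]

KNOWN_BENEFICIARIES = {"ACME-SUPPLY-001", "PAYROLL-ADP"}  # assumed list of vetted payees
HOME_COUNTRY = "US"                # assumed
REPORTING_THRESHOLD = 10000.00     # the article notes most fraudulent transfers stay under this
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_COUNT = 2              # this many near-threshold transfers in the window is suspicious


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def score_transfers(transfers, known=KNOWN_BENEFICIARIES):
    """Return {index: [reasons]} for every transfer that deserves a human review."""
    flagged = defaultdict(list)
    near_threshold = []  # (time, index) pairs used for the structuring check
    for i, (ts, beneficiary, country, amount) in enumerate(transfers):
        t = parse(ts)
        if beneficiary not in known:
            flagged[i].append("new beneficiary")
        if country != HOME_COUNTRY:
            flagged[i].append("overseas destination")
        if not (9 <= t.hour < 18) or t.weekday() >= 5:
            flagged[i].append("outside business hours")
        if 0.9 * REPORTING_THRESHOLD <= amount < REPORTING_THRESHOLD:
            flagged[i].append("just under reporting threshold")
            near_threshold.append((t, i))
    # Structuring: several near-threshold transfers close together in time.
    for t, i in near_threshold:
        peers = [j for (u, j) in near_threshold if j != i and abs(u - t) <= STRUCTURING_WINDOW]
        if len(peers) >= STRUCTURING_COUNT - 1:
            flagged[i].append("possible structuring")
    return dict(flagged)


if __name__ == "__main__":
    for index, reasons in score_transfers(SAMPLE_TRANSFERS).items():
        ts, beneficiary, country, amount = SAMPLE_TRANSFERS[index]
        print(f"{ts} {beneficiary:<16} {country} ${amount:>9,.2f}  <- {', '.join(reasons)}")
```

The individual rules are deliberately simple; the value is in combining them, since a single overseas payment or a single late-night batch run is routine for many businesses, but a new payee, overseas, at 2 a.m., for an amount just under the threshold, three times in one night, is exactly the pattern a reviewer should see before the money leaves.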

Protect Your Business & Avoid a Disaster

by Robert Driscoll on September 3, 2009


Your company’s data might be your most valuable asset, and with our ever-increasing dependence on IT systems and digital data, it is becoming even more important to protect it in the event of a disaster.

There are a number of reasons why companies haven’t initiated a disaster recovery plan.  It could be:

  • Lack of resources (both internal and external)
  • Limited budget
  • Don’t feel there is a need for one

According to a 2008 study done by KPMG, only 5-6% of a company’s IT budget was allocated to disaster recovery planning and preparation.  At the same time, according to another study done by Janco Associates, only 6% of companies who suffer a catastrophic data loss survived, 43% of these companies never re-open and 51% close within 2 years of the disaster.  In this same study, it was found that 93% of companies went out of business that didn’t have their data backed up at all in the event of a disaster.

Even an event that disrupts your business for a short period of time can have catastrophic consequences.  The chart below outlines the costs associated with computer downtime and lost data for businesses.

Industry Sector          Lost Revenue Per Hour
Energy                   $2.8 million
Telecommunications       $2.0 million
Manufacturing            $1.6 million
Financial Institutions   $1.4 million
Information Technology   $1.3 million
Insurance                $1.2 million
Retail                   $1.1 million
Pharmaceuticals          $1.0 million
Banking                  $996,000

The primary threats to a company’s data are:

  • Hardware or system problems
  • Human error
  • Software Corruption or program problems
  • Computer viruses
  • Natural disasters

What they all have in common is that they are unpredictable and possibly unavoidable, but with a good disaster recovery plan in place, the damage from these threats can be minimized or completely eliminated.  If you don’t have a disaster recovery plan in place, there are several sites that provide free templates to help get you started, but ultimately you should contact a 3rd party with expertise in designing and implementing a disaster recovery plan that meets your company’s requirements.  As you start designing your disaster recovery plan, it is important to weigh the risk of financial loss vs. the cost of creating a contingency plan.

Whether you spend the money or accept the risk, it has to be an executive decision.  Not understanding your risks at all could be the biggest risk for your business.

Be socially responsible with your Social Identity

by Guy Ralfe on September 2, 2009


The social media call today is to get online and participate. Over the last year a day hasn’t gone by without someone mentioning a new contact through a social network site or some new statistic about the presence and reach of social media networks, but more often of late we are hearing more news of misfortune surrounding social media.

This is not unexpected, as it is a common characteristic of social groups. It has gone on for centuries and is to some degree the cause of wars and organized crime – where there’s a large group that appears to have something relative to another, it produces an opportunity to exploit. In social media this has manifested itself in Identity Theft and Brand Damage (the topic of the next post).

Identity theft seems to be rampant today and rather intimidating. An article in the Daily Mail quotes a large UK insurance company Legal & General as warning that insurance premiums may rise if household members utilize social media sites.

This is on the back of the claim that criminals are preying within these network sites for opportunities such as burglaries, personal account details and identity theft. What appears to be an innocent use of your ability to broadcast everything from your thoughts through Twitter, photos on Flickr and everything about yourself on Facebook, MySpace, LinkedIn or similar sites can potentially provide key information to criminals to use against you.

What this means is that we have to be conscious about how we configure our accounts on these sites and responsible with what information is shared through which channels.

Here is some edited advice published by Robert Siciliano on bloggernews:

  • Before you post anything online, think about what a criminal could do with that data.
  • Don’t post specific details about yourself such as address, date of birth, kids’ names, pets’ names, phone numbers, or any account numbers or financial information of any kind. This information can often be used to retrieve passwords and help get fraudulent access to personal accounts.
  • Do not tell the world you are going on vacation! This is an open invitation to any would-be burglar. Remember, posting pictures of your vacation while on vacation is much the same as writing that you are on holiday.
  • If you’re a “partier” and like to imbibe, informing the world that you just smoked a joint is not only one of the worst things you could do for your career, it also makes all your friends guilty by association.
  • Before posting pictures or videos, consider what a criminal or potential employer might see. Could they be used against you in any way?
  • If you let your kids use social media, you must monitor every aspect of their Internet activities. Pick up McAfee’s Family Protection software and take control of your children’s Internet use.
  • Take advantage of privacy settings and lock down your profile, so that only those who you approve can view everything.
  • Get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  • Invest in identity theft protection and prevention services such as Intelius. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Remember that it is not only criminals who are potentially scouting you out! Today it does not take a lot of effort to perform searches on individuals. Posting something that may be illegal or unsavory can just as easily be picked up by a prospective future employer or client, or worse, used against you in court!

Social media is built on trusting relationships. It is this trust that is manipulated to exploit your situation and information. As aptly demonstrated in Himanshu Jhamb’s article Social Media: A Dangerous Opportunity, this does not need to be intimidating and there are many things we can do to protect ourselves. We just need to be aware how these tools can be utilized and act responsibly to protect ourselves from criminals or others carrying hidden agendas.

Don’t be intimidated, enjoy your social media experience!

What’s In The Name

by Robert Driscoll on August 20, 2009

Many different areas of business have been covered in the past several weeks on Activegarage.com, from the dance of entrepreneurship, creating and protecting your intellectual property, to protecting your company’s data.  Our goal is to help people transform their world by coming up with uncommon offers in the marketplace.

So, now you’ve come up with the next breakthrough and are ready to take your first step as an entrepreneur.  You’ve come up with a name for your company and have set up a corporation.  You’re excited.  Financial freedom is just around the corner.  You go to register your company’s domain name and you come to find out…someone already owns it.  Don’t give up. 

Here are some simple steps to help you to continue moving forward.

1. Change Your Domain Suffix

If .com is not available, look to see if any of the other domains are available (.net, .biz, etc…).  Be careful though, as you might be infringing a trademark if the other domain in use belongs to a legitimate business.

2. Change The Name Slightly

Work on finding variations of the name you want until you find one that is available.  Again, be careful with this option as well, as you could also be infringing a trademark.

3. Buy The Domain Name

Domain names are bought and sold all the time at sites like GoDaddy.com or BuyDomains.com.  Having the right domain name online can help establish your company’s identity.  Determine the value of building your brand without being able to use the company name and domain you desire and compare that to what it would cost to buy the domain you want.  If the latter is less, simply buy the domain and continue moving forward.

4. If You Already Own The Trademark

If you already own the trademark to your company’s name, you have some options.  If you are dealing with a cybersquatter, the first, and less expensive, option is to contact ICANN and file a dispute under the Uniform Domain-Name Dispute-Resolution Policy.  The cost of going this route varies, as it depends on the number of domains filed in the dispute and the number of panelists required.  You can also send a cease and desist letter to the party that is “squatting” on your desired domain.  A sample letter can be found here.  While this process might be time consuming and cumbersome, it is considerably less expensive than the final option.

5. Seek Legal Advice

When you’ve exhausted all of your options, this might be the only one remaining.  Before going down this path, consider the time and money it might take if you try to resolve this matter with the “help” of an attorney.  If this goes to court and you win, you could have all or part of your legal expenses paid for by the other party, but be careful as you could very easily lose and incur legal expenses and still not have the name you wanted for your business. 

Unfortunately there is no one way to resolve this issue, but it is important to understand that you do have options should you encounter this problem.  It is just as important to determine how much time and money you are willing to invest before you go after the name you want.  Sometimes it’s just easier to come up with a new name.

My Computer Got Infected By The Swine Flu. What?

by Robert Driscoll on August 6, 2009

In April and May of this year, while the CDC and other federal agencies were working hard to prevent the spread of a swine flu outbreak, another outbreak was occurring that did not catch the headlines: Swine Flu Spam.

With Swine Flu at the forefront of everyone’s mind, spammers got busy. When the possible Swine Flu outbreak was being reported in April of this year by the media, Cisco stated that Swine Flu related spam accounted for 4 percent of the worldwide total at its peak. Symantec reported on their blog one scam that spammers unleashed where they had a viral PDF document of Swine Influenza FAQs. When users clicked on the PDF document, it unleashed a malicious InfoStealer code onto the victim’s computer.

Well, just when we thought our computers were safe from getting infected by the Swine Flu, Sophos Labs reported on July 22nd on their blog that, with the Swine Flu pandemic ongoing, spammers are continuing to play off of people’s fear. This time they sent an email titled, “Novel H1N1 Flu Situations Update,” which had an attached Word document that, when opened, had the following image in it:

[Image: the swine flu graphic embedded in the Word attachment]

This image is identical to the one found on the CDC website. Unbeknownst to the users who opened the Word document, a Trojan was unleashed on their computer that not only stole all of their passwords (encrypted ones as well), but also tracked all of their keystrokes. All of this information was sent back to a malicious website, where most likely the stolen information would be sold in one of several underground markets. Spam continues to be a major problem not only for individuals but for corporations as well. Symantec reported that as of April of this year, “unsolicited email made up 90.4% of messages on corporate networks.” While companies have become “smarter” about not allowing certain attachments to pass through to their networks, spammers have started putting URLs in their messages to entice people to click on them, which then redirects them to a website that carries the malware. This type of spam generally is not stopped by firewall, anti-virus or anti-spam software.
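To show what the attachment and link checks the post alludes to look like in practice, here is an added Python example (not from the original post, nor from Sophos or Symantec) that parses a constructed message modelled on the “Novel H1N1 Flu Situations Update” lure. It reports a Word attachment and a link whose visible text names one host while its href points to another, which is the trick that lets a URL-based lure slip past attachment filters. The extension list, the hosts and the sample message are all assumptions made for the example.

```python
"""Mail triage: flag risky attachments and mismatched links (added example, not from the post)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed review list: the post's own examples were PDF and Word droppers.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docx", ".exe", ".scr", ".zip", ".js"}

# Constructed sample message; hosts are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
From: "CDC Alerts" <alerts@example.invalid>
To: controller@example.invalid
Subject: Novel H1N1 Flu Situations Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the update at
<a href="http://cdc-update.example.net/flu">www.cdc.gov/h1n1flu</a></p></body></html>
--XYZ
Content-Type: application/msword; name="H1N1_Update.doc"
Content-Disposition: attachment; filename="H1N1_Update.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or of bare 'www.host/path' text, lower-cased."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def triage(raw_message):
    """Return human-readable findings for one RFC 822 message (empty list if nothing stands out)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"attachment {filename!r} has a risky type {ext}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown = host_of(text) if "." in text else ""
                if shown and shown != host_of(href):
                    findings.append(f"link shows {shown} but points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("REVIEW:", finding)
```

Neither check is a verdict on its own: plenty of legitimate mail carries .doc attachments, and newsletters routinely route links through tracking hosts. The point is that both are cheap to compute at the gateway and are exactly the cues a trained user should be looking for before clicking.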

So how do you defend yourself against malicious emails?  To lower your risk of malware infections, you need to:

  • Download software only from sites you know and trust.
  • Set your browser security high enough to detect unauthorized downloads.
  • Use anti-virus and anti-spyware software, as well as a firewall, and set them to update automatically.
  • Don’t click on links inside pop-up windows.
  • Don’t click on links in spam that claim to offer anti-spyware software; you may unintentionally be installing spyware.

Clues that malware may be on your computer include:

  • A sudden increase in pop-up ads.
  • A sudden or repeated change in your computer’s Internet home page.
  • New and unexpected toolbars or icons on the system tray at the bottom of your computer screen.
  • Slowed computer performance.
  • Random error messages.

While it is important for both individuals and corporations to have the necessary security measures in place to protect them from these spam messages by incorporating firewalls, antivirus software, email filters, etc…, the best way to reduce these threats is to simply educate yourself, and if you work for a corporation, educate your peers to not open or click on anything that looks suspicious. Sound stupid? Well, so does your computer getting the Swine Flu.

Please Steal My Data

by Robert Driscoll on July 23, 2009

“Please Steal My Data.” That’s in essence what you are telling hackers if you don’t have the proper security technologies in place in your business. In today’s marketplace, many companies are dealing with shrinking budgets and trying to cost-justify investments in security appliances.
Every company wrestles with what the financial return on investment (ROI) is for purchasing security technology to protect their critical data. With malicious code threats growing over 160% from 2007 to 2008 alone (over 1.6 million), this is not an area that should be overlooked. While each company’s network is unique, along with its security requirements, companies can still learn from other companies’ mistakes, not only in securing their data and networks, but also in understanding what the financial impact could be if you neglect this area.

Take for example TJX (owner of TJ Maxx, Marshalls, HomeGoods and other retail chains), which has over 2,000 retail stores in the US and Canada and had its payment systems hacked from May 2005 to December 2006 (or longer). During this period, the credit card information of over 94 million of its customers was obtained. (Letter from the CEO)

Even though TJX was certified as being PCI (payment card industry) compliant, the hackers still managed to find a flaw in their network, in this case, by intercepting unencrypted data that was transmitted wirelessly between handheld payment scanners. Once they had access to the payment scanners, they were then able to gain access to TJX’s database which eventually led them to their 94 million customers. When this security breach became public, TJX was hit with several lawsuits from their pension fund holders, banks, Visa and MasterCard. In the end, this “incident” cost TJX over $57 million, $40 million of it from Visa alone to help them with the cost of re-issuing all the cards. Several analysts, including Forrester Research, “have estimated TJX’s costs could run as high as $1 billion, including legal settlements and lost sales.”

While it might be hard to compare your business to a $15 billion company like TJX in trying to determine your security risk and the costs associated with a breach, a study from the Ponemon Institute can help shed some light on what the possible cost is. Their study, released in February 2009, showed that, “data breach incidents cost U.S. companies $202 per compromised customer record in 2008. Within that number, the largest cost increase in 2008 concerns lost business created by abnormal churn, meaning turnover of customers.”

To every company, the value of their brand, in financial terms, is invaluable, but a data breach could cost millions of dollars or could completely put the company out of business. What will your company be worth then?

It is about the data

by Thomas Frasher on June 16, 2009

Many new online offerings are intended to work directly or indirectly with customer provided data.  Acquisition, aggregation and data security are but some of the concerns that online offerings must take into account if they are to have a successful business.

1. Acquisition – this is the first and most important step; without this working reliably no amount of feature development will make the product successful. The ease of acquisition setup and the consistency of data acquisition are of paramount importance if the offering provider expects to minimize early abandonment of the application. Here are some scenarios and the likely results for each:

a. Data acquisition is easy to set up – the offering can see rapid adoption and very high growth rates.

b. Setup is moderately complex, either in detail or in complexity of procedures – the abandonment rate may still remain low as long as value is established early.

c. Setting up the data acquisition is very complex, uses unexplained terms, or has cryptic workflows – the initial abandonment rate will be high.

d. Setup is easy and the data collection is unreliable – the abandonment rate will still be high.

Clearly, from the scenarios above, the data in the offering, and what it represents as the ability to take care of present and future concerns, is all that matters to the customer. Anything that impedes, challenges or thwarts those concerns is reason enough for abandonment.

2. Aggregation or ETL – This is the second step and MUST be flawless. ETL refers to Extract, Transform and Load; this is the process by which the customer’s data is uploaded into the offering database. Any failures at this point reflect on the application very poorly, and once that happens, customers don’t trust the details that they see in the offering. What’s worse is: the lost trust is difficult if not impossible to win back.
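As an added example (not code from the original post), here is a Python ETL routine over a constructed CSV upload that follows the “must be flawless” rule: every row is validated before anything is written, all problems are reported together with their line numbers rather than one at a time, and the load runs in a single transaction so a rejected batch leaves the customer’s existing view untouched. The table schema, the CSV columns and the sample uploads are assumptions made for the example.

```python
"""All-or-nothing ETL load of customer-provided data (added example, not from the post)."""
import csv
import io
import sqlite3
from datetime import date

# Constructed sample uploads. The second one has a non-ISO date and a non-numeric amount.
GOOD_UPLOAD = """\
txn_id,posted,amount,memo
1001,2009-06-01,125.40,Office supplies
1002,2009-06-02,-42.00,Refund
1003,2009-06-03,1890.00,Consulting
"""
BAD_UPLOAD = """\
txn_id,posted,amount,memo
2001,2009-06-01,125.40,Office supplies
2002,06/02/2009,42.00,Refund
2003,2009-06-03,abc,Consulting
"""


class EtlError(ValueError):
    """Raised with a list of per-row problems; nothing has been committed when it is raised."""


def extract(text):
    """Extract: read the upload as rows of strings."""
    return list(csv.DictReader(io.StringIO(text)))


def transform(rows):
    """Transform: validate and normalise every row, collecting all problems instead of stopping at the first."""
    clean, problems = [], []
    for n, row in enumerate(rows, start=2):  # line 1 of the file is the header
        try:
            txn_id = int(row["txn_id"])
            posted = date.fromisoformat(row["posted"])
            amount_cents = round(float(row["amount"]) * 100)  # store cents, never floats
        except (KeyError, ValueError) as exc:
            problems.append(f"line {n}: {exc}")
            continue
        clean.append((txn_id, posted.isoformat(), amount_cents, (row.get("memo") or "").strip()))
    if problems:
        raise EtlError(problems)
    return clean


def load(conn, rows):
    """Load: insert inside one transaction so a mid-batch failure leaves no partial data."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.executemany(
                "INSERT INTO transactions (txn_id, posted, amount_cents, memo) VALUES (?, ?, ?, ?)",
                rows,
            )
    except sqlite3.IntegrityError as exc:  # e.g. a duplicate txn_id in a re-upload
        raise EtlError([f"load rejected: {exc}"]) from exc


def new_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (txn_id INTEGER PRIMARY KEY, posted TEXT NOT NULL,"
        " amount_cents INTEGER NOT NULL, memo TEXT)"
    )
    return conn


def run_etl(conn, upload_text):
    """Return the number of rows committed; raise EtlError and commit nothing on bad input."""
    rows = transform(extract(upload_text))
    load(conn, rows)
    return len(rows)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]


if __name__ == "__main__":
    store = new_store()
    print("good upload: committed", run_etl(store, GOOD_UPLOAD), "rows")
    try:
        run_etl(store, BAD_UPLOAD)
    except EtlError as err:
        print("bad upload rejected; stored rows still", row_count(store))
        for problem in err.args[0]:
            print("  ", problem)
```

Reporting every bad line at once matters for the trust point the post makes: a customer who fixes one error, re-uploads, and is then told about the next one will conclude the tool is unreliable, even though their data was never partially loaded.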

3. Data Security – The customer’s data must ALWAYS be secure, and the customer should be able to verify how the connection is secured and that they are really connected to the offering website (security certificate, SSL connection, etc.). Online offerings only get one chance to fail on this point. As has been seen over the past few years, failure to secure customer data, as in the case of Heartland Payment Systems, is very damaging to the public identity of the company and, depending on the type of data compromised, has large legal consequences.

Suffice to say that as online offerings continue to be a substantial area of growth for companies in the coming years, paying due attention (or not) to acquiring, aggregating and securing data will be the thin line between abandonment and success… after all, it is about the data!