It’s a Wrap! #CyberAware

Today is not only Halloween, it’s the last day of National Cybersecurity Awareness Month!

As a reminder, the major themes this year have been:

Make Your Home A Haven For Online Safety.

Millions Of Rewarding Jobs: Educating For A Career In Cybersecurity.

It’s Everyone’s Job To Ensure Online Safety At Work.

Safeguarding The Nation’s Critical Infrastructure.

Please be sure to visit staysafeonline.org/ncsam and browse the resources for a ton of helpful guides, tip sheets and other resources to help you be as secure as possible.

My friends at KnowBe4, a security training company I work closely with, also have some excellent resources, which I've included below.  Feel free to share them within your company to help maintain a culture of cybersecurity awareness well beyond today.

#CyberAware

The KnowBe4 resources, originally shown as images linking to the PDF versions: Social Engineering Red Flags; Block Mobile Attacks; 5 Tip Sheets.

I’m Back!

I’ve been on vacation, so I hope you haven’t minded the lack of posts 🙂  I’m back and want to share the latest article I wrote for Foster’s and Seacoast Sunday on the 21st.  Enjoy.

Small Businesses at Risk to Cybersecurity Attacks

In my last article, I wrote about October being National Cybersecurity Awareness Month. We have just finished week 3 and are about to move into week 4. Week 3’s theme was “It’s Everyone’s Job to Ensure Online Safety at Work.” Week 4’s theme is “Safeguarding the Nation’s Critical Infrastructure.”

When thinking about the workplace and the prevalence of small business throughout New England, the story is not a pleasant one. Too many small businesses think they are not at risk for a cybersecurity event. However, consider in 2017, 61 percent of small businesses reported a cyberattack, up from 55 percent the year before. The average cost of these attacks exceeded $1 million, enough to bankrupt many small businesses.

All industries are impacted by cyberattacks, but the most targeted industries are financial services, technology and communications, manufacturing, retail and professional services. The reasons for the attacks vary widely, from financial fraud to identity theft to the theft of intellectual property, the lifeblood of many businesses.

The attack methods vary and defending against these attacks often feels like a game of leap frog. The bad guys figure out a way to penetrate a network and the technologists figure out how to block that attack. The problem is the attackers are sophisticated and have access to increasingly powerful computing resources, so they figure a new way around the defenses and the cycle starts over again, millions of times a day.

Defending your business is not a trivial task, but in the quest to secure businesses, especially small businesses, the most often overlooked thing is employee training. You must invest in training your staff to understand their role in protecting your business. From what they say on social media about their job to the email messages they open and the links they click, people are the last and most important line of defense.

I have heard too many stories where someone in an accounting department gets an email asking them to log in to a website to check something. It could be anything from an invoice to a tracking number to a request to update the security information on their account. Messages like this are easy to spoof, and the target is led to what looks like a legitimate login page. Often they get an error telling them the login failed and to try again, and they move on. The problem is that the site was fake, and the attacker has just captured the username and password the person typed. The attacker is then often able to access and monitor that accounting person’s email, and eventually tricks that person, or one of their colleagues, into initiating a fraudulent transaction that can cost hundreds of thousands, if not millions, of dollars.
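The lure described above is usually visible in the email itself before anyone types a password. As an added example (this is not code from the article), the following Python script pulls every link out of an HTML message and flags the three things a credential-phishing link tends to get wrong: the visible text names one domain while the href points at another, the host is outside the domains the company actually uses, or the host is an internationalised (punycode) name that can visually imitate a real one. The trusted-domain list, the sample email and all of the domain names in it are constructed for the demonstration.

```python
"""Spot credential-phishing links in an HTML email body.

Added example, not code from the original article. The trusted-domain
list, the sample message and every domain in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: the domains this business really logs in to.
TRUSTED_DOMAINS = {"example-accounting.com", "example.com"}

# Link text that itself looks like a domain or URL, so it can be compared
# with the real target; plain words such as "click here" do not match.
_DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I)


def registrable_domain(host):
    """Rough registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def analyse_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks like a phishing lure (empty list = clean)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return ["non-web scheme: %r" % parts.scheme]
    if parts.scheme == "http":
        reasons.append("plain http link (a real login page would be https)")
    if any(lbl.startswith("xn--") for lbl in host.split(".")) or any(ord(c) > 127 for c in host):
        reasons.append("internationalised (punycode) host name: %s" % host)
    if registrable_domain(host) not in trusted:
        reasons.append("host %s is not a known company domain" % host)
    m = _DOMAINISH.match(text)
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append("link text shows %s but points to %s" % (m.group(1), host))
    return reasons


def scan_email(html):
    """[(href, text, reasons)] for every link in the message."""
    return [(href, text, analyse_link(href, text)) for href, text in extract_links(html)]


# Constructed sample: an "invoice" lure using a look-alike subdomain, a
# punycode tracking link, and one genuine link to the real payments site.
SAMPLE_EMAIL = """
<p>Your invoice is ready. Log in at
<a href="https://payments.example.com.invoice-portal.net/login">payments.example.com</a>.</p>
<p>Shipment tracking: <a href="http://xn--pple-43d.com/track">apple.com</a></p>
<p><a href="https://payments.example.com/invoices">View invoices</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href)
        for reason in reasons:
            print("    -", reason)
```

The first lure relies on people reading "payments.example.com" and stopping there; the registrable domain is actually invoice-portal.net, which is exactly what the check compares. The two-label approximation of the registrable domain is deliberately simple; a production filter would use the public suffix list.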

The news is awash with stories like this, and law enforcement is overwhelmed with such reports. Unless you have lost millions of dollars, more likely tens of millions, it’s unlikely law enforcement will be able to act on your case fast enough to help recover any funds. That is how real and present a danger these cyber threats are.

While this may all seem daunting, there are several things a small business can do to help protect itself. Take the time to inventory your critical data and systems. Be sure you understand what you can live without and what you can’t. If you ever do suffer a cyberattack, be sure you know what you need to continue operating while you assess the damage and recover. Also, have a communication plan ready to inform your staff, your business partners, your customers and, if necessary, the public about what has happened to your business. Get in front of the matter, so your business does not suffer damage to its reputation as well as its technology.

Today’s cyberattacks are evolving nearly in real-time. Businesses large and small across all industries need to understand their risk profile, take appropriate steps to protect their technology infrastructures, educate their employees how to help protect the business and have appropriate response plans in place for when, not if, you are attacked. Try not to feel overwhelmed by the risks. Be prudent in your approach. There are plenty of talented professionals out there to help you understand and mitigate your risk. Just don’t ignore it.

Week 3 Tips #CyberAware

Week 3 of National Cybersecurity Awareness Month is all about protecting your place of work from cyber threats.  In addition to identifying what assets you need to protect, consider the following key areas:

Protect your assets: Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grows or adds new technologies or functions.

Use employee training to communicate the message and gain employee buy-in.  Don’t make this a one-time event; hold recurring training throughout the year to maintain a culture of cybersecurity awareness.

Be able to detect incidents: We have fire alarms in our businesses and homes that alert us to problems. In cybersecurity, the more quickly you know about an incident, the more quickly you can mitigate the impact and get back to normal operations.

While everyone has a firewall and anti-virus software, who is monitoring them?  The basics alone are not enough.  You should have intrusion detection and prevention and other security technologies in place that are designed to look for patterns that are not normal.  The tools alone are not enough either: you need a qualified cybersecurity professional reviewing this information in real time to catch potential risks.
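As an added example of what "looking for patterns that are not normal" means in practice (this is not code from the post), here is a small Python detector run over a handful of constructed sshd-style authentication log lines. It raises two kinds of alert: a burst of failed logins from one source address inside a short window (password guessing or credential stuffing), and a successful login from an address that had just been failing (a guess that worked, or a stolen password finally tried correctly). The host name, user names and addresses are made up, with the addresses taken from the documentation ranges.

```python
"""Flag password guessing and suspicious successes in auth logs.

Added example, not code from the original post. The log lines are
constructed; addresses are from the documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for a login attempt, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines, threshold=5, window=timedelta(minutes=10), prior_failures=3):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    threshold      failures from one address inside `window` that count as guessing
    prior_failures failures that make a following success suspicious
    """
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    already_flagged = set()         # report each guessing source once
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # forget failures outside the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                alerts.append(("password_guessing", ev["ip"], ev["user"], ev["ts"]))
                already_flagged.add(ev["ip"])
        else:
            if len(q) >= prior_failures:
                alerts.append(("success_after_failures", ev["ip"], ev["user"], ev["ts"]))
            q.clear()   # a success ends the current run of failures for that source
    return alerts


# Constructed sample: 203.0.113.9 hammers the accounting user and finally gets
# in; 198.51.100.4 is a normal user who mistyped once; the last line is noise.
SAMPLE_LOG = """\
2018-10-17T08:01:02 fileserver sshd[2201]: Failed password for accounting from 203.0.113.9 port 51022 ssh2
2018-10-17T08:01:05 fileserver sshd[2201]: Failed password for accounting from 203.0.113.9 port 51023 ssh2
2018-10-17T08:01:09 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
2018-10-17T08:01:12 fileserver sshd[2201]: Failed password for accounting from 203.0.113.9 port 51025 ssh2
2018-10-17T08:01:16 fileserver sshd[2201]: Failed password for accounting from 203.0.113.9 port 51026 ssh2
2018-10-17T08:02:40 fileserver sshd[2203]: Failed password for jsmith from 198.51.100.4 port 40110 ssh2
2018-10-17T08:02:48 fileserver sshd[2203]: Accepted password for jsmith from 198.51.100.4 port 40110 ssh2
2018-10-17T08:03:30 fileserver sshd[2201]: Failed password for accounting from 203.0.113.9 port 51027 ssh2
2018-10-17T08:03:41 fileserver sshd[2209]: Accepted password for accounting from 203.0.113.9 port 51028 ssh2
2018-10-17T08:04:00 fileserver sshd[2209]: pam_unix(sshd:session): session opened for user accounting
"""

if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(ts.isoformat(), kind, ip, user)
```

The second alert is the one that matters: an intrusion prevention system that only blocks after N failures would have stopped the guessing, but a successful login after a run of failures is the signal that someone should look at right away, and that is the judgement call a person, not a tool, has to make.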

Have a plan for responding: Having a recovery plan created before an attack occurs is critical. Make and practice an incident response plan to contain an attack or incident and maintain business operations in the short term.

You never want to put your head in the sand if you think you are the victim of a cybersecurity event.  You need to have a plan to respond rapidly and protect your business.  This includes internal communication and external communication.  Be sure you have a message that will contain the fallout and not risk damage to your business’s reputation.

Quickly recover normal operations: The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations. Like the response step, recovery requires planning. Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization (not just the IT person or group), including increasing the focus on planning for potential future events.

Be sure the technology is in place to recover quickly and maintain business operations.  This may mean operating in a somewhat reduced state while the full impact is assessed.  You need reliable backups of your systems, proven by actually restoring them, and the ability to bring them online somewhere other than your offices, should the event warrant it.  Be sure you understand the concepts of RPO and RTO: Recovery Point Objective (how much data, measured in time, you can afford to lose) and Recovery Time Objective (how long you can afford to be down).  You may have a Disaster Recovery (DR) plan that addresses this, but do you also have a Business Continuity Plan (BCP) to account for ongoing operations?  You should.
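To make RPO and RTO concrete, here is an added example (not from the post) that checks a backup catalogue against both objectives for a hypothetical incident. The catalogue is constructed, and it is built to show the failure mode that bites in practice: the newest backup exists but has never been test-restored, so the most recent backup you can actually rely on is a day older than you think, and the RPO is missed even though the backup job ran on schedule.

```python
"""Check a backup catalogue against an RPO and an RTO.

Added example, not code from the original post. The catalogue, the
incident time and the objectives are all constructed.
"""
from datetime import datetime, timedelta

# Constructed catalogue: when each backup completed, whether a test restore
# of it succeeded, and how long that test restore took (None if never tested).
BACKUPS = [
    {"name": "nightly-2018-10-14", "completed": datetime(2018, 10, 14, 2, 10),
     "verified": True, "restore_minutes": 150},
    {"name": "nightly-2018-10-15", "completed": datetime(2018, 10, 15, 2, 12),
     "verified": True, "restore_minutes": 155},
    {"name": "nightly-2018-10-16", "completed": datetime(2018, 10, 16, 2, 9),
     "verified": False, "restore_minutes": None},   # ran, but never restored
]


def last_restorable(backups, incident_at):
    """Newest backup completed before the incident whose restore has been verified."""
    usable = [b for b in backups if b["verified"] and b["completed"] <= incident_at]
    return max(usable, key=lambda b: b["completed"]) if usable else None


def assess(backups, incident_at, rpo, rto):
    """Would the RPO and RTO actually be met for an incident at incident_at?"""
    b = last_restorable(backups, incident_at)
    if b is None:
        return {"restorable": False, "backup": None, "data_loss": None,
                "rpo_met": False, "rto_met": False}
    data_loss = incident_at - b["completed"]             # work since the last good backup
    restore_time = timedelta(minutes=b["restore_minutes"])  # measured during the test restore
    return {
        "restorable": True,
        "backup": b["name"],
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "rto_met": restore_time <= rto,
    }


def demo(verify_latest=False):
    """Assess a hypothetical incident at 14:00 on 16 Oct with a 24h RPO and 4h RTO.

    With verify_latest=True the newest backup is treated as test-restored
    (assumed 160 minute restore), which is the only difference between
    missing and meeting the RPO.
    """
    catalogue = [dict(b) for b in BACKUPS]
    if verify_latest:
        catalogue[-1].update(verified=True, restore_minutes=160)
    return assess(catalogue, datetime(2018, 10, 16, 14, 0),
                  rpo=timedelta(hours=24), rto=timedelta(hours=4))


if __name__ == "__main__":
    for label, result in (("as found", demo()), ("after test restore", demo(True))):
        print(label, result["backup"], "loss:", result["data_loss"],
              "RPO met:", result["rpo_met"], "RTO met:", result["rto_met"])
```

Run as found, the check reports 35h48m of data loss against a 24-hour RPO; the same catalogue with the newest backup verified reports 11h51m and passes. The lesson is the one in the paragraph above: a backup counts only once you have restored from it.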

Here are some helpful resources to help you assess these critical areas:

SMB Cybersecurity Awareness Toolkit
CyberSecure My Business
Federal Trade Commission’s Business Center for Privacy and Security
NIST Cybersecurity Framework
Better Business Bureau Cybersecurity

Welcome to Week 3 #CyberAware

This week’s National Cybersecurity Awareness Month theme is “It’s Everyone’s Job to Ensure Online Safety at Work.”  While you’d think this is obvious, it’s still not.

Consider these stats:

  • Verizon’s 2018 Data Breach Investigations Report, a highly respected annual report on the state of cybersecurity, found that 58% of breach victims were small businesses.
  • The average cost of a cyber attack to an SMB was more than $2,235,000.
  • The Better Business Bureau finds that more than half of small businesses would be unprofitable within a month if they permanently lost access to their critical data.
  • Nine out of ten small businesses report having some basic security in place: anti-virus protection, firewalls and employee education.

The first topic for this week is identifying your digital “crown jewels.”  This remains an annual part of National Cybersecurity Awareness Month, as knowing what is important is the first step to protecting it.

Check out the CyberSecure My Business resource page related to “Identify.”

There you will find a wealth of resources to help you identify your most important data and systems.  I encourage you to review all of the resources listed on that page.  I strongly recommend you watch the National Cyber Security Alliance webinar titled “Learn to Identify Key Assets and Data.”

Before you can implement an effective plan to protect your organization, you must take the necessary steps to understand what needs to be protected.  These resources will help you do this efficiently.  Get to it!

Why Careers in Cybersecurity? #CyberAware

As we continue along in Week 2 of National Cybersecurity Awareness Month, the focus is on careers in cybersecurity.  Consider some of these stats:

  • There will be 3.5 million unfilled cybersecurity jobs by 2021.
  • Cybercrime cost victims $3 trillion in 2015 and is predicted to double to $6 trillion annually by 2021!
  • The median salary for an information security analyst was $95,510 in 2017, more than double the median for all U.S. occupations.
  • Most millennials (40%) look to their parents for career advice.  That percentage rises to 57% when talking about cybersecurity careers.
  • Over the last several years, the number of teachers who talk with their students about cybersecurity has tripled.  This is great!

Here’s what you can do, especially if you are a parent:

  1. Volunteer at a school and talk about the growing career options in cybersecurity.  We can’t start too young.  Check out this link for resources you can use to start the discussion.
  2. Check out CyberPatriot and think about mentoring kids in a cybersecurity challenge event.
  3. If you know someone who works in the cybersecurity field, see if you can get them to come and talk with students or host an open house for students at their company.
  4. Educate yourself about cybersecurity careers so you can help spread the message.
  5. Work with your schools and school boards to educate them on the importance of cybersecurity education to help prepare our kids for their future.
  6. Visit CompTIA, the Computing Technology Industry Association and explore the resources related to cybersecurity education and workforce development.

Welcome to Week 2 #CyberAware

Today starts week two of National Cybersecurity Awareness Month.  This week’s theme is “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.”

It’s estimated that there will be more than 3.5 million unfilled cybersecurity jobs by 2021.  Separately, the Bureau of Labor Statistics projects 28% growth in information security analyst jobs over the 10-year period from 2016 to 2026.  It’s not just about coding anymore!

The most important thing we can do to help build our cybersecurity workforce is talk with our kids.  Too much of our public education system is focused on coding as the only IT career path.  To be clear, software development is an important and needed skill, but it’s not the only skill our kids can pursue.  It’s our obligation, as parents and professionals, to educate our kids on all of the IT career options available to them, and cybersecurity is a significant area of growth and need.

There are some excellent resources available at this link to help start these conversations.  Download the tip sheet on that page and share it with your kids and your schools, to help start the discussion.

Veterans make up a significant group of individuals entering the workforce with a strong foundation in cybersecurity.  Hiring veterans for careers in IT is a great way to bring highly qualified and motivated technical professionals into your company.  Many universities now offer degrees in cybersecurity, so for college-age kids, or those pursuing higher education later in life, there are more options now than ever.  If you are a cybersecurity professional, think about becoming a mentor in the workplace or at local schools.

If you know kids that may be interested, have them check out the excellent CyberPatriot site where they can learn more and participate in online learning and competitions.  Together, let’s build the next generation workforce of technical professionals that our country needs.


It’s National Cybersecurity Awareness Month

The following article was published in today’s Foster’s and Seacoast Sunday.

Every October the National Cyber Security Alliance and Department of Homeland Security declare National Cybersecurity Awareness Month. In this age of ever-increasing cyber threats, this is such an important initiative everyone should pay attention to at home and work.

This year is the 15th year for National Cybersecurity Awareness Month. The themes this year are about our shared responsibility for protecting ourselves online. Each week has a specific theme with useful recommendations to help you be more secure. Week 1 is just wrapping up and the theme was “Make Your Home a Haven for Online Safety.” The following are some suggestions for doing this:

Lock down your login: Visit www.lockdownyourlogin.org for recommendations to improve the safety of your logins. Wherever you are able, enable multi-factor authentication (and biometrics where offered) so that your username and password alone are not enough to access your accounts and systems.
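To show what the "second factor" actually is, here is an added example (not code from the article) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP built on RFC 4226 HOTP, written against Python's standard library only. Both the app and the server compute an HMAC over the current 30-second counter using a secret shared at enrolment, so a password captured by a fake login page is useless on its own. The secret in the block is the RFC test-vector secret and is for demonstration only.

```python
"""Time-based one-time passwords (RFC 6238) as a second factor.

Added example, not code from the original article. The secret is the
RFC 4226 / RFC 6238 test-vector secret, used only so the output can be
checked against the published vectors; real secrets are random.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # demo only


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: truncate HMAC(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter set to the number of `step`-second periods since the epoch."""
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server-side check allowing +/- `window` steps of clock drift; constant-time compare."""
    at = int(time.time()) if at is None else int(at)
    for skew in range(-window, window + 1):
        candidate = totp(secret, at + skew * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the secret as base32 (inside the otpauth:// QR code)."""
    return base64.b32decode(text.upper().replace(" ", ""))


if __name__ == "__main__":
    # The phone and the server both derive the same code from secret + clock.
    code = totp(RFC_TEST_SECRET)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code))
```

One caveat a practitioner would add: a TOTP code is still something a person types, so a real-time phishing proxy that relays the code to the genuine site within the 30-second window can defeat it. That is why phishing-resistant factors (FIDO2/WebAuthn security keys, which bind the response to the site's origin) are preferred where the account supports them, and a second factor of any kind is still far better than a password alone.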

Back it up: Back up your important information. Large-capacity external USB hard drives are affordable. At a minimum, back up your data to an external drive and store it outside your home for safekeeping; disconnect the drive once the backup is finished, because ransomware will encrypt any drive that is still attached. Even better, an online cloud backup service can back up your data continuously and store it safely offsite.

Personal information is like money. Value it. Protect it: Be careful with what you share online, especially on social media. You should always safeguard your personal details, not just online, but even over the phone. Be careful what information you share and be absolutely certain of who you are sharing it with.

Keep a clean machine: Always keep computers, mobile phones and tablets up to date and protected with proper security tools. If you no longer need a previously installed software application, remove it. Don’t let it sit there as over time, it may become a risk.

Pay attention to the WiFi router in your home: Change the factory administrator password to something strong and unique, and enable the highest level of wireless encryption the router supports (WPA2 at a minimum, WPA3 where available) with a strong passphrase so unauthorized people cannot connect to your wireless network. Turn off features you don’t use, such as remote administration and WPS. Lastly, keep the router firmware up to date so known vulnerabilities are patched.

Share with care: Those online games that ask how many states you’ve been to, the name of your first pet, the street you grew up on, etc. are harvesting the answers to common account-recovery security questions, and those answers can be used to take over your accounts and steal your identity. Just don’t play them.

Next week’s theme is “Millions of Rewarding Jobs: Educating for a Career in Cybersecurity.” The IT workforce is experiencing a massive shortage of skilled talent. IT careers, especially cybersecurity, are widely available. Encourage schools to expand curriculum beyond coding. We need to get our kids interested in IT careers as our economy continues to evolve to a technology driven engine. We are importing more technical talent than we are developing at home. This is an economic and national security risk. We need a grassroots effort to change the mindset of parents and teachers so kids are exposed to all of the opportunities available to them.

The week of Oct. 15 has the theme “It’s Everyone’s Job to Ensure Online Safety at Work.” No matter where you work or the size of your company, you play a critical role in ensuring your business is safe. All employees need to be aware of your company’s most important data. You handle easily replaced material very differently from material that is expensive or hard to replace. The same should hold true for your digital data. Every person in the company has a responsibility to protect the data they work with, even if it’s as simple as swiping a customer’s credit card on a card reader in a restaurant.

Companies need to have processes to identify potential cybersecurity risks and trigger a response plan should an incident occur. It’s critically important for your teams to know how to detect an event and how to respond. It’s also critically important for your teams to know what they are authorized to do or say in these situations and who needs to be made aware.

The final week has the theme “Safeguarding the Nation’s Critical Infrastructure.” Critical infrastructure encompasses a wide range of industries. Public utilities, the financial system, health care entities and information technology firms make up some of the major components of our nation’s critical infrastructure. These firms must have robust cybersecurity plans and collaborate with many government agencies in real time to ensure the safety of these systems for the good of all.

For more about National Cybersecurity Awareness Month, visit https://staysafeonline.org/ncsam/ and follow the hashtag #CyberAware on social media.

Your Facebook Account May Not Be Hacked

But telling all your Facebook friends not to accept your fake friend requests may actually be helping the hackers, so you may want to think about deleting those posts.

I don’t know about you, but my Facebook feed was inundated with friends warning me not to accept friend requests from them because their account had been hacked and the requests are fake.  While the requests may be fake, the account has probably not been hacked.  Yes, Facebook had a significant security breach recently, with over 50 million accounts potentially impacted.  You may have noticed after that news broke that you were logged out of your Facebook account and had to log back in.  That was Facebook’s response to the breach: the attackers had stolen access tokens, not passwords, so Facebook reset the tokens of the affected accounts (and, as a precaution, of tens of millions more), which forced a fresh login; it did not require a new password.

Here’s the reality of the situation:

  1. Your account may not actually be hacked.  An account does not have to be hacked for someone to copy your profile picture and name, create a new account that pretends to be you, and send out friend requests from it.
  2. Your friends should know if they are already friends with you.  They should not accept a friend request from you if you are already friends.  This is simply common sense.
  3. By posting not to accept friend requests, you may be playing into the hackers’ hands.  They want to disrupt Facebook and clutter feeds to make people frustrated with Facebook.  Don’t help them.
  4. Definitely don’t forward messages on Facebook Messenger.  Those could spread malware without you knowing.  Just ignore and delete the messages.
  5. You should never copy and repost Facebook statuses like this, or others that seem innocent enough.  These often let the hackers know who is vulnerable to their ploys, and they will use this against you, now or in the future.
  6. If you want to know whether your account has actually been duplicated, just search Facebook for your name.  If you see more than one of you, someone is trying to impersonate you.  Follow Facebook’s process to report a fake account.  That’s the best way to deal with these things.

At the end of the day, just use common sense.  Ignore friend requests from people you are already friends with.  Don’t help the hackers out by telling all your friends to ignore those requests, just ignore them and move on.

Wrapping Week 1 of #CyberAware

The last two themes for this week of National Cybersecurity Awareness Month are “Pay Attention to the WiFi Router in Your Home” and “Share With Care.”

You want to be sure that you don’t simply purchase a WiFi router, plug it in, connect and jump online.  Attackers love to find routers that still use the default administrator username and password, or are left open for ease of access, because a router they control sits between you and every site you visit.  It’s one of the simplest and still widely used ways to steal identities.

Be sure you set a strong password for your router and enable the maximum level of wireless encryption, so that the devices connecting to your router are protected and the wireless traffic is encrypted and hidden from prying eyes.

When it comes to sharing information online, do so with care.  The more you share, the more you risk accidentally exposing personal information, or enough details about you for someone to impersonate you.  Less is sometimes more.

Also, think about what you share online as if it were tomorrow’s lead headline in the newspaper.  If you wouldn’t want it there, don’t share it online because that’s exactly where it could wind up, now or in the future.

Visit staysafeonline.org for all the tips on maintaining your online safety.

Keep a Clean Machine #CyberAware

Keep all software on internet-connected devices, including personal computers, smartphones and tablets, current to reduce the risk of infection from ransomware and malware.

  • Keep your mobile phone and apps up to date: Your mobile devices are just as vulnerable as your PC or laptop. Having the most up-to-date security software, web browser, operating system and apps is the best defense against viruses, malware and other online threats.
  • Delete when done: Many of us download apps for specific purposes, such as planning a vacation, and no longer need them afterwards, or we may have previously downloaded apps that are no longer useful or interesting to us. It’s a good security practice to delete all apps you no longer use.