
Category Archives: Cyber Risk Management

Preventing Social Engineering Attacks

Reliable security systems can prevent losses for your business. While many businesses invest large sums of money into building sound physical structures and robust IT systems or even hiring on-site security guards, they often overlook the biggest security vulnerability—people.

No matter how dependable security systems might be, people with authorized access to those systems will always be a vulnerability. That’s why criminals have begun employing a series of tactics called “social engineering” to convince people to give them access—something that costs companies billions each year, and is completely preventable.

What is social engineering?

Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. In order to do so, social engineering relies upon a set of tactics that exploit psychological weaknesses and blind spots in order to convince victims to give social engineers what they want.

That’s what can be so dangerous about social engineering—criminals can use psychological blind spots to have employees willingly give unauthorized parties access, information or property. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor, or even an on-site visit from a “fire inspector” who demands access to the company’s server room.

Psychological Weaknesses

There are a number of different types of attacks, but social engineers almost always prey upon the following psychological weaknesses in order to get what they want:

  • Fear of conflict. People dislike conflict and confrontation and will use almost any excuse to avoid them. Social engineers exploit this by exuding confidence when they ask for information or physical access that they have no right to. When social engineers display confidence, most people prefer to comply with requests rather than challenge them.
  • Getting a deal. Confidence artists have always relied upon the greed of their victims; social engineers exploit a similar principle. These criminals have often been known to use gifts and giveaways to get victims to let down their guard. Sometimes, the giveaway itself will be used to masquerade a piece of malicious code that the unsuspecting victim then uploads to his or her computer.
  • Sympathy. Sometimes, social engineers employ a softer tactic, using charisma and humor to gain sympathy or to ingratiate themselves to an individual or group. By establishing rapport and breeding positive feelings, victims are too distracted to realize that they’re being scammed.
  • Need for closure. The need for closure is a well-documented psychological need, and one which social engineers exploit. In the event that they are ever questioned or confronted, social engineers who’ve done their homework will have an answer to any challenge or question likely to come their way. In most cases, any answer—even if it’s undocumented, unsubstantiated or blatantly untrue—offers people psychological closure, giving them the sense that they’ve done their due diligence.

Preventing Social Engineering Attacks

Educating your employees is essential to minimizing the risk of social engineering. Even the best security system will fail if employees willingly allow unauthorized use of their workstations or email their system credentials to a criminal. In order to make your educational efforts stick, consider employing the following strategies:

  • Encourage your employees to “Stop. Think. Connect.” The “Stop. Think. Connect.” campaign is a global initiative that encourages people to be smarter about online privacy and security. The motto is an easy-to-remember way to approach divulging sensitive information, both in person and online.
  • Make a personal connection. The same principles that make your company vulnerable can make your employees vulnerable in their personal lives. Show employees how the same practices for security at work will make them more secure in their personal lives as well.
  • Use “social proof” to your advantage. Social engineers will often deploy social proof—evidence of a large number of people or select important people engaging in a behaviour as proof of its validity—in order to gain compliance. Use that to your organization’s advantage by making sure executives and managers make security a top priority as an example for the rest of the company.
  • Train. Getting the information out there is important, but most adult learners retain more information when they receive interactive training. Consider specific social engineering training that encourages questions and incorporates interactive examples that relate directly to your employees’ work activities.
  • Test. Make sure your educational and training efforts work by conducting regular tests. Despite growing awareness of social engineering tactics like phishing, large numbers of people still open emails and click on links that they shouldn’t. Consider conducting an in-house phishing audit to find out just how many employees have taken their security training to heart.

Remain Vigilant

Your employees will always represent a possible vector of attack for criminals, which is why you should always remember the human factor when considering security. Just as your company upgrades systems and installs software patches, so too should you periodically remind your employees of best practices and determine what new tactics social engineers are using to exploit people.


©  Zywave, Inc. All rights reserved.


The Fake President Fraud

The “fake president fraud” is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account. It may be hard to imagine that any of your employees would authorize a wire transfer to an unknown account, but law enforcement officials have seen a marked rise in the occurrence of this scam over the past several years.

What’s especially dangerous about this particular type of fraud is that many companies—even those with both crime and cyber policies—might not be covered unless they have a social engineering fraud endorsement on their crime policy. Read on to better understand how the scam works and what you and your employees can do to mitigate the risks.

Understanding Social Engineering

The scam’s success relies on criminals using something called “social engineering.” Social engineering refers to tactics that exploit common psychological weaknesses and preconceived notions about authority and social relationships to make people engage in certain behaviours. Often, that means exploiting patterns of behaviour that are automatic and subconscious, so that victims might not even realize what they’ve done until after the fact.

Because social engineering relies on exploiting your employees’ assumptions and subconscious thought patterns, it can be hard to recognize unless someone points it out. That’s why the best way to defend your organization is to learn how a scam works and educate your employees about it.

How Does the Fake President Fraud Work?

The fake president fraud may vary in some of its details, but it always contains four major elements.

  1. The “president” makes contact. Someone posing as a high-level executive in the company—often the president, CEO or CFO—will reach out to the target employee. This contact often occurs via email, either from a domain that is deceptively similar to the company’s actual domain, or via a “personal account.”
  2. The “president” asks for a wire transfer. The “president” asks the employee to wire a large sum of money to a foreign bank account. The employee might be told that the money is for a host of seemingly legitimate purposes (recent acquisitions, paying off debts, paying vendors, etc.).
  3. The “president” pressures compliance. At this point, many employees may question the unusual request or the break in typical company protocol. That’s when the “president” deploys psychological pressure on the employee to accept the scenario as genuine and comply with the request. Those pressures can rely on a number of different factors, including the following:
    • Authority: The criminal will emphasize his or her rank to convince the employee. This offers the criminal many options, such as using that authority to intimidate the employee or preying upon the employee’s desires to impress a superior.
    • Time pressure: Criminals will often claim that the transfer is an urgent matter, forcing the employee to ignore typical protocol and eliminate the chance that he or she might disclose the transfer to another party or verify the information before making the transfer.
    • Secrecy: Often deployed in conjunction with time pressure, the “president” may emphasize that this deal must remain secret for strategic or legal reasons. Having the employee “in” on the secret can make him or her feel special and thereby increase the chance that the transfer will go through.
  4. The employee makes the transfer. The employee contacts the bank, and the bank then makes the transfer. Even if it is unusual, the bank will transfer the funds to the account if the employee making the request is authorized to do so.

Why This Scam is NOT Covered by a Cyber Policy

This scam bears similarities to certain cyber scams, like spear phishing. Insofar as both kinds of scams involve sending emails targeted to specific employees, the tactics are similar. However, there are some crucial differences.

Spear phishing targets an employee in order to convince him or her to open an email or click a link, which downloads malicious code onto the employee’s computer and allows the criminal to access the company’s network. With phishing scams, the crime is an unauthorized data breach, and, as such, the exposure would be addressed by a cyber policy.

By contrast, in the fake president fraud, the employee willingly authorizes a wire transfer to the criminal’s bank account. Even though the crime was initiated via email, the fundamental criminal act is fraud, not data breach, and will not be covered by a cyber policy.

Mitigating Risks

There are a number of things companies can do to reduce the risk of falling victim to such a scam. These include the following.

  • Educate Employees. It’s essential that all employees—especially those who are authorized to make wire transfers—are aware of the scam and how it works. Ultimately, this scam works by preying on a number of psychological blind spots, including ignorance. Combat that by making your employees aware of the risk and diligent about company procedure.
  • Demand Adherence to Protocols. Your company should have protocols for authorizing the transfer of funds. Reinforce the importance of adhering to these protocols.
  • Verify Identities. This can be especially important if employees have infrequent contact with C-suite executives or if requests are frequently made remotely. Establish guidelines for independent means of verification if requests fall outside of established protocols or if timelines must be accelerated.
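The four elements above (a lookalike or personal sender domain, a wire request, pressure through authority, urgency and secrecy) and the "Verify Identities" point can be turned into a simple inbound-mail check that the finance mailbox or a mail filter could run before anyone acts on a request. The script below is an added example, not part of the article: the company domain, the executive roster, the keyword lists and the three sample messages are all constructed for illustration, and a real deployment would feed it messages from the mail system rather than string literals.

```python
"""Flag inbound mail that matches the fake president pattern: a sender
domain that looks like ours but is not, an executive's name on an
outside address, a Reply-To pointing elsewhere, and a transfer request
wrapped in urgency or secrecy. Added example; every value below is an
assumption made for illustration."""

import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                        # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}     # assumed CEO entry
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential",
                  "secret", "do not discuss", "between us")
TRANSFER_WORDS = ("wire", "transfer", "payment", "funds")


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw_message):
    """Return the list of indicators found in one RFC 822 message string."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if msg.is_multipart():
        body = " ".join(part.get_payload() for part in msg.walk()
                        if part.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()

    indicators = []
    # Deceptively similar domain: close to ours, but not ours.
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        indicators.append("lookalike_domain")
    # Executive's display name on an address that is not their real one
    # (covers both lookalike domains and "personal account" variants).
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        indicators.append("executive_name_external_address")
    # Replies silently routed somewhere other than the visible sender.
    if reply_domain and reply_domain != domain:
        indicators.append("reply_to_mismatch")
    # A money request combined with the time-pressure or secrecy language.
    if any(w in text for w in TRANSFER_WORDS) and any(w in text for w in PRESSURE_WORDS):
        indicators.append("pressured_transfer_request")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jd.private@mail.example>
To: accounts@example-corp.com
Subject: Urgent wire transfer - confidential

I'm closing an acquisition today and need funds sent before 5pm.
Keep this between us until it is announced.
"""

SAMPLE_PERSONAL = """From: Jane Doe <janedoe1975@mail.example>
To: accounts@example-corp.com
Subject: Need a transfer done immediately

Using my personal account, on the road. Please transfer the funds now,
I'll explain later.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 vendor invoices

Please process the attached invoices through the usual approval workflow.
"""

if __name__ == "__main__":
    for label, sample in [("fraud", SAMPLE_FRAUD), ("personal", SAMPLE_PERSONAL),
                          ("legit", SAMPLE_LEGIT)]:
        print(f"{label}: {analyse(sample) or 'no indicators'}")
```

Any non-empty result is a cue to apply the article's advice: stop, and verify the request through an independent channel (a known phone number, not the contact details in the message) before anything is wired. The keyword lists are deliberately crude; the durable controls are the sender-domain comparison and the rule that an executive's name on an unfamiliar address is never enough on its own.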

Make Sure You’re Covered

Insurance solutions for the fake president fraud are available, but they often come in the form of a specific endorsement on a crime policy.



25 Most Commonly Stolen Passwords

How clever is your password? If it’s on the list below, your password is just as easily stolen as it is remembered. Protect yourself by making sure you’re not using one of the top 25 most commonly stolen passwords of 2015, as determined by IT security firm SplashData.

To create a more secure password, make sure you are not relying only on numbers, and try to avoid simple keyboard patterns. You may also want to avoid easy-to-find information such as birthdays, favourite sports teams and addresses. Attempt to create a password that is eight or more letters long, and avoid using the same password for multiple access points.    

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball
  11. welcome
  12. 1234567890
  13. abc123
  14. 111111
  15. 1qaz2wsx
  16. dragon
  17. master
  18. monkey
  19. letmein
  20. login
  21. princess
  22. qwertyuiop
  23. solo
  24. passw0rd
  25. starwars
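The advice above (not on the list, eight or more characters, not digits only, no simple keyboard pattern) can be checked mechanically, and the keyboard-pattern rule is the one people most often get wrong because "1qaz2wsx" does not look like a pattern until you trace it on the keys. The script below is an added example, not part of the article: it reproduces the 25 entries printed above as its blocklist and treats a keyboard pattern as any four consecutive characters that are adjacent keys along a US QWERTY row or column walk, in either direction. That definition is an assumption of this example.

```python
"""Check a candidate password against the SplashData 2015 list above and
the article's rules: at least 8 characters, not digits only, no simple
keyboard pattern. Added example; the list is the one printed on the page."""

# The 25 entries reproduced from the list above.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
}

MIN_LENGTH = 8  # the article's "eight or more" rule

# Rows of a US QWERTY keyboard, left to right (assumed layout).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _keyboard_sequences():
    """Strings a finger produces walking the keyboard: each row, each row
    backwards, and the column walk (1qaz2wsx3edc...) in both directions."""
    column_walk = "".join(
        row[i] for i in range(10) for row in _ROWS if i < len(row)
    )
    seqs = _ROWS + [column_walk]
    return seqs + [s[::-1] for s in seqs]


_SEQUENCES = _keyboard_sequences()


def contains_keyboard_run(password, run_length=4):
    """True if any run_length consecutive characters of the password are
    adjacent keys on the keyboard (e.g. 'qwer', '1qaz', '4321')."""
    lowered = password.lower()
    for start in range(len(lowered) - run_length + 1):
        window = lowered[start:start + run_length]
        if any(window in seq for seq in _SEQUENCES):
            return True
    return False


def check_password(password):
    """Return the rules the password breaks, in a fixed order. An empty list
    means it clears these checks, which is a floor, not proof of strength."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("short")
    if password.isdigit():
        problems.append("digits_only")
    if contains_keyboard_run(password):
        problems.append("keyboard_pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "1qaz2wsx", "zxcvbnm1", "correct horse battery"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes these checks'}")
```

A real password policy would replace the 25-entry set with a breached-password list of millions of entries and add a check for reused passwords across accounts, which is the last piece of the article's advice and cannot be tested from a single password.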




Estate Planning for Your Digital Assets

Technology has become more pervasive, and it’s become increasingly difficult to avoid having at least some kind of valuable data that has to be managed. Whether it’s important photographs, documents hosted in the Cloud, online banking accounts, or Web-based assets like social media accounts or websites, virtually everyone has some digital assets to track.

That can be a daunting task in its own right, but what happens to those assets if something should happen to you? If you haven’t taken the time to plan for your digital assets, your loved ones could find themselves unable to access your accounts. And, if one of those accounts is compromised by a data breach, hackers could use your online accounts as a “back door” into your bank accounts or other assets.

Estate planning for your digital assets is a crucial part of your overall estate-planning strategy. While it’s always best to consult with a financial planner or legal counsel when considering estate planning, there are some general guidelines everyone should follow when making plans for their digital assets.

Create an Inventory

“Digital assets” can refer to a broad range of things, but in general, it refers to any part of your digital identity that would require your successors’ attention. The first step in planning is making sure that you have an exhaustive, centralized inventory of your assets so that your executor, attorney or trustee knows where to find everything.

  1. Hardware

Begin by making an inventory of your hardware. It may seem obvious, but don’t take this step for granted. Many people use a number of different devices in their day-to-day lives, with important data stored in each of those devices. Remember to create an inventory and make a note of hardware that may be company-owned, and also remember that pieces of old hardware—computers, cellphones, cameras, etc.—may have important data on them.

Tailor your inventory to your needs, but consider some of the following:

  • Computers, laptops and tablets (including username and login information)
  • Cellphones
  • Digital cameras
  • CDs, DVDs, flash drives, SIM cards, external hard drives and other devices that store data

In addition to making a list of the names and locations of all of your hardware, it could be helpful to your successors to map out the file structures of your data. Write out step-by-step instructions so your successors know how to navigate the file system on your hardware in order to access your important information.

  2. Online Assets

Next, consider your online presence in its various forms. Though it may be daunting, consider every site for which you’ve created a user profile and determine whether or not your successors will need to gain access. In doing so, be sure to log website names, URLs, usernames and passwords.

The list will vary, but be especially mindful of websites that store your personal information or banking information. Consider the following:

  • Online banking accounts
  • Shopping sites (e.g., Amazon, the Apple Store, eBay)
  • Social media accounts (e.g., Facebook, Twitter, LinkedIn)
  • Cloud-hosted email accounts (e.g. Gmail, Yahoo, Outlook)
  • Cloud Storage (e.g., Dropbox, Google Drive)
  • Organizational sites and apps (e.g., OmniFocus, Evernote, Pinterest)
  • Subscriptions (e.g., Netflix, Audible, Hulu Plus, HBO Go)

  3. Work

Depending on your job, it might make sense to create a separate inventory for any work-related information that might be among your digital assets. This will vary widely from profession to profession, but as telecommuting becomes more commonplace, it’s an increasingly important consideration. In some cases, it’s a matter of keeping sensitive information secure. In other cases, it’s simply a matter of making sure your successors have access to the work you’ve been doing on projects that they might need to take over. Consider the following:

  • Client files
  • Spreadsheets
  • Online databases or software
  • Project tasks, notes or drafts

Everyone’s digital assets are bound to be different, which is why making an exhaustive inventory is so important.

Provide Access to Your Assets

Once you have an inventory of your digital assets, it’s important to make sure you provide your successors with access. You’ll want to choose someone you can trust to handle sensitive personal and financial information, as well as the task of carrying out your wishes. It could be a trusted advisor, an attorney, or a family member or friend.

Whomever you choose, make sure you keep records naming that person and his or her responsibilities along with the rest of your estate planning information. Just because someone has your hardware or knows your passwords doesn’t mean that he or she is authorized to use them. Certain laws may prohibit others from accessing or using your digital assets, so having proper documentation is essential.

Write Out Instructions

Once you’ve created an inventory of your assets and assigned the appropriate executor or trustee, you’ll want to document your wishes. It may seem tedious, but it’s important to take the time to be detailed. After all, you wouldn’t want someone mistakenly selling or deleting important documents or photographs.

Planning for the Future

Estate planning may conjure unpleasant thoughts about death, but it’s important to plan now so that your wishes can be carried out and your loved ones and colleagues can continue on without undue stress.

It’s also important to make sure you have the people and the resources that you need in order to make sure your wishes are carried out as you’d like.




Young Employees and IT Security

Hiring young employees can bring fresh talent and innovation, giving your company an edge over your competitors. But that edge can quickly be erased, as young workers also bring additional technology risks. According to the 2011 Cisco Connected World Technology Report, a study involving almost 3,000 college students and young professionals under age 30, 70 per cent of young employees frequently ignore their company’s information technology (IT) policies.

Millennials have grown accustomed to sharing everything about their personal lives on Internet sites such as Facebook® and YouTube®. This poses a dilemma for an employer: If young employees don’t safeguard their own personal information, how can you entrust them with your company’s sensitive data? Companies with the need to be Internet-savvy must hire young talent, but are these employees worth the risk?

Eye-opening Statistics

The Cisco report says that 80 per cent of young employees either don’t know about their companies’ IT policies or they think they are outdated. Additionally, 25 per cent of those in the study had been a victim of identity theft before age 30.

Why are young employees negligent about IT security? The study found that some young employees’ attitudes and beliefs towards IT policies include the following:

  • They forget about the policies.
  • They think their bosses aren’t watching.
  • They believe the policies are inconvenient.
  • They think they don’t have time to remember the policies while they’re working.
  • They feel the need to access unauthorized programs to get their job done.
  • They believe security is the IT department’s responsibility, not their own.

Additional Risks to Consider

Young employees can compromise IT security by leaving their computers or other personal devices unattended, increasing the risk that both the equipment and company data could be lost, stolen or misused. Sending work-related emails to personal email accounts and using computers and social networking sites for both work and personal reasons can also compromise IT security. Millennials are more apt to blur the line between using IT for both personal and work-related purposes, which can increase the risk of negligence.

Consider that not only young employees, but all employees can compromise IT security in the following ways:

  • USB flash drives. While these are convenient portable devices for storing information, they make it too easy to take sensitive information out of the office and can be misplaced easily because they are so small.
  • Wi-Fi networks. Whether it’s an employee’s personal Wi-Fi network at home or free Wi-Fi at the local coffee shop, it is important that employees use virtual private network (VPN) and take other security measures when they log in on networks outside of your company.
  • Laptop computers. Lightweight and handy for working remotely, laptops are also susceptible to viruses from improperly-secured Wi-Fi networks.
  • Smartphones. They provide information at your fingertips, but are also another portable way to take sensitive data out of the office.
  • Collaboration websites. Websites, such as a wiki or SharePoint® site, are great tools for employees working together on projects, but it’s critical that only authorized employees are logging in and accessing your company’s projects on these sites.
  • Social media tools. Sites such as Facebook and Twitter™ can benefit your business; however, negligent use, including sharing critical company information, can be a risk.
  • Other communication applications, such as peer-to-peer (P2P), Skype and instant messaging tools. These applications can be vectors for malware and a threat to information security.

Employers shouldn’t necessarily prohibit employees from using technology, as this list includes many tools they need to get the jobs done. It’s important to know the risks and educate young employees to use the technology properly.

Mitigating the Risks

Employers must find the balance between allowing young employees to use social networking websites and portable devices to do their jobs, while at the same time protecting company information. Employers should examine their exposures and consider what level of risk they are willing to accept. Other special considerations for managing young employees and mitigating the risk include:

  • Review your company’s IT policy. If it needs to be updated, ask recent graduates for advice on updating the policy to reflect current changes and trends in IT.
  • Make sure young employees (and all employees) are aware of your company’s IT policy and the consequences if the policy is not followed.
  • Create strong, trusting relationships between young employees and your IT department.
  • Create IT awareness materials so young employees are continually reminded of IT security risks and what they can do to prevent them.
  • Train new young employees on data protection and IT security risks, and provide refresher training for seasoned employees to ensure everyone is aware of the risks and the importance of safeguarding company information.



