☰ Navigation

1-888-643-2217 Email ABEX
Keeping you updated

Category Archives: Cyber Risk Management

Managing Cyber Security During a Merger or Acquisition

Posted on by

handshake-SDuring a merger or acquisition, insurance policies and finances need to be scrutinized and the future of employees addressed. Cyber security is often put on the back burner, which is unfortunate because this is a time when company data is at its most vulnerable.

Data transfers must proceed without a hitch, or else the companies risk damaging reputation, losing customers and hurting future sales. Additionally, legal responsibilities must be upheld before, during and after the data transfer process.

Use the following checklist to ensure you’ve covered all of your cyber security bases:

  1. Identify all data assets that will need to be transferred.
  2. Gather and merge all data standards, policies and processes from employees at both companies.
  3. Identify potential risks that could occur during data transfer.
  4. Prior to any data transfers, ensure data is backed up.
  5. Run background checks on any employee who will be involved in the data transfer process.
  6. Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will be occurring.
  7. Assign a high-level person the job of overseeing all data transfers. They will have the task of dividing and conquering by assigning one person to each data asset that needs to be transferred.
  8. Legally transfer ownership of data assets as quickly and completely as reasonably possible.
  9. Host training sessions on new data standards, policies and processes.
  10. Update disaster recovery plans, business continuity plans and emergency plans to include newly acquired data assets.
  11. Update the risk profiles for newly acquired assets.

Preparing for Data Transfer

Planning for data transfer should begin as early in the merger or acquisition process as possible. It is wise to assign one person the task of overseeing all data transfers so that there is little room for miscommunication or error. That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer and making sure the data transfer is in compliance with federal or provincial law, but the person in charge should be aware of the current status of all tasks at all times. This person should also manage the implementation of the interim business continuity plan so that daily operations are disturbed as little as possible.

Keep in mind that if the acquired company has already completed portions of the data transfer or consolidation tasks, you should review the work to ensure accuracy.

Consider relocating IT employees from the acquired company early so that they can help with the data transfer and risk identification process, as they will be more familiar with their data and systems. Sufficient time should be mapped out to allow any older data to be converted for use in newer software and programs.

Finally, ensure that your system configuration records are up to date prior to any data transfers or consolidations. This will help isolate any issues that might occur and allow for an effective fix.

Good Practices for Data Transfer

Even if your company is completely prepared for the data transfer, it’s still possible that issues will arise during the process. Here are some good practices your company can utilize to minimize these risks:

  • Try to avoid using any kind of removable media to transfer data from one place to another. If the only method you can use is removable media, then take extreme care to be sure all records are encrypted, especially if they involve personal information.
  • If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
  • Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your system or large, messy mistakes.
  • Consider halting some of your company’s cyber services until all data has been switched over in order to protect the services from being adversely affected by the transfer. Another option would be to run a similar service until data has been transferred.
  • Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions are scary, uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company structure. Update all clearances and access capabilities for employees based on new roles and duties.

Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this time and basic duties and responsibilities should be quickly laid out and assigned to employees before, during and after the transition. Data transfer is not just about preventing and managing a compromise or interruption to services; you also need to keep your customers’ and stakeholders’ needs in mind, and take their concerns into consideration. Most importantly, ensure your new and existing clients know that you’re keeping their data safe.

 

 

© Zywave, Inc. All rights reserved.

Spear Phishing: Targeted Cyber Crime

Posted on by

The word password hooked by fishing hook“Phishing,” a type of cyber attack in which a hacker disguises him- or herself as a trusted source online in order to acquire sensitive information, is a common scam that can put employees and businesses at risk. However, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. And, when attacks contain personal information, they are much more difficult to identify as malicious.

For businesses, the potential risk of spear phishing is monumental. The 2015 Internet Security Threat Report released by Symantec Corporation, a company that specializes in security software, states that, globally, 5 out of every 6 large employers were targeted in spear phishing attacks in 2014, and that there was an average of 73 spear phishing email attacks per day.

How to Protect Your Business

Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to your business. For example:

  • Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone. When in a Web browser, you can ensure a website is secure when you see a lock icon in the URL bar, or when an “s” is present in the “https” of a URL. The “s” stands for “secure” at the end of the normal “http”.
  • Some spear phishing schemes use telephone numbers, so be sure to never share information over the phone unless you initiate the call to a trusted number.
  • Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
  • Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
  • Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.

Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.

 

© Zywave, Inc. All rights reserved.

How Hackers Can Control Your Car

Posted on by

CYBER CRIMEFiat Chrysler Automobiles is recalling 1.4 million vehicles—not for a manufacturing flaw or a faulty part, but for a vulnerability to hacking. The company deemed the recall necessary after two software programmers demonstrated how easy it was to remotely tamper with a Jeep Cherokee’s radio, air conditioning, dashboard display, windshield wipers, brakes and transmission.

This hack is an example of what the security industry calls a zero-day exploit—a vulnerability in a piece of software that the vendor is unaware of. In the case of Fiat, hackers, through wireless access gained via the Internet, sent commands through the vehicle’s entertainment system, taking control of any number of vehicle functions. This could, in theory, be performed from a laptop across the country.

But this type of vulnerability isn’t limited to Fiat vehicles, as most auto companies produce models that are susceptible to breaches. Industry leaders like General Motors, Ford and Toyota are atop a long list of auto makers believed to be the most susceptible to hacking.

As vehicles become increasingly connected, the risk of hacking becomes more apparent and no longer limited to select models. By 2022, an estimated 82.5 million automobiles worldwide will be connected to the Internet.

Since the hack, Fiat has taken strides to prevent remote manipulation by distributing USB drives to vehicle owners that they may use to upgrade vehicle software and deter hackers—but that may not be enough. While automakers are aware of cyber risks and are even taking steps to prevent attacks, experts say that the auto industry is far behind when it comes to cyber security and that current solutions aren’t yet strong enough to thwart hackers.

 

 

© Zywave, Inc. All rights reserved.

Mobile Device Cyber Security

Posted on by

Cell phone wallpapers3Because of their convenience, smartphones and tablet devices have become a universal presence in the modern business world. As usage soars, it becomes increasingly important to take steps to protect your company from mobile threats, both new and old.

The need for proper phone security is no different from the need for a well-protected computer network. According to the computer security software company McAfee, cyber attacks on mobile devices increased by almost 600 per cent from 2011 to 2012—and experts expect that number to continue to increase.

Gone are the days when the most sensitive information on an employee’s phone was contact names and phone numbers. Now a smartphone or tablet can be used to gain access to anything from emails to stored passwords to proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a traditional computer system.

Lost or Stolen Devices

Because of their size and the nature of their use, mobile devices are particularly susceptible to being lost or stolen. According to a 2012 study by the Ponemon Institute, nearly 40 per cent of organizations experienced a data breach as a result of a lost or stolen mobile device. Since most devices automatically store passwords in their memory to keep users logged in to email and other applications, gaining physical possession of the device is one of the easiest ways for unauthorized users to access private information.

To prevent someone from accessing information on a lost or stolen device, the phone or tablet should be locked with a password or PIN. The password should be time sensitive, automatically locking the phone out after a short period of inactivity. Most devices come with such security features built in. Depending on your mobile provider, there are also services that allow you to remotely erase or lock down a device if it is lost or stolen. Similarly, it is possible to program a mobile device to erase all of its stored data after a certain number of login failures.

Malicious Attacks

Mobile devices are just as susceptible to malware and viruses as computers, yet many businesses don’t consider instituting the same type of safeguards. Less than 20 per cent of mobile devices have anti-virus software installed, which is practically an invitation to thieves or hackers to pillage whatever information they want from an unprotected device. Furthermore, it doesn’t matter what operating system the devices have, whether it be Android, Apple’s iOS, Blackberry or Windows Mobile—all are vulnerable to attacks.

As reliance on these devices continues to grow, so will their attractiveness as potential targets. Third-party applications (apps) are especially threatening as a way for malware to install itself onto a device. These apps can purchase and install additional apps onto the phone without the user’s permission. Employees should never install unauthorized apps to their company devices. Apps should only be installed directly from trusted sources.

Hackers can use “ransomware” to restrict a user’s access to their device’s data, contacts, etc., and then demand a ransom to get it back. Even if the user pays the ransom, there is no guarantee that he or she will get the data back. Employees should know to never pay the ransom if this type of software finds its way onto a company device.

A big difference between mobile devices and laptops and other computers is the ability to accept open Wi-Fi and Bluetooth signals without the user knowing. Hackers can take advantage of this by luring devices to accept connections to a nearby malicious device. Once the device is connected, the hacker can steal information at will. To prevent this, make sure all mobile devices are set to reject open connections without user permission.

Preventive Measures

While the current mobile device security landscape may seem lacking, there are plenty of ways to be proactive about keeping company devices safe from threats.

Establish a Mobile Device Policy

  • Before issuing mobile phones or tablets to your employees, establish a device usage policy. Provide clear rules about what constitutes acceptable use as well as what actions will be taken if employees violate the policy. It is important that employees understand the security risks inherent to mobile device use and how they can mitigate those risks. Well informed, responsible users are your first line of defence against cyber attacks.

Establish a Bring Your Own Device (BYOD) Policy

If you allow employees to use their personal devices for company business, make sure you have a formal BYOD policy in place. Your BYOD security plan should also include the following:

  • Installing remote wiping software on any personal device used to store or access company data.
  • Educating and training employees on how to safeguard company data when they access it from their own devices.
  • Informing employees about the exact protocol they must follow if their device is lost or stolen.

Keep the devices updated with the most current software and anti-virus programs.

Software updates to mobile devices often include patches for various security holes, so it’s best practice to install the updates as soon as they’re available.

There are many options to choose from when it comes to anti-virus software for mobile devices, so it comes down to preference. Some are free to use, while others charge a monthly or annual fee and often come with better support. In addition to anti-virus support, many of these programs will monitor SMS, MMS and call logs for suspicious activity and use blacklists to prevent users from installing known malware to the device.

 

Back up device content regularly.

Just like your computer data should be backed up regularly, so should the data on your company’s mobile devices. If a device is lost or stolen, you’ll have peace of mind knowing your valuable data is safe.

Choose passwords carefully.

The average Internet user has about 25 accounts to maintain and an average of six-and-a-half different passwords to protect them, according to a recent Microsoft study. This lack of security awareness is what hackers count on to steal data. Use the following tips to ensure your mobile device passwords are easy to remember and hard to guess:

  • Require employees to change the device’s login password every 90 days.
  • Passwords should be at least eight characters long and include uppercase letters and special characters, such as asterisks, ampersands and pound signs.
  • Don’t use names of spouses, children or pets in the password. A hacker can spend just a couple minutes on a social media site to figure out this information.

 

© Zywave, Inc. All rights reserved.

 

 

Cyber Liability: Protect Your Email

Posted on by

Spam EmailEmail is a critical part of everyday business, from internal management to direct customer support. The benefits associated with email as a primary business tool far outweigh the negatives. However, businesses must be mindful that a successful email platform starts with basic principles of email security to ensure the privacy and protection of customer and business information.

Set up a spam email filter.

It has been-well documented that spam, phishing attempts, and otherwise unsolicited and unwelcome email accounts for more than 60 per cent of all email that an individual or business receives. Email is the primary method for spreading viruses and malware. Consider using email-filtering services that your email service, hosting provider or other cloud providers offer. A local email filter application is also an important component of a solid anti-virus strategy. Ensure that automatic updates are enabled on your email application, email filter and anti-virus programs. Additionally, ensure that filters are reviewed regularly so that important email and/or domains are not blocked in error.

Protect sensitive information sent via email.

With its proliferation as a primary tool to communicate internally and externally, business email often includes sensitive information. Whether it is company information that could harm your business or regulated data such as personal health information (PHI) or personally identifiable information (PII), it is important to ensure that such information is only sent and accessed by those who are entitled to see it.

Email is not designed to be secure, so incidents of misaddressing or other common accidental forwarding can lead to data leakage. If your business handles this type of information, you should consider whether such information should be sent via email, or at least consider using email encryption. Encryption is the process of converting data into unreadable format to prevent disclosure to unauthorized personnel. Only individuals or organizations with access to the encryption key can read the information. Other cloud services offer secure Web-enabled drop boxes that allow secure data transfer for sensitive information, which is often a better approach to transmission between companies or customers.

Implement a sensible email retention policy.

It’s important to manage the email that resides on your company messaging systems and your users’ computers. You should document how you will handle email retention, and you should also implement basic controls to ensure information is retained for the necessary period. Many industries have specific rules that dictate how long emails can or should be retained, but the basic rule of thumb is only as long as it supports your business efforts. Many companies implement a 60- to 90-day retention standard if not compelled by law to use another retention period.

To ensure compliance, consider mandatory archiving at a chosen retention cycle end date and automatic, permanent email removal after another set point, such as 180 to 360 days in archives. In addition, discourage the use of personal folders on employee computers (most often configurable from the email system level), as this will make it more difficult to manage company standards.

Develop an email usage policy.

Policies are important for setting expectations for your employees or users, and for developing standards to ensure adherence to your published polices.

Your policies should be easy to read, understand, define and enforce. Key areas to address include what the company email system should and should not be used for, and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use.

Depending on your business and jurisdiction, you may have a need for email monitoring. The rights of the business and the user should be documented in the policy. The policy should be part of your general end user awareness training and reviewed for updates on a yearly basis.

Train your employees in responsible email usage.

The last line of defence for all of your cyber risk efforts lies with the employees who use email and their responsible and appropriate use and management of the information under their control. Technology alone cannot make a business secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work and when to seek professional assistance. Employee awareness training is available in many forms, including printed media, videos and online training.

Consider requiring security awareness training for all new employees and offering refresher courses every year. You can provide monthly newsletters, urgent bulletins when new viruses are detected and even posters in common areas to remind your employees of key security and privacy do’s and don’ts.

 

© Zywave, Inc. All rights reserved.

Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.

ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook
Connect with us on LinkedIn

CONNECT WITH US ON LINKEDIN