Another Uber Data Breach – It’s Never The Crime, It’s The Cover-up

In 2016, Uber suffered a data breach that exposed the personal information (names, email addresses, and phone numbers) of 57 million users. In the same breach, some 600,000 driver’s license numbers of Uber drivers were exposed.

So, What Was The Response?
The Federal government and state governments have laws protecting data privacy. Most of them require rapid reporting of data breaches to both the governments and the individuals whose data was exposed. Instead of following the laws, Uber decided to bury the bodies. With a careless indifference toward the rules and regulations that Uber has shown previously, the company got caught in a most unusual manner this time.
In this data breach, hackers first proved to Uber that they had stolen their data, then they demanded $100,000 not to reveal it. That’s a new twist for cyber-thieves.
How Did The Hackers Get The Data?
GitHub is a site where programmers and systems architects publish code and other information, both to store it privately and to show it off to others. The hackers got into the private side of GitHub and obtained user credentials of the Uber development team. Once they had those, they had free run of Uber’s systems.
What Did Uber Do?
Rather than reporting the breach as required, Uber’s Chief of Security paid the bounty of $100,000, got the hackers to sign a non-disclosure agreement, and disguised the $100,000 payout as a bug bounty on Uber’s internal records. The affected individuals were not contacted. The whole incident was covered up, or so Uber hoped.
Uber was already under investigation by the Federal Trade Commission (FTC) for failure to protect consumer information. In the course of that investigation, the 2016 hack was uncovered. The first settlement where Uber confessed to failing to protect customer and driver information was dated August 2017.
Then in November, Uber’s new CEO disclosed the massive breach. At that time, Uber had agreed to pay reparations to exposed individuals and various states to the tune of $148 million. One state attorney general called Uber’s behavior “Just inexcusable.”
Uber agreed to follow relevant laws in the future and hired outside counsel and an outside data firm to assess its security practices and safety measures. The results of those efforts have not been disclosed.
It was also learned that Uber paid the hackers to delete their copy of the data. That potentially violates a law that forbids companies from destroying any evidence in cases of cybercrime. Uber eventually fired their chief of security and several others.
It is the nature of the beast that Uber could not, in fact, confirm that the hackers had deleted every copy of the data. They could have, for example, made another copy and sold it on the Dark Web. Cyber thieves are not known for their honesty. So, Uber’s efforts to conceal the breach and repair the damages may have been overshadowed from the start.
What Are The Lessons We Can All Learn From This?
Ever since the resignation of Richard Nixon in 1974, the phrase, “It’s not the crime, it’s the cover-up” has been well-known and understood.
The home décor and cooking guru Martha Stewart was convicted and imprisoned, not for a stock transaction that was, in fact, legal, but for lying to the FBI about it. Aside from their general legal and public relations futility, cover-ups usually do not succeed. Somebody leaks, or (as happened in this case), law enforcement stumbles across the cover-up while investigating something else.
When an incident like this happens, companies need to proceed on the assumption that the cover-up will be, at best, a temporary patch on a continuing problem.
What else can be learned from this?
Another lesson is that things that are supposed to remain private may not. The hackers were able to penetrate a supposedly private area of GitHub. In addition, the database they stole was on a third-party server, not one directly managed by Uber.
Even though the credentials stolen from GitHub were valid for the third-party server, had something like two-factor authentication been in place, the hackers would not have been able to access the server even though they had the proper credentials. There is more than enough blame to go around here. And, of course, the data on the third-party server was not encrypted.
Funding Hackers Is Not A Good Idea
In addition to everything else that was wrong in Uber’s response, the company wound up, in effect, rewarding the hackers with additional funding, enabling them to hack even more victims. Cybersecurity experts agree that funding hackers, no matter how desperate the situation seems, is never a good idea.
Uber’s response here can be compared to the similar reactions of Experian, a credit reporting agency, to a hack of its database that exposed the data of several hundred million users. First, it concealed the breach, then it denied it ever happened, then Experian confessed that it did happen. Finally, they tried to monetize the breach by creating and advertising several “security” products to consumers.
Every move was deceptive and demonstrated just how little Experian cared about the privacy of its users. The lesson from Uber and Experian for the general business community is simple: “Don’t handle breaches the way we handled ours.”

6 Reasons Why Companies Are Moving Away from BYOD

Last year, Markets and Markets Research released a report that revealed that 50% of companies were considering the use of BYOD (bring your own device) policies. IT departments were tasked with developing a policy that allowed employees to use their personal devices without endangering security, but things seem to have changed. More and more companies are moving toward company-owned devices – but why?

Costs
Most people think it would be cheaper for a company to have employees bring their own devices, but there are some hidden costs involved. One, of course, is the loss of productivity which we’ll discuss more in a moment. Given that BYOD devices can raise the probability of an organization suffering a cyber attack, there are also costs that can be traced directly to the fallout of a data breach. The potential cost of a data breach can easily be calculated using a tool like this one from IBM.
Productivity Issues
When employees bring their own smartphones, tablets, and other devices to work, those devices are going to be a distraction. The temptation for employees to check out social media sites such as Facebook and Instagram or to play games on their phone during working hours is even worse if they are already using their personal device for work-related tasks. While being forced to use a company-owned device isn’t going to eliminate this problem, it will at least reduce the temptation to waste company time. It will also discourage the use of electronic devices to access inappropriate material while at work.
Bad Habits
Employees who are accustomed to using their own phone to access company email are, by force of habit, going to be less likely to be cautious about opening phishing emails or files that could contain malware. If an employee isn’t in the habit of carefully checking out emails before they open them for their personal email on their device, they aren’t suddenly going to become careful about company email they open on the same device. Employees are likely to be more careful with a company-owned device, in part because they don’t want to be blamed for putting the company at risk.
Remote Wiping of Personal Devices
If a device is stolen, there is an extremely high probability that sensitive data will be on that device. One solution that many IT departments depend on for dealing with device theft or breach is a remote wipe. While this is an excellent idea for devices that belong to the company, employees will not like the threat of having their personal device remotely wiped without warning. The loss of personal information such as contacts, pictures, and messages could not only anger the employee involved but lead to potential lawsuits.
Too Much Reliance on Non-IT Employees
When employees are allowed to use their own devices, there is a major shift in responsibility. In most cases, it is simply not possible for IT to ensure that every employee device has the right security measures in place and that they are updated on a regular basis. When employees fail to do this and a breach happens, IT will most likely receive the blame. IT should not be held accountable for risks they cannot reasonably control. Company devices in the hands of those who truly understand cyber dangers are safer as long as they have access to the tools needed to minimize cyber risks.
Cybersecurity Threats
In 2016, researchers discovered that 56% of respondents felt that BYOD was one of the biggest threats to endpoint security for their organization. Another study indicated that 20% of organizations had experienced a breach related to BYOD, which doesn’t bode well for its continued use. One of the major reasons behind companies moving away from BYOD policies is undoubtedly the threat of cyber attacks. A company may have the most bullet-proof BYOD policy possible, but if it cannot be enforced or if employees can find ways to work around compliance, then those BYOD devices become a major threat.
Conclusion
There are pros and cons to both the BYOD approach and the company-owned device approach. Quite a few companies are easing off on their BYOD policies, implementing partial BYOD or eliminating it completely. Reasons behind this change include:

Costs
Employee productivity issues
Employee bad habits
Physical theft of devices
Reliance on non-IT personnel to avoid security threats
Increases in cyber threats as more employee-owned devices are put into use

Add all of these issues to the fact that employees may be annoyed at having to supply their own equipment for work and it is easy to see why many organizations have realized that BYOD is not a good fit for them. Whether the widespread implementation of BYOD continues to grow as predicted remains to be seen.

Digital Transformation: Is Your Business Ready?

“Digital transformation” is a term likely circulating around IT departments everywhere. The vast majority of businesses today, no matter how big or small, will likely need to further digitalize their operations in order to keep up with competitive markets and an ever-growing list of digital trends.

There are endless components associated with digital transformation. Late last year, tech company MuleSoft conducted their annual Connectivity benchmark for 2018, which surveyed more than 600 ITDMs (Information Technology Decision Makers) across a variety of industries. The results shed light on the importance of digital transformation, the issues that stand in the way of these transformations, and what ITDMs believe to be the future of IT.
According to the survey, the stakes are high. The vast majority of ITDMs surveyed admitted their business’s revenue would be negatively impacted if digital transformation didn’t take place, and soon. Companies simply can’t afford to let their IT operations fall to the wayside.
Digitalizing your business operations is no easy task. Creating an online portal or creating new online processes doesn’t mean you’ve digitalized. You’ve got to have clear goals before you begin this undertaking. More often than not, the top goal of businesses is to streamline their operations to run more efficiently.
Analyzing The Data
The vast majority of ITDMs understand the importance of upgrading their digital enterprises, with only 3% of organizations surveyed revealing they had no intentions of a digital revamp. In fact, approximately three quarters (74%) of those surveyed said they were currently undergoing digital transformation initiatives. Another 23% revealed plans to do so over the next three years.
Establishing Clear Goals
Digital transformations are futile without an end goal. Therefore, in order for ITDMs to effectively transform their digital operations, they need to know both what is at stake and in which ways they’d like a revamp to serve the organization.
Of ITDMs surveyed, more than 83% cited increasing IT’s operational efficiency among their top priorities. Other areas of high importance include improving business efficiency, and introducing new products and faster services. Digital transformations can help enhance a number of aspects of your company, rendering them vital in today’s business landscape.
The MuleSoft survey revealed that ITDMs intend to focus on a few specific initiatives to achieve their IT goals. These include modernizing their legacy apps, integrating SaaS apps and investing in mobile apps. Other areas of focus include migrating apps to the cloud and establishing an e-commerce platform.
Enhancing The Customer Experience
One other major goal for businesses undergoing digital transformation is to improve the customer experience by connecting customer-facing systems. The vast majority, 92% of ITDMs, revealed that forging a connected experience for both customers and employees is a priority for their respective organizations. As of December 2017, only 39% of those surveyed revealed their organizations offered a completely connected user experience. These figures are in line with a previous MuleSoft survey, which found that over half of consumers believe they are receiving a disconnected experience when dealing with businesses like retailers, banks, insurers, and other public services.
Common Roadblocks
IT departments face a number of issues that hinder the potential for successful digital transformation. In addition to time constraints, there are other factors at play, such as misalignment between business and IT, problems within legacy infrastructure and systems, and a lack of resources and budget.
For today’s businesses, there is often a disconnect between what IT professionals must do, versus what their departments can realistically handle. While it’s commonly the responsibility of IT to implement development projects and focus on innovation, much of their workload involves helping the business run. In fact, the survey data shows that 63% of IT departments’ time is spent on business operations, rather than exploring new ways to drive profits through technology.
Integration Issues
Of all the roadblocks between IT departments and their goals, integration seems to be the largest barrier. Nearly 90% of ITDMs revealed challenges with integration, with 81% saying point-to-point integration creates the biggest headaches. Not only is this an issue for efficiency, but it presents financial repercussions, with organizations spending almost one-quarter of their yearly IT budgets on integration.
The Benefits Of APIs
It’s common knowledge in IT circles that APIs make life easier for developers. They’re also critical for success in today’s digital landscape. Not only do APIs expand a business’s capabilities, but they also make it easier for employees to consume data in a simple, standardized way. According to MuleSoft’s Connectivity survey, organizations have both increased IT self-service and decreased their operational costs by leveraging APIs. And the results can be seen in revenue, as well. More than 35% of ITDMs surveyed through the Connectivity survey revealed that more than one-fourth of their revenue was the result of APIs.
Digital transformations are a fact of life for many businesses today, and if they’re not yet, they soon will be. From managing operations to improving customer and employee experiences, digital transformations are just one way businesses are further embracing the power of the internet age.

How To Ensure A Secure Home Network

Most homeowners and renters understand the importance of home security. In fact, in today’s world, it’s not uncommon for homeowners to spend hundreds or even thousands of dollars on home protection. But while securing your belongings is considered good common sense, homeowners don’t as often consider the concept of data security. This is understandable, but in reality, it’s just as important to ensure that your data is protected as well.

Unbeknownst to many, your home’s security system and its surrounding technology may even leave you susceptible to a data breach. These have the potential to wreak havoc from a personal data standpoint. Paying close attention to the technology you are using to protect your home can help you avoid the ever-growing risk of a cyber breach.
Here are a few things homeowners can do to keep their networks protected.
Strengthen Your Wireless Security
Securing your wireless router is paramount to effective data security. Your wireless networking security will depend heavily on the health of your router.
One useful tip?
Don’t leave your Wi-Fi on unless it’s necessary. This means that if you and your family are planning a long trip, don’t forget to turn your network off.
Other precautions include disabling your Wi-Fi Protected Setup, or WPS. The WPS is intended to make it easier for those within your household to join the central Wi-Fi network. However, it can also be used by hackers to gain unauthorized access.
Configuring your Wi-Fi’s signal strength is also important. Casting too wide of a net can leave you susceptible to outside hackers. As a security measure, configure it so Wi-Fi is only accessible to those within your home’s area. You can also disable your network’s remote management, and be on the lookout for any unknown devices or connections showing up on your network.
Update Your Software
Keeping your security systems up-to-date is important in ensuring nothing falls through the cracks. Applying updates and patches ensures you are running the most recent technology available for your device.
Your work doesn’t stop at updates, though. Installing an anti-virus solution built to detect, prevent and clear your system of viruses ensures a strong line of defense against hacking. While antivirus solutions won’t protect your system from, say, zero-day exploits, they can be helpful in preventing malware from entering your devices.
Install A Network Firewall
Firewalls are extremely useful in maintaining the security of your systems. This type of solution blocks unauthorized users from acquiring access to your private data. Installing a firewall is a solid step toward keeping your data safe. These can be installed via software, hardware or a unique combination of both.
Back Up Your Data
Computer users understand the frustration that comes with a hardware failure. In the event that this happens to you, it’s best to be prepared. Keeping a solid backup solution will give you peace of mind in the event of an accident. Test your backups thoroughly and regularly by creating dummy files and deleting them, or scheduling a day to unplug and determine how long it takes to get your system up and running. All this can help you form a legit plan of action to help you recover from a hardware failure.
Maintain Strong Encryption
Configuring your router improperly can pave the way for a data breach. You should use the strongest possible encryption methods for your device. Options you may see in your router’s settings include Wi-Fi Protected Access 2 (WPA2), Temporal Key Integrity Protocol (TKIP), and Advanced Encryption Standard (AES). Where the router lets you choose, WPA2 with AES is the stronger setting; TKIP is an older protocol kept for compatibility with legacy devices.
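An added example (not from the original article): a Python check that reads Wi-Fi scan output for your own network and flags the router settings this article warns about, namely WPS still advertised, TKIP accepted, or no WPA2 at all. The scan text is a constructed sample laid out like `iw dev wlan0 scan` output; the network names and addresses are made up, and the function names are this example's own.

```python
import re

# Constructed sample, trimmed to the fields used here and laid out like the
# output of `iw dev wlan0 scan` (assumption: your tool prints this layout).
SAMPLE_SCAN = (
    "BSS 02:00:00:aa:bb:01(on wlan0)\n"
    "\tSSID: home-main\n"
    "\tRSN:\t * Version: 1\n"
    "\t\t * Group cipher: CCMP\n"
    "\t\t * Pairwise ciphers: CCMP\n"
    "\t\t * Authentication suites: PSK\n"
    "BSS 02:00:00:aa:bb:02(on wlan0)\n"
    "\tSSID: home-legacy\n"
    "\tWPA:\t * Version: 1\n"
    "\t\t * Group cipher: TKIP\n"
    "\t\t * Pairwise ciphers: TKIP\n"
    "\t\t * Authentication suites: PSK\n"
    "\tWPS:\t * Version: 1.0\n"
    "\t\t * Wi-Fi Protected Setup State: 2 (Configured)\n"
    "BSS 02:00:00:aa:bb:03(on wlan0)\n"
    "\tSSID: home-guest\n"
    "\tcapability: ESS (0x0401)\n"
)

SECURITY_ELEMENTS = ("RSN", "WPA", "WPS")  # RSN is the WPA2 element


def parse_scan(text):
    """Split scan output into one dict per access point (BSS block)."""
    networks, current, section = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", line)
        if m:  # a new access point starts here
            current = {"bssid": m.group(1), "ssid": "", "sections": {}}
            networks.append(current)
            section = None
            continue
        if current is None:
            continue
        m = re.match(r"\t(\w+):\s*(.*)", line)  # element header, one tab deep
        if m:
            name, rest = m.groups()
            if name == "SSID":
                current["ssid"] = rest
            if name not in SECURITY_ELEMENTS:
                section = None
                continue
            section = current["sections"].setdefault(name, {})
            line = rest  # the first attribute shares the header line
        if section is not None:
            m = re.match(r"\s*\* ([^:]+):\s*(.*)", line)
            if m:
                section[m.group(1)] = m.group(2)
    return networks


def audit(network):
    """Return plain-language findings for one access point."""
    sections, findings = network["sections"], []
    if "WPS" in sections:
        findings.append("WPS is advertised; disable Wi-Fi Protected Setup")
    if "RSN" not in sections and "WPA" not in sections:
        findings.append("no WPA/WPA2 protection; network is open or WEP")
    elif "RSN" not in sections:
        findings.append("original WPA only; switch the router to WPA2")
    ciphers = set()
    for element in ("RSN", "WPA"):
        for key in ("Pairwise ciphers", "Group cipher"):
            ciphers.update(sections.get(element, {}).get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP is accepted; select AES (CCMP) only")
    return findings


def audit_scan(text):
    """Map each SSID in the scan to its list of findings."""
    return {n["ssid"]: audit(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for ssid, findings in audit_scan(SAMPLE_SCAN).items():
        print(ssid, "->", findings or ["no findings"])
```
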
Here are some tips to help you create a strong line of defense against a breach.
Update Your Router Password
It can be tempting to begin using a new router fresh out of the box, but be cautious. While your router has a set password, it may be easy to guess, or worse, printed right on the router itself. Changing your router’s password to something safe and known only by you is necessary if you’re hoping for optimal protection. The same goes for your network name. While these typically come standard, you’ll want to change yours, though be careful not to include personal information such as your last name or address.
There are some things you can do to ensure a strong password. First, avoid using the same one for all of your accounts. If your password is stolen from one site, all other accounts for which you use it may be put at risk. You also shouldn’t share passwords with anyone or divulge them to anyone.
Approach Email With Caution
You may have taken all the necessary precautions to keep your home network secure from hackers, but often it’s not the technology that’s to blame for a breach. While it’s true that cyber criminals take advantage of unencrypted data, an inadequate firewall or out-of-date software, they also frequently target individual users. E-mail, for instance, is one of the most frequently used platforms by hackers. And while these attacks can hit suddenly and without warning, there are still things you can do to protect yourself.
If you receive an e-mail from someone you don’t know, don’t answer right away. Always first verify the person’s identity before responding. If you suspect an email from an organization may contain malware, first contact the company directly before replying. One giveaway is a misspelling in the URL of a malicious website. Also be sure to never share personal or financial information via e-mail or telephone.
Don’t leave your data security up to chance. All of these steps combined can help you form a solid plan for preventing a cyber breach.

Implementing Data Security For Your Small Business

Today’s small business owners are tasked with managing operations, employees and a wide range of things pertaining to the modern day business. It’s no surprise, then, that amid the hustle and bustle, some areas of importance are thrown to the wayside. Cybersecurity is often one of them.

According to studies, the majority of small business owners don’t believe their businesses are at risk of a cyber attack. This mindset is dangerous for business owners because they will not be prepared for a cyber-attack. In the event of an attack, it can wreak havoc on a small business that hasn’t yet armed itself with proper security protocols.
According to the Ponemon Institute, cyber-attacks cost small and medium-sized businesses an average of $2,235,000 in 2017. In order for small businesses to form a strong line of defense against cyber attacks, they’ll first need to evaluate their risk, and what’s at stake. Here are a few things small businesses should consider when preparing to amp up their data security.
Securing Your Data
Implementing solid data security for your business is a complex task that requires manpower. And although it can present quite the conundrum for small business owners, it’s something that, according to the FCC, must be done.
First, you’ll need to evaluate your current system. Which data do you actually need? While keeping customer data is important, it’s just as important to only ask for customer information that will actually be utilized. For instance, don’t ask for a social security number if you don’t need it.
The same notion applies for how long to keep this data. Don’t store your customers’ data longer than needed. The longer you keep it, the longer you are liable in the case of a data breach. And if you don’t have a retention policy in place, it’s time to implement one. Don’t forget that hand-in-hand with a retention policy is a process for how to delete the data. Do keep this in mind.
Strengthening Your Passwords
Implementing a strong password policy can make all the difference in keeping your data protected. Complex, unique passwords are paramount to data security, but how can you be sure those you’re using are really up to par?
You may want to look to the NIST for a list of digital identity guidelines that can help clarify what you should and shouldn’t be doing when setting new passwords. From two-factor authentication to the inclusion of symbols and capital letters, there are plenty of ways to strengthen your passwords to minimize the risk of an attack.
Establishing Network Segmentation
While, yes, one of the main goals of a small business should be to have a reliable network set up for operations, there’s a lot more to be done to ensure adequate data security. If your office frequently has customers traveling through your space, it’s best to implement a separate network that will prevent access to your data by just anyone. Doing this both minimizes the impact on your employees’ network and keeps internal data safe.
Don’t Ignore Updates
A constant bombardment of update notifications is annoying, and can even hinder productivity. And although it’s tempting to ignore these and push on with your work, updates are important in keeping your systems working properly. This is why it’s so important to stop ignoring them. In fact, small businesses should adopt a policy for updates and scheduled maintenance to ensure things aren’t falling through the cracks. A service provider can help you keep all your devices in line with the most current standards, and ensure updates are carried out accurately and within the proper timeframe.
Training For Success
If your business is one that employs mobile workers, data security becomes a bit more complicated. You’ll need to ensure these mobile workers’ devices are as secure as those within your office. Keep in mind that deleting company information in the event of a lost or stolen device is crucial.
A company may have the very best security in place to protect their data, but all it takes is one employee incident to destroy the reputation you’ve built. If your company’s salespeople do not require access to secured customer databases, don’t authorize them to use them. Giving access to crucial data only when it’s needed can help you minimize the chance of a cyber-attack.
You may be doing a fantastic job at training your employees for proper data security, but human error will always be an issue. This is not something you can prevent entirely, but you can teach your employees what to look out for. You can also help them understand the negative consequences associated with data breaches and the true impact of failing to be alert.
Data security for your small business is definitely not something you want to ignore. As an entrepreneur, you are likely both excited and wary of what’s to come. Don’t let a data breach put an end to your empire before it starts.