by Felicien | Nov 30, 2018 | Education
How Marriott Got Caught In A 500-Million Person Data Breach
Were You Affected? (Your Questions Answered)
What Do We Need To Know About The Marriott Breach?
Another big corporation got hooked. This time it was Marriott International. They just revealed that their Starwood reservations database of 500 million customers was hacked and that the personal information of up to 327 million guests was stolen. And, this has been going on since 2014!
How Did This Happen?
On September 8, 2018, Marriott was alerted about an attempt to access the Starwood guest reservation database.
They contacted leading security experts to help them determine what occurred. Marriott said that the hacker copied, encrypted and removed their customers’ data.
On November 19, 2018, Marriott was able to decrypt the data and learned that it was from the Starwood guest reservation database.
Marriott acknowledged that the encryption security keys for this data may have fallen into the hands of hackers. This allowed them to access the massive amount of data. Secure systems lock up data and should store the encryption keys in a location that’s separate from the confidential information.
Some good questions to ask here are:
“How did the criminals get Marriott’s encryption keys?
“Why did it take so long for Marriott to reveal the breach?” They learned about it in September which is over two months ago.
And, this was a 4-year long breach! “Why didn’t Marriott know that their customers’ data was being stolen over this long period?”
Maybe we’ll find out the answers to these questions, and perhaps not. What’s for sure is that you are on your own when it comes to protecting your confidential data.
How Do I Know If My Data Was Stolen?
If you are a Starwood Preferred Guest member and your data was stored in the Starwood property’s database (which includes Sheraton, Westin and St. Regis hotels, among others) you need to be on alert.
As mentioned, this data breach goes all the way back to 2014 and includes names, passport numbers, email addresses and payment information for approximately 327 million travelers – a “big catch” for any hacker. Even your date of birth, gender, reservation dates and communication preferences may be included in the breach.
Should I Contact Marriott?
Marriott set up a website and call center for customers who were impacted by the data breach. Email notifications are also being rolled out.
Marriott is also offering affected customers the option to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert if your personal information is found. If you live in the U.S., you’ll also be offered fraud consulting services
What Else Should I Do?
If your data was stolen, you should observe for incidents of identity theft. Also, watch for phishing emails where hackers try to impersonate someone you trust to take information or money from you.
Arrange For Security Awareness Training For Your Employees
If your business data was involved, make sure that you arrange for Security Awareness Training for your employees to train them to recognize phishing attempts. This includes:
Baseline Testing to assess the Phish-prone percentage of your employees through a free simulated phishing attack.
Training For Your Users with content that includes interactive modules, videos, games, posters, and newsletters.
Simulated Phishing Attacks that utilize best-in-class, fully automated, simulated phishing attacks, thousands of templates with unlimited usage, and community phishing templates.
Reports with statistics and graphs for both training and phishing for your management to review.
Whether your business was involved in the breach or not, Security Awareness Training for your employees is always a good idea. Another good idea is to sign up for Dark Web Scanning Services.
Get Dark Web Scanning For Your Confidential Business Data
The Dark Web is a secret internet society that’s only accessible to a select group of criminals. Criminals use it to take stolen data (like the Marriott/Starwood customer information) and dump it on the black market for sale. Dark Web Scanning is a sophisticated monitoring solution that helps businesses of any size detect cyber threats that expose their stolen business accounts, email addresses, payment information, and other confidential data that’s on the Dark Web. It also does this in real time and detects any of your compromised credentials or information before criminals can use it for profit or other crimes.
Don’t Count On The Marriott’s Of The World To Protect Your Business Data – You Must Do This Yourself
Contact us for information about Data Protection, Security Awareness Training and Dark Web Scanning.
We have a Suite of IT Security Solutions to help you keep your business data secure.
by Felicien | Nov 30, 2018 | Education
No industry is exempt from data breaches that lead to widespread fraud. However, the healthcare industry faces unique challenges since it is not always easy to determine the impact of the breach on patients as well as the healthcare organizations that serve them. The problem starts with isolating where the hack originated in the first place. With so many organizations having access to patient demographic and insurance data, this can be the most time-consuming aspect of the entire fraud investigation process.
Healthcare: A Unique Form of Identity Theft
Most patients are aware that their healthcare provider and their insurance company have access to their personal medical data. Providers need the information to diagnose and treat the patient while insurers require it to pay the patient’s claims. What many fail to realize is that a large number of third-party organizations could have access to the data as well. Pharmacies, medical equipment providers, home healthcare organizations, and supplemental insurance providers are just some examples of companies with access to patient data.
The problem in healthcare is that a cybercriminal intent on stealing the medical data of another person can piece it together from a variety of sources that the victim of identity theft does not even know to exist. Some in the healthcare IT industry refer to this as synthetic identity theft. By taking small pieces of information obtained from a healthcare report and combining it with information stolen elsewhere, hackers can easily scam the healthcare system. In fact, the problem is so widespread that millions of cases of fraud take place every quarter.
What Healthcare Providers Can Do
No healthcare administrators like to admit that a security breach took place on their watch. It may look to them like hackers gained access to private patient data and then did not use it. Unfortunately, that is rarely the case. Healthcare fraud differs from financial fraud because most criminals go on to use stolen credit, debit, and other banking information right away. With healthcare fraud, they need more time to piece together a forged identity before they start inflicting real damage. The CEOs of healthcare organizations are often too quick to claim that no one used the stolen information in a nefarious manner.
Obviously, it is better for healthcare IT departments to be proactive rather than reactive. This starts with knowing every location of a patient’s healthcare data. For example, a single patient could have an electronic medical record, a paper medical record, new test results not yet transferred to the medical record, and old information stored in boxes or machines that have not been used in years. To prevent medical fraud, healthcare providers must make it a priority to know the locations of all data about a patient and take adequate steps to protect it.
Sometimes health organizations are unaware a breach has taken place until a patient complains that someone used their information to obtain numerous prescriptions or to commit insurance fraud. Once alerted to it, they need to take immediate action to stop the current fraud and prevent it from happening again. This includes taking measures such as strong encryption with medical records and guarded access to paper records.
Besides a lack of inventory, part of the problem is the current patchwork approach to healthcare privacy laws. Organizations should push the federal and state governments to create uniform standards for improved patient protection.
How to Help Patients Protect Personal Health Data
Healthcare providers must work hard to gain patients’ trust in the current climate. One way they can facilitate this relationship is to provide patients with reminders about safeguarding their own information. Here are some typical examples:
Request a new medical card with a different identification number if the original has been lost or stolen
Submit a police report after the theft of a wallet or purse
Report any information on the explanation of benefits forms that appears suspicious such as services the patient does not remember receiving
Check medical records at least once a year to ensure accuracy
Always have the most current copy of medical records available
Providers should also consider publishing an annual notice to members outlining their privacy policy and the steps they take to prevent theft of patient data. Holding open meetings and taking questions from patients is another way to assure them that the organization is serious about protecting them from identity theft in a healthcare setting.
by Felicien | Nov 30, 2018 | Education
In Part 1 and Part 2 of the 2019 Cyber Security planning series, we looked at the evolution of technology and the future of cybersecurity defense systems. There has been a steady evolution of defense options to curtail the rising efforts to commit cybercrimes. In this segment, we look at emerging and enhanced threats moving forward.
Four Primary Cyber Security Risk Areas For 2019
Cybersecurity preparedness relies on year-over-year planning and strategic implementation. That means corporate decision-makers must cull together key staff members who include IT support team leaders, department heads and primary stakeholders. Determined preparation for 2019 relies on a rich, interdepartmental understanding of company goals, system needs and actionable knowledge of cybersecurity policy and protocols.
Knowledge equals power in the cybersecurity sector and arming employees with information about how and why measures are taken to protect vital information remains job one. That being said these rank among the biggest anticipated threats facing companies in 2019.
Ransomware Expected To Thrive In 2019
Cybercriminals have steadily made a shift away from direct systems hacks and are more inclined to plant encrypted files that take over a company’s data and require payment to send a code to unlock them. The FBI reportedly claims that upwards of 4,000 ransomware attacks are carried out every day. That figure is expected to escalate in the coming years.
Most ransomware attacks are conducted by prompting a user to inadvertently click on a malicious link or website that results in infection. Although only a fraction of ransomware incursions are reported, cybercriminals generally ask for $200 to $3,000 in bitcoin payments to send a cure. These are some of the ways an IT support team can mitigate ransomware attacks.
Incident Plan: Create an actionable ransomware protocol that employees can initiate in the event of an infection.
Critical Backup: Allow for multiple backup iterations of data in secure system locations.
Anti-Virus: Maintain cutting-edge preventative antivirus programs and conduct timely system scans.
Restrict Internet: Ransomware attacks commonly occur by employees visiting unsecured sites and opening spam emails. Each workstation requires appropriate restrictions.
Third-Party Risk Heightens In 2019
Consider for a moment that more than half of all breaches are initiated through third-parties, often vendors. Organizations generally have hundreds of business partners on a variety of levels. Many of these enjoy daily engagement through electronics and direct links to an outfit’s systems. From ordering products to pay invoices to basic communication, there could be thousands of points of contact between your servers and third-parties.
Moving forward, hackers will be increasingly targeting vulnerable systems to steal sensitive information to sell or ransom. Companies that do not secure their data at a high level can act as a backdoor into other servers. Once today’s hacker has infiltrated one of your vendors, they can email ransomware and other infections programs undetected. Cyber theft efforts are more likely to be successful because employees open vendor communications with confidence. These are some of the key steps organizations may want to consider for 2019.
Personnel Changes: Work with business partners to communicate staff turnover and take cybersecurity measures to prevent technology access after departure.
IT Glitches: Monitor systems appropriately and avoid support gaps.
Share Responsibility: Develop an agreed upon cybersecurity policy and protocol with vendors and other third-parties to minimize potential cross-company breaches.
Terminate BYOD Policies In 2019
We are all well aware of the headlines regarding high-ranking government officials using personal devices. In many instances, the federal government considers using a personal electronic device for work purposes a direct and discernable security threat. Despite that glaring warning, the number of companies that allow employees to Bring Your Own Device (BYOD) has grown exponentially in the last few years.
The convenience of a values staff member having tangible connectivity 24-7 seems to outweigh any risk. In the past, this policy may not have brought about a negative result. But cybercriminals are well aware that an employee Smartphone is now a doorway into a company’s system.
What makes BYOD even more problematic moving forward is that an average of 22 percent of workers misplaces their electronic device. Compounding that misstep, only about 35 percent use a password or PIN to secure it. This vulnerability does not even account for purposeful theft of a staff member’s device. Businesses would be wise to change course on the BYOD practice in 2019 by taking the following steps.
Stop: End the practice of BYOD entirely.
Company Only Devices: Issue secured company devices that are maintained by the IT support team.
Common Cyber Security Threats Expected To Increase In 2019
Cybersecurity breaches have proven to be costly for companies and organizations in every sector. The loss of time, productivity, and damage to reputation are exponentially expensive. Many of the seemingly low-level nuisances are expected to become high-level threats in the coming years. Decision-makers would do well to address these issues with the same determination as others in 2019.
Flawed Software: Glitchy programs are emerging as a gaping hole for hackers to infiltrate otherwise secure systems. It’s imperative that all applications are patches and updated accordingly. Outdated programs should be promptly removed.
Phishing: A reported 76 percent of all businesses are the target of phishing ploys at some point. It’s imperative outfits train employees to recognize and alert the IT support team when suspicious emails are received. Phishing scams are expected to become more sophisticated moving forward.
Update Passwords: The lack of complex passwords has lured hackers to attempt to breach systems through staff logins. It’s crucial to plan routine password changes at set times during 2019. Company systems should also require passwords to include at least one number and one symbol.
Cornerstones Of 2019 Cyber Security Planning
It takes strong cyber Security planning to minimize the growing threats to innovation, productivity, and profitability. With hackers using every conceivable means to gain access to critical data, it’s easy to lose sight of the forest through the trees. In terms of planning cybersecurity in 2019, an organization’s leadership team would be wise to consider their efforts under these four foundational ideas.
Deter Threats: Consider a 2019 cybersecurity plan in term of its potential success at avoiding data and systems breaches. Ask the simple question: How does this policy or protocol make hacking more difficult?
Protection: When implementing a 2019 cybersecurity plan, it should serve to insulate systems, infrastructure, components and data from intrusion. Does the plan effectively achieve these goals?
Detection: Thwarting a data or systems breach often begins by recognizing the imminent threat. Each facet of the cybersecurity plan should include measures of detection.
Adaptability: Each year, companies across the world take strategic measures to stop cybercriminals from negatively impacting their organization. Each year, hackers counter IT support strategies to commit crimes. A well-conceived cybersecurity action plan should include ongoing oversight, articulate new and emerging threats and have the agility to withstand them and make necessary changes.
It’s essential for an organization to understand cybersecurity as a process. Cybercriminals are continually looking for creative ways to steal valuable data, and industry leaders are tasked with ongoing cybersecurity planning.
by Felicien | Nov 29, 2018 | Education
The integration of the Microsoft (MS) digital ink function and digital pen provides companies with a way to improve collaboration, increase out-the-box creativity, and drive innovation. Have you given thought on how your organization can create better cooperation among your different work teams essential for driving new product development, opening up new markets, or managing workflow? If you have, you need to invest some time and effort learning how digital ink can be of assistance to your company.
About Microsoft Digital Ink
Microsoft digital ink allows a digital pen accessory to write on the surface of a pen-enabled device. These include laptops, notepads, notebooks, and Windows-based handheld devices. This capability allows the creator to share notes, capture your thoughts, and your ideas in real-time. This benefit is of great importance when your team members find themselves limited by space or the ability to use a fully attached keyboard.
You have the need to put together elaborate sales presentations in MS-PowerPoint or jot down quickly a sales quote for a potential customer in MS-Excel. The use of digital ink allows your workers to do this in less time then it takes to format a slide or complete a spreadsheet. It takes their handwritten notes and scribbles and converts them into a presentation that gets attention.
How Digital Ink Creates Collaboration
Imagine a massive project of yours that requires the input of stakeholders from different teams within your company. Accounting for financial projections, engineering for logistical support, and business planning for managing the project’s timetable, all of these disciplines need the ability to communicate with each other to keep the project on time and within budget.
You can take the traditional route of calling time-consuming meetings that require members of the project team to sit in the same room, away from their other duties and responsibilities. Or you can install Microsoft digital pen and allow input and updates come into the project from all over without the need for lengthy meetings or huddles that take time and people resources away from their jobs, reducing their productivity and increasing your costs.
Is Microsoft Digital Ink Easy to Use?
The digital ink application is both intuitive and easy to use. It is a simple plug-and-play application that requires nothing more than the digital pen itself as the peripheral device and a machine that is digital pen enabled. Your end-users will remark at how easy it is to simply draw, doodle, write, and express their ideas in any application using digital ink, and share that information between their colleagues.
The Bottom Line
The bottom line for you and your business is this: your competitors, especially younger entrepreneurs and competitors, are already employing next-generation technology. They are doing so as a way to gain market share and increase their competitive advantage.
You need to up your technology game to hold on to your customers, maintain relevancy, and attract the type of workforce that will grow your business. With so much riding on you and the decisions you make, Microsoft digital pen is a straightforward solution for you to consider and implement company-wide.
You can not afford to stay stuck in old practices in favor of new tools that make life easier for your teams. The investment you make in digital ink will pay huge dividends in the future, regarding better deployment of your people resources and greater freedom to innovate.
by Felicien | Nov 29, 2018 | Education
Guide To Ensure Your Cloud Data Is Properly Backed Up
Cloud storage is a relatively new technology that provides access to data on multiple devices any time and anywhere. Many businesses turning to cloud storage to boost the productivity of their employees. While cloud storage is both convenient and secure, it is not infallible. Therefore, it is important that you take the time to ensure your cloud data is properly backed up. Whether you’re running Google Apps or Office 365, this guide will help you make sure you’re properly securing and backing up the data you have stored on the cloud.
How to Back Up Office 365 Data
To back up your data on Office 365, you need to specify the backup settings in a new profile or in an already existing profile. This profile should have Cloud Apps enabled. Once you’ve done this, inSync will begin backing up the user data in Office 365 according to the backup schedule you specified in the profile. In your profile, you can specify how many times in a day or week inSync should perform automatic backups.
The inSync cloud administrator is also able to back up Office 365 data at any time when needed. The procedure for performing an unscheduled backup of data on Office 365 is as follows:
Go to the menu bar for the inSync Management Console and click Availability > Backup. The Backup Overview page will appear.
Go to the All Data Sources tab and click on the Office 365 device you want to back up.
Click on the button Backup Now.
inSync will then begin the backup of the device you selected. There are multiple pages where you an view the details of the backup. You can see the backup details on the inSync Management Console, the inSync mobile app, and the inSync Client.
How to Backup Google Apps Data
If your organization uses Gmail, Docs, Spreadsheets, and Calendar, chances are you have a lot of important information stored on Google’s servers. Unless you take the time to back up your Google Apps data locally, your organization will be in major trouble if Google loses your data or denies you access to it for whatever reason. Therefore, it is essential that you back up your Google-hosted data on a regular basis.
Unfortunately, it is not as easy to back up data on Google Apps. There are many third-party apps available for backing up data on Google Apps. For example, you can use POP access with a desktop email client to back up the Gmail accounts of your employees. Thunderbird is an example of a third-party application that you can use to back up Gmail accounts. You can use Google Docs Download scripts to back up your documents and spreadsheets on Google’s servers locally.
Backups are essential even if you’re storing your data on the cloud. For more information about how to ensure your cloud data is properly backed up, don’t hesitate to contact us.
by Felicien | Nov 28, 2018 | Education
California’s recently passed privacy law, coming on the heels of similar regulations issued by the European Union, makes it imperative that businesses have clear policies and procedures for collecting, storing and using personal information.
The California Consumer Privacy Act (CCPA), passed in May 2018, is a far-reaching law that covers not only the data itself but also how businesses manage relationships with consumers and third parties. It is similar to but more stringent than, the EU’s General Data Protection Regulation (GDPR), also enacted in 2018.
What Businesses Does the CCPA Affect?
The CCPA applies to any business or non-profit organization (or entity that controls or is controlled by such a business and shares branding) that meets one of the following criteria:
Exceeds $25 million in annual gross revenue
Has personal information on 50,000 or more consumers, devices or households
Earns more than half its annual revenue by selling personal information to a third party
How Is ‘Personal Information’ Defined?
The CCPA takes a broad approach to personal information, including some data that are not typically included in such definitions. Under the act, personal information includes:
Account name
Unique identifier, including cookies
IP address
Email address
Commercial information, such as property records
Biometric data
Internet activity, including browsing history, search history and interactions with websites, ads or applications
Professional and employment-related information
.A provision also covers inferences that could be drawn from any of the other information to create consumer profiles. The law does not include publicly available information.
What Rights Do Consumers Have Under the CCPA?
Consumer rights under the CCPA include:
Data Access. Consumers can request in which categories a company has collected information, the categories of sources of that information and the specific information itself. Businesses also need to divulge the purpose of obtaining or selling personal information. Companies receiving a request must promptly deliver said information via email or mail free of charge. Businesses are required to share information no more than twice annually.
Deletion. If requested, businesses must delete any information the firm has collected and order its service providers to do the same. Data need not be removed in some instances, such as to complete a transaction, detect fraud or use for reasonable internal purposes.
Data Transactions. Businesses must reveal the categories of information sold to a third party and how those match up with the third parties’ information categories.
Opting Out. Consumers can opt out of selling their information to third parties. Those that sell information to third parties must notify consumers and provide them an opportunity to opt out. If a consumer is under 16, the business must receive affirmative consent (e.g., opting in) from the consumer or, if under 13, a parent or guardian.
Non-Discrimination. Businesses may not discriminate against a consumer who exercises these rights, including refusing to sell goods or services, charging different prices or delivering a different quality of products or services.
Does the CCPA Address Data Breaches?
In the event of a data breach, the CCPA provides consumers with a private right of action. That means consumers can pursue statutory damages and injunctive relief if data is accessed or stolen by an unauthorized party. It also allows consumers to take action if the business failed to maintain reasonable security measures.
What Other Obligations Do Businesses Have?
Businesses must post California-specific privacy rights on websites. Those sites must also disclose how consumers can request information and the categories of personal information collected or sold in the previous 12 months. There must also be a conspicuous link titled ‘Do Not Sell My Personal Information.’
Businesses must train employees on the act and consumers’ privacy rights.
How Is the CCPA Different from the GDPR?
The European Union adopted the General Data Protection Regulation that applies to nearly all companies that collect private consumer data on EU citizens. It requires companies to comply with robust data security and management protocols.
While the compliance categories are nearly the same as those under the CCPA, the guidelines are not as well defined, and enforcement is weaker. Unlike the CCPA, the GDPR applies to small and large companies and will likely evolve over time.
What Should My Business Do to Address GDPR and CCPA?
What can your company do to comply with these acts? Here are a few tips:
Create an internal privacy team, responsible for developing and reviewing privacy policies and managing consumer requests
Develop a consumer information policy and processes that include how data is collected, categorized, stored and accessed. Consider deleting private consumer data that is not needed for the business relationship.
Update your website with the required notices, links, and policies that are updated annually.
Evaluate data security, including security policies, backups, encryption and access.
