Category Archives: Clinton Henry

Hacking People: Why Your Biggest Vulnerability Isn’t In Your IT Department

By Clinton Henry

Last week, Chris stopped off at his local coffee shop to have a chai before heading off to a trade show to deliver a keynote speech. As he sat at his usual spot near the counter, a heated discussion ensued next to him regarding the third quarter of 2017. In the middle of the morning’s caffeinated hustle and bustle, a marketing meeting was in progress.

He knew it was a marketing meeting because the three employees left the screens on their computers open to “Marketing Plans.” Much to his amazement, they abandoned the table and were apparently in line—as well as online. They left two smartphones and a couple of memory sticks out in the open, plain as a Pumpkin Spiced Latte.

Nobody can say when, but there is a strong possibility that this company will eventually experience a breach. Moreover, it is highly unlikely that anyone within the business or IT has taken a serious look at how its users operate in order to protect it from this sort of exposure.

The biggest risk of any organization being hacked is neither the firewall nor the server. It is another problem altogether: social engineering. Social engineering is the manipulation of employees into handing cyber thieves sensitive corporate or client information, or the access needed to reach it, usually without realizing what they have done (an employee acting out of malice is a separate, if related, insider problem). The problem with most businesses and IT departments is that while they may be eager to invest in cybersecurity measures for their organization, they often neglect to invest in shielding the most common attack surface motivated hackers use to gain access: employees.

Let’s review some of the socially engineered pitfalls that occur all too often:

Public Wi-Fi: Public Wi-Fi is to your computer network as Kryptonite is to Superman or garlic is to a vampire. Unless everything you send is encrypted end to end (an HTTPS site or, better, your company’s VPN), never conduct any business from an unsecured Wi-Fi hotspot.

Public Places: In the space of two seconds, it would have been possible for a thief to take screen shots of the third quarter plan with a smartphone or to swipe the smartphones and stick drives or even one of the laptops. Any document, especially any document with links to your organization, is all a cyber thief needs to get going. Never leave documents unattended.

Ever hear of visual trespass? It is the practice of someone in a public space looking over your shoulder to read your computer screen. Here’s an apt example: Alison, the head of tax and audit for a publicly traded company, was traveling and noticed a stranger trying to observe her computer screen in an airport while she was working on her corporation’s soon-to-be-public 10-K filing. While the stranger may merely have been rude (and not a cyber thief), the person working on those financials in an airport was misguided and careless.

Moreover, public conversations that should be held in private can undo a company quite easily. Recently, the same Chris from earlier was in O’Hare airport while a gentleman next to him was on the phone with a colleague who needed access to a file. The helpful companion, within earshot of Chris, decided it was a good idea to read his coworker his personal password so he could open the file. If Chris were an opportunist, he could simply have struck up a conversation with the unsuspecting traveler later and traded business cards, which would have given him the man’s name and company, and with them his username, to go with the password. The businessman would have been none the wiser.

Phishing: Remember those emails we once received from Nigeria, Lithuania, or Romania that named us as the heirs to great fortunes? All they needed to secure the millions owed to us was a credit card number. People fell for it in droves. Then there were fake job postings that asked us for background information. The postings looked legitimate and we fell for that too. We gave them what they asked for.

Phishing has not gone away. It has become so sophisticated that we believe it comes from our bosses, a supplier, or a nonprofit we might support. The links in the email typically lead to malware that can infect the entire network and grab important files, or to a look-alike login page that simply collects your password. Don’t fall for it. When in doubt, always verify, and do it through a channel you already trust (call the sender on a number you know, or type the site’s address yourself) rather than through anything in the message. An interesting fact: Millennials are more prone to falling for phishing than older employees. Over-familiarity with and blind trust of technology can be a dangerous thing.
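The "always verify" advice above comes down to one mechanical habit: look at where a link really goes, not at what it says. The following is an added example, not code from the article or its author, showing the checks a mail gateway or a careful user applies to the anchors in an HTML message: the visible text names one site while the href points to another, a trusted brand appears only as a subdomain of someone else’s domain, the link is plain HTTP, or it points at a bare IP address. The trusted domains, the sample e-mail, and the `.example` hostnames are all constructed for the demonstration; the registrable-domain helper is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Domains the organisation actually uses. Anything that merely *looks* like them is suspect.
# Assumed example domains, not from the original article.
TRUSTED_DOMAINS = {"yourbank.example", "yourcompany.example"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup,
    adequate for the .example / .com style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _displayed_host(text):
    """If the anchor's visible text looks like a URL or bare hostname, return that host."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "https://" + text).hostname


def check_link(text, href):
    """Return the reasons this link looks like phishing; an empty list means nothing was found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return [f"unusual scheme {parts.scheme!r}"]
    if parts.scheme == "http":
        reasons.append("not HTTPS")
    if _is_ip_literal(host):
        reasons.append("points at a bare IP address")
    shown = _displayed_host(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"displayed {shown} but links to {host}")
    for trusted in TRUSTED_DOMAINS:
        # The brand's name buried as a *subdomain* of someone else's domain.
        if trusted in host and registrable_domain(host) != trusted:
            reasons.append(f"{trusted!r} embedded in untrusted domain {host}")
    return reasons


def suspicious_links(html):
    """All anchors in the message that trip at least one check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        reasons = check_link(text, href)
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample message for the demonstration, not a real phishing e-mail.
SAMPLE_EMAIL = """
<p>Dear Client, your account will be suspended unless you confirm your details.</p>
<p><a href="http://yourbank.example.login-verify.example/auth">https://www.yourbank.example/secure</a></p>
<p><a href="https://www.yourbank.example/help">Help centre</a></p>
<p><a href="https://203.0.113.7/update">Click here</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}\n   " + "\n   ".join(reasons))
```

The first and third links in the sample are flagged (the first on three counts, the third for its IP-literal host); the genuine help-centre link passes. A real deployment would replace `registrable_domain` with a public-suffix list and add homoglyph and punycode checks, but the display-text-versus-href comparison is the one that catches most hand-crafted lures.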

Vindictiveness: Remember that angry employee who was terminated? What precautions were taken to make sure that he or she was immediately shut out of the network: accounts disabled, VPN and email access revoked, badges and devices collected, all on the day of departure? Terminated employees can sometimes be vindictive. Have a plan and protect your data so the recently fired sales executive can’t walk to your competitor with your latest leads or biggest accounts.

Vendors: Your computer network is only as secure as everyone who has access to it. Many cyber thieves have successfully snuck in through a back door by going through the networks of your vendors. This is a potentially huge problem for any organization with a continuous relationship with suppliers. If your network is secure but your vendors’ cyber security is more like Swiss cheese, their access becomes a hole in your network.

Remember that while internal IT organizations often seek funding for the latest network security equipment or software to beef up cybersecurity, they frequently neglect to engage their users to harden the organization against the social engineering attacks that are commonly used to compromise a company. Failing to offer sufficient training for users leaves the organization vulnerable to a hacker using the company’s own employees against it.

Clinton Henry is one of the world’s leading cyber security and identity theft experts. Known for his engaging keynotes and insightful perspective on business and personal cyber security, Clinton has amassed a loyal following of business and IT executives who look to him for guidance on how to protect their corporate profits and reputation from attack or compromise.


9 Surefire Steps to Lockdown Your Cyber Security

By Clinton Henry

“Dear Client.” That’s how the letter usually begins.

The next few sentences are a little trickier; there is really no good way for someone to hear that their data has been stolen. Unfortunately, getting this letter is becoming an all too common occurrence in business. Businesses lose more than $100 billion a year to cyber-attacks and fraud globally.

While a security breach might be one of the last things on your mind, the most recent Travelers Risk Index report shows that it’s a top concern for your clients, customers, and contractors – “Personal Privacy Loss and Identity Theft” went from barely ranking on their survey a few years ago to being number two, right behind “Financial Security.”

The expectation of cyber security has to be met with the same fervor and drive with which you strive to meet all of your clients’ other expectations.

1) Engage and Educate Employees: It’s important that you create a culture of security within your organization because security is everyone’s responsibility. If you don’t have buy-in from all your team members, you’re exposing your business to unnecessary risk. The majority of attackers gain access to networks via social engineering and the manipulation of a user within an organization, not via command line “hacking” from a dark, Cheetos-filled basement somewhere, as the movies often portray. Why would someone spend days trying to crack your accountant’s password when they can simply call your IT desk pretending to be your accountant and ask him to reset it to something new?

2) Anti-Virus: Having an up to date anti-virus deployed on all of your desktops and servers is vital. An unprotected computer is an easy target for a motivated attacker. Don’t make it easy on them – pay for anti-virus and make sure it’s regularly updated by your IT staff.

3) Password Management: It’s important that you and your employees use strong, long passwords that aren’t easy to guess; length does more for you than contorted character rules. There are now devices you can plug into a computer that will type through the 10,000 most common passwords in about four minutes, and an attacker who has stolen a password database and is cracking it offline works far faster than that. You’d be surprised how many folks with access to critical data have the password of “password,” or if they are feeling clever, “password1” (Did this just guess your password? Go change it!).
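Why the “most common 10,000” matters, and what the defender’s side of it looks like, is easier to see in code than in prose. The following is an added example, not the article’s own material: it runs a dictionary attack over a constructed handful of accounts stored as unsalted SHA-1 (one hash per candidate breaks every user who chose that password), stores the same passwords with a per-user salt and PBKDF2 so that each guess costs hundreds of thousands of iterations per account instead, and applies the registration check that stops “password1” being chosen in the first place. The user list and the short common-password list are constructed stand-ins; the 600,000 iteration count is OWASP’s published figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os
import time

# A small constructed stand-in for the "top 10,000" list the article mentions.
COMMON_PASSWORDS = [
    "123456", "password", "password1", "qwerty", "letmein",
    "Summer2017!", "Password1234", "welcome1",
]

# Constructed sample accounts; "carol" uses a long passphrase not on the list.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "Summer2017!",
    "carol": "correct horse battery staple",
}


def unsalted_sha1(password):
    """The weak scheme: one fast, unsalted hash. Identical passwords hash identically."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored, wordlist):
    """Dictionary attack. Each candidate is hashed once and checked against *every* user,
    so the cost does not grow with the number of accounts."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256


def pbkdf2_record(password, salt=None):
    """The stronger scheme: a random per-user salt and a deliberately slow KDF.
    Returns (salt, digest); both are stored, neither is secret."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_pbkdf2(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def password_allowed(password, min_length=12):
    """Registration check: reject short passwords and anything on the common list,
    compared case-insensitively so 'PASSWORD1234' does not slip through."""
    if len(password) < min_length:
        return False, "too short"
    if password.lower() in {w.lower() for w in COMMON_PASSWORDS}:
        return False, "on common-password list"
    return True, "ok"


def guesses_per_second(hash_fn, samples=3):
    """Rough per-guess cost of a hashing scheme, for the comparison in main()."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    print("cracked:", crack_unsalted(stored, COMMON_PASSWORDS))  # alice and bob, never carol
    fast = guesses_per_second(unsalted_sha1)
    slow = guesses_per_second(lambda p: pbkdf2_record(p, b"fixed-salt-demo"))
    print(f"SHA-1: ~{fast:,.0f} guesses/s per core; PBKDF2: ~{slow:,.1f} guesses/s per core")
    for pw in ("password1", "Password1234", "correct horse battery staple"):
        print(repr(pw), "->", password_allowed(pw))
```

Two things to notice when you run it: the unsalted table recovers alice and bob together from a single pass over the wordlist, and the PBKDF2 path is slower per guess by a factor of hundreds of thousands while still costing a legitimate login well under a second. Neither scheme helps against the keystroke-injection gadget the article describes, which is attacking the login prompt, not the database; that is what account lockout and the common-password rejection are for.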

4) Secure Your Networks: Without getting too technical, just know that having a firewall between your corporate network and the Internet is very important. If you don’t, there is very little stopping someone from freely accessing your data.

5) Secure Your Cloud: No matter what cloud provider or service you use, make sure you do your due diligence on their security practices. If they can’t easily and quickly tell you how your data is secured, odds are it isn’t. Also, for any accounts used to access your firm’s data, use strong passwords, turn on multi-factor authentication wherever the provider offers it, and only sign in from a computer you own or trust. If you access your cloud from an infected machine, a hacker can capture your password and use it later without your knowledge.

6) Protect Banking Information: Make sure that all financial data, accounts, and records are kept secure and segregated from the rest of your business’ general shared drives. If financial transactions are conducted electronically, ensure they are done over an encrypted connection and that your employees never email account numbers, credit card information, or sensitive financial documents.

7) Backups: One of the most common types of breaches now being seen is the “ransomware” attack. Instead of stealing data from your organization, these attackers find your critical data and encrypt it (digitally locking you out of it), so that only the person holding the digital “key” can unlock and access it. The hackers then offer the victim the key for a very large fee. If you’re hit with one of these attacks you have two options: pay the fee (with no guarantee that the key you are sold actually works) or restore the locked data from a recent backup. This is why backups are so important. Recently a very large hospital, a police department, and a public school (along with literally thousands of other victims) have been forced to pay tens of thousands of dollars to get their data back. Keep your data backed up and stored separately from your main repository, somewhere the malware cannot reach from the infected network (an offline or write-protected copy), and test that you can actually restore from it; ransomware routinely encrypts any backup it can reach.

8) Physical Security: This one is self-explanatory but you’d be surprised how much client data is left lying around the office. Ensure your partners, trusted employees, and finance team lock away any sensitive documents when they aren’t working with them.

9) Mobile Devices: While they are a convenience and increase the productivity of the staff, mobile devices mean that your clients’ sensitive data can potentially walk out your firm’s door without you ever knowing it. Make sure that all mobile devices used to access corporate data require a passcode (your email server can enforce this requirement), and if you have employees who use laptops, encrypt the drives of those machines. Most modern operating systems have full-disk encryption built in (you just have to enable the feature), and it’s foolish not to leverage it. If an employee accidentally leaves a laptop on a plane or in the back of a taxi, the data on it stays unreadable to whoever picks it up, provided the machine was locked or powered off and the passphrase is a strong one.

Your business, your brand, and your bottom line depend on the trust you develop with your clients. Handling the items listed above will go a long way in protecting all three.
