Tag Archives: cybersecurity

Don’t Ignore the Human Element in Cybersecurity, Say Professionals
16th January 2018 by Tara Alvey in General

Salt Lake City—Cybersecurity threats have become just a part of doing business. There’s no magical salve or solution that will keep your business 100 percent in the clear from any sort of cybersecurity threat—and those threats are becoming more sophisticated every year. How can you keep your company safe?

One of the first steps is to not ignore the human element. That was part of the advice given at the first Utah Business Cybersecurity and Digital Privacy roundtable, held Thursday morning at Holland and Hart’s downtown Salt Lake City offices. A group of 14 cybersecurity professionals from a wide array of industries—tech, law, education, government and private industry—discussed cybersecurity trends, breach fallout, and what businesses can do to keep themselves as safe as possible.

One common cybersecurity breach begins when an individual computer is compromised, which can then lead to theft of that individual’s username and password for their email login. The stolen login can then be used to send phishing emails to their entire contact list—even with Word document or PDF attachments—infecting any contact who accidentally opens what looks like a legitimate email from a known sender. This can translate into huge losses for a company.

“That’s what we’re seeing very, very frequently, where your CEO or accounts payable individuals in the organizations are exchanging wire transfer information and it’s fraudulent,” said Dean Sapp, CISO at BrainTrace. “Over the course of a long weekend, large amounts of money get wired and approved because companies don’t have very strong dual controls over movement of money, the changing of wiring instructions and bank account information. They’re realizing large losses. If I were to average in the valley, recently, the breaches we’ve responded to are in the neighborhood of $2-300,000. So, significant amounts of money.”

Multi-factor authentication is a process that can keep email accounts safe—a user is only granted access to their accounts after they establish separate pieces of evidence to authenticate their legitimacy. You may enter a password, but you won’t get into your account until your phone dings with a separate code, or until you answer a question only you would have knowledge of, etc. Multi-factor authentication is the first line of defense against simply losing your password (and thus, your entire account) to hackers.

“Rarely are there clients calling us that have had a breach that have deployed multifactor authentication,” said Sapp. “Usually that’s one, in my opinion, of the best controls, for the least amount of money, that can reduce the likelihood of that breach.”

So why isn’t everyone using it? Bad “cybersecurity hygiene,” said Matt Sorensen, CISO for Secuvant. While hackers are quickly learning how to spread phishing scams to your LinkedIn or Facebook feed, the average person isn’t keeping abreast of developments and is still clicking on links and downloading attachments they shouldn’t. Companies need to make sure they educate their staff, especially if they want company-wide buy-in on something like multi-factor authentication. Because multi-factor authentication adds a step to login, some employees may simply not want to use it, regardless of the extra layer of security it provides.

Some companies, for instance, might make multi-factor authentication available to their staff—but not mandatory. That opens the company up to liability should they be breached via a user that didn’t make use of the new tech.

“From a liability perspective, one of the things that we advise our clients about now is if they’re going to offer multi-factor authentication, are you going to require it for that user to use the system, or is it going to be optional?” said Elaina Maragakis, attorney and chair of the cybersecurity section at Ray Quinney & Nebeker. When a breach occurs, finger pointing can ensue—is it the fault of the employee that didn’t use the multi-factor authentication, or the company that didn’t make it mandatory?

So, when rolling out new tech like multi-factor authentication, expect pushback—even from the C-suite that’s requesting it. Robert Jorgensen, cybersecurity program director and assistant professor at Utah Valley University, said when his university rolled out mandatory multi-factor authentication, there was much “wailing and gnashing of teeth” from the faculty.

“Faculty is probably one of the worst user groups to deal with, up there with executives and others, as far as user acceptance,” said Jorgensen, who added that the university then embarked on an education push to make people understand why multi-factor authentication was necessary. “It really adds seconds to the login at most. And we have it set up that you only have to do it once a day on a particular browser. … You’re talking an extra three seconds in the morning to essentially put your account on lockdown.”

Making your company—and its data—safer can be as easy as making sure everyone in the company understands and complies with new safety measures.

“When we talk about how user groups are apprehensive about implementing a security policy, there’s an important thing to be had hand-in-hand with your IT and security solutions in making sure that, from an administration standpoint, you have strong procedures and buy-in from executives from the top of the company so whenever you implement something like this, it’s not seen as a waste of time,” said Tsutomu Johnson, attorney at Parsons Behle & Latimer.

The discussion was moderated by Romaine Marshall, attorney at Holland and Hart. Read the full conversation in the March issue of Utah Business.

©Copyright 2018 by Adva Taylor, Utah Business.com. Reproduction permitted with attribution to the author.

Workspace Cybersecurity Begins with Employees
17th July 2017 by fgsiteadmin in General

I’ve looked at clouds from both sides now
From up and down and still somehow
It’s cloud illusions I recall
I really don’t know clouds at all

— Joni Mitchell, “Both Sides, Now”

And like that song from 1969, it appears that most employees really don’t know cloud computing at all. An article on the Society for Human Resource Management’s website titled, “Public Enemy No. 1 for Employers? Careless Cloud Users, Study Says,” reports on a study by Softchoice, a North American IT solutions and managed services provider, which found that 1 in 3 users of cloud-based apps (e.g., Google Docs and Dropbox) download the app without letting their IT department know. Cloud computing became popular a few years ago because people could store all their documents, photos, and other information and then access that data from anywhere at any time and on any device.

What makes this such a bad situation is not the cloud computing itself, but that the vast majority of employees lack any sense of cybersecurity. That same study found that 1 in 5 employees:

  • Keep their passwords in plain sight (e.g., on Post-it Notes on their desks).
  • Have accessed work files from a device that was not password-protected.
  • Have lost devices that weren’t password-protected.

Complicating this further is that the employees who actually do use passwords usually have weak passwords. That is, they are easy to guess (e.g., “1234,” “password,” or their username). Rather than leave a company and its network vulnerable to attack, some IT people suggest a ban on cloud accounts for work.

Security breaches involving a company’s intellectual property can be very costly. In an attack sometimes referred to as “ransomware,” the important data of an organization is either stolen or encrypted and is not released until a fee is paid.

A better solution than a ban on cloud accounts would be to educate employees on the necessity of cybersecurity, train them to improve their online security habits, and remind them that IT rules are in place to make a company more secure, not to make it more difficult for employees to be productive. Cyber thieves are clever, and when they can’t break into a system using technology, they often rely on the flaws of human nature.

As we become more and more connected to the Internet, we leave ourselves and the companies where we work more accessible to cyber threats. It’s imperative that employees keep everything locked down.

©Copyright 2017 by Tara Marshall, Help Desk Specialist, United Benefit Advisors. Reproduction permitted with attribution to the author.