AUGUST SAVVY CYBERSECURITY NOTES

August 06, 2018

In this issue:

  • Three important cybersecurity actions for every business
  • Emerging threats
  • Cybersecurity shorts
  • Software updates

Three important cybersecurity actions for every business

Businesses—big and small—are regular targets of various cyberattacks. Experts estimate that these attacks will cost businesses worldwide $6 trillion by 2021. This dollar amount includes stolen money, data destruction, theft of intellectual property, restoration, and much more. Being attacked is a costly situation for any size business.

Yet many studies show that small- and medium-sized businesses are at greater risk. In 2017, 61% of small businesses reported experiencing a cyberattack of some kind. Often, smaller business owners think they will be safe from hacks and breaches because they don't have as much money or data as big businesses. Hackers do not discriminate, however. They recognize that smaller businesses tend to have smaller security budgets, which may make their job easier, and that there is still a lot of data to be stolen.

Regardless of your business size, you need to be guarding it against cybersecurity threats. Here are three important cybersecurity actions that every business should be taking.

  1. Add tighter wire transfer controls

A major scam felt by businesses of all sizes is something called the CEO scam. In this heist, a hacker impersonates a CEO by sending a fraudulent phishing email to a lower-level employee in the company. The email asks the employee to complete a wire transfer to an account that is actually controlled by the hacker. Usually, by the time the fraud is discovered, it is too late to retrieve the money. This scam has cost businesses $1 billion worldwide.

The best way to combat this type of fraud is by implementing strong wire transfer rules throughout your business. First, require two-step confirmation of every wire transfer request. This means that if the request comes in via email, the recipient must confirm the request either in person or over the phone. Another tip is to require that multiple people sign off on the request before it is approved.

  2. Boost mobile-phone security among staff

Another popular scam hitting businesses is called mobile-account hijacking. Here, a fraudster hacks into your mobile phone account and directs all of your calls and messages to a different number that they control. They do this to intercept 2-step log-in codes or impersonate you via phone.

To thwart this attack, all senior employees (at a minimum) should have PINs on their mobile accounts. This is not the same as having a passcode to unlock your smartphone but rather a special password with your mobile account carrier. You should call your mobile account carrier or log into your account online to set this up. Once the passcode is created, you will have to provide it to make any changes to your account online, over the phone, or even in the store.

  3. Create a company security policy

One item you need to create if you have not already is a written company security policy. This policy needs to include specific rules (even if they seem simple) like not opening attachments from unknown people, proper Wi-Fi use, and a password policy.

This policy should also have written instructions about what to do in case your company does suffer a data breach. It should be reviewed and updated regularly.

Having a policy written down and available to employees improves security because it reminds them of best practices, which will limit the success rate of an attack.

Emerging threats

Voice assistants in your office could lead to cybersecurity issues. While smart assistants can make your day to day easier, weak security practices can make them dangerous. Earlier this year, an Amazon Echo device recorded a private conversation and sent it to one of the user's contacts. What if you were having a private business conversation and it was recorded and sent to the wrong person? This is not to say that voice assistants are bad; rather, be sure to practice smart security when using them. Ensure that your device is connected to a secure network and consider turning the device off during sensitive conversations.

Retirement plan record-keeper Empower Retirement introduces security guarantee as 401(k) fraud rises. If a plan participant loses money due to an unauthorized transaction that is no fault of the investor, Empower will restore that money. This is a move in the right direction for the retirement plan record-keeping industry.

Cybersecurity shorts

New Wi-Fi routers will offer better security, according to the Wi-Fi Alliance. The new protocol WPA3 will improve password security—hackers will no longer be able to indefinitely guess passwords at one time. The new feature will only allow them to guess one password at a time, making the process more difficult and time consuming. WPA3 will also be fully encrypted by default—creating a safer connection for you to use. WPA3 is expected to be released in 2019.

Creating accounts online could actually help protect your identity. Security expert and writer Brian Krebs wrote about the strategy this month on his blog. Krebs explains that creating online accounts to manage your various accounts (banking, Social Security, your cable and internet, etc.) can be helpful because it ensures that a hacker won't create the account for you (and then control it). Krebs shares the stories of victims who were defrauded after criminals set up fraudulent accounts in their names. You can read their stories here.

Eight states demand that Equifax better its security following the 2017 data breach. Regulators from the states presented Equifax with a consent order demanding the company create an annual internal audit program as well as strengthen patches and disaster response in the next 90 days. Equifax has agreed to the order and said that new policies were already in the works.

Data broker Exactis leaks records of 340 million people. The data aggregation firm, which appears to hold data of millions of American adults and businesses, did not protect its database with a firewall, and the database was easily discovered by a security researcher. Since the discovery, the database has been protected and is inaccessible to unauthorized third parties. It is unknown if the database was wrongfully accessed by criminals.

Adidas announces data breach affecting some customers who made purchases online. The breach is currently being investigated, and at this time officials believe usernames, passwords, and contact information were exposed. It is not believed that financial or fitness data was breached.

ExxonMobil reward card announcement turns spammy. The company sent letters to rewards members advising them of changes to the program, but directed members to phone numbers that advertised Caribbean cruises and an adult talk hotline. The website provided by Exxon installs an extension on your browser and changes your default search engine to Yahoo. ExxonMobil has since changed the website address.

How much is your personal information worth? On the dark web, not much. Your Social Security number can be sold to a hacker for just $1. Your debit card number with bank information or credit card number will set a crook back just $5 each. Medical records tend to go for about $60 because they contain so much information.

Want to protect yourself and your employees from phishing? Know what to look for. Security software firm Sophos has made a list of the most successful phishing email subject lines from their phishing threat test. The most clicked on phishing emails have subject lines of: "A task was assigned to you," "Let's meet next week," and "Harassment Awareness Training."

Timehop announced security breach affecting 21 million users. The company discovered the breach while it was occurring on July 4th and was able to shut it down in two hours. Unfortunately, that did not stop hackers from accessing the names and emails of all Timehop users and the phone numbers of nearly 5 million users. Users will be notified when they log into the app.

Software updates

Adobe: As usual, Adobe released another update for Adobe Flash Player this month. Critical security holes were discovered in the problematic software and users should update to version 30.0.0.0.134 and update their browser plug-in as well. Adobe also released a new version of Adobe Reader and Acrobat this month that addresses over 100 security issues. You can read more about the update here.

Microsoft: Fourteen updates addressing over 50 security vulnerabilities were released by Microsoft this month. The updates include fixes for critical issues in Internet Explorer and Edge. Microsoft Office and other programs are also affected. Your device should prompt you to update automatically but you can learn more about the patches here.