
Tag Archives: Cyber liability

Cyber Liability: Protect Your Email

Email is a critical part of everyday business, from internal management to direct customer support. The benefits of email as a primary business tool far outweigh the negatives. However, businesses must be mindful that a successful email platform starts with basic principles of email security, to ensure the privacy and protection of customer and business information.

Set up a spam email filter.

It is well documented that spam, phishing attempts and other unsolicited and unwelcome email account for more than 60 per cent of all email that an individual or business receives, and email remains the primary method for spreading viruses and malware. Consider using the email-filtering services that your email service, hosting provider or other cloud providers offer. A local email filter application is also an important component of a solid anti-virus strategy. Ensure that automatic updates are enabled on your email application, email filter and anti-virus programs. Additionally, review filter rules and quarantined mail regularly so that important email and/or domains are not blocked in error.

Protect sensitive information sent via email.

With its proliferation as a primary tool to communicate internally and externally, business email often includes sensitive information. Whether it is company information that could harm your business or regulated data such as personal health information (PHI) or personally identifiable information (PII), it is important to ensure that such information is only sent and accessed by those who are entitled to see it.

Email was not designed to be secure, and common accidents such as misaddressing or forwarding to the wrong recipient can lead to data leakage. If your business handles this type of information, consider whether it should be sent via email at all, or at least use email encryption. Encryption converts data into an unreadable form to prevent disclosure to unauthorized parties; only individuals or organizations holding the corresponding decryption key can read the information. Note that encryption protects a message in transit and in storage, but it does not help when the message is addressed to the wrong person, since that person holds a valid key. Some cloud services offer secure, web-based drop boxes for transferring sensitive files, which is often a better approach for exchanges between companies or with customers.

Implement a sensible email retention policy.

It’s important to manage the email that resides on your company messaging systems and your users’ computers. You should document how you will handle email retention, and you should also implement basic controls to ensure information is retained for the necessary period. Many industries have specific rules that dictate how long emails can or should be retained, but the basic rule of thumb is only as long as it supports your business efforts. Many companies implement a 60- to 90-day retention standard if not compelled by law to use another retention period.

To ensure compliance, consider mandatory archiving at a chosen retention cycle end date and automatic, permanent email removal after another set point, such as 180 to 360 days in archives. In addition, discourage the use of personal folders on employee computers (most often configurable from the email system level), as this will make it more difficult to manage company standards.

Develop an email usage policy.

Policies are important for setting expectations for your employees or users, and for developing standards that ensure adherence to your published policies.

Your policies should be easy to read, understand, define and enforce. Key areas to address include what the company email system should and should not be used for, and what data is allowed to be transmitted. Other policy areas should address retention, privacy and acceptable use.

Depending on your business and jurisdiction, you may have a need for email monitoring. The rights of the business and the user should be documented in the policy. The policy should be part of your general end user awareness training and reviewed for updates on a yearly basis.

Train your employees in responsible email usage.

The last line of defence for all of your cyber risk efforts lies with the employees who use email and their responsible and appropriate use and management of the information under their control. Technology alone cannot make a business secure. Employees must be trained to identify risks associated with email use, how and when to use email appropriate to their work and when to seek professional assistance. Employee awareness training is available in many forms, including printed media, videos and online training.

Consider requiring security awareness training for all new employees and offering refresher courses every year. You can provide monthly newsletters, urgent bulletins when new viruses are detected and even posters in common areas to remind your employees of key security and privacy do’s and don’ts.


© Zywave, Inc. All rights reserved.

Small Businesses Most Vulnerable to Cyber Attacks

According to a recent survey, 81 per cent of small business owners think that cyber security is a concern for their small businesses, while 94 per cent either frequently or occasionally think about cyber security issues.

Surprisingly, only 42 per cent of respondents had invested in cyber security protection in the past year, despite the fact that 31 per cent of these businesses had experienced either a successful or attempted cyber attack.

It’s possible that small business owners might simply be spreading themselves too thin. About 83 per cent of small business owners said that they handle cyber security themselves. But given the threat, it was surprising to discover that 95 per cent of small business owners don’t have cyber insurance.


© 2015 Zywave, Inc. All rights reserved.

Physical Protection of Cyber Assets

When it comes to securing cyber assets, many people often think only of mitigating cyber risks like spam, phishing and malware. However, cyber assets can also be compromised physically. This article examines the physical exposures your cyber assets face and provides steps for mitigating these risks.

Secure company facilities.

The physical security of a facility depends on a number of security decisions that can be identified through a comprehensive risk management process. It is easy to think about physically securing your company’s facility as merely an exercise in maintaining control of access points and ensuring there is complete visibility in areas that are determined to be high-risk—either because of the threat of easy public access or because of the value of information located nearby. However, maintaining facility security also includes the physical environment of public spaces. For instance:

  • Employees whose computers have access to sensitive information should not have their computer monitors oriented toward publicly accessible spaces such as reception areas, check-in desks and waiting rooms. Employees should be trained to not write out logon information on small pieces of paper affixed to computer equipment viewable in public spaces.
  • Easy-to-grab equipment that could contain sensitive or personally identifiable information (PII), such as laptops, tablets and mobile phones, should be located away from public areas. If you have an environment where employees are working in a waiting room or reception area, train them to not leave these types of devices out on their desks unsecured.
  • Consider using cable locks as an easy way to increase security for laptop computers. Most laptops feature a lock port for a cable that can be connected to the user’s desk. Be sure to store the key to the cable lock in a secure location away from the desk to which the computer is locked.
  • If extremely sensitive information is stored on a laptop, consider installing tracking software. Most tracking software programs run unnoticed and allow stolen computers to be located more easily. Many also allow administrators to wipe the hard drive remotely, if necessary. Tracking and remote wipe only work once the stolen machine reconnects to a network, so pair them with full-disk encryption, which protects the data whether or not the laptop is ever recovered.
  • Consider implementing a badge identification system for all employees, and train employees to stop and question anyone in the operational business area without a badge or who appears to be an unescorted visitor.

Minimize and safeguard printed materials with sensitive information.

The most effective way to minimize the risk of losing control of sensitive information from printed materials is to minimize the quantity of printed materials that contain sensitive information. Establish procedures that limit the number of copies of printed reports, memoranda and other material containing PII.

Safeguard copies of material containing sensitive information by providing employees with locking file cabinets or safes. Make it a standard operating procedure to lock up important information. Train employees to understand that simply leaving the wrong printed material on a desk, in view of the general public, can result in consequences that impact the entire company and your customers.

Ensure mail security.

Your mail centre can introduce a wide range of potential threats to your business. Your centre’s screening and handling processes must be able to identify threats and hoaxes and to eliminate or mitigate the risk they pose to facilities, employees and daily operations. Your company should ensure that mail managers understand the range of screening procedures and evaluate them in terms of your specific operational requirements.

Dispose of trash securely.

Too often, sensitive information, including customers’ PII, company financial data and company system access information, is available for anyone to find in the trash. Invest in business-grade shredders and buy enough of them to make shredding convenient for employees. Alternatively, subscribe to a trusted shredding company that will provide locked containers for storage until documents are shredded. Develop standard procedures and employee training programs to ensure that everyone in your company is aware of what types of information need to be shredded.

Dispose of electronic equipment securely.

Be aware that emptying the recycle bin on your desktop, or deleting documents from folders on your computer or other electronic device, does not erase the information. Deletion typically removes only the file's entry in the directory; the data stays on the disk until it is overwritten, and anyone with common data-recovery or forensic tools can read it back even after you think you've destroyed it.

Disposing of electronic equipment requires skilled specialists to ensure the security of the sensitive information held on it. If outside help, such as an experienced electronic-equipment recycler and data security vendor, is not available or is too expensive, you should at a minimum remove the hard drives and have them shredded, or securely wipe them with a purpose-built erasure tool and keep a record of having done so. Also be mindful of other media associated with computer equipment, including CDs and flash drives, which need the same treatment.

Train your employees in facility security procedures.

A security breach of customer information or a breach of internal company information can result in a public loss of confidence in your company and can be as devastating for your business as a natural disaster. In order to address such risks, you must devote your time, attention and resources (including employee training time) to the potential vulnerabilities in your business environment and the procedures and practices that must be a standard part of each employee’s workday.

And while formal training is important for maintaining security, the daily procedures you establish both in how you normally conduct business and in the way you model good security behaviours and practices are equally important. In short, security training should be stressed as critical and reinforced through daily procedures and leadership modelling.

Establishing procedures and training employees to physically protect your company’s cyber assets will allow for a secure work environment.




Cyber Extortion Hits Close to Home

“It took me 26 hours of work… without sleep… to get the network back online. Not fun…” says Richard Mash of Network Partners. In his most recent encounter with hackers, Mr. Mash was helping his client, a local small business, after the attackers encrypted the client’s data and demanded a ransom.

Mr. Mash continues “The client’s network became infected with a really nasty virus called CryptoLocker. The virus was sent to them in an email with an attachment that was supposedly a resume from a job applicant. Not surprisingly, someone in the HR department opened the attachment and within minutes the network was infected with a virus and all their critical data files were encrypted… The authors of the virus demanded a significant amount of money in return for decrypting the files, effectively holding the company to ransom. Luckily, we had good backups of all their data and we were able to recover everything without paying the ransom request. The important thing to note is this company had 3 different levels of anti-virus protection, all of which allowed the virus to penetrate the network.

I’m sure all of you are aware that computer viruses can be spread by email. Even though many of us maintain excellent anti-virus products on our networks to help protect our data from viruses, these programs are not 100% foolproof.  We also need help from our employees to keep important data safe.”

Mr. Mash shared some very helpful tips with ABEX to help us protect our network so we don’t encounter a similar problem.  We thought these tips would be worth sharing with you so that you can protect your network from viruses.  The most important thing is to be vigilant about emails that you receive:

  • NEVER open an attachment in an email that comes from someone you do not know or do not trust.
  • A simple rule of thumb: NEVER click on a link in an e-mail, and avoid opening attachments if at all possible (especially ZIP archives). If a link must be clicked on in an e-mail, hover the mouse cursor over the link to see where it actually leads. If it looks suspicious, please ask!
  • These emails may seem to come from companies that you trust, like Canada Post or UPS. If you are not expecting a “delivery notification” from a courier, then don’t open it.
  • Banks or Credit Unions will not send you unsolicited emails with attachments… ever. Just delete them.

How can businesses protect themselves?

To manage and minimize the potential damage from a cyber attack, companies should employ a comprehensive cyber risk management strategy that, along with cyber insurance, includes appropriate loss control techniques, an assessment of the company’s network vulnerabilities and employee security awareness training.

Businesses should make sure that their cyber insurance policy covers costs in case the company is unable to access its computer system, the system is infected by a virus, confidential information is compromised, or its brand and reputation are tarnished by posts on social media. In addition, the policy should cover the cost of an independent computer security consultant to assess threats and contain immediate ones, the cost of offering a reward to stop the perpetrators, and reimbursement of any ransom the company is required to pay if the above measures fail to mitigate the threat.

Please contact ABEX today for more information on our cyber risk management process.

Hackers can tap USB devices

Source: mobile.reuters.com

USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin’s SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.

The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the “firmware” that controls the functioning of those devices, he said.

Nohl and Jakob Lell, a security researcher at SR Labs, will describe their attack method at next week’s Black Hat hacking conference in Las Vegas, in a presentation titled: “Bad USB – On Accessories that Turn Evil.”

Thousands of security professionals gather at the annual conference to hear about the latest hacking techniques, including ones that threaten the security of business computers, consumer electronics and critical infrastructure.

Nohl said he would not be surprised if intelligence agencies, like the National Security Agency, have already figured out how to launch attacks using this technique.

Last year, he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden demonstrated that the U.S. spy agency was using a similar technique for surveillance, which it called “Monkey Calendar.”

An NSA spokeswoman declined to comment.

SR Labs tested the technique by infecting controller chips made by major Taiwanese manufacturer, Phison Electronics Corp, and placing them in USB memory drives and smartphones running Google Inc’s Android operating system.

Alex Chiu, an attorney with Phison, told Reuters via email that Nohl had contacted the company about his research in May.

“Mr. Nohl did not offer detailed analysis together with work product to prove his finding,” Chiu said. “Phison does not have ground to comment (on) his allegation.”

Chiu said that “from Phison’s reasonable knowledge and belief, it is hardly possible to rewrite Phison’s controller firmware without accessing our confidential information.”

Similar chips are made by Silicon Motion Technology Corp and Alcor Micro Corp. Nohl said his firm did not test devices with chips from those manufacturers.

Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.

Nohl believed hackers would have a “high chance” of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.

“The sky is the limit. You can do anything at all,” he said.

In his tests, Nohl said he was able to gain remote access to a computer by having the USB device instruct the computer to download a malicious program, sending the commands as keystrokes so that the PC believed they were coming from a keyboard. He was also able to change a computer’s DNS network settings, essentially instructing the machine to route Internet traffic through malicious servers.

Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to it, which would then corrupt machines that they contact.
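Since anti-virus cannot see device firmware, the practical host-side defence against the attacks Nohl describes is to act on what a device claims to be when it enumerates: a "thumb drive" that also presents a keyboard interface, or a device that unexpectedly offers a network interface, is exactly the pattern above. The script below is an added example, not SR Labs' code and not part of the Reuters article. It reads interface classes the way Linux exposes them under /sys/bus/usb/devices and falls back to a constructed inventory when run anywhere else; the vendor:product IDs, the allowlists and the allow/confirm/block policy are assumptions. This interface-based policy is the same idea tools such as USBGuard apply on Linux.

```python
from pathlib import Path

# USB interface class codes from the USB-IF class code list.
HID = 0x03
MASS_STORAGE = 0x08
NETWORK_CLASSES = {0x02, 0x0a, 0xe0}   # CDC control, CDC data, wireless controller

# Constructed inventory in the shape of what /sys/bus/usb/devices exposes
# (idVendor:idProduct plus each interface's bInterfaceClass). IDs are illustrative only.
DEVICES = [
    {"path": "1-1", "id": "1234:0001", "interfaces": [MASS_STORAGE]},          # ordinary stick
    {"path": "1-2", "id": "1234:0001", "interfaces": [MASS_STORAGE, HID]},     # stick that can also type
    {"path": "1-3", "id": "abcd:0010", "interfaces": [HID, HID]},              # the user's keyboard
    {"path": "1-4", "id": "5678:0200", "interfaces": [0x06, 0x02, 0x0a]},      # phone offering a network link
]

# Assumed site allowlists: input devices and network adapters expected on this host.
KNOWN_INPUT = {"abcd:0010"}
KNOWN_NETWORK = set()


def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect the same fields from a live Linux host; returns [] anywhere else."""
    rootp = Path(root)
    if not rootp.is_dir():
        return []
    devices = []
    for dev in rootp.iterdir():
        # "1-2" is a device node; "1-2:1.0" is one of its interfaces, handled below.
        if ":" in dev.name or not (dev / "idVendor").is_file():
            continue
        vid = (dev / "idVendor").read_text().strip()
        pid = (dev / "idProduct").read_text().strip()
        ifaces = [int((iface / "bInterfaceClass").read_text().strip(), 16)
                  for iface in rootp.glob(dev.name + ":*")
                  if (iface / "bInterfaceClass").is_file()]
        devices.append({"path": dev.name, "id": f"{vid}:{pid}", "interfaces": ifaces})
    return devices


def assess(dev):
    """Decide allow / confirm / block from what the device claims to be at enumeration."""
    classes = set(dev["interfaces"])
    reasons = []
    if MASS_STORAGE in classes and HID in classes:
        # The BadUSB pattern described above: a drive that can also inject keystrokes.
        return "block", ["storage device also presents a HID (keyboard) interface"]
    if HID in classes and dev["id"] not in KNOWN_INPUT:
        reasons.append("unknown input device could type commands as the logged-in user")
    if classes & NETWORK_CLASSES and dev["id"] not in KNOWN_NETWORK:
        reasons.append("unknown network interface could push rogue DNS and routes via DHCP")
    return ("confirm" if reasons else "allow"), reasons


def policy(devices):
    """Map each device path to its decision."""
    return {d["path"]: assess(d)[0] for d in devices}


if __name__ == "__main__":
    for d in read_sysfs() or DEVICES:
        decision, why = assess(d)
        print(f"{d['path']:6} {d['id']} {decision:8} {'; '.join(why)}")
```

Run as root on a Linux workstation it lists what is plugged in right now; the useful deployment is to run the same assessment from a udev hook on every hot-plug and refuse to bind drivers until a "confirm" is answered. Note the limit: a reprogrammed device that presents only the interfaces it always had (a keyboard that is still just a keyboard) passes this check, which is why Nohl's point about firmware remains.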

“Now all of your USB devices are infected. It becomes self-propagating and extremely persistent,” Nohl said. “You can never remove it.”

Christof Paar, a professor of electrical engineering at Germany’s University of Bochum who reviewed the findings, said he believed the new research would prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He urged manufacturers to improve protection of their chips to thwart attacks.

“The manufacturer should make it much harder to change the software that runs on a USB stick,” Paar said.


