Infinet

The European Union’s General Data Protection Regulation goes into effect on May 25, 2018. Many U.S. and Canadian businesses have been working hard to meet the new GDPR guidelines., but it’s not clear if others have the technology in place to notify individuals that their data was breached within the required 72-hour period. This is one of the primary components of the 2018 GDPR. No matter how you look at it, three days can go by very quickly when it comes to sending out data-breach notifications, especially if you haven’t planned in advance.

Watch Our Free GDPR Training Online

Many U.S. and Canadian businesses, even large enterprises, don’t always plan ahead and, instead, operate in a reactionary mode. Security professionals in the U.S. and Canada are concerned–The mandatory 72-hour GDPR breach-notification period has them worried because they don’t think most businesses are prepared.  The U.S. doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. If businesses don’t comply, they will be fined 4% of their global revenue up to $20 million. Plus, the consumers whose data is breached can file class-action suits against them for noncompliance.

Experts know that the GDPR is something to take very seriously.

They believe that the regulators in the European Union will impose the largest fines they can and that they’ll make an example of organizations that lack compliance–and will do so within the first 90 days of the breach. This is much like the U.S. Health, and Human Services/Office of Civil Rights does with their “Wall of Shame” and HIPAA breaches of personally identifiable information (PII).

The GDPR requirements apply to any organization that does business in Europe and collects personally identifiable information on European citizens. It doesn’t only apply to large multi-national corporations; it applies to any business that has 250 or more employees. Smaller companies are typically exempt, except in the case where a data breach results in a risk to the rights and freedom of individuals, isn’t an occasional occurrence, or where the processing of data includes special categories like those relating to criminal offenses or convictions.

The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016.  It set a higher compliance standard for data inventory, and a defined risk management process and mandatory notification to data protection authorities.

Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization.  They must be prepared in advance to respond to security incidents.

Is your technology ready for the GDPR?

Smart CIOs and CEOs in the U.S. and Canada have been preparing for the GDPR for the last year. And many larger enterprises, especially those that regularly do business in the European Union, have seen this on the horizon for a while and have taken advantage of the two-year implementation period to seriously prepare for GDPR. These organizations are ready and won’t need to worry that they can’t meet the 72-hour notification deadline.  Many U.S. financial organizations and banks are already prepared as they are accustomed to notifying regulators and customers, and they have the IT infrastructure in place to respond quickly. Plus, banks in the U.S. have been functioning under more stringent regulations since the 2007-2008 financial crisis–They’re already well prepared.

The following are steps your organization should take to prepare your technology for the GDPR.  

• Perform a thorough inventory of your personally identifiable information, where it’s stored–in onsite storage or in the Cloud, and determine in which geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
• Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
• Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
• Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for organizations of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.”  This is a concept that has was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
• Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Managed Service Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

If you have all these processes properly in place, you should be able to meet the GDPR breach notification 72-hour period. The organizations that have met most of the International Organization for Standardization information security requirements should also be ready for the new regulations.

Watch Our Free GDPR Training Online

Unfortunately, many organizations won’t do this, simply because they’re not educated about the new GDPR, or they’re so busy they don’t think they have the time to make it a priority. Some think that the GDPR doesn’t apply to them. And others who don’t undertake proactive technology methods, in general, simply “bury their heads in the sand.”  These organizations have waited too long now to make the May 28th deadline. Hopefully, yours isn’t one of them.

In the era of modern technology, effective database security is more important than ever. Your business stores a range of sensitive information (for clients and employees) all of which needs to be kept safe at all times. Should any of that data get exposed, either by malicious hackers or internal human error on your staff’s part, it could very quickly lead to severe consequences for your business. Loss of business, the trust of your clients, financial damages, lawsuits, compliance infractions, or worse. Don’t let it happen to you.

Why Should Database Security Be Enhanced?

Information stored on your business database is more than likely to be misused – either hackers who want to access, steal or corrupt it, or simply by employees who aren’t entirely sure of what they’re doing. Additionally, the database is at risk of malware infections that may lead to inappropriate effects, unauthorized access, or deletion of crucial data. Data breaches can cause an overload that would result in poor business performance and lower operational efficiency. Besides, if hackers access your private business data, it could lead to data corruption and inappropriate activity that would potentially damage your reputation. That’s why it’s so important for you to enhance database security by employing various strategies aimed at protecting the information from any unauthorized access. These strategies involve physical, administrative, and software controls. They include:

Enhancement of Physical Database Security
It may sound simple, but it’s a vitally important part of database security – make sure your servers are kept protected by physical security implementations. Locked closets, numbered keypads, video surveillance, etc. Similarly, you need to ensure that you allocate different machines from those running the web servers for your database. Given that such servers are publicly accessible, they are at a higher risk of hacking and may help in accessing the database irregularly.

Use of Database Firewalls
A firewall will help to enhance the security of the database by denying access to traffic from unidentified sources and reducing the initiation of unnecessary outbound connections. In this case, it identifies a few web servers of applications that are allowed to access the data. Web application firewalls can also be used to prevent malware such as SQL injection attacks that have a potential to delete database information.

Encryption of Data
Encryption should be a foundational aspect of your cybersecurity practices, but especially those concerning your database. In layman’s terms, encrypted data is formatted in a secret code that would be meaningless if intercepted. It is one of the most efficient ways to secure a database given that decryption can only occur through a key, which is essentially a “secret password”. In this case, there is a need for updated encryption software to ensure that private information is only accessible through the database program.

Use of Secure Passwords
Given that a password grants access to your database, it is imperative that you ensure it is complex enough that it can’t be easily guessed. In recent years, hackers have developed sophisticated tools and systems for identifying simple passwords. Therefore, combining letters, numbers, and symbols are simple ways to ensure your passwords are more difficult for hackers to crack using their standard methods.

Auditing and Monitoring Database Activity
Regular database auditing and monitoring help to detect any unusual activity or login attempts by an unauthorized individual. In addition, doing so can help you detect cases of account sharing or any other suspicious activity. The organization may need Database Activity Monitoring (DAM) software that is important in monitoring such activities automatically and independently. Additionally, auditing the database helps to identify accounts that are no longer in use, which could increase the risk of hacking.

Tight Management of the Database Access
It’s important to limit the number of people accessing the database in order to enhance monitoring. Besides, your administrators should only get the minimum privileges that are necessary for their jobs. In some instances, employees are caught colluding with external hackers to defraud an organization or steal crucial data. Therefore, it would be prudent for your business to consider acquiring access management software that provides temporary passwords to authorized users and more specific privileges when necessary. That way, any attempts to access the database with these credentials after they expire won’t work and will notify you of such attempts.

Segmentation of Database
A large, singular database is at a higher risk of exposing private information because it involves so much data. That’s why it can be useful to segment the data by creating various roles within the database. This help prevents all administrators from viewing all data whenever they like. Were you to segment your database, depending on the roles, your administrators may be classified with different privileges and access to different levels of database information.

The security of a database is undeniably important for businesses like yours. Be sure to follow strict cybersecurity practices in order to keep your database secure from malicious hackers and careless employees.

Do you use 800 million pounds of paper each year? That’s the latest estimate for the average professional – and nearly 20% ends up in landfills. Would your habits change if you were taxed on paper consumption?

The use of paper to record thoughts, plans, transactions, agreements, or anything at all, is nothing new. Ancient Egyptians invented the earliest known type of “paper”, named papyrus from the plant which the material was created. The more modern forms of paper are likely created from a process similar to that invented by the Chinese, who remain the leading paper manufacturers today.

The ability to document everything from knowledge and information to financial transactions and taxes brought the foundation of the technological era – though not quite as we see it today. For the first time in history, accountability no longer relied on memory or spoken word, but the origin of the “paper trail” concept.

One of the earliest modern ways we’ve found to scale back paper use is the predecessor to the smartphone, the personal digital assistant (PDA), like the Palm Pilot. Migrating from paper planners to a handheld organizer enabled professionals to have easy calendar access, along with a variety of other resources like the Internet and telephone.

• Would it surprise you to know that the first person to coin the phrase “PDA” was a former Apple CEO, John Sculley?

The intended purpose of technology is to improve our lives and simplify our tasks. For example, email was designed, in part, to expedite communication in a cost-efficient manner. Written communication that previously took more than a week to deliver via U.S. mail with the added cost of a postage stamp and envelope – also relying on the correct mailing address of the recipient – was now nearly free and instantaneous. The fax machine was intended to serve this same purpose of timely delivery, but still involved paper waste. In fact, fax machines created a unique problem: the sender had to have a print copy to scan and fax, and the recipient thus received a paper copy of the message. In the case of email, technology should decrease the use of paper, and successfully has.

The average professional has indeed cut back on paper use. Statistics vary, but no matter how you look at it, we consume far too much paper for the amount of technology we have at our disposal. Notice the word “consume”? The sad reality is that not all consumed paper is used. Have you ever visited a print station only to have to dig through sheets to find the printed document(s) you’re looking for? How many times do you see the same sheets that never get picked up?

• Every year, organizations look to trim costs from their budget in unique ways, but rarely are paper costs fully considered. It’s estimated that U.S. companies spend $120 million annually on printed documents – a number that can, and should, easily be reduced.

Companies like Microsoft are trying to facilitate less paper consumption, and therefore, less waste. From online storage with Microsoft OneDrive or SharePoint, where users can store, share, and access files from anywhere without needing to produce paper copies, to collaborative software solutions like Microsoft Teams or Microsoft Project which help groups jointly communicate in real time, modern solutions are geared toward less paper consumption.

One industry where paper consumption has significantly decreased in recent years is the medical field. Patient charts used to be entirely paper, including test results, office visit notes, and full patient history. For large medical practices, this involves a lot of expensive real estate for a physical item that isn’t often used. The movement toward electronic health records is more efficient in every way: cost savings for less paper and less space taken, easy to share and access from anywhere, and less chance of a test result or document getting lost or damaged.

Banking is another industry to vie for the record of worst offender in terms of paper consumption. Between lending for auto purchases or mortgages and account statements, banks recognize the high-consumption of paper and have (slowly) been moving toward online signatures, email statements, and digital records.

Even major metropolitan areas are jumping on the “green” bandwagon. Bike lanes are being rolled out in cities across the country. Mass transit light rail systems are being installed and adopted for easy navigation and decreasing carbon footprints and toxic emissions. On the smaller scale, but no less important, it’s becoming more common for consumers to be emailed a receipt at a point of purchase, rather than have a paper receipt printed at the time of transaction. Most cities have designated locations to return printer ink cartridges for recycling to help cut down on waste.

• Commonly purchased with large print workstations are service agreements to maintain the printer. Rather than a set cost, these agreements are based on use and consumption, with fees for black-and-white documents ranging from 5¢ to 12¢ on average, and color documents ranging from triple to more than five times the cost of black-and-white fees. By comparison, cloud storage costs are far more economical!

So, what can you do to help cut down on paper waste, thereby cutting costs for your company?

• Evaluate who uses a printer at your organization and for what purposes.
• Determine if your printer(s) are the most efficient available, and if they are maintained for efficiency.
• Monitor overall usage, and then assess how usage can be decreased.

There are so many ways technology can help decrease print usage and costs, and here are a few to get started:

• Cloud storage
  • This cannot be stated enough. Moving file storage to the cloud is a big leap, but can save you time and money.
  • No more file cabinets taking up real estate.
  • Documents are easier to find, access, and share from anywhere.
• Reusable notebooks
  • Do you or your team still prefer to take handwritten notes? Using a smart notebook like the Rocketbook Wave propels your note-taking into the next century. Once captured, notes can be shared to the cloud using your smartphone. Once the notebook is full, a quick run in the microwave and it’s empty to use again!
• Collaborative platforms
  • We mentioned Microsoft Teams already, but there are countless options available. From Slack to Basecamp, most offer users a similar feature base intended to encourage digital collaboration and eliminate paper waste.

It’s not unheard of to offer incentives to decrease waste, but the greatest incentive is decreasing costs for the organization resulting in increased revenue – and hopefully increased salaries! Decreased paper waste shouldn’t have to rely on staff incentives – and hopefully, it won’t come to taxation, but you never know…so let’s get ahead of the game and help ourselves while helping the planet. Saving two kinds of green – money and Mother Earth – with one effort!

The Situation

Ransomware is now one of the top security concerns for businesses and organizations of all sizes. The City of Atlanta was hit with a ransomware attack called SamSam in March, crippling some important departments like their court system, sewer infrastructure requests, and water billing department.

The attackers who deploy SamSam are known for clever, high-yield approaches. This, combined with the City’s lack of preparedness, explains why the infection was so debilitating.

Experts are telling us that SamSam will strike again. Unlike many forms of ransomware that spread via phishing attacks where individuals inadvertently invite the attack, SamSam exploits IT system vulnerabilities and cracks weak passwords. These ransomware attackers have made $1 million in less than six months.

Keeping all your systems patched, storing data in enterprise-based cloud backups, and having a ransomware preparedness plan can offer real protections against SamSam and other ransomware infections.

Unfortunately, ransomware attacks are on the rise, and as hackers use more sophisticated encryption technology, the threat is constantly evolving. According to malware security firm Barkly, a company is hit with a ransomware attack every 40 seconds. They also identified ransomware as the most prevalent form of malware, with “4.3x new ransomware variants in Q1 2017 than in Q1 2016.”

This article details how dangerous ransomware is, how it could harm your business, and what you should do to protect your data.

Part 1. What is Ransomware?

Ransomware is a type of malicious software (malware) that blocks access to a computer that infects, locks or takes control of a system and demands a ransom to unlock it. It’s also referred to as a crypto-virus, crypto-Trojan or crypto-worm. It then threatens that your data will be gone forever if you don’t pay using a form of anonymous online currency such as Bitcoin.

Most forms of ransomware are spread via spam using unsolicited phishing email or an attachment. Phishing attacks use emails disguised to look like they’re from someone you know and are more likely to trust.

Some ransomware-based applications disguise themselves as police or a government agency, claiming that your system is being locked down for security reasons and that a fine or fee is required to reactivate it. Then it typically asks you to click on a link or attachment to perform a routine task such as updating records or account details. If you do this, a worm or malware is downloaded, infects your system and locks it by encrypting your files.

Ransomware, like SamSam, can also infect your IT system using vulnerabilities in your computer’s browser. It does this when you click on a malicious code hidden in online ads or free software.

Ransomware targets small to medium-sized businesses because they are particularly vulnerable due to limited IT resources. They are also more likely to pay the ransom in the hopes that they’ll get access to their data, although the FBI warns that this isn’t necessarily so.

“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations, but it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Paying the ransom only guarantees that the malicious actors receive your money, and possibly even banking information. Also, decrypting files does not mean the malware infection itself has been removed.

No one is immune.

• Temporary or permanent loss of sensitive or proprietary information,
• Disruption to regular operations,
• Financial losses to restore systems and files, and
• Potential harm to your organization’s reputation.

The lack of awareness and cybersecurity training is a leading cause of ransomware.

Part 2. Ransomware Comes in Many Forms

Ransomware comes in many different forms, but essentially, it’s a type of malware that denies access to your computer devices unless you pay a ransom. The ransomware malware encrypts your data. Once it does this, it can travel throughout your network and encrypt other mapped and unmapped network drives. Because of this, it can bring your organization to a halt.

The ever-evolving nature of these threats makes ransomware very difficult to keep track of. (Ransomware-as-a-Service (RaaS) makes it easy for cybercriminals to set up a lucrative hacking scheme. It is provided as a vendor platform on the Dark Web. Unlawful vendors offer hackers and criminals a tool to use to lock down computer files, information or systems and hold them hostage.

Ransom32 is a type of “Ransomware-as-a-Service” that provides any cybercriminal, even those without technical knowledge, the ability to create their own form of ransomware. What makes Ransom32 so dangerous is that it uses JavaScript, and can be used on computers that run Windows, Mac OS X, and Linux.

Over 2,900 types of ransomware have been reported, and they’re growing. Here are just a few:

Bad Rabbit 

Bad Rabbit has infected organizations in Russia and Eastern Europe and is spreading throughout the world. It does this via a fake Adobe Flash update on compromised websites. When the ransomware infects a machine, users are directed to a payment page demanding .05 bitcoin (about $285).

Cerber

This ransomware encrypts your files using AES encryption and demands a ransom of 1.24 bitcoins (worth $500). It communicates via a text-to-speech voice message, a recording, a web page, or a plain text document. There’s no way to decrypt files that are encrypted by Cerber unless you pay the ransom.

Cryptolocker

CryptoLocker infects computers that run Microsoft Windows. Like other forms of ransomware, you must pay the hackers to decrypt and recover your files. CryptoLocker spreads via fake emails (phishing) designed to mimic legitimate businesses.

CryptoWall

This form of ransomware has been around since 2014, but new variants are still circulating, including CryptoBit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0. Like CryptoLocker, CryptoWall is distributed by spam or exploit kits.

CryptXXX

CryptXXX used additional capabilities including network-share encryption. This means that even if you can decrypt your files, it can still cause significant downtime by encrypting files on your network shares.

FakeBsod

FakeBsod uses a malicious piece of JavaScript code to lock your web browser. It displays a fake warning message and tells you to go to a particular webpage (that contains the ransomware). The message says to “contact Microsoft technicians” about an “Error 333 Registry Failure of the operating system – Host: Blue screen Error 0x0000000CE.” When you call the phone number, you’ll be asked to pay a fee to fix the problem.

Lockscreen

This form of ransomware isn’t new and has been in use for quite a while. It attacks Android devices. However, now there’s a new version that is more powerful and much more resilient. It used to lock your screen using a hardcoded passcode, but with the right code, you could unlock your device. Today the new version is impossible to reverse-engineer the passcode since it uses pseudorandom passcodes. Because of this, you can’t unlock your device and must pay the ransom.

Locky

If your computers are infected by Locky, it will rename all of your important files and prevent you from opening them. It does this through encryption and using the file extension–locky. Now, only the cybercriminals have the decryption key, and you must purchase it from them to retrieve your files. To do this, you have to go to the Dark Web and pay $400+ in Bitcoin.

NotPetya

This is a strain of Petya and was first seen in 2016. Today, experts believe NotPetya’s sole purpose is to destroy data instead of obtaining a ransom.

Petya

Petya is especially dangerous because it encrypts entire computer systems, and overwrites the master boot record, so you can’t reboot your operating system.

Spider

Spreads via spam emails. It’s hidden in Microsoft Word documents and installs the ransomware on a computer when it’s downloaded. The Word document (typically disguised as a debt-collection notice) executes macros that encrypt your data.

TeslaCrypta

This uses an AES algorithm to encrypt files and is specifically designed to attack Adobe software vulnerabilities. TeslaCrypta installs itself in the Microsoft temp folder.

TorrentLocker

TorrentLocker spreads via spam email campaigns and targets specific geographic regions. It also uses the AES algorithm to encrypt files. It collects email addresses from your address book to spread malware to your business contacts, friends and family members.

WannaCry

WannaCry has hit over 125,000 organizations in over 150 countries. It currently affects Windows machines through a Microsoft exploit known as EternalBlue.

WannaCrypt

This computer attack began locking down data on May 12, 2017. It affects Microsoft Windows Operating systems. WannaCrypt encrypts all the data in on your computer and holds it hostage.

ZCryptor

This form of ransomware uses a worm-like tactic to self-propagate and encrypt files and external drives so that it can attack other computers.

Part 3. How Ransomware Infects Your Computers

Ransomware attacks are increasing, and so are the ransoms to recover your data.

You’ll know when ransomware infects your computer because the hackers display a message telling you how much to pay to unlock your files. These ransoms typically run in the $300-$500 range. But, some businesses are having to pay upwards of $1,000 per computer. If you have 25 computers that are infected, that’s $25,000.

Hackers primarily use the following attack vectors to infect computers:

Phishing Emails

This is the most common scenario. A realistic-looking email is sent to you with a link or attachment that contains the ransomware. Hackers will often send a number of these links or attachments to hide the one with the malware. Once it’s clicked the malicious software loads itself and the ransomware infection spreads throughout your files, locking them until you pay the ransom.

Drive-by-Downloads

If you unknowingly visit a realistic-looking website containing ransomware, it can load itself onto your computer. If you use an old browser, out-of-date software, or third-party applications, you’ll be most vulnerable. A hacker can detect a vulnerability and exploit it. When a software vendor discovers this, they’ll release a patch to repair the issue, but by this time the criminal has already done their dirty work. Examples include unpatched versions of Adobe Flash, a bug in Java or an old web browser, or an unpatched operating system.

Free Software

A lot of us download free versions of software. Some are legitimate, but others contain ransomware. They are especially prominent in broken versions of expensive games, free games, porn content, screensavers or bogus software. By convincing the user that they should download the software, they can get past firewalls and email filters. You might not even know that you’ve done this until the ransomware activates weeks later.

Unpatched Software

According to the U.S. Computer Readiness Team (CERT) using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware. Microsoft provides a guide to help you keep your software up to date. They recommend that you use feed update functionality to stay informed about new ransomware variants and what you should do to protect your data.

Part 4. What to Do If Your Files Get Encrypted.

Tell your employees to let you know if they experience the following:

• They can’t open their files, or they get error messages saying a file is corrupted or contains the wrong extension.
• A window pops up with a ransomware program that they can’t close. This window may contain a message about paying a ransom to unlock files.
• A message says that a countdown has started for a ransom to decrypt files and that it will increase over time.
• They see files in all directories with names like “How to decrypt files.txt or decreypt_instructions.html.”

Ransomware isn’t easy to find while it’s at work encrypting your files. So, you might not know that it’s happening until the hacker sends you a message. By this time, the infection has completed its job. The best thing you can do at this point is to contain the virus from spreading throughout your network.

Unplug the infected computer from your network. You may also need to turn off all network access for all your computers until you know the virus is contained. Set your Basic Input Output System (BIOS) time back if the ransomware has started a countdown. This will hopefully give you more time to recover your critical files and try to eliminate the malware. You can access your BIOS time through the BIOS Setup Utility on the computer.

Restore your files from your last backup. This is why it’s important to regularly backup your files to a safe, offsite cloud location. Just make sure your most recent backup wasn’t infected as well. If you use a Disaster Recovery as a Service (DRaaS) solution, you should be able to do this and quickly “spin up” the DR image on your computer. By spinning up the image in a self-contained virtual machine (VM), you can inspect the DR image without exposing it to your entire network.

Alert the FBI. Don’t pay the ransom. This is a mistake because you still may not get your files back and the criminal will continue to extort you for money.

Unfortunately, recovery from ransomware can be difficult as cybercriminals fine-tune their tactics and become more sophisticated.

Part 5. How to Protect Your Data From Ransomware

The good news is that there are best practices you can adopt to protect your business. The Small Business Administration has these 14 recommendations. Your Technology Solutions Provider can help you with these.

1. Implement an awareness and training program. Because end users are targets, employees should be aware of the threat of ransomware and how it is delivered.
2. Enable strong spam filters to prevent phishing emails (an attempt to obtain sensitive information electronically) from reaching employees and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
3. Scan all incoming and outgoing emails to detect threats and filter executable files (used to perform computer functions) from reaching employees.
4. Configure firewalls to block access to known malicious IP addresses.
5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
6. Set anti-virus and anti-malware programs to conduct regular scans automatically.
7. Manage the use of privileged accounts based on the principle of least privilege: no employees should be assigned administrative access unless absolutely needed and those with a need for administrator accounts should only use them when necessary.
8. Configure access controls—including file, directory, and network share permissions— with least privilege in mind. If an employee only needs to read specific files, the employee should not have write access to those files, directories, or shares.
9. Disable macro scripts (toolbar buttons and keyboard shortcut) from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
10. Implement Software Restriction Policies (SRP)s or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs including the AppData/LocalAppData folder.
11. Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
12. Use application whitelisting, which only allows systems to execute programs known and permitted by security policies.
13. Execute operating system environments or specific programs in a virtualized environment.
14. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organization units.

In Conclusion

The increased incidence and rapid evolution of ransomware have raised concerns and stakes for both small and large businesses. Of everything we’ve discussed here, the two most important things to do to protect your business is to use a solid enterprise-grade cloud backup solution and to provide professional Cybersecurity Awareness Training for your employees. In both cases, your Technology Solutions Provider is your best friend. They’ll help you fight and prevent ransomware and cybercrime of all kinds. Don’t wait. Contact them today

Most business owners are cognizant of the prevalence of fraud in the digital world today. According to Experian’s Global Fraud and Identity Report 2018, almost three-quarters of businesses believe fraud is a growing concern, and nearly two-thirds reported fraudulent losses over the past year.

What is Fraud?

Fraud occurs when an individuals’ payment information is used without their authorization. When hackers breach your network and access your customers’ or clients’ sensitive cardholder information, they have many opportunities to commit fraud numerous times. Anytime someone falsifies an identity and “tricks” a system into thinking the person making a purchase is someone other than who they actually are, this is considered to be fraud.

Fraud is Pervasive in Today’s Digital World

This is because the majority of business and consumer data remains vulnerable. As the value of digital information grows, so does the hacker’s motivation to develop methods to avoid detection from the latest technologies.

The existing account setup process requires consumers to provide extensive amounts of personal information along with passwords and secret questions. And data breaches provide this information to cybercriminals. When this data is stolen, it’s often used for fraudulent activities.

Fraud is a moving target just like the hackers. New tactics are evolving where criminals combine real and fake information to create new identities.

Most business owners just don’t have a handle on this – and they lack confidence in their ability to protect their customers and their companies from fraud.

One of the reasons for this is that their initiatives are mostly reactionary rather than proactive as many continue to use legacy cybersecurity technology rather than investing in new, more sophisticated data protection solutions. As a result, every month that goes by increases their vulnerability and exposure to data breaches and fraud.

Fraud is an ever-present and growing risk

For businesses in e-commerce, managing the risk of fraud is a delicate balancing act between providing an ease of use for customers vs. fraud protection. They struggle with mitigating fraud and providing a positive customer experience. Unfortunately, the customer experience wins out in most cases, and businesses are willing to risk fraudulent losses over losing customers to their competition. Ironically, they are setting their businesses up for reputational damage where they will end up losing customers anyway, fail to gain new ones, and possibly face financial penalties and litigation costs.

The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction in the average cost in 2016, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher at $7.3 million.

More than 50 percent of businesses say they still rely on passwords as their top form of authentication.¹ And business leaders know that using passwords isn’t the most secure option. But customers are used to them, and business owners want to please them. They also complain that they lack the financial resources to adopt more advanced authentication methods when this would save them legal fees and penalties if/when their customers’ accounts are breached–not to mention their reputation and the future existence of their business. This, of course, is very shortsighted.

How data breaches and fraud are connected

Data breaches and fraud don’t usually occur at the same time and place. Cybercriminals won’t steal a customer’s information and turn around and use it for a purchase from the same business. So. it’s not easy for a business to detect when a breach occurs.

Data breaches are typically detected by using specific security tools that monitor all payment activity. Merchants should follow PCI/DSS Standards to identify and prevent breaches and remain compliant. PCI-DSS audits will help you find vulnerabilities in your system and reveal inadequacies that must be eradicated.

A successful case of fraud spreads like cancer

If a hacker can get one password, they may have the keys to other password-protected accounts. The more online accounts people open, the greater their risk. And most people have quite a few. If the hacker can figure out the password to someone’s email account, they may also have the key to their credit card and banking accounts as well.

You must remain vigilant to prevent data breaches and fraud.

What to do if you suspect fraud

A key indicator of evidence of fraud is in chargebacks where a customer disputes a charge on their credit card, and where you aren’t paid for the service or product. If your chargeback rate increases above a 1% margin, this is a good indication that you’re experiencing fraud.

In this case, you should hire a third-party auditor like an IT Managed Services Provider (MSP) to help bring you back into compliance and stop the thieves. They will detect where the problem(s) exist and if what they find indicates a data breach. PCI-DSS compliance requirements mandate that you do this to stop the fraudulent activity.

Of course, you should contact the card processor as well. They will connect you to the card providers who can often identify the point of access or detect a suspicious pattern of activity.

What You Can Do to Reduce Fraud and Data Breaches.

Use EMV Technology.

EMV (Europay Mastercard Visa) is the global standard to authenticate payment cards. EMV technology can help you protect your business from fraud. It ensures the card is legitimate and that the person using the card is the authorized user.

EMV chips are microprocessors that store and protect cardholder data. They use a unique cryptogram that’s validated by the card issuer. This makes it more difficult for hackers to break the code and steal card information to commit fraud.

Today, if you don’t use an EMV-capable terminal, and the transaction turns out to be fraudulent, you can be held financially liable for that transaction.

EMV has been used in the United Kingdom since 2004, and card-present fraud has gone down by 80% as a result. By comparison, without EMV in the U.S., fraud increased during this time by nearly 70%.

Protect Data in Transit by Using Encryption.

When credit card data is stolen, it’s considered a data breach. Considering the number of card payments your business processes in a month, hackers may view you as the “Pot of Gold at the end of a Rainbow.” In other words, your business is a prime target.

You can help stop the hackers from accessing data in transit by using end-to-end encryption (E2E) and point-to-point encryption (P2PE).

The advantages of end-to-end encryption are:

• That you don’t need a separate key for the decryption of the data.
• You have flexibility in deciding what data to encrypt.
• You can choose specific configurations for more functionality.
• The file size is small, and the processing time is minimal.

Point-to-point encryption encrypts transmitted data as it goes through a designated “tunnel.” This is used most often for credit card information that’s encrypted from the point-of-sale (POS) to the credit card processor.

With encryption, if a breach does occur, and data is stolen, it will be useless to cybercriminals in its encrypted state.

Protect Data at Rest by Using Tokenization.

Tokenization breaks up a sequence of data into pieces such as words, keywords, symbols, phrases, and elements called tokens. Tokens can be words, phrases or even whole sentences. In other words, tokenization keeps cybercriminals from using data by replacing it with meaningless characters. Tokenization is helpful for businesses that store sensitive card data for re-billing. It’s also one of the most effective and affordable ways for businesses to protect their customers’ confidential card data.

Combining encryption and tokenization is one of the best ways to protect your business from the devastating effects of a data breach.

Secure Your IT Environment

• Ask your IT Managed Services Provider (MSP) to set up a next-generation firewall, anti-spam, and anti-virus solutions.
• Ensure your POS and router are on different networks and separate from other systems that access the Internet.
• Don’t use your business POS for surfing the Web. This can expose it to viruses and result in vulnerabilities that can be breached.
• Assign separate login credentials for each user.
• Forbid sharing of login credentials and enforce this.
• Keep your user list up to date and disable accounts that are no longer needed.
• Only provide remote access for users with a clearly identified need.
• Don’t leave remote access software turned on when unattended.
• Keep all software and anti-virus, anti-spam programs up-to-date.
• Regularly run and review scans for malware.
• Regularly have your MSP run vulnerability scans.
• Ask your MSP to train your staff on the latest security threats and what to do if they come across one.
• Train your staff how to detect unauthorized skimming devices that could be installed on POS or credit-card terminals.

Have Your MSP Train Your Employees on Cybersecurity Awareness.

Teach your employees about password security and make sure you enforce this behavior:

• Don’t use words from the dictionary.
• Don’t use names of family members.
• Don’t reuse passwords from your other accounts.
• Don’t write down your passwords or put them where others can see them.
• Consider using a Password Manager (e.g., LastPass or 1Password).
• Use password complexity (e.g., P@ssword1).
• Create a unique password for work separate from your personal use.
• Change passwords at least quarterly.
• Use passwords with 9+ characters.
  • A criminal can crack a 5-character password in 16 minutes.
  • It takes five hours to crack a six-character password.
  • Three days for a 7-character password.
  • Four months for eight characters.
  • 26 years for nine characters.
  • centuries for 10+ characters.
• Turn on Two-Factor Authentication if it’s available.

Teach employees about ransomware and phishing threats. These appear to be from an official like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow their instructions, don’t! If you do, the criminal will encrypt all your data and prevent you and your employees from accessing it. Teach them to:

Beware of messages that:

• Try to solicit your curiosity or trust.
• Contain a link that you must “check out now.”
• Contain a downloadable file like a photo, music, document or pdf file.

Don’t believe messages that contain an urgent call to action:

• With an immediate need to address a problem that requires you to verify information.
• Urgently asks for your help.
• Asks you to donate to a charitable cause.
• Indicates you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Be on the lookout for messages that:

• Respond to a question you never asked.
• Create distrust.
• Try to start a conflict.

Watch for flags like:

• Misspellings
• Typos

Ask Your MSP to Help You with PCI Compliance.

PCI Compliance is not a one-time event but should be a continual process to ensure your IT systems are appropriately transmitting and storing sensitive data. It mandates that network and business practices are secure.

Failing to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS) can ruin your small business if you get hit with a data breach.

It’s not always easy to do this on your own. Your MSP can help by:

• Performing scans of your network to identify and eliminate vulnerabilities that can lead to data breaches.
• Monitoring network activity and blocking malicious activity before it can lock down or steal your data.
• Providing you the tools and resources to promote compliance.
• Implement data-breach protection solutions.
• Help you sign up for a breach assistance/cyber insurance program that provides for reimbursement of certain card brand fees that are charged if data is compromised. Some cover the costs of a data breach, which can be upwards of $100,000 or more.

Protect Your Business from Data Breaches, Fraud, and the Resulting Consequences

When you take all of this seriously, you’re not just protecting your customer’s confidential information; you’re also protecting your business from fraud.

Most companies that experience a data breach will see a rise in cost to retain existing customers. And, they will also see an increased cost to acquire new customers. When you add these increases in cost to the loss of revenue from customers that choose take their business to your competitors, you’ll soon see how your damaged reputation dramatically affects your company’s bottom line.

You don’t have to face this alone.

The right IT Managed Services Provider can be your best ally against security threats. From helping you with integrated and compliant POS systems to implementing technologies like encryption and tokenization, and providing compliance and breach assistance, the right IT Partner is worth every cent when it comes to helping you secure your business against the devastating effects of credit-card fraud and data breaches.