
Posts Tagged ‘cybersecurity’

Cybersecurity is mostly about you…

Monday, March 28th, 2016

By Dennis Powell, e-Management


Experts say cybersecurity is 90% YOU and only 10% technology. What are you doing to protect yourself from hackers?

Newsflash! There is no privacy on the Internet. I repeat: There is NO privacy on the Internet. Anyone with a web browser can see everything anyone has ever posted online! That’s according to the e‑Management Chief Information Officer (CIO) team (and numerous other cyber experts). Cyber experts say online security is 90% user and 10% technology. I know it sounds like a lot of responsibility. But securing the things stored on your Internet-enabled devices that are important to you (e.g., finances, pictures, intellectual property, work products, family stories) may be easier than you think.

Clearly, you should invest in anti-virus and anti-malware software or services. But that’s just 10% (technology) of the solution. The other 90%, remember, is you.  Here are a few simple considerations to help you protect yourself from hackers.

  1. Keep work and home separate. We are not talking about a work-life balance here. Keep your work and personal devices separate. Hackers will sometimes target you to steal valuable information about work projects or sensitive customer or client information. Oftentimes, the easiest way to hack a nonprofit, business, or government agency is through the organization’s staff. Avoid using your smartphone for dual purposes, such as accessing your corporate enterprise network and visiting sites to download apps/games on the same device. Still, it may be best if you talk to your company’s or agency’s information technology (IT) or cybersecurity team about BYOD (Bring-Your-Own-Device) policies and best practices before accessing work products from home or downloading personal-use entertainment on business devices.
  2. Be mindful of online phishing and social engineering scams. You’re only human. And that’s what hackers are counting on. They prey on admirable qualities in people, including being helpful and trusting of others. Clever and “social” hackers employ tactics such as having chats with you while claiming to be someone you would normally trust. In reality, their intentions are nefarious—potentially tricking you into giving away clues and facts to obtain sensitive information. Similarly, phishing scam artists carefully craft e-mails and posts on social media sites like Twitter and Facebook. The phishing goal is to get you to click on links that launch malware, which downloads to your device and essentially gives hackers free range to your sensitive information and privacy. To protect yourself, never respond to online requests for personally identifiable information such as your full social security number. In addition, do not complete forms within the body of an e-mail message. And, avoid clicking on the links of sensational posts on social media sites.
  3. Avoid tricks that will hold your computer ransom. It’s true. Hackers have an arsenal of malware to infect your computer. Even your cloud files can be destroyed if you’re a victim of ransomware. That’s malware that holds your files hostage and demands payment for you to regain access. (As if the anti-virus subscription you paid for was not expensive enough.) Hackers have even gone one step further with the encrypted CryptoLocker, which made ransomware headlines last year. How do you get infected? According to a Symantec blog posting, it’s the old enticing e-mail that you just gotta open trick AND then the ransomware infection downloads. The good news is that there is protection for malware/ransomware through security products like Symantec. Also, the e-Management CIO team recommends daily backups of your data to avoid the pain and inconvenience of losing or paying for access to your files.
  4. Get training. But before you sign up for a class, accept the fact that you are important enough to be a target for online predators. Next, take advantage of possible free training available to you. Several government agencies such as the Small Business Administration (SBA) offer free training. One best practice is continuous cybersecurity training. At e-Management, for example, we have a commitment to cybersecurity readiness. One of the first things our employees learn in the training is: There is the possibility that someone will deliberately or accidentally attempt to steal, damage, or misuse the data in our computer system(s).

Remember, online security is 90% user and 10% technology. By the way, if your company needs support figuring out where you may be at risk and what you can do to improve your level of readiness, do . We can help.

Knowledge is protection.

You get it. Cybercrime is on the rise and you have to do something to protect yourself from the cyber-crooks. The recently relaunched e-Management blog will focus on technology and cybersecurity, providing useful tips to help you navigate the ever-changing landscape of apps, policy, privacy protection, and consumer tech. So, (1) how do you protect yourself from hackers? (2) Does the organization you work for have clear guidelines around cybersecurity? (3) What are other consumer technology or cyber-focused topics you’d like for the e-Management blog team to tackle?

Four-Success

Wednesday, March 18th, 2015

By Dennis Powell, e-Management

Building a company with great culture is one way to help your small business thrive. What other tips do you have for small business success?


It seems like we blog about everything under the sun…the best food, great travel destinations, social media, government agencies, and we can go on and on. We, however, haven’t focused on small businesses or entrepreneurs in a while. So, we wanted to share four tips that every small business and entrepreneur should consider for success.

  • Build a company with great culture. In an article on Monster.com, Michael Burchell, author of The Great Workplace—How to Build It, How to Keep It, And Why It Matters, gives a number of reasons why organizational culture can mean success for small businesses. At e-Management, our CEO strongly believes that culture starts at the top and makes it a priority for the company’s leadership to model the culture we want employees to experience and promote. Great work culture can reduce staff turnover. In addition, employees tend to be happier at companies with great culture and their happiness can mean customer care that stands out from the competition. Not to mention, great workplaces are oftentimes centers for creation and innovation. So, don’t underestimate the value of culture taking your business to the next level.
  • Reward your staff. A recent report from Bersin by Deloitte (formerly Bersin & Associates), The State of Employee Recognition in 2012, suggests that rewards programs have “a much more measurable role in business performance than previously believed.” Specifically, the research indicates businesses with defined recognition programs see a 14% improvement in “employee engagement, productivity and customer service” over organizations without formal staff acknowledgements. Employee recognition works at e-Management and is a key component of our management philosophy. We highlight staff achievement in a variety of ways. At our All-Hands Meetings held quarterly, we present awards to employees who have received commendations from clients and their peers. Award recipients are treated to a special awards dinner and other perks. In 2014, e-Management handed out more than 90 awards to staff.
  • Take risks! But, you have to be smart about it. Drew Hendricks, a contributor to Inc.com, provides tips for knowing the difference between good risks and foolhardy endeavors. Hendricks asserts that all “successful business owners must learn the art of taking calculated (i.e. ‘good’) risks.” Calculated risks come with identifying risks, anticipating risks, having mitigation plans in place, and having a strategic vision that includes financing, marketing, and sales among other components. Remember, when it comes to growing your business: No calculated risk. No glory.
  • Take cybersecurity seriously! Cybersecurity is a buzz word in business and in the news. Why? Well, it’s a big deal. The average cost of a targeted cyber-attack to a small business is $188,242, according to a 2010 survey from Symantec. And according to the National Cyber Security Alliance (NCSA), 60% of small companies go out of business within 6 months of a major cyber breach. Yet, many entrepreneurs and business owners don’t know what their exposure is or don’t have a response plan in place in the event that they are targets of hackers. At the very least, small businesses should learn about the new Critical Infrastructure Cybersecurity Framework from the National Institute of Standards and Technology (NIST) and find products like CyberRx that help to simplify and automate the framework for small business success.

Your Success in Business
Those are our tips. Now it’s time for you to sound off:  (1) How important do you think organizational culture is to the success of businesses? (2) Do you think small business owners and their staff should be concerned about internet hackers? (3) What tips do you have for small business success?

Five-Finger Discount?

Tuesday, January 6th, 2015

By Dennis Powell, e-Management

More than 3 million smartphones were stolen in 2013 according to Consumer Reports. What are you doing to protect your mobile devices?


Check the Urban Dictionary and you’ll find the phrase “5-finger discount.” The term refers to how stealing requires only one hand or five fingers. Not protecting your smartphone (Windows Phone, iPhone, Android, Blackberry etc.) is essentially allowing cyber predators and real-life thugs to steal your personal information or even your identity. Well, we can all agree that’s not good for anyone. So, we’ve pulled together these…

Five Tips for Protecting Your Smartphone to Counter the 5-Finger Discount

  1. Curb Your App-etite: Apps can be practical, useful, fun, and convenient. But apps from shady sources can open you and your phone up to enormous risks. Word of advice from the FCC Smartphone Security Checker is to install apps from “trusted sources” only and be sure to “research” before downloading to determine the legitimacy of the app and app maker. An inability to curb your “app-etite” can lead to malicious software, viruses, stolen information, or a non-functioning smartphone. You’ve been warned!
  2. Install Anti-Virus Software: Apps, games, and other fun downloads are popular with most smartphone users. But it is also important to download at least one antivirus app for added protection. If you are an Android user, check out for reviews of security apps. If you’re an iPhone fan, Security Today has a great article, which lists apps designed to safeguard your favorite iPhone or tablet.
  3. Make Sure Your Smartphone Opens for Only You: HealthIT.gov offers a few tips for protecting your smartphone. One tip seems like a no brainer: Securing your smartphone by using some method of authentication. Yet, Consumer Reports National Research Center’s 2014 Annual State of the Net Survey shows that only 36% of all smartphone owners use a password, personal identification number, or some other authentication processes to verify the mobile phone user’s identity. Authentication is a simple precaution which locks out potential offline and online threats by requesting a password or some other form of authentication. We strongly recommend it for protection!
  4. Turn It Off: offers common sense tips for protecting your phone on its website. One that may surprise you is turning off your Wi-Fi and Bluetooth® when you aren’t using either.  Sophisticated hackers can easily connect to your smartphone and steal sensitive information through these connections.
  5. Insure It: The CTIA-The Wireless Association® recommends that smartphone users consider insuring their mobile devices. Many wireless providers offer affordable insurance plans directly or through a third party vendor. An insurance plan could mean a free replacement of your phone if it is lost or even damaged. Are you clueless when it comes to anything insurance? Well, check out Suzanne Kantra’s Techlicious about how to go about choosing the best plan for you.

More Tips…
There are certainly more than five ways to protect yourself from theft and cyber breaches. For instance, many smartphone users install tracking apps and software that disables phones when devices go missing. (1) What tips have worked for you in protecting your smartphone investment? (2) How easy is it for others to access your mobile phone? (3) What would you do if your smartphone suddenly disappeared?

Don’t Be a Target

Wednesday, February 12th, 2014

By Dennis Powell, e-Management

In response to a significant data breach of its systems during the holiday season, Reuters reported last week that Target is investing more than $100M in a "smart card" program, which takes advantage of more secure credit/debit cards that use microprocessor chips.


Recently, news outlets around the country reported large hotels experiencing significant data breaches resulting in customers’ debit and credit card information being misused. During the holidays, large retailers reported they had been victims of data breaches exposing tens of millions of consumers to financial risk. It seems like everywhere you look someone is stealing sensitive information. So what can consumers do to protect themselves from becoming a target of cyber fraud, whether online or offline? Look no further, we’ve pulled together a short list of suggestions designed to help consumers.

  1. Replace bank cards immediately: If you hear of a data breach including debit or credit cards at a retailer you’ve used, you may want to call your banking institution and request replacements. When it comes to protecting yourself from cyber criminals, it pays to take immediate action, before they do!
  2. Consider signing up for fraud monitoring services: Providers of fraud detection solutions offer a variety of options for consumers. Fraud monitoring services may include bank account protection, e-mail alerts for suspicious activities, and insurance protection some up to $1 million. If you don’t know where to start searching for monitoring solutions, check out the online which gives side-by-side comparisons. Be sure to call your financial institutions before purchasing new services, because you may already be covered.
  3. Manage passwords and PINs: Changing your password periodically can help to protect your online accounts and mobile apps from hackers. It’s a good idea to retire passwords every 90 days or more frequently if you believe you are at risk for fraud. Be sure to create strong alphanumeric passwords. In fact, passwords are strongest when they have at least one special character (e.g., #, $, % etc.) and an uppercase letter. Additionally, if you hear of data breaches involving any brick and mortar or online retailers you’ve accessed, then consider changing your personal identification numbers (PINs).
  4. Be mindful of the pitfalls of the web: The Internet is the number one source for malware distribution today. Malware is software that can be used to steal sensitive information from PCs, smartphones, and other tech devices. The malicious software can also disrupt your computer’s overall performance and operation. In addition to malware, cyber thugs are using evolving techniques and technologies to rip off your information (identity) or your money. So, be careful about providing personal and sensitive information to websites; and be extra cautious of unexpected or strange invitations from social media sites (Facebook, Tumblr, Twitter, etc.) and other websites. You should also be aware that your PC, tablet, or smartphone can become infected by viruses from instant messenger-type services and apps.
  5. Use caution when accessing free wireless or public Internet connections: Many wireless (Wi-Fi) hot spots of your favorite coffee house, bookstore, or hotel may not be secure, which can invite hackers to sensitive information stored on your tablets, PCs, and smartphones. So if you are accessing the Internet using free or public wireless, you may want to visit encrypted websites only. The Federal Trade Commission’s OnGuardOnline.gov site offers up a few more tips for identifying encrypted websites and protecting yourself on public Wi-Fi systems.

We could go on and on…
There are so many ways to protect personal information from cyber criminals and identity thieves. Education is a good start. It is a great idea to share with the entire family the importance of being savvy in an age of data breaches. The Consumer Federation of America operates IDTheft.org, which offers additional tips to consumers about protection against fraud in the Electronic Age. So, (1) what would you do if you were suddenly a victim of a cyber crime or identity theft? (2) Have you or a loved-one been a victim of identity theft? (3) What tools are you currently using to protect yourself?

C&A Isn’t What It Used to Be

Monday, March 14th, 2011

By Doug Stemper, e-Management

Certification and Accreditation…what is it, you ask? C&A can either be the most excruciatingly dull thing you have ever done in your life, or it can be a valuable tool to managing the security of your government IT system. While C&A has been through its changes over time, it all boils down to one primary purpose: To document the security controls, or lack thereof, and what you are doing about it.

Certification and accreditation (C&A) is a process that helps to lock out the “bad guys,” secures your information, and protects your mission. What security controls do you have in place to safeguard your organization?


That’s it. Really. Since I know you want more C&A, here is my crash course, C&A for Dummies.

Enter FIPS
Back in 1983, FIPS 102, Guidelines for Computer Security Certification and Accreditation, came along; FIPS are Federal Information Processing Standards, the things you have to do. As time went on, other guidelines sprang up, like the Department of Defense’s DoD Information Technology Security Certification and Accreditation Process (DITSCAP), for defense-related national security systems; the National Information Assurance Certification and Accreditation Process (NIACAP), developed by the National Security Agency; and the Central Intelligence Agency’s Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information within Information Systems. Organizations were pretty much free to choose which method they wanted to implement.

There’s a New Law in Town
Following FIPS, the federal government enacted the Federal Information Security Management Act of 2002 (FISMA). This new law mandated that system security be documented and managed. Along with certain documentation requirements, security was to be planned for and implemented during the life cycle of the system. In its original version, the required documentation artifacts were the system security plan (SSP), the contingency plan (CP), the contingency plan test report, the security test and evaluation (ST&E) plan, and the risk assessment. As time went on, more requirements were added throughout government and locally, but these documents were the first basic requirements.

With C&A, Less is Better
Properly executed, and properly written, the documentation for a full C&A should not exceed 75-100 pages for the entire package. Many organizations tend to believe that more is better. Since a C&A is meant to be a living, working document, the less that needs to be reviewed and updated, the better. Excessive content only gets in the way of effective management of the SSP. But, that does not mean that any required aspects of the package should be neglected.

…but WAIT! There’s more!
The above has been the environment (and way of thinking) for the last five to eight years; with the goal of obtaining an Authority to Operate (ATO) from the Designated Approval Authority (DAA). Within the last year, however, there has been a shift in thinking that includes the Risk Management Framework. While it is still important to document the system security in a comprehensive SSP, the emphasis has turned to technical security controls. There really isn’t a standard system for tracking management and operational controls, but technical controls can be measured and tracked automatically because they either work, or they don’t. And there are numerous products available to test and report security status. So, from a technical standpoint, security can be implemented and measured so that weaknesses can be identified, prioritized, and addressed. This is the basis of the “new” C&A process.

The New ATO
The new guideline for obtaining a “Security Authorization” (the new ATO) is NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. For those familiar with the C&A process, this changes the approach to documenting system security and changes, or actually consolidates, the required documentation. The new security authorization package contains: the security plan; the security assessment report; and the plan of action and milestones (POA&M).

All of this is a consolidation of process steps and applies a project management-type framework to ensuring the documentation and implementation of security controls throughout the life cycle of the system. Along with the security authorization, the major operative aspect of the new Risk Management Framework is a “continuous monitoring” function that tracks and records security changes in the system. If new security risks are found, they are recorded on a POA&M and managed until either mitigated or the risk is accepted as part of the normal operating environment.

A key element of the new process is that there is no longer a fast requirement for the security authorization to expire. With a viable, robust continuous monitoring program, the authorizing official will be able to comprehend the level of risk at all times and react appropriately.

So there you have it…
C&A as we have known it is no more. Long live security authorization and continuous monitoring!

C&A Q&A
Has this blog posting helped to clarify the role of C&A in federal agencies? What security controls do you have in place to protect your agency? What IT security issues are the biggest for your organization?

I look forward to your responses and/or questions.