» 

Blog

Why You Should Implement a Third Party Vendor Assessment Program

  third party vendor assessment program

Third party vendors are incredibly useful. They allow businesses to automate certain processes they can’t do themselves, like implement payroll services to compensate employees, and bridge gaps in their technology. But while the money, time, and brainpower freed up by outsourcing tasks is a huge positive, third party vendors have their downsides. There must be a mutual agreement between all parties involved regarding security best practices. And sadly, that’s rarely a main focus, causing high risk to creep in where you least expect it.

As security concerns skyrocket, with data breaches happening to organizations of all sizes in all industries, IT and security teams are searching for ways to be proactive in their cybersecurity plans. Security awareness programs and carefully documented policies are a good start. But there’s no better way to prevent future security vulnerabilities than by starting with one of the biggest risks a company can have: careless outside players.

READ MORE: The Benefit of Empowered Employees: Why a Good Security Awareness Program Matters

“Security breaches attributed to third-party partners are increasing,” explains Paul Dusini, Information Assurance Manager at business management consulting company NuHarbor Security. “The number of data breaches attributed to third-party vendors increased by 22% since 2015.” And such frequency only continues to rise.

“Security breaches attributed to third-party partners are increasing. The number of data breaches attributed to third-party vendors increased by 22% since 2015.”

In fact, one of the biggest data breaches of this decade, Target Corporation in 2013, was thanks to unsecure third party vendors. A recent news report from American Banker states that “hackers first breached one of the retailers’ heating and air conditioning vendors, and from there, through a billing system, broke into Target’s servers to steal data on 40 million credit and debit cards and personally identifiable information of 70 million shoppers.”

Why aren’t third party vendors reviewed more often to prevent these kind of breaches? Shockingly, third party vendors are often considered an afterthought, since they provide services to an organization without being a part of their daily business goals. “Only 52% of companies have security standards for third-parties,” NuHarbor Security writes, yet an average of 90 vendors touch company data on a weekly basis. That’s a large number of players and access points a hacker could use to steal information—and part of the reason why third party vendors should be taken more seriously.

The good news is, organizations don’t have to quit third party vendors all together, a feat that’s likely impossible in this day and age anyway. Even better, data breaches and other vulnerabilities through third party vendors can be avoided.

Third Party Vendor Assessment Programs

Kathryn Anderson of Backbone Consultants has worked alongside many businesses, giving her the unique ability to observe how their IT teams practice data security and obtain valuable insight into where they regularly have security gaps. One of the best ways to close these gaps, she urges, is to start with third party vendors … and implement a third party vendor assessment program to minimize risk.

READ MORE: Introducing Kathryn Anderson of Backbone Consultants

I have helped grow 3rd party risk programs at multiple organizations across different industries,” Anderson explained in an interview with us. “From a compliance standpoint, third party (and fourth party) risk is becoming a key area for auditors. The reason why is that it’s high risk having third parties, parties that are under different cultures and employee policies, allowed access to your information by providing you with services. So it’s understanding and vetting those third parties that’s blowing up right now—for a very good reason.”

Implementing a third party vendor assessment program is an important step toward properly addressing third party risk and keeping it the way it should be: low and under control. Part of the work, Anderson said, could include creating a questionnaire for vendors based on the services they’re providing, using IT governance and risk management frameworks, discussing the value of the program with your organization, and sitting in on any approval meetings departments have for the new applications or cloud-based services they want to use.

Unfortunately, while these programs have a plethora of benefits that lessen the possibility of security vulnerabilities, they aren’t always easy to get off the ground. But the time and resources it takes to look at an organization and “figure out what you should really care about, what matters, and what are the triggers that say ‘this is a high risk vendor,’” she said, come with incredible benefits. And it can be done with a culture shift and proper stakeholder buy-in.

“The program is not about people sitting in the back corner looking at logs to identify anomalous activity in your environment, it’s being part of the business. Because security is a business risk. It’s not an IT risk,” Anderson explained, discussing how important it is get key players to want to work with you and your program. A vendor assessment program enables security to integrate with the rest of the organization and help it (rather than hinder it) achieve business goals in a safe and positive manner.

“The program is not about people sitting in the back corner looking at logs to identify anomalous activity in your environment, it’s being part of the business. Because security is a business risk. It’s not an IT risk."

“Security shouldn’t be a ‘no’ group. It should be a proactive partner. If the company has some sort of business need, it’s not up to security to say no,” she continued. “They can offer suggestions on how a desired vendor can improve their controls, identify gaps, or point out vendors that have better security controls, but IT and security should not be a ‘no’ group.”

In fact, Anderson said, a third party vendor assessment program is an ally in the quest for company success, not an obstacle to be overcome. “IT and security are like the security on a race car. The business is going super fast around the track, and it’s our job to make sure the airbags work and that they have a parachute. If anything, we put the security in place so they can go faster. We should be an enabler, not a road block.”

How to Implement a Third Party Assessment Program

If you’re ready to implement a third party assessment program in your organization, here are four steps you can take to get started.

#1. Identify Your Third Party Vendors

Organizations often don’t have a firm understanding of every third party vendor they use. Different departments use different vendors to get their work done. For example, Marketing uses an application to streamline their design goals or Development uses a web service to track project hours. Identifying these vendors and making a list of who you’re using pieces together the big picture, and leads to step 2.

#2. Review Your Current Third Party Vendors

Once you have a list of the third party vendors you’re using, review them to make sure they are up to standard. Do they have good cybersecurity practices? Are they accessing internal networks, and are those access points secure and monitored? How strict is their access; are they only allowed into the areas they need? Is the way they handle your data secure? Have there been odd discrepancies in the way they’ve worked with your organization, such as delays, inconsistent staffing, or spotty communication?

These areas of review can help you determine what level of risk your company currently faces. Then, you can make informed decisions on whether to keep these vendors, terminate the relationship, or discuss ways they should improve their controls.

#3. Create a Questionnaire for Potential Vendors

As Anderson suggested, using a questionnaire that addresses the specific services offered by a vendor (so asking a point-of-sale vendor retail-related questions) gives you insight into areas of weakness or concern before you create a relationship with them.

Ask questions like:

  • What sort of information will you need access to?
  • Do you have updated security policies and procedures in place?
  • Are you compliant with privacy laws/regulations regarding confidentiality and customer data? If so, which ones?
  • How often do you update your OS security?
  • What sort of controls do you have in place to secure your data?
  • What security software do you use to scan for viruses?

You can find several example third party vendor questionnaires online and use them to create your own.

#4. Assess which Meetings You Should Attend (then Attend Them)

With the beginnings of a third party vendor assessment program in place, you should start to anticipate the third party vendors that are added to your organization. If certain departments hold review meetings to discuss which vendors they should add to their arsenal, ask to sit in on them and speak up if you detect any problems or red flags that might cause high risk.

Just remember, security should be a proactive partner, not a nay sayer. The point of a third party vendor assessment program is to close vulnerability gaps and work with the organization to meet business goals and needs, not police what they can and cannot use.

These four steps serve as great starting points in creating a preliminary vendor assessment program, but they’re not all-inclusive. If you want to take your planning further, consider contacting a certified cybersecurity consultant. They’ll work with you to produce a detailed risk assessment for your organization, including reviews of your overall third party risk, reviews of proposed and existing contracts, and execution of a dynamic risk assessment questionnaire. Contact Backbone Consultants for more information on how they can help you implement a third party vendor assessment and decrease your security risk.

Want to hear more from Kathryn Anderson? Make sure to attend our July 26 webinar, Lessons from the Field: 7 Steps to Proactive Cybersecurity. The event is open to everyone, but it should especially interest those who want to learn how to implement a third party vendor assessment program or manage resources in their organization. Register now to join the conversation.

 


6 Experts Debunk Common Cybersecurity Myths

Cybersecurity warrior protecting dataThe life of a cybersecurity professional looks a lot like the plot of a Greek mythology action movie. We spend years preparing for an attack by an unknown creature, basing our strategy on tales passed down from cybersecurity warriors before us. DDoS attacks are waged by the mythical Hydra with multiple heads attacking from every angle; phishing emails are released, disguised as alluring calls from beautiful Sirens.

Along with these aggressions come the myths of how best to defend against such attacks. Which is why HelpSystems set out to debunk some of the most popular cybersecurity myths that exist today.

We asked six uniquely-qualified security experts from around the world to debunk their favorite IT security myths.

Read their intriguing answers in Cybersecurity Myths Debunked.

cybersecurity experts

 

Cybersecurity Myths Busted eBook


The Benefits of Empowered Employees: Why a Good Security Awareness Program Matters

 employee security awareness program

Every organization dreams of how they’d like to implement cybersecurity. It’s perfect in its execution: requirements would be met or exceeded, employees would be fully educated on security risks, and data would never be threatened by renegade phishing scams or careless user errors. But sadly, faced with time and resource constraints, it can be difficult for busy organizations to do more than just check the “high importance” boxes (like creating a data breach response plan and solid networking practices). Especially if today’s ever-changing security needs are hard to keep up with as it is.

Kathryn Anderson of Backbone Consultants argues that this struggle to maintain and surmount cybersecurity needs is exactly why businesses should find time to implement a security awareness program. As a security advocate with over a decade of industry experience, Anderson is passionate about risk and governance. And through her experience, she gained powerful insights on how to inspire awareness, responsibility, and empowerment in an entire organization.

READ MORE: Introducing Kathryn Anderson of Backbone Consultants

Anderson started pushing for employee awareness in her Senior Information Security Specialist role at a Fortune 500 consumer food company. Her manager had already put some groundwork in place, but she was fully responsible for developing a security awareness program that would impact new employees, near-retirees, and everyone in between.

Why spend so much time on employee education? “It’s a way to get people to care,” Anderson said during a recent interview with us, “and to be empowered.” She believes that security should be a part of employee job responsibilities from the moment they start their first day of work. But more importantly, it should be part of their responsibilities in everyday life—not just when they’re on the clock.

So Anderson used her security awareness program to shift the culture at the consumer food company, starting with a focus on modern cybersecurity risks and scams. “I brought in an email phishing tool. Based on the type of security events we were seeing and the questions I received, it was clear that the opportunity at our company and our highest risk area was phishing emails for employees,” Anderson explained. “What was super cool about the anti-phishing program I created was that it actually empowered our employees. Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”

“Security became part of their job responsibilities and not just something that a bunch of nerds in the back were working on to keep them safe.”

Several great program initiatives kept the momentum going. A fake phishing email sent internally encouraged coworker-to-coworker discussion that filled marketing meetings, finance meetings, and office spaces with excited security chatter. Employees started asking how they could help protect company data during their daily routine and discussing their role in the overall success of the company. It was a huge, and exciting, change from the initial belief that only IT and security were expected to be proactive in keeping data safe.

While Anderson’s work inspired employees to own their part in the consumer food company’s security practices, she also made it a point to talk about the importance of following the same rules at home. “Through the security program, we really focused on how you can help protect your family and keep your personal information safe,” she said. “So one tool that companies can also use is understanding that your employees are holistic beings; they’re not just people who are in the office from 9 to 5.”

The call for organizations to cultivate a vested interest in employee safety is not new. Brad Beatty, Lead Security Engineer at Enterprise Holdings, shared his thoughts on LinkedIn, writing “I had a vested interest in the success of those around me and the company I worked for because I was treated like family. I propose that by empowering employees … those employees will arise to the occasion and not only become your strongest business asset, but your strongest cyber security defense.”

Likewise, Darran Rolls, CTO and CISO at SailPoint, also wrote about employee empowerment: “[Cybersecurity pitfalls don’t] stop with employees. Friends and family are also targets. Because of this, it’s important that employees emphasize the importance of cybersecurity awareness with those closest to them and follow best practices outside of the workplace.”

So, what did the Fortune 500 consumer foods company do? With Anderson leading the initiative, they started having frequent conversations with their employees on how to protect data outside of work. They talked about how to stay protected during tax season, even though it had nothing to do with company data. And by putting time and effort into their employees’ personal lives, employees responded by practicing good security ethics everywhere they went—which ultimately helped lessen the opportunity for user error, both inside and outside of the workplace.

“There’s a lot of synergies between security and personal security. It’s an opportunity for people in my field to reach out and have conversations with everyday people they encounter, like at the library, or at parties. When you start talking about dual authentication at parties, everyone loves you and you’re always welcome back,” Anderson said. “You might even get a second dessert!” she added, laughing.

Are you focused on building a cybersecurity culture for your employees? If not, now is the time. The resources you’ll expend to create a strong security awareness program for your organization will be more than worth the good that follows.

Want to hear more from Kathryn Anderson? Make sure to attend our July 26 webinar, Lessons from the Field: 7 Steps to Proactive Cybersecurity. The event is open to everyone, but it should especially interest those who want to learn how to implement a security awareness program or manage resources in their organization. Register now to join the conversation.

 


10 Easy Ways to Protect Your Data at Work

In a recent survey of UK workers, over half the employees who participated across 1,000 organizations admitted that they open suspicious email attachments. More than 80% also said they open strange attachments if the sender appears to be someone they know, and “one in five said the business they work for has no policy on how to handle email attachments, or they have not been made aware of it.”

Organizations that operate without a clear cut security awareness plan (for emails, file transfers, or even internet use) open themselves up to huge security risks—risks that are easily preventable with a bit of training and forethought but sadly, often overlooked.

If this sounds like your workplace, never fear. Even without a policy to follow, there are ways you can implement security practices in your current role and workspace to protect yourself, your information, and your company’s data from prying eyes and malicious scams.

Here are 10 easy ways to promote security in your role, without needing permission to do so.

1. Never download unapproved software

That free screen capture application or photo editing software may seem tempting, but don’t download it without approval from your IT department. Free software is rife with malicious code, which can introduce malware, ransomware, and other threats to your computer and company network.

If you aren’t sure whether the software is safe to download, contact IT. And when you’re on your personal computer, check trusted online resources, such as forums or software review websites, for information on the application you want. Most times, if it’s not safe, you can find an alternative application that is.

2. Send files (in and out of network) securely

If you need to send a file to someone in your network or out on the remote network, always make sure to send it securely. Use a managed file transfer solution to protect sensitive company data. And instead of using FTP, email, or other unsecured methods to transfer files, use a secure protocol like SFTP or Open PGP to encrypt the information.

3. Don’t send sensitive information in emails or online messages

Email and online messaging are incredibly fast and convenient methods of sending information to someone, but they’re not secure. A single spear phishing email or instant message containing a bad link can give hackers access to the information on your computer. And if you send sensitive information through messages and your workspace is compromised, you’re doing the work for them. Hackers won’t have to go far to retrieve your private data.

It’s important to also remember that emails and online messages can be forwarded with just a click of the mouse or intercepted during transmission. Once that username/password combination, credit card number, or completed W-2 form is out of your hands, renegade employees can forward the information just about anywhere. So instead of transmitting data across the network, cut out the middleman. Identify situations where you can deliver the information directly, whether by a phone call or in person. Can’t do that? Send the data via an encrypted folder-to-folder transfer or through a secure form with a link and password.

4. Follow security best practices for application passwords

Changing your password every 60-180 days is a standard industry procedure. Even if it gets annoying, following this simple practice can limit the access hackers might already have (for those who come in and quietly monitor business processes without making any sudden moves) by cutting them off after a specific amount of time.

However, when employees do change their passwords, they often rift off their original password, like adding an extra number or switching out the capital letters. In fact, 19% of work professionals use a weak password to protect their data, according to a recent report. And unfortunately, people also use the same password across multiple websites, which is a huge security risk. If hackers access one account, they can access them all.

With all the data breaches happening today, it’s important that you create strong passwords, use a different one for each account, and change them every so often, at work and at home. Your personal data is just as important as company data—and remember, anyone can have their information stolen.

5. Clarify sender intentions if you receive a questionable email or attachment

In general, it’s a good practice to approach your inbox with a critical eye. Be wary of every attachment you don’t recognize or didn’t anticipate, even from senders you trust, and follow up in person, over the phone, or in a separate email thread if you aren’t sure about the contents.

This may add extra time to your day, but it’s worth your thought and attention. Phishing and spear phishing emails are one of the top ways hackers gain access to company accounts. To learn more about phishing attacks, check out our recent blog post: 7 Ways to Protect against Corporate Spear Phishing.

6. Install computer updates whenever they’re available

Depending on what operating system you use, updates and security patches can be frequently available. Microsoft, for example, ships new updates for Windows on the second Tuesday of every month (you can find a list here). Apple’s updates come a little more sporadically but are still shipped often enough to help maintain OS security.

Installing these updates and patches is an important part of keeping your system up-to-date with the latest security concerns and improvements. Some companies automate this process, installing updates in the background so you don’t have to. If you’re not sure whether this applies to you, check with your IT department.

7. Avoid using external flash drives to transfer information

Despite how common it is to use USB flash drives (it seems they’re handed out like candy these days), they’re not secure.  These tiny thumb drives can be loaded with malware or reformatted with tampered firmware (the USBs permanent software). So unless you know where the USB has been before it was delivered into your hands, it’s best not to use it.

But why not just wipe it clean, you might ask? “You can give [the USB] to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean,’ [but] the cleaning process doesn’t even touch the files [in the firmware],” said security researcher Karsten Nohl in an interview with Wired. Once the firmware has been affected, it’s difficult, if not impossible, for most people to find the corruption and remove it.

Then there’s the obvious danger with USB drives: not being able to control where they go, or who has access to the files, once it leaves your hands. Even if it’s tucked away in your desk, can you be sure no one will take it when you’re not looking, or that extra copies won’t be made of the file while someone else uses it? No. Better safe than sorry.

8. Lock your computer whenever you step away from your desk

This is a seriously simple step you can take to mitigate risk in your workspace. Anytime you leave your desk, even to grab a cup of coffee or hit the bathroom, you should lock your computer. This may not prevent external hackers from stealing sensitive company data, but it can deter renegade employees or “visiting guests” from snooping through your information while you’re away.

If you’re worried you’ll forget in the rush of an ever-busy workday, most computers allow you to set a default lock whenever your session has been inactive for x amount of minutes. Ask your IT department how to configure this, then set it to an amount of time that creates a balance between security and usability. Ten to fifteen minutes is usually adequate (unless otherwise already set by your organization).

9. Ensure your connection is secure if doing work from home

If you’re able to work from home, make sure you set up a secure connection that meets your company’s standards before accessing any sensitive information, including email and user accounts. Avoid working on devices that haven’t been approved by the IT department, such as personal phones or laptops that might be compromised with malware or questionable software. And always use protected WiFi, as open WiFi connections (especially ones in public places) are vulnerable to packet sniffer programs that can read and steal transmitted data.

10. Make security a topic for discussion in your role, department, and organization

Last, but certainly not least, be an advocate for security in your organization. If you recognize the need to protect your data and your company’s data, others will start to recognize it too. Ask leadership or the IT department if they plan to create a security awareness program or document their policies for internal reference. Share what you learn with your coworkers, or bring them into the conversation by asking them how they handle security in their own role. And apply what you do at work in your personal life, because your data is important too.

For further information on how to protect your data at work, check out our blog post on email security: Top Email Security Challenges and How to Solve Them.

 

 


USPS Eliminates FTP, Requires Secure File Transfers via SFTP, AS2 or PDX

Early this year, the United States Postal Service (USPS) announced the elimination of FTP (File Transfer Protocol) from their business practices and policies—a change that strengthens the security of their data transmissions and addresses recent audit findings.

What does this mean for you? The change is still in transition for now, but after August 31, 2017, mailers and shippers will need to send data to the USPS using one of the following secure communication methods: PDX (Parcel Data Exchange), SFTP (Secure File Transfer Protocol), or AS2 (Applicability Statement 2). This applies to SSF, EMM, BPOD, DEXTRO, and ERR files.

Any of these approved methods will work. The USPS lists PDX as preferred, allowing business customers and third-party vendors to use PDX through their web application. But for those who can’t or don’t want to switch to PDX, SFTP or AS2 are just as secure, cost-friendly, and easy to implement.

Are you in the market for a solution that supports SFTP and AS2 protocols? GoAnywhere MFT offers both of these in a managed file transfer solution that’s affordable and intuitive. Connect to Secure FTP servers (including SFTP, FTPS, and SCP) for protected communication, or send AS2 messages with multiple file attachments. However you want to do it, we’ve got you covered.

To see how GoAnywhere MFT can meet these new USPS policies and save your organization money in the process, request a demo.

 


How Does MFT Work?

Compared to using a variety of standalone  FTP and SFTP tools and scripts, managed file transfer (MFT) technology allows professionals to streamline how data is transferred. Managed file transfers help organizations send and receive files in their cloud and private networks, create and control workflows, automate file transfers, and centralize management from a single system.

The why behind using an MFT solution makes sense. It reduces costs, improves the quality of your data transmissions, and helps you meet stringent data security compliance requirements. It also simplifies your system-to-system, user-to-system, and user-to-user file transfers—and keeps security at the forefront of everything it does.

The what of a MFT solution is fairly straightforward. Managed file transfer solutions are a type of software that use industry-standard network protocols and encryption methods to streamline the management of a company. What does “managed” in managed file transfer mean? It refers to how the solution can automate and transfer your data across your organization, network, systems, applications, trading partners, and cloud environments from a single, central interface.

So we know the what and why of MFT solutions, but we haven’t discussed the how of MFT solutions. How do managed file transfers work, and how do they affect you?

Step One: Original File is Sent from the MFT Program or Plugin

Say you need to send a confidential document to someone in a remote office. Maybe it’s a seasonal restaurant menu for another retail location, maybe it’s an audit report for a trading partner, or maybe it’s a financial document for a homeowner. Whatever the scenario, you can send the file to a third party by using an MFT solution.

The file’s journey from you to your recipient can start in many ways. You can:

  • Securely send the file through a MFT email plugin
  • Send it through a web client (access to the MFT solution from a browser)
  • Automatically sendit directly through the managed file transfer workflow
  • Place a file in a dedicated folder that the recipient can connect to securely for download

Whatever method you choose to send your file, MFT ensures the data is transferred quickly and securely.

Step Two: Your MFT Solution Encrypts the File

After you send the email, upload the file to your browser, or drop it in a monitored folder, your MFT solution receives the data and secures it in a few different ways. MFT can encrypt your files using FIPS 140-2 compliance AES ciphers or the Open PGP standard, among others. To protect your file transmissions, MFT can use SFTP, SCP, FTPS, AS2, and HTTPS protocols to encrypt the data you send. And an MFT solution like GoAnywhere MFT allows you to zip compress files before transmission.

Once your data is properly protected, you can also use your MFT solution to schedule file transfers, translate sent and received data to popular formats like Excel, XML, and JSON, update and pull files from monitored folders, and more.

Step Three: Encrypted File is Delivered to the Recipient & Decrypted

When the file leaves the MFT server, it is sent to whatever location you indicated for the recipient, whether that be a designated folder on a server, email address, or so on. The recipient at the remote office can then grab the file, decrypt it, and even translate it as needed.

For peace of mind, MFT solutions often include audit logs that store and track crucial audit information. This helps with PCI DSS and HIPAA compliance, but it also allows you to track the movement and activity of the file that occur once it leaves you, so you never have to wonder if the transfer was successful, if it failed, or whether or not the file was even opened.

If the recipient has a file to send you, they can repeat the process, starting the journey all over again!

 

Still curious about MFT solutions and if they’re right for your business?
You can learn more about the benefits of an MFT solution in our FREE whitepaper:

Beyond FTP: Securing and Managing File Transfers

 

 

 

 

 


Introducing Kathryn Anderson from Backbone Consultants

July is fast approaching, and with it our latest webinar on cybersecurity, Lessons from the Field: 7 Steps to Proactive Cybersecurity. This engaging, hour long session will cover seven lessons organizations should use to build security awareness and protect sensitive company data.

Who’s speaking? Expect powerful discussion between Bob Erdman, Security Product Manager at HelpSystems, and a very exciting guest speaker—Kathryn Anderson of Backbone Consultants.

Meet Kathryn Anderson

Kathryn Anderson is a Senior Manager of IT Risk and Compliance. She comes to Backbone Consultants—and our webinar—with over a decade of relevant business and security knowledge.

As part of her role in IT Risk and Compliance at Backbone Consultants, she consults with businesses on needs they have and identifies security opportunities they may not realize they have. She helps them “understand what their risks are as an organization from a reputation standpoint, from a financial standpoint, from an operations standpoint, and find those opportunities they may not be looking at.” By studying the whole picture, she can give each company a complete overview of their institution and make suggestions for improvement.

We recently had the opportunity to sit down with Kathryn Anderson and learn about her background and security goals. “I started my career in Identity and Access Management. I fell into it and found, very quickly, that I absolutely loved it,” Anderson told us. “There are so many components of security that help organizations and their customers keep data safe, which is what attracted me to security as I delved into the Identity and Access Management part of it.”

Anderson’s first introduction to security was at TCF Bank, where she worked in an Identity and Access Management role doing user attestations and term and transfer lists. As her responsibilities evolved, she began to identify areas where the security department could use tools to automate business processes, like employee termination from central applications.

Finding these opportunities for improvement helped Anderson understand the importance of developing strong cybersecurity practices. “The purpose of this job really has a lot of value. If you have a system ID that’s just sitting out there and isn’t being used, and a terminated employee has access to some sort of information, it could put your data at risk. Understanding what security was helped elevate my career path,” she said.

After seven years at TCF Bank, Anderson accepted a position in Risk and Governance at General Mills, where she spent a majority of her time developing programs on Security Awareness and Third Party Vendor Assessment. She focused on security education, too, ensuring General Mills employees not only understood security best practices, but also felt empowered to protect data at work and at home.

Kathryn Anderson’s passion and interest in business security makes her a valuable guest speaker, and we’re excited to hear more from her in the upcoming weeks. She’ll also share her thoughts on the importance of proactive cybersecurity during our July 26 webinar. The event is open to everyone, but it should especially interest those who want to learn how to implement a security awareness program or manage resources in their organization.

About Backbone Consultants

Located in Minnesota, Backbone Consultants has provided clients with end to end cybersecurity services and compliance since 2008. Their services include IT audit and compliance, cybersecurity, data privacy, and technical training. Comprised of a strong professional team, Backbone Consultants work with companies to tackle business needs and identify areas of improvement in how they develop and manage their IT assets.

You can learn more about Backbone Consultants at their website.

Webinar Details

Lessons from the Field: 7 Steps to Proactive Cybersecurity

Wednesday, July 26, 2017

11 am - 12 pm CT

Don’t miss out! Register now to join the discussion.


7 Steps to Protect Yourself Against Corporate Spear Phishing

Anyone with an email account is used to spam. It happens one day: you get that first unsolicited email, and then a flood of ads, flash sale offers, and foreign bank transaction requests rushes into your inbox. In that moment, the battle for your virtual sanity begins.

But while spam emails are mostly harmless—you tend to see them from a mile away and respond accordingly—spear phishing emails are dangerous, and they’re harder to detect.

What is Spear Phishing?

In general, phishing is the practice of sending fraudulent emails from what appears to be a trusted sender in your organization, like a family member, bank institution, or business you frequent (eBay or PayPal are two good examples of this). Phishing and spear phishing attacks both follow this practice, but the similarities end with the strategy they use to get your information.

Regular phishing attacks trawl the waters with a wide net, hoping to catch whoever falls for their scam. Spear phishing emails, on the other hand, target users that have specific access to the information hackers want. These users could be accounting employees, executives, or IT professionals.

Spear phishing emails are tailored to look, sound, and feel legitimate. The messages they contain generally include a grab for confidential information, like a link you can follow to change your password, a downloadable attachment, or a request for sensitive employee data. Regardless of what form it takes, if you follow the email’s instructions, your computer and organization are immediately compromised.

Spear Phishing Affects Everyone

The number of spear phishing attacks on organizations climbs every year. Cybersecurity growth has spiked to anticipate these security concerns, but that doesn’t mean companies who follow best practices are protected from a potential attack. Employees can fall victim to these scams without ever realizing something is amiss, and the repercussions of a single instance of infiltration? They’re crippling.

Spear phishing attacks affect a multitude of industries. According to InfoSec Institute, top industries targeted by these attacks in 2014 and 2015 include logistics, retail, public administration, finance, and services. What’s worse, a successful attack can cost a company, on average, $1.6 million. This is no small amount of damage.

Are you confident your business is secure enough to shut down potential phishing attacks? Think again.

In 2014, the Carbanak Breach impacted over 100 financial institutions and cost them around $1 billion. According to Kaspersky Lab, who investigated the breach, “The attackers used spear phishing emails [to infiltrate the bank’s intranet], luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.

Seagate Technology was affected in a similar way in 2016. Through an email that looked like a request from the CEO, all W-2 forms the company had were stolen, compromising Seagate employees in more ways than one. And the heartache could’ve been avoided with a few extra, precautionary steps.

How to Protect Yourself against Spear Phishing

If you’re concerned about the danger of spear phishing attacks or looking for ways to make your environment more secure, we suggest you implement these seven steps in your company. They may help stop a potential attack before it can begin.

1. Keep your systems up-to-date with the latest security patches

Check your operating system frequently for the latest security patch releases. If you’re running Windows, Microsoft is always updating and promoting their security patches, especially if they foresee a new security concern and want to fortify their users. This is also true of unsupported versions, like Windows XP, if there’s enough risk to warrant an update.

Like Microsoft, Apple, Linux, AIX, and VIOS operating systems also have security patches. New ones are released as industries rise to meet and predict new phishing attacks, so keep your systems (both customer-facing and internal systems) up-to-date and install new security patches whenever possible to avoid gaps in protection.

2. Encrypt any sensitive company information you have

File encryption is a good way to protect sensitive company data from prying eyes. With the right tool or solution, the files you send to your systems, cloud environments, trading partners, and remote locations will be secure, making it difficult for outside parties to decrypt your data even if they get their hands on it.

What should you encrypt? Here are just a few examples that limit the amount of damage a spear phishing attack could do to your organization:

  • Hard drives
  • Cloud storage
  • Passwords and security questions
  • Internet activity (using a VPN or masked IP address)
  • External storage (USB drives, external hard drives)
  • Files (business contracts, audit reports, tax documents)

managed file transfer solution can encrypt your files at rest and in transit using modern, secure encryption methods. Good MFT software helps ensure that you stay up-to-date as encryption standards change over time, while making your data transfers simple to manage and audit.

3. Use DMARC technology

You’d think, in this day and age, that emails received from an address you know would be trustworthy. After all, you get emails from AwesomeCoworker@company.com all the time, which means even the suspicious emails are safe to answer. Right? Wrong. Far too often, hackers are able to spoof the FROM field of an actual email address, such as JoeSmithCEO@company.com, and send a message with that address to company employees.

Because these spoofed emails look real and cause successful spear phishing attacks, DMARC (Domain-based Message Authentication, Reporting & Conformance) technology uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to analyze incoming emails against its database. If the email doesn’t match the record for the sender, DMARC rejects it and submits a report to a specified security admin.

Patrick Peterson is a visionary leader at Agari, a company that prevents cyber attacks and secures email for Fortune 1000 companies. He addressed the growing need for DMARC in a recent data security panel: “A very important aspect in email security is making sure your email provider uses technology like DMARC. It's the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, Microsoft and AOL all use it to stop phishing.”

Despite the obvious benefits of using email authentication technologies, DMARC and other protocols like it are not foolproof. Google fell victim to a successful spear phishing attack in May 2017 when hackers sent emails containing fraudulent Google Doc links to Gmail users. Though Google reportedly stopped the attack within an hour, the damage was still felt. Over a million accounts were compromised.

While we still recommend implementing DMARC into your email, consider it but one of many tools you should use to secure your data, users, and company. It’s just safer that way.

4. Implement multi-factor authentication wherever possible

Many businesses have implemented multi-factor authentication (MFA) into their security routine. Some, like Google, allow their customers to turn on MFA as a precautionary measure. Others require clients to enter a sequence of personal details to access their account.

So why not use MFA to protect your data?

Multi-factor authentication is a simple way to ensure anyone who accesses your private data is legitimate. How does it work? It requires at least two pieces of identification, like a login and randomly generated token, that makes it infinitely harder for hackers to compromise your systemseven if they have half the information needed to get in.

If we lived in a perfect world, user passwords and security questions would always be secure. But in reality, employees recycle passwords across multiple websites and overshare personal data on social media, compromising the integrity of their logins and security questions.

So really, implement MFA wherever you canat work and in your personal life. At the very least, it’ll give you an extra layer of protection against spear phishing and other potential data breaches.

5. Make cybersecurity a company focus

Is cybersecurity a focus in your organization? It should be. When security is forefront in your mind and the minds of your employees, better decisions are made and more precautions are taken, enabling you to prevent spear phishing attacks before they become a concern.

Here are a few ideas to get you started:

  • Document and send internal security procedures to your employees.
  • Create a cybersecurity policy and data breach response plan for your organization.
  • Schedule quarterly meetings with key players to review the latest spear phishing attacks in the industry.
  • Identify potential spear-phishing targets, and brief them on the actions they should take if they receive a questionable email.
  • Review employee roles and access regularly, including third party vendors, partners, and those in remote offices. Make adjustments as necessary.

6. Educate your employees and regularly test their knowledge

Over 90% of cyber attacks are successful because of employee error. What’s the common method used in these cyber attacks to compromise data? You guessed it, spear phishing.

Spear phishing emails are rarely transparent. One believable email from a spoofed address is all it takes to gain access to employee credentials and, from there, sensitive company information. But the good news is, human error is avoidable with some training and education.

Talk to your employees about the reality of phishing attacks. Set aside 15 minutes at your next company meeting to educate them on what spear phishing attacks look like, what they do, and any steps they should take if they encounter one. Document a quick guide to internet security and make it available on your network. Even quarterly quizzes with a fun prize for winners can be the motivation needed to build security knowledge.

The more opportunities your employees have to learn about spear phishing and other scams, the better prepared they’ll be if they encounter something suspicious.

7. Confirm suspicious email activity before interacting with it

If you receive a suspicious email from someone you trust, but you’re not sure if it truly came from them, stop by their office, pick up the phone, or send them a separate email.

The two minutes it takes to establish validity is absolutely worth it, no matter the outcome. Best case scenario? The email is legitimate, and you have peace of mind. Worst case scenario? It’s a spear phishing email, but you still have peace of mind, and the person you spoke to can now warn others in the organization of a potential phishing attack.

Spear phishing attacks happen every day. But though they’re a security concern, they don’t have to be a problem if you plan ahead, prepare your organization for attacks, educate your employees, and encrypt your data.

 

Looking for more tips to help you combat cyber threats? Watch our on-demand webinar, where top cybersecurity experts discuss how you can protect your company from data breaches and avoid security risks.

 


Preview of Gartner Security & Risk Management Summit 2017

Four days of security discussions, over seventy five speakers, and six program tracks; these are the numbers exciting cybersecurity professionals around the nation as they prepare to attend this year’s Gartner Security & Risk Management Summit. Taking place from June 12-15 in National Harbour, Maryland, this summit is one of the biggest and most important of the year.

Linoma Software, a HelpSystems company, will be attending this premier gathering of security, risk management, and business continuity management leaders, in order to take in this all too valuable informational experience.

Here are some must-see sessions that we’re looking forward to:

What Can We Expect from the EU’s General Data Protection Regulation?

June 12, 2017 | 10:00 AM – 11:00 AM | Carsten Casper

Are you ready for GDPR compliance? Do you have a timeline in place to implement the required security protocol? The latest cybersecurity compliance regulation out of Europe has companies around the world wondering – does this apply to us? This session will go into full detail about the regulation, as well as what actions IT departments in non-European countries must take to meet compliance regulations.

Forcepoint: Insider Threats: Understanding Intent and Creating Actionable Programs

June 12, 2017 | 11:30 AM – 12:15 PM | Dr. Richard Ford, Meerah Rajavel

In a time where large and harmful security breaches seem to occur as often as the sun rises and sets, companies often struggle to hard to pinpoint where these breaches are coming from and why. A recent study from Crowd Research Partners showed that cybersecurity professionals consider “internal threats” the biggest threat to IT security. This session, presented by Joint Forcepoint Chief Scientist Dr. Richard Ford and CIO Meerah Rajavel, will examine strategies for implementing people-centric protection systems that will prevent bad cyber practices and enable good behaviors to help stop breaches caused by internal threats.

Roundtable: Managing Cloud Service Provider Security

June 12, 2017 | 2:00 PM – 3:00 PM | Jay Heiser

When it comes to the many cloud services that enterprises are confronted with, well, the sky’s the limit (pun intended). The cloud and its many benefits are more relevant than ever, and in this session, speaker Jay Heiser poses the question: who is accountable for managing this risk and ensuring that these cloud providers can be trusted? With such promising discussion, we strongly urge you not to miss this one.

To the Point: How to Respond to PCI DSS v.3.2

June 15, 2017 | 12:00 PM – 12:30 PM | Rajpreet Kaur

The 2018 deadline for compliance to PCI DSS v.3.2 is rapidly approaching. This session will cover information surrounding the various enhancements to the latest PCI DSS version and how to deal with them. Our recent whitepaper breaks down everything new about v.3.2, but we’re certainly interested in hearing what additional details and considerations Rajpreet discusses in this session.

 

We can’t wait to see you at the Gartner Security & Risk Management Summit of 2017! Make sure to come find us in booth 100 or reserve time at the event to chat.