Posts Tagged ‘data security’

Keeping Up With Security

Posted on: February 24th, 2020 by jiml | No Comments

It is 2020. Wow. It seems like just yesterday we were preparing for Y2K. The cyber world is a very different place than it was twenty years ago. In 2000, there were 361 million Internet users. Today there are well over four billion. Some of those four billion are bad actors, creating viruses and malware. I bet your data security is not the same as it was twenty years ago. What if we framed that differently and asked whether your defenses are different than they were three or four years ago? Do you have the same answer? The security threats have changed dramatically over that time, from sophisticated ransomware to malware that quietly mines cryptocurrency for the attackers (cryptojacking). Your defenses have to keep up with the new threats.

Ransomware continues to be a real threat. According to a recent study by Datto, there is a very large gap between how the threat of ransomware is perceived by businesses and by those working in the technology field: 89% of Managed Services Providers consider ransomware a significant threat to small and medium sized businesses, while only 28% of small and medium sized businesses see it that way. The people who deal with security every day are far more concerned about it. Perhaps the business world should take note and make sure it is protected against this threat.

Also changing is the need for compliance. Many states have recently expanded their laws regarding the protection of private data. California and New York, among others, have updated their laws to provide better protection of private data and increased fines for businesses that do not take the proper precautions. As of 2018, all fifty states have a statute on the books for protecting personally identifiable information. Do you know your state's regulation? Are you meeting the standards? Are you aware of the fines?

In a changing world, staying current with the cyber threat landscape AND the regulations and compliance issues that affect your business is important. Studies have repeatedly shown that businesses that keep up with technology outperform those that do not. How do you stack up? Do you know? Here at Colden Company, we can provide an assessment of where your business stands and recommend measures to safeguard against today's threats.

If you have any questions about this, please feel free to reach out to us at (888) 600-4560 by phone, or info@coldencompany.com via email.

New York State SHIELD Act is Here

Posted on: November 26th, 2019 by jiml | No Comments

In July 2019, New York State signed into law the SHIELD Act, the "Stop Hacks and Improve Electronic Data Security" Act. This is an enhancement of New York State's previous breach notification law and has several key points that anyone doing business in New York should take note of. The law goes into effect on March 21, 2020, with one notable exception noted below.

Expanded jurisdiction: The SHIELD Act now applies to any business, inside or outside New York, that stores private information on New York residents. This is an expansion of the jurisdiction of the previous statute, which applied only to businesses that conduct business in New York.

Expanded definition of private data: New York has expanded the definition of private data to include biometric data and any combination of username, email address and access codes that could lead to the compromise of electronic accounts.  Interestingly, New York did not take the additional step of covering DNA as some other states have.

Increased reporting requirements: In the past, a HIPAA-covered organization could get by with reporting a suspected breach to the Department of Health and Human Services (HHS). The SHIELD Act requires that the New York State Attorney General also be notified of a data breach. In addition, the definition of a breach has been expanded to cover data that was merely accessed (viewed), not only data that was acquired (downloaded) as was previously the case. This part of the Act went into effect October 23, 2019, ahead of the remainder of the Act. Fines for non-compliance have increased as well.

As a business, you have a responsibility to know and comply with this law. Not knowing the law is never an excuse for violation.  The act requires businesses to comply in three different areas:  Administrative, Technical and Physical. While the individual safeguards are too numerous to put in this post, Colden Company can assist your business within each area of the Act and set your company on a path to compliance. Please feel free to reach out to us at (888) 600-4560 by phone, or info@coldencompany.com via email.


Phishing Scams Part 2

Posted on: August 29th, 2018 by jiml | No Comments

Last month we focused on the developments in phishing scams as the topic of our blog. Based on the high volume of interest in the topic, we are going to continue the conversation this month. Just to summarize a few of the key points from last month’s blog posting:

• 91% of data breaches come from phishing attacks
• Phishing attacks are becoming more sophisticated
• Phishing attacks are becoming more numerous
• Phishing attacks are becoming more dangerous

Another trend we did not speak of last month is the increase in regulation and compliance requirements surrounding the security of data, particularly personally identifiable information ("PII"). The federal government has been discussing a bill that would impose a uniform set of standards around data collection and responsibilities, much like the European Union did with the GDPR (General Data Protection Regulation). For now, most states have a statute on file for businesses to follow, many of which are vague at best. We expect to see a strengthening of these regulations at the state level (many states have already committed to this) and more uniformity. If the federal government passes a statute, we will have uniformity nationwide.

It is also worth mentioning that, according to RapidFire Tools, 2017 was a record year for fines levied on businesses that failed to meet their data security responsibilities. These fines are in many cases being levied by state Attorneys General. We expect this trend to continue as well. This means businesses carry increased liability surrounding data security.

Let's bring the conversation back to phishing scams. The increase in risk and liability surrounding data breaches means businesses should do more to combat the threats to their business. Phishing scams, as mentioned above, account for a high percentage of data breaches, so this is a logical place to put resources. Colden Company offers phishing simulation tests for your organization. These tests send your users topical phishing simulations (without the risk) and identify the "clickers" in your organization so that targeted training can occur. Sample emails are kept current with the latest real-world phishing scams, so the tests simulate scams that your users could be exposed to any day. The phishing program we have developed has a number of other advantages, including video training sessions, specialized email content for quick consumption by users, and dark web scanning to find out what data of yours may already have been compromised.

Want to hear more? Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.







Security for the SMB (Small-Medium Sized Business)

Posted on: June 27th, 2018 by jiml | No Comments

According to a study conducted by VISA, 85% of data breaches occur at small businesses. This is no accident. The simple reasons are 1) there are a lot of small businesses and 2) small businesses are easier targets than large enterprises. Many small businesses are under a mistaken impression that they are safe because they are small. “Who would want to hack my small business?” they say. Security by obscurity, as it is called, is a myth.

The fact of the matter is that hackers often do not target your small business specifically. They simply attack what is available to them. Many hacker tools work by taking a range of IP addresses as input. These are the public IP addresses that make up the Internet-facing portion of a business. Hackers often do not know who is behind those IP addresses and therefore do not know whether they are attacking the Pentagon or Joe's Crab Shack. The tools return the vulnerabilities that can be exploited at each address. Which entity do you think has more vulnerabilities on display, the Pentagon or Joe's Crab Shack? As a generalization, small businesses do not have the same level of resources to spend on data security that large organizations have. This leaves them as targets for hackers looking for low-hanging fruit. Another analogy is the car thief in downtown Manhattan: if he sees a car with The Club on the steering wheel, he moves on to an easier target, because there are seemingly endless targets.

So, what can you do as a small business to protect yourself without breaking the bank? Here are some low-cost but effective ways to improve security:

1) Create stronger passwords. According to a Mastercard study, current hacker programs can crack a 6-digit password in about ten seconds. Stronger (and above all longer) passwords are one of the most important things businesses can do for protection, and they should be unique to each site so that one breached password does not open every account. Use a password manager such as LastPass or KeePass to generate and manage those stronger passwords.

2) Lock your computer when you are away. If you have any sensitive data or PII (Personally Identifiable Information) such as credit card information, health information, social security numbers or other human resource data, you have an obligation to protect that data. Make sure your computer screen is locked, or locks automatically after a short idle period, when you are away.

3) Use encryption. Microsoft includes a full-disk encryption tool called BitLocker in Windows 10 Professional and Enterprise, so the data on a lost or stolen computer cannot be read without the key. Laptop users in particular should turn this on, since laptops are far more likely to be stolen than desktops. Store the BitLocker recovery key somewhere other than the laptop itself (for example, in Active Directory or your password manager), or a forgotten PIN or failed motherboard turns into lost data.

4) Educate your staff. Employee awareness programs may soon be required for businesses storing protected data. Many scams can be pulled off without any actual breach of a business's technical defenses: hackers simply use social engineering to trick employees into giving up information or money.

5) Take security seriously. Many small businesses do not take the threats seriously enough…until a breach occurs. Breaches are costly on many levels and can be a death blow to a struggling business. The threats are real.
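The "6-digit password in ten seconds" figure above is just keyspace divided by guess rate, and the same arithmetic shows why length matters more than complexity. The Python below is an added example, not code from the original post or from the Mastercard study it cites; the guess rates for online, slow-hash and fast-hash attacks are illustrative assumptions, not measurements.

```python
"""Estimate how long an attacker needs to exhaust a password policy.

Added example, not code from the original post. The guess rates are
assumptions picked to illustrate the difference between online guessing
and offline cracking of a leaked hash database; they are not measurements.
"""
import string

# Alphabet size contributed by each character class.
CLASSES = {
    "digits": len(string.digits),           # 10
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "symbols": len(string.punctuation),     # 32
}

# Assumed attacker guess rates in guesses per second (illustrative).
RATES = {
    "online, rate-limited login page": 1e2,
    "offline, slow hash (bcrypt)": 1e5,
    "offline, fast hash (NTLM on a GPU rig)": 1e11,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length: int, classes) -> int:
    """Number of distinct passwords of `length` drawn from `classes`."""
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length


def seconds_to_exhaust(length: int, classes, guesses_per_second: float) -> float:
    """Worst-case time to try every password the policy allows."""
    return keyspace(length, classes) / guesses_per_second


def classify(password: str) -> list:
    """Character classes a concrete password actually draws from."""
    tests = {
        "digits": str.isdigit,
        "lower": str.islower,
        "upper": str.isupper,
        "symbols": lambda ch: ch in string.punctuation,
    }
    return [name for name, test in tests.items() if any(test(ch) for ch in password)]


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_policies(policies, rates=RATES) -> list:
    """Rows of (policy label, rate label, seconds) for every combination."""
    rows = []
    for label, length, classes in policies:
        for rate_label, rate in rates.items():
            rows.append((label, rate_label, seconds_to_exhaust(length, classes, rate)))
    return rows


if __name__ == "__main__":
    policies = [
        ("6 digits (PIN)", 6, ["digits"]),
        ("8 chars, all classes", 8, ["digits", "lower", "upper", "symbols"]),
        ("12 lowercase letters", 12, ["lower"]),
        ("16 chars, all classes", 16, ["digits", "lower", "upper", "symbols"]),
    ]
    for policy, rate, secs in compare_policies(policies):
        print(f"{policy:24} {rate:40} {humanize(secs)}")
```

Run as a script, it prints a table: six digits fall in ten seconds at 100,000 guesses per second, twelve lowercase letters (26^12) out-count eight characters from all four classes (94^8) by more than an order of magnitude, and the fast-hash row shows why a password manager's long random strings are the only policy that survives an offline attack on a leaked database.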

Need help improving security without breaking the bank? Call us at 888-600-4560, email us, or visit us on Facebook or Twitter.







National Cyber Security Awareness Month

Posted on: October 28th, 2017 by jiml | No Comments

October was National Cyber Security Awareness Month. Here at Colden Company we are trying to do our part to raise awareness through webinars, social media posts, and other communications. We often say here at Colden Company “If you are running your business the same way you were three or four years ago, you are not staying the same, you are falling behind.” This saying was originally intended to apply to technology because technology is continually advancing; if your business is not taking advantage of it, your competition likely is. The saying is also particularly appropriate for data security. The threats facing your business are not staying the same; they have increased in both number and complexity over the years. We do not think anyone reading this would disagree with that point. In conjunction, your defenses should also be improving to combat the increasing threats. If you are using the same defenses you were three or four years ago, you are not staying the same, you are falling behind the data security curve and, most importantly, exposing your business to more risk.

Raising awareness of cyber security concerns is a worthwhile exercise. However, we run the risk of desensitizing people by the continual bombardment of this breach and that vulnerability on the nightly news. Not all vulnerabilities are equal in size and scale, and some judgment needs to be used when informing the public of the risks. Having said that, the risks are real. Cyber criminals have, unfortunately, been wildly successful with certain campaigns such as ransomware, which has lined their pockets with millions of dollars (and in some cases tens of millions) that they are using to perfect their craft. Hacking is a business, and it is big business; make no mistake about it.

As a business, you may read about the latest breach and think to yourself “Here we go again. I can’t stop it so why worry about it.” We understand that sentiment. The question we would pose is “If you could stop a data breach at your business, would you?”. It’s true that there are many different threat vectors that hackers can use to attack your business. Why not spend time and effort blocking the most common ones? There are things you can do without breaking the bank to further protect your business. Incremental improvement may just save the day and prevent a breach.

When a hacker probes your business for a vulnerability and your business is protected from it, do you know? In most cases, the answer is no. Hackers use automated programs to probe networks, attack the ones that are vulnerable and move past the ones that are not. This makes return on investment (ROI) for security a difficult number to show. How do you show ROI on something that did not occur? We can only do so by citing the costs of breaches that have occurred elsewhere.

Hacking attempts and breach attempts happen on a much more regular basis than you may believe. It is almost a certainty that your business was targeted at some point in the last year. The frequency of this activity would surprise most people. We see more of it because it is our business to protect our customers' critical data and we have tools in place to monitor and report on certain types of attacks. Unfortunately, the businesses with the best security measures in place are often the ones that have already had a breach or a security scare. It is analogous to buying the home security system after the break-in: you don't want to go through that experience again, so you prepare.

So, in closing, I ask you to do this. Tomorrow morning when you wake up, pretend you just got a phone call from a staff member who told you there has been a data breach at your business and data has been compromised or lost. What would you do? How would you feel? If you would like to avoid that feeling, take the time to improve your data security to keep pace with the increasing threats. After all, if you are staying the same, you are falling behind.

Give our certified security experts at Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.







Top Ten Myths of PCI Compliance

Posted on: September 27th, 2017 by jiml | No Comments

Hackers WANT your credit card data. They WANT your customer’s credit card data. They will try hard to get it. They will NOT stop. These are unfortunate truths.

In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a 3rd party entity, to manage the Payment Card Industry security standards and to promote the standard’s implementation by all companies (i.e. merchants) that accept credit/debit cards including all:
Retail merchants: Any business that operates in a storefront location, where the customers’ debit and credit cards are physically swiped through the payment terminal.
Internet merchants: Any business that collects and processes credit and debit card information through its e-commerce website.
MOTO (mail or telephone order) merchants: Any business that operates by taking payments via the telephone and/or direct mail

Even if you process one credit card per year, your business must be PCI compliant. If you process through a third party, that does not absolve your business from PCI compliance. Many businesses do not take this seriously….until a breach occurs. As many of you know already, the credit card companies and banks have made a concerted effort to shift liability for the massive amount of credit card fraud taking place from their business to yours. If your business is not using chip readers, you are at risk. If your business is not PCI compliant, you are at risk.

PCI Compliance is not solved through a single vendor or product. There are many requirements and some of them are business process related and some are technology related. Below is a list of the top ten myths surrounding PCI requirements from the PCI Security Standards Council.

Top Ten Myths of PCI Compliance

1. One product will make us compliant.
2. Outsourcing card processing makes us compliant.
3. PCI DSS compliance is an IT project.
4. PCI DSS will make us secure.
5. PCI DSS is unreasonable, requiring too much effort and expense.
6. PCI DSS requires us to hire a Qualified Security Assessor.
7. We don't take enough credit cards to necessitate compliance.
8. We completed a SAQ so we're compliant.
9. PCI DSS makes us store cardholder data.
10. PCI DSS is too hard.
Source: www.pcisecuritystandards.org

Is your business PCI compliant? Are you aware of the penalties for being out of compliance? Given the current data security climate, have you given this enough attention? If you answered “no” to any of the above questions, give Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.







Ransomware in the News Again

Posted on: May 29th, 2017 by jiml | No Comments

Ransomware is making the news again this month with WannaCry, a ransomware worm that affected hundreds of thousands of computers in many countries around the world (150 countries according to Wikipedia), including the United States. WannaCry encrypts all of your files and demands a ransom in return for the decryption key. If your data was not properly backed up, your data was at risk.

This particular strain of ransomware spread by exploiting a vulnerability in the SMBv1 file-sharing service of Windows, using an exploit known as EternalBlue. Microsoft had released a patch for the vulnerability (security bulletin MS17-010) in March 2017, two months before the outbreak, so properly patched computers were not at risk; if you are in the habit of delaying Windows updates, your systems were. Systems running Windows XP were most exposed because no patch existed for them at the time (Microsoft has since released one that XP users must download manually), but the vast majority of infected computers were running Windows 7. That is due in part to Windows 7 being far more widespread than Windows XP, which has been phased out in many places, and in part to Windows 10's update policy, which makes updates harder to delay and manage: since Windows 10 installs updates automatically in most editions, most Windows 10 systems were already patched. Two further safeguards are worth applying regardless of patch level: disable the SMBv1 protocol, which current Windows versions do not need, and never expose TCP port 445 (SMB) to the Internet.

While keeping your systems properly patched was the best defense in this case, most strains of ransomware arrive through email or by enticing users to click on ads or other click bait. The vast majority of ransomware works this way, which is why it is critical to have defenses for these types of attacks. Quality spam filtering blocks much of the email-borne attack traffic. User education is key to recognizing the attacks that make it past the spam filter. Web filtering keeps users from reaching known bad sites and accidentally infecting their machines. Finally, a reliable backup system is your last line of defense, and it only counts if at least one copy is kept offline or otherwise unreachable from the network (ransomware routinely encrypts or deletes any backups it can reach) and restores are tested regularly. Paying the ransom should never be the plan: it only perpetuates the cycle, and it does not guarantee you get your data back. Security is best applied in layers.

As we have said in many previous blog posts, if you are running your business the same way you were three or four years ago, you are falling behind. This is especially true with security. The security threats have dramatically increased in that time and your security defenses need to keep pace.

Contact us today to review your data security at (888) 600-4560, email us, or visit us on Facebook or Twitter.







The Security Weak Link – Users!

Posted on: March 30th, 2017 by jiml | No Comments

It’s said that amateurs hack computers and professionals hack humans.

With all the recent discussion about ransomware, malware delivered by malicious websites, and other technology-enabled attacks on businesses, it’s easy to be lulled into a false sense of security by thinking that technology created security problems and technology (e.g. antivirus software, firewalls, etc.) can, should, and will solve these security problems for your business.

Social engineering attacks outnumbered attacks on software vulnerabilities and exploits for the first time in 2015. Since January 2015, the FBI has seen a 270 percent increase in identified victims of business email compromise (BEC) scams, with exposed losses amounting to more than $2.3 billion. Hackers are attacking the weakest link in any business's security perimeter, the employees, to steal from your business.

Social engineering is the use of manipulation, influence and deception to get your employee to comply with a request, and the request is usually to release information or to perform some action that benefits the attacker. It can be something as simple as a phone call or as involved as getting your employee to visit a website that exploits a technical flaw and allows the hacker to take over the computer. Your employees could be tricked into anything from letting someone into your office to giving up their passwords or user IDs over the phone. Social engineers go to great lengths to gain access to data they can exploit, such as personal information (passwords, account numbers, etc.), company information (phone lists, identity badges, etc.), and network information (servers, networks, etc.).

Some examples of social engineering attacks are the following.

Spear Phishing – Instead of casting out thousands of emails at random hoping a few victims will bite, spear phishers target select groups of people with something in common: they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The emails are ostensibly sent from organizations or individuals the potential victims would normally get email from (CEO, CFO, company website, vendors and suppliers, etc.), making them even more deceptive. These emails often convey a high sense of urgency, pushing employees to act quickly without thinking the situation through.
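The tells of a spear-phishing email are usually in the headers as much as the text: an executive's display name on an address that is not theirs, a Reply-To that diverts the conversation elsewhere, a sender domain one character off from yours, failed SPF or DKIM results, and urgency language. The Python below is an added example, not code from the original post; the two messages, the organization's domain (example.com), the executive list and the urgency word list are constructed assumptions for illustration.

```python
"""Triage the headers and body of a suspected spear-phishing message.

Added example, not code from the original post. The messages, the
organization's domain (example.com), the executive list and the urgency
word list are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"
# Executives attackers are likely to impersonate, keyed by display name.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY = re.compile(
    r"\b(urgent|immediately|right away|asap|wire|before (?:noon|today|eod))\b", re.I)

# Constructed message imitating CEO fraud; the sender domain swaps the
# letter l for the digit 1.
SAMPLE = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-secure-login.net
To: accounts.payable@example.com
Subject: URGENT wire transfer needed before noon
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Date: Mon, 27 Mar 2017 09:12:00 -0400
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't talk. Please wire $48,500 to the vendor account
below immediately and confirm by reply. -Jane
"""

# Constructed legitimate message from the same executive.
BENIGN = """From: "Jane Doe" <jane.doe@example.com>
To: accounts.payable@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset="utf-8"

Are you free Thursday?
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An executive's display name paired with an address that is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"display name '{from_name}' used with {from_addr}, expected {known}")

    # 2. Replies silently diverted to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 3. Sender domain one or two edits away from ours.
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")

    # 4. SPF/DKIM results. Only trust the Authentication-Results header that
    #    your own mail gateway added; a sender can forge this header too.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 5. Pressure language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    cues = sorted({c.lower() for c in URGENCY.findall(text)})
    if cues:
        findings.append("urgency cues: " + ", ".join(cues))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE), ("benign", BENIGN)):
        print(label, "->", analyze(raw) or "no findings")
```

None of these checks is conclusive on its own (executives do travel, and DKIM is still absent from plenty of legitimate mail), but a message that trips four or five of them at once is exactly the kind that should be routed to a human before money moves.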

Dumpster Diving – This is exactly what it sounds like: digging through trash looking for valuable information such as junk mail (especially credit card offers), company phone lists, company org charts (names, titles, etc.), corporate letterhead to create official-looking correspondence, and even computers and other electronic equipment that might contain valuable data.

Six Degrees of Separation – Here the hacker identifies a “whale,” or a high-level employee. Using social media and watching their in-person patterns, the hacker reaches out to the target’s friends, family, or employees with the full intention of earning the trust of the target eventually. The criminal may begin by gathering personal nuggets about team members, as well as other “social cues” to build trust or even successfully masquerade as an employee.

Social engineering is an undeniable reality with the potential to have a very real-world impact on your business. What are some ways that your business can protect your employees and keep valuable data out of the hands of criminals who could damage your business?

1. Password Management – Set and enforce standards for password length and complexity, and give employees a password manager so that strong, unique passwords are practical. Note that NIST's later guidance (SP 800-63B) recommends screening new passwords against lists of known-breached passwords and forcing a change when compromise is suspected, rather than on a fixed schedule, because routine expiration tends to produce weaker, predictable passwords.

2. Two-Factor Authentication – Two-factor authentication, also known as 2FA, requires not only a username and password but also something only your employee has, such as a physical token or a token-generating app. Use 2FA to secure high-risk network services like VPNs, remote desktop, email and third-party web services.

3. Anti-Virus Defenses – Always enable, and keep updated, anti-virus defenses at vulnerable locations such as firewalls, email gateways, and employee workstations.

4. Change Management – When your employees are comfortable and familiar with a well-documented change-management process (rather than reacting off the cuff), they are less vulnerable to an attack that relies on a false sense of urgency. The same applies to payments: a wire transfer request that arrives by email should be confirmed through a second channel, such as a phone call to a known number, before it is acted on.

5. Information Classification – Ensure that confidential information is clearly identified, uniquely secured, and handled as such.

6. Document Destruction – Confidential information should be shredded rather than thrown into the trash or recycling.

7. Data Destruction – Electronic equipment and storage devices should always be responsibly disposed of using an R2-certified recycler that provides specific data destruction services and documentation.
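The "token-generating app" in item 2 almost always implements TOTP (RFC 6238): the app and the server share a secret, and each derives a short code from the current 30-second time step, so a phished password alone is not enough. The Python below is an added example of both sides of that scheme, not code from the original post or from any 2FA product; the secret and timestamps are the RFC 6238 reference test vectors, so the codes can be checked against the standard.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example, not code from the original post or any particular 2FA
product. The shared secret and timestamps are the RFC 6238 reference test
vectors so the codes can be checked against the standard.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # code length

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = STEP) -> str:
    """Code for the time step containing Unix time `at` (now by default)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check that tolerates clock skew and rejects replays."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of skew
        self.last_counter = -1        # highest step already consumed

    def check(self, code: str, at: int = None) -> bool:
        if at is None:
            at = int(time.time())
        counter = at // STEP
        for offset in range(-self.window, self.window + 1):
            candidate = counter + offset
            if candidate <= self.last_counter:
                continue              # a code for this step was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCo"))
    print("code at T=59:", totp(RFC_SECRET, 59))
    verifier = TotpVerifier(RFC_SECRET)
    print("first use accepted:", verifier.check("287082", 59))
    print("replay accepted:", verifier.check("287082", 59))
```

Two details in the verifier are the ones real deployments get wrong: the comparison is constant-time, and a code is only ever accepted once, so an attacker who shoulder-surfs or phishes a code cannot reuse it even within the 30-second window. The secret must be generated randomly per user in practice; the RFC test value is used here only so the output is checkable.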

Most important of all is building a security-aware culture in your business. Educate your employees on the real-world damage done by such theft to other companies. Empower your employees to recognize threats and make smart security decisions on their own. Embed security awareness deeply in the minds of your employees and ensure that employees at every organizational level feel comfortable with reporting anything suspicious.

Colden Company can provide your business with several security services to keep your business safe. We offer managed antivirus, regular security assessments, vulnerability scanning (internal and external), hacking detection, systems patching and updating, perimeter security services, and other technology-enabled solutions to protect your business. In keeping with the topic of social engineering, we can provide security awareness training to your employees as a first step in embedding a security awareness in your business. Building awareness is the single most important step you can take to keep ahead of the criminals.

Don’t be a victim or another FBI statistic! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.







Have Private Information on Your Network? Learn How to Avoid Fines!

Posted on: February 23rd, 2017 by jiml | No Comments

Businesses have a responsibility to protect "private" information that belongs to employees and customers. Social security numbers, credit card numbers, and health information are among the data that fall under these legal protections. If you are storing this type of information and your network is breached, your business has a legal responsibility to report the breach to the appropriate authority.

The nightly news is filled with examples of corporations receiving large fines for breaches, such as AT&T's $25 million fine and Morgan Stanley's $1 million fine. What is less well known is that small businesses are far more often the victims of breaches, and those small businesses are subject to fines as well as the cost of credit monitoring for each person whose information was exposed. With the massive increase in malware, the threat of a data breach is higher than ever. How do you avoid being the victim and avoid those costly fines?

Cybersecurity is a topic we could blog on all year and still not cover every angle. For the purposes of this discussion, we will focus on a proactive measure that your business can take which is to identify your areas of risk. That identification process is accomplished by scanning computers for the type of information that your business has a legal obligation to protect. Our scans find and report on the location of that data so remediation can take place. With this information, a decision can be made to either discard the private data if not needed or protect that data if needed.

The scan results have often been startling to the business owner. We have found information that would have led to six-figure fines. Don't get taken by surprise; let Colden Company help you avoid the fines! Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter.







The Risk with Data Breaches

Posted on: December 27th, 2016 by jiml | No Comments

Does your company store private information such as credit card numbers, social security numbers, or health information? Are you sure? Data breaches where this type of information is exposed can cost your business money. A quick scan of the newspaper headlines on any given day will often turn up a breach and subsequent fine, whether it be Morgan Stanley's $1 million fine or AT&T's $25 million fine. There are plenty of high-profile examples. Beyond the headlines, many smaller businesses are finding themselves subject to data breaches and fines. These fines may not reach the millions of dollars as in the cases above, but they can be just as impactful, if not more so, since small businesses might not have the financial cushion that big companies have.

Breaches, especially preventable breaches, that result in the exposure of private data can result in a fine. Businesses have a legal responsibility to report breaches that expose individuals' private data, and that responsibility varies from state to state. At Colden Company, we work with businesses large and small to assess that risk. We have specialized technology that can proactively scan your data resources for the type of protected data that, if breached, would result in a fine. We have worked with many small businesses that have told us "no, we do not store that type of data." A quick search of the HR person's computer often proves otherwise.
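The scan described here, and in the "Have Private Information on Your Network?" post above, comes down to pattern matching with a validity check to keep false positives down. The Python below is an added example of that technique, not the scanning product either post refers to: it walks a directory tree, reports masked SSNs and Luhn-valid card numbers by file, and shows why the Luhn check matters (a sixteen-digit order reference is not reported). The sample files are constructed in a temporary directory, and the identifiers in them are well-known test values, not real people's data.

```python
"""Find regulated identifiers (SSNs, payment card numbers) in a file tree.

Added example; not the scanning product the posts refer to. The sample
files are constructed inside a temporary directory, and the identifiers in
them are well-known test values, not real people's data.
"""
import re
import tempfile
from pathlib import Path

# SSN in the form NNN-NN-NNNN, excluding area/group/serial values never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes. The Luhn check
# below filters out order numbers and other digit runs that merely look
# like card numbers.
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a report can be shared safely."""
    cutoff = len(value) - 4
    return "".join("*" if ch.isdigit() and i < cutoff else ch
                   for i, ch in enumerate(value))


def find_pii(text: str) -> list:
    """(kind, masked value) for each identifier found in `text`."""
    findings = [("ssn", mask(m.group())) for m in SSN.finditer(text)]
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings


def scan_tree(root) -> dict:
    """Map relative file path -> findings, for every readable file under root."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # binary junk is ignored
        except OSError:
            continue
        hits = find_pii(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample files; the SSN and card numbers are test values.
SAMPLE_FILES = {
    "hr/benefits.csv": "name,ssn\nAlice Example,123-45-6789\n",
    "sales/orders.txt": "Order 1001 paid with 4111 1111 1111 1111 exp 12/19\n"
                        "Order 1002 ref 1234567812345678\n",
    "notes/readme.txt": "Nothing sensitive here. Call 555-0100.\n",
}


def demo() -> dict:
    """Write the sample files to a temp directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

A production scan needs more than this (Office and PDF files must be text-extracted first, network shares and mailboxes are usually where the surprises live, and the report itself is sensitive, which is why only the last four digits are kept), but the decision the post describes, discard or protect, follows directly from a report of this shape.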

The question we are often asked is "what steps do we need to take to avoid getting fined?" Good question. The legal language is often vague, saying only that businesses must take reasonable precautions. What constitutes reasonable? And if you are breached, it is very easy for the state to say your defenses were obviously not reasonable enough or you would not have been hacked! A widely used answer is the 20 Critical Security Controls, a prioritized list of security measures originally compiled by the SANS Institute and now maintained by the Center for Internet Security as the CIS Controls. If you would like a copy of this list, please email us at info@coldencompany.com.

There is a balance between usability of your systems and security of your systems. Given the nature of the threats that exist, we are advocating for a tip of the scales in favor of more security. The measures your business was taking two or three years ago may not be sufficient to protect your business from today’s threats. Add on to this the increasing likelihood that a breach can result in fines, lost data, and lost customer confidence and this should prompt your business to take a second look at its security practices.

Studies have shown that preventative maintenance is far less costly than reactionary spending to a breach. The scanning technology we spoke of above is just the type of preventative measure that can protect your business. This type of scan is extremely valuable as it can point you right to where your vulnerabilities are – vulnerabilities you might not know you have. Contact us today at (888) 600-4560, email us, or visit us on Facebook or Twitter to schedule your scan.