Wednesday, September 27, 2017

How to Get Your Employees Thinking about Cyber Security


Large-scale cyber-attacks are, it seems, never far from the headlines these days, and each one ought to serve as a warning to businesses of every size. September alone has brought four examples of organizations impacted by a data breach: Deloitte, the SEC, Equifax and Sonic were all among those hit.

But it isn’t just the big boys who are suffering at the hands of hackers. It’s said that 14 million small businesses in the US were hacked in the last year – about half of the total.

It’s a big threat, and it means every business has to think about how to protect itself. One of the most important things to remember is that security is a team effort: your business won’t be secure unless everyone knows how to play their part. If you can get everyone thinking about cyber security, and appreciating the role they can play, then that’s half the battle won.

So, how can we get there?

Introduce processes
You need to introduce processes in your business that put cyber security at the forefront. Whether it’s the way you manage the passwords used to access your systems, the way you handle paperwork to keep confidential data secure, or the way you deploy antivirus software and encryption to protect your systems and the data held within them, all of it needs to be defined and written down. Crucially, you also need to ensure that your processes are communicated to every member of staff and that there’s a clear route for anyone to raise queries, report issues or point out gaps in your defenses that need to be addressed.

Nominate people with responsibility
With that in mind, your processes will be most effective if they are introduced alongside a structure. This might mean nominating one person to take the lead on cyber security within your organization or, if you’re big enough, appointing a team. These people can monitor and review your processes, ensure they are implemented and sit at the center of an effective communication strategy. Making responsibility clear avoids the situation where every employee presumes it’s someone else’s job.

Training sessions
Once you have your structure in place and your processes mapped out, it’s time to think about training. Every member of staff should be clear on your cyber security strategy, but should also receive training on the nature of the threat posed by attackers online. People need to know what they’re up against, and the potential damage should be spelled out so that nobody thinks all of this is being done for nothing. Effective training will get your employees thinking, and hopefully talking, about cyber security.


Training, structure and process are the three pillars required to get your employees thinking about cyber security. Together, they form the foundation of a business equipped to cope with the threats now faced online. So implement this advice and see whether your business is safer as a result.

Thursday, September 14, 2017

Steps to Staying Secure


As technology continues to gain a more important role in our lives, it also grows in complexity. Given how quickly technology changes, keeping up with security advice can be confusing. It seems like there is always new guidance on what you should or should not be doing. However, while the details of how to stay secure may change over time, there are fundamental things you can always do to protect yourself. Regardless of what technology you are using or where you are using it, we recommend the following steps to stay safe.

First and foremost, keep in mind that technology alone will never be able to fully protect you. Attackers have learned that the easiest way to bypass even the most advanced security technology is by attacking you. If they want your password, credit card, or personal data, the easiest thing for them to do is to trick you into giving them this information. For example, they can call you pretending to be Microsoft tech support and claim that your computer is infected, when in reality they are criminals who want you to give them access to your computer. Or they will send you an email explaining that your package could not be delivered and ask you to click a link to confirm your mailing address, when in reality the link leads to a malicious website that will infect your computer. This is how attacks such as ransomware and CEO fraud start. Ultimately, the greatest defense against attackers is you. Be suspicious. By using common sense, you can spot and stop most attacks.


Passwords: The next step to protecting yourself involves using a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. A strong password is one that cannot be easily guessed by hackers or by their automated programs. Tired of complex passwords that are hard to remember and difficult to type? Try using a passphrase instead. Instead of a single word, use a series of words that is easy to remember, such as “Where is my coffee?” The longer your passphrase is, the stronger it is. A unique password means using a different password for each device and online account. This way, if one password is compromised, all of your other accounts and devices are still safe. Can’t remember all those strong, unique passwords? Don’t worry, neither can we. That is why we recommend using a password manager, a specialized application for your smartphone or computer that stores all of your passwords in an encrypted form.

Finally, one of the most important steps you can take to protect any account is to enable two-factor authentication. Passwords alone are no longer enough to protect accounts; we all need something stronger. Two-factor authentication uses your password but adds a second step: either something you are (biometrics) or something you have, such as a code sent to your smartphone or an app on your smartphone that generates the code for you. Where it is offered, the authenticator app is the better choice, since a code sent by SMS can be intercepted or redirected by someone who takes over your phone number. Enable this option on every account you can, including your password manager, if possible. Two-factor authentication is probably the single most important step you can take to protect yourself, and it’s much easier than you think.
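To make “an app on your smartphone that generates the code for you” concrete, here is a worked example in Go. It is added here for illustration and is not code from the original post: it implements the TOTP algorithm (RFC 6238, HMAC-SHA1) that such apps use. The server and the app share one secret at enrolment; afterwards each side independently turns the current 30-second time window into a short code, so nothing has to travel over the network. The secret in the example is the RFC 6238 test key, and the 30-second step, six digits and one-step clock tolerance are conventional defaults chosen for the example, not values from the post.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP implements RFC 6238 over HMAC-SHA1: the shared secret and the current
// time step (unixTime / step) produce a code that changes every step.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	counter := uint64(unixTime / step)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226): take 4 bytes at an offset given by the
	// last nibble of the MAC, clear the sign bit, keep the low `digits` digits.
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verify accepts a submitted code if it matches the current step or any step
// within ±skew (clock drift between phone and server). The comparison is
// constant-time and the loop never exits early, so timing does not reveal
// how many digits matched or which step matched.
func Verify(secret []byte, submitted string, unixTime int64, step int64, digits int, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		candidate := TOTP(secret, unixTime+int64(i)*step, step, digits)
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

// DecodeSecret turns the base32 string an authenticator app is enrolled with
// (the "secret" parameter of an otpauth:// URI) back into raw key bytes.
func DecodeSecret(b32 string) ([]byte, error) {
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
}

func main() {
	// RFC 6238 test key ("12345678901234567890") as it would appear in a QR code.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", Verify(secret, code, now, 30, 6, 1))
	// A code from two steps ago falls outside the ±1 window and is rejected.
	stale := TOTP(secret, now-60, 30, 6)
	fmt.Println("stale code:  ", stale, "accepted:", Verify(secret, stale, now, 30, 6, 1))
}
```

The part that makes this a real second factor is that the secret never leaves the two endpoints after enrolment; an attacker who phishes one six-digit code has something that expires within a minute, whereas a phished password works until it is changed.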

Updating: Make sure your computers, mobile devices, applications, and anything else connected to the Internet are running the latest software versions. Cyber criminals are constantly looking for new vulnerabilities in the software your devices use. When they discover vulnerabilities, they use special programs to exploit them and hack into the devices you are using. Meanwhile, the companies that created the software for these devices are hard at work fixing them by releasing updates. By ensuring your computers and mobile devices install these updates,


Backups: Sometimes, no matter how careful you are, you may be hacked. If that is the case, often your only option to ensure your computer or mobile device is free of malware is to fully wipe it and rebuild it from scratch. The attacker might even prevent you from accessing your personal files, photos, and other information stored on the hacked system. Often the only way to restore all of your personal information is from backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most operating systems and mobile devices support automatic backups. In addition, we recommend you store your backups in either the Cloud or on an external device offline to protect them against cyber attackers.


By following the steps above, you will go a long way to protecting yourself while leveraging the latest technology. You will make it much harder for someone to hack you.

Thursday, January 19, 2017

Why Are We So Stupid About Passwords?


Yet another study has revealed that people are picking millions of weak passwords. Password management software vendor Keeper Security reviewed 10 million passwords that came to light in 2016 via data breaches and found that nearly one in six were "123456."

"If the media stopped saying 'hacking' and instead said 'figured out their password,' people would take password security more seriously."

Keeper Security published a list of the top 25 most commonly used passwords, reporting that they account for more than half of the 10 million passwords it analyzed. How many countless hours have been lost by security experts attempting to share with friends and loved ones the optimal secrets for picking passwords or helping to set up password management software to ensure they never reuse the same password across multiple sites?


The latest analysis of leaked passwords shows that in recent years, unfortunately, little has changed when it comes to how most people pick their passwords (see Why Are We So Stupid About Passwords?). Part of the problem is perception, according to Khalil Sehnaoui, managing partner of information security firm Krypton. He says that the majority of what gets referred to today as "hacking" is really just attackers guessing passwords.


Not So Secret: '18atcskd2w'

One interesting finding from the Keeper Security study is that across 10 million leaked passwords, the 15th most used one was "18atcskd2w." In a list populated by numeric sequences, "qwerty," "passwords" and "google," that's an obvious anomaly. The prevalence of "18atcskd2w" was seen last year as well, after paid breach-reporting service LeakedSource in April detailed a February breach of Verticalscope.com that resulted in a dump of 45 million records relating to more than 1,100 websites and communities that the site runs, ranging from Techsupportforum.com and MobileCampsites.com to Pbnation.com and Motorcycle.com.


In the Verticalscope.com breach, 18atcskd2w was the second most common password used on the site. "What I believe happened is that these accounts were created by bots, perhaps with the intention of posting spam onto the forums," security expert Graham Cluley wrote in a blog post at the time.
Verticalscope.com subsequently confirmed the data breach, but it has yet to reveal the cause. Still, the organization reset all passwords and said that while it was "already using encrypted passwords and salted hashes to store passwords," it would also require users to follow stronger password rules, saying that "passwords now require a minimum of 10+ characters and a mixture of upper- and lower-case letters, numbers and symbols."
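As an added example (not from the original article, Keeper Security or Verticalscope), the following Go program does the two things this section implies a site operator should do: measure how concentrated a leaked password set is, and reject new passwords that appear in it. The dump is a small constructed sample shaped like the Keeper findings, not real breach data, and the 10-character upper/lower/digit/symbol rule stands in for the one Verticalscope announced. The point it demonstrates is that a composition rule and a breach blocklist disagree in both directions: "Summer2016!" satisfies the rule yet is a breached password, while a long passphrase fails the rule and is perfectly acceptable.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// sampleDump is constructed for this example: twenty accounts with one very
// common password, a few runners-up, and a bot-registered string
// ("18atcskd2w") that no human would choose but that recurs anyway.
var sampleDump = []string{
	"123456", "123456", "123456", "123456", "123456",
	"password", "password", "qwerty", "qwerty",
	"18atcskd2w", "18atcskd2w", "18atcskd2w",
	"Summer2016!", "letmein", "football", "google",
	"123456789", "111111", "abc123", "monkey",
}

// TopPasswords ranks a dump by frequency and returns the top n together with
// the fraction of all entries they account for (Keeper's "top 25 cover more
// than half" figure, computed the same way).
func TopPasswords(dump []string, n int) ([]string, float64) {
	counts := make(map[string]int)
	for _, pw := range dump {
		counts[pw]++
	}
	ranked := make([]string, 0, len(counts))
	for pw := range counts {
		ranked = append(ranked, pw)
	}
	sort.Slice(ranked, func(i, j int) bool {
		if counts[ranked[i]] != counts[ranked[j]] {
			return counts[ranked[i]] > counts[ranked[j]]
		}
		return ranked[i] < ranked[j] // deterministic order for ties
	})
	if n > len(ranked) {
		n = len(ranked)
	}
	covered := 0
	for _, pw := range ranked[:n] {
		covered += counts[pw]
	}
	return ranked[:n], float64(covered) / float64(len(dump))
}

// MeetsCompositionRule is the Verticalscope-style rule: at least 10
// characters with upper-case, lower-case, digit and symbol.
func MeetsCompositionRule(pw string) bool {
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return len([]rune(pw)) >= 10 && upper && lower && digit && symbol
}

// Blocklist holds known-breached passwords, lower-cased so that trivial
// case variants ("PASSWORD", "Summer2016!") are caught as well.
type Blocklist map[string]struct{}

func NewBlocklist(dump []string) Blocklist {
	b := make(Blocklist, len(dump))
	for _, pw := range dump {
		b[strings.ToLower(pw)] = struct{}{}
	}
	return b
}

var (
	ErrTooShort = errors.New("password is shorter than the minimum length")
	ErrBreached = errors.New("password appears in a breach list")
)

// CheckPassword is the check this section argues for: a length floor plus a
// breach blocklist, instead of (or in addition to) composition rules.
func CheckPassword(pw string, b Blocklist, minLen int) error {
	if len([]rune(pw)) < minLen {
		return ErrTooShort
	}
	if _, hit := b[strings.ToLower(pw)]; hit {
		return ErrBreached
	}
	return nil
}

func main() {
	top, share := TopPasswords(sampleDump, 3)
	fmt.Printf("top 3 passwords %v cover %.0f%% of the dump\n", top, share*100)
	bl := NewBlocklist(sampleDump)
	for _, pw := range []string{"Summer2016!", "18atcskd2w", "where is my coffee today", "short"} {
		fmt.Printf("%-28q composition rule: %-5v blocklist check: %v\n",
			pw, MeetsCompositionRule(pw), CheckPassword(pw, bl, 8))
	}
}
```

In production the blocklist would be the top few hundred thousand entries from public dumps rather than twenty constructed lines, but the shape of the check is the same, and it is the check the NCSC guidance quoted below favours over forced rotation.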

Stop Expiring Passwords

The service said it would also automatically expire passwords "to encourage more frequent password changes," but many security experts now say that forced password expiration puts users at greater risk. Indeed, last year the U.K. government's National Technical Authority for Information Assurance (CESG), now part of the National Cyber Security Centre, warned in its guidance: "It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack." It notes that related risks include users being more inclined to reuse passwords, write them down, base new passwords on old ones or choose weaker, easier-to-remember passwords.


As a result, the NCSC noted it "now recommends organizations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords ... while doing little to increase the risk of long-term password exploitation."

Spear-Phishing Success Continues

Training users to expect that their passwords will need resetting puts them at greater risk from spear-phishing attacks, which remain highly effective and low-cost ways for sidestepping both sites that secure passwords well and users who pick strong passwords. Take the Democratic National Committee, which was allegedly targeted by hacking teams sponsored by the Russian government that are often referred to as Cozy Bear and Fancy Bear. Thomas Rid, a professor of security studies at King's College London, noted in an October 2016 feature for Esquire that Fancy Bear targeted Gmail-using victims via spear-phishing emails that contained links shortened with the Bitly service that led to phishing sites designed to trick Gmail users into changing their password. In reality, however, the fake password-reset site was harvesting their passwords so attackers could use them to access their Gmail accounts.


Between October 2015 and May 2016 these attacks targeted 4,000 accounts and were wildly successful, with one in seven victims ultimately revealing their passwords, Rid writes. "Among the group's recent breaches were the German parliament, the Italian military, the Saudi foreign ministry, the email accounts of Philip Breedlove, Colin Powell and John Podesta - Hillary Clinton's campaign chairman - and, of course, the DNC."

Tuesday, January 17, 2017

The New PCI Data Security Standard 3.2 Refresher

The new and evolving requirements make up the bulk of the changes. Most of them are considered best practices until January 31, 2018 and become mandatory on February 1, 2018:

  • Section 3.3 is an updated requirement that clarifies that displaying more of a primary account number (PAN) than the first six/last four digits requires a legitimate business need.
  • Section 3.5.1 is a new requirement for service providers only to maintain a documented description of the cryptographic architecture (algorithms, protocols, and keys) involved in their cardholder data environment (CDE).
  • Section 6.4.6 is a new requirement for change control processes to incorporate verification of other PCI DSS requirements that are impacted by a change such as network diagrams, endpoint controls, and the inclusion of new systems into the quarterly vulnerability scan process.
  • Section 8.3 has been expanded into sub-requirements so that multi-factor authentication is required for all personnel with non-console administrative access and all personnel with remote access to the CDE. New requirement 8.3.1 covers multi-factor authentication for all personnel with non-console administrative access to the CDE, and new requirement 8.3.2 covers multi-factor authentication for all remote network access originating from outside the entity's network. In other words, we're going to start seeing a lot more multi-factor authentication.
  • Sections 10.8 & 10.8.1 are new requirements for service providers to detect and report on failures of critical security control systems such as firewalls, anti-virus, and audit logging mechanisms.
  • Section 11.3.4.1 is a new requirement for service providers to perform penetration testing on segmentation controls at least every six months.
  • Section 12.4.1 is a new requirement for service providers whereby executive management must establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include accountability and a charter to ensure the program is communicated to management.
  • Sections 12.11 & 12.11.1 are new requirements for service providers to perform quarterly security program reviews and to maintain documentation and sign-off of those reviews.
  • New Appendix A2 that outlines additional requirements for SSL/TLS, namely:
    • After June 30, 2018, stop using SSL/early TLS as a security control and use only secure versions of the protocol (TLS v1.1 at minimum, with TLS v1.2 strongly recommended).
    • Prior to June 30, 2018, existing implementations that use SSL and/or TLS 1.0 and 1.1 must have a formal Risk Mitigation and Migration Plan in place.
There's also additional clarification in PCI DSS version 3.2 that directly impacts application security programs such as:
  • Backup/recovery sites need to be considered when confirming PCI DSS scope.
  • Added Testing Procedure (11.3.4.c) to confirm penetration test is performed by a qualified internal resource or qualified external third party.
  • Training for developers must be up to date and occur at least annually.
A complete summary of all changes can be found in the document Summary of Changes from PCI DSS Version 3.1 to 3.2.
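To turn the Appendix A2 requirement into something you can actually check, here is an added Go example; it is not from the PCI SSC or the original post. It starts two loopback TLS servers, one with the legacy setting A2 tells you to retire (MinVersion TLS 1.0) and one with the corrected setting (MinVersion TLS 1.2), and probes each with a client pinned to a single protocol version at a time. The self-signed certificate and loopback addresses exist only to make the example self-contained; pointing ProbeVersions at a real host:port assesses a production endpoint. One caveat: Go's crypto/tls does not implement SSL 3.0 at all, so a server still offering SSL itself needs a different tool (for example openssl s_client with -ssl3) to confirm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions to probe, oldest first. "Early TLS" in A2 terms is 1.0 and 1.1.
var probeVersions = []struct {
	Name string
	ID   uint16
}{
	{"TLS1.0", tls.VersionTLS10},
	{"TLS1.1", tls.VersionTLS11},
	{"TLS1.2", tls.VersionTLS12},
	{"TLS1.3", tls.VersionTLS13},
}

// ProbeVersions attempts one handshake per version with MinVersion and
// MaxVersion pinned, so the server cannot negotiate the client upward, and
// reports which versions completed. Certificate verification is disabled on
// purpose: the question is version support, not certificate validity.
func ProbeVersions(addr string) map[string]bool {
	accepted := make(map[string]bool, len(probeVersions))
	for _, v := range probeVersions {
		cfg := &tls.Config{InsecureSkipVerify: true, MinVersion: v.ID, MaxVersion: v.ID}
		conn, err := tls.Dial("tcp", addr, cfg) // tls.Dial completes the handshake
		if err == nil {
			conn.Close()
		}
		accepted[v.Name] = err == nil
	}
	return accepted
}

// AllowsEarlyTLS answers the Appendix A2 question for a probe result.
func AllowsEarlyTLS(accepted map[string]bool) bool {
	return accepted["TLS1.0"] || accepted["TLS1.1"]
}

// selfSignedCert makes a throwaway ECDSA certificate for the local servers.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartServer runs a loopback TLS listener whose only policy knob is
// MinVersion (tls.VersionTLS10 = legacy, tls.VersionTLS12 = corrected) and
// completes handshakes in the background until the listener is closed.
func StartServer(minVersion uint16) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				c.(*tls.Conn).Handshake() // a version mismatch surfaces as the client's error
			}(c)
		}
	}()
	return ln, nil
}

func main() {
	for _, s := range []struct {
		Label string
		Min   uint16
	}{
		{"legacy server (MinVersion TLS 1.0)", tls.VersionTLS10},
		{"hardened server (MinVersion TLS 1.2)", tls.VersionTLS12},
	} {
		ln, err := StartServer(s.Min)
		if err != nil {
			panic(err)
		}
		res := ProbeVersions(ln.Addr().String())
		fmt.Printf("%s accepts %v; allows early TLS: %v\n", s.Label, res, AllowsEarlyTLS(res))
		ln.Close()
	}
}
```

The same probe loop is what a segmentation or external scan is doing under the hood; the value of running it yourself is that you can re-check a host immediately after a configuration change, rather than waiting for the next quarterly scan to tell you TLS 1.0 is still on.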

Protecting Your Business From Your Remote Employees

A significant portion of your workforce is currently moving to perform full- or part-time remote work as a result of COVID-19.  As you modif...