What is Cyber Espionage? According to this comprehensive definition from Wikipedia, “cyber spying” or “cyber espionage” is:

“The act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary, or of classified nature) from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, military, or political advantage using methods on the Internet, networks, or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware.”

With the likelihood of U.S. economic sanctions against China in response to repeated acts of civil cyber espionage, many U.S. companies are asking if they might also be targeted. The possibility of such attacks is definitely increasing, as cyber espionage is not strictly limited to the political sphere; financially motivated hacker groups appear to be on the rise. These groups’ efforts are focused on acquiring business secrets that can be sold to third parties, or used for insider trading. Closer to home, similar attacks from former employees or business competitors are a real concern.

What kinds of information might be targeted in a cyber attack?

Generally, the answer is anything that could give your competitors an advantage. For business owners, this could mean having your competitors gain access to information about your product features, pricing, customer or vendor contracts, M&A plans, employee information, and more. Customer contact information is also of interest to attackers, who might use it to engage in phishing attacks.

What steps can you take to protect your company?

There are several steps you can take to mitigate the risk of cyber espionage:

●    Use up-to-date malware and virus removal software. If you aren’t already doing this, now is the time to start. Your network is most likely to be infected when employees visit websites that contain viruses and other malware. While you can employ web usage controls to limit the sites your employees access and to monitor the ones they do, you can still be infected when employees use their own devices, such as laptops, flash drives, and so on. Keeping your virus removal software up-to-date can greatly decrease this problem.
●    Have a process in place for properly suspending or terminating the accounts of problem employees or employees who are no longer with your company. It’s easy to overlook the importance of promptly removing access, but the most sure way to protect against misuse of access is to remove it.
●    Enforce the use of “strong” passwords. This means both educating your employees concerning the risks of using common passwords, and requiring them to use complex, unique passwords instead.
●    If you have data on a public cloud, consider whether it is sensitive or not. If it is, it may be in your best interests to move it to a private cloud where you have more control over security.
●    Train your employees on all aspects of cyber security. We discussed the need for strong passwords above; additionally, educate your employees on other security issues. For example, offer guidelines for how to identify suspicious emails, and how to report them when received.

As more companies move to cloud-based services, security in the cloud is becoming a greater concern. How can you make sure your company’s sensitive data is protected while still taking advantage of the convenience the cloud offers?

What is the Cloud?

First, we need to understand exactly what we mean when we talk about the cloud. Confusingly, the term can be used for very different things. People may be referring to the public cloud, to a private cloud, or to a hybrid of public and private.

A public cloud is one that is accessed by multiple users and organizations. With a public cloud, providers offer applications and storage via the internet to the general public. Lower cost is the main advantage of a public cloud. Limitations include security concerns for sensitive data.

A private cloud is accessed by only one organization. While a private cloud can reduce security concerns and offer the opportunity to customize for an organization’s needs, it also involves the additional costs of development.

A hybrid cloud, obviously, is a mix of public and private, allowing organizations to use different solutions for different needs.

To take advantage of cloud services effectively, organizations need to be aware of their needs. For example, companies that deal with health information or financial, or other sensitive data will want to avoid storing that data in a public cloud.

What Issues Do Your Company and Your Employees Face?

One of the greatest difficulties faced by employees is cumbersome security requirements. For example, according to a July 1015 study done by Dell, approximately 85% of users are faced with the need to have and keep track of multiple passwords for the different services they use on the job. Additionally, 82% of users who work remotely reported that they are required to use additional security measures. Ultimately, the study showed that 91% of users feel that their productivity is impacted by the steps they have to take to meet security needs.

The case of multiple passwords is especially worrisome, as employees tend to be focused on completing tasks over meeting security requirements. This can lead to disastrous workarounds, including using the same password for all cases, making a hacker’s job easy, or even writing down passwords and keeping them in poorly secured locations. If you’ve ever written a password on a slip of paper and “hidden” in under your keyboard, you know how easy it is to fall into the habit of workarounds.

However, most companies know that security has to take priority over ease of use. This makes sense, especially when dealing with sensitive customer data. How can companies balance these two competing needs?

What Solutions are Available for These Issues?

One promising approach is known as “context aware” security. This approach involves varying levels of security requirements depending on different factors. For example, a company might require only a standard level for a user whose geographical location is in California, but place additional scrutiny on a user logging in from an Eastern European country. This is a more sophisticated approach than those available in the past, which would either allow all users to log in easily regardless of geographical location, or would subject all users to intense scrutiny regardless of location.

More generally, encouraging IT professionals to move away from a “silo” approach to security will alleviate the need for multiple passwords. In the “silo” approach, new features are added to systems independently of each other, without much thought given to how each addition will interact with old features. In the short term, a quick and easy way to provide security in this environment is to require users to create a new password each time they need to be given access to a new feature. But in the long term, this is costly in terms of encouraging users to get around security with risky workarounds. Taking the time to have a coherent overall plan for adding new features will minimize this risk.

Having a social media presence is a requirement for companies today. Most customers expect to be able to find out about and interact with you on Facebook, Twitter, LinkedIn, and possibly other sites such as Instagram or Snapchat. With this increased visibility comes an increased burden. You need to protect your company from hackers who may wish to use your social media accounts for their own ends. Unfortunately, most social media platforms do not provide adequate security options for organizations.

How can social media accounts be hacked?

Over the past few years, we have seen major organizations whose accounts have been hacked. In 2103, these included the Twitter accounts of Associated Press, 60 Minutes, and others. More recently, Target’s Facebook page was used by a person outside their organization to humorously ridicule complaining customers. While amusing, the fact that this could happen without Target’s knowledge should raise concerns for any company with a Facebook account.

How did hackers manage to use these organization’s accounts? While the Target case involved simply replying to other commenters on Target’s Facebook page while using a Target Logo for a profile picture, more extreme methods can be employed. For example, a proven method hackers have employed to acquire login and password information to accounts is phishing. In several cases, the hackers simply sent out emails to individuals in a company telling them they needed to reset their account passwords and providing a link to do so. This link directed the victims to a false page designed to look legitimate. Victims entered their account information, accidentally giving it to the hackers. In an attack such as this, it only takes one user with account information to be fooled for the attack to succeed.

What are some best practices to protect against these attacks?

1.    Regularly monitor posts on your accounts. In the case of Target’s Facebook page, regular monitoring of the account, especially after enacting a policy that was predictably controversial (gender-neutral displays for children’s toys), would be the best defense against having a person outside the organization appear to speak for it.
2.    Use alert service applications to monitor activity on your accounts. These applications automatically check for varying kinds of unauthorized access.
3.    Use a password manager. Among other features, these can provide random password generators that make is simple for you to create strong passwords.
4.    Control the number of people in your organization who have access to your social media accounts. Keep this number low, and maintain records of who has access. You may want to consider using a social media management system such as HootSuite or SproutSocial, as these make it possible for you to allow members of your organization to post content without knowing account passwords.
5.    Have your IT department change account passwords regularly.
6.    Avoid using a work email address when you set up your social media accounts. Hackers can easily guess at work email addresses (FirstName@YourCompany.com, Marketing@YourCompany.com, etc.) until they hit on one that works.

Protecting against hacking will be an ongoing process. However, following the above tips should provide your organization with additional security.

How likely is your business to be able to recover after a disaster? According to FEMA (Federal Emergency Management Agency), 40% of businesses affected by disaster never reopen. Additionally, 25% more fail within the next two years. The consequences of a poorly thought out or non-existent disaster recovery are clear. No business or organization should risk overlooking this critical need.

Natural disasters including hurricanes, earthquakes, and floods come readily to mind when thinking of disaster recovery. And during California’s severe drought, wildfires are of course of grave concern. There are other kinds of disasters to be aware of too. Can your business recover from data loss caused by a power surge? Can your company still function if the majority of the employees are struck by an influenza epidemic? How well can you recover from a security breach?

Your disaster recovery plan should also take into account relatively mundane concerns that can still have a profound effect on your business, including loss of internet service for an extended period or a server crash at a busy time.

Cloud technology is one way of minimizing your risks during a disaster, since it can allow you to place key functions off site in areas at less risk. And while no one can plan perfectly for all possibilities, there are several steps you can take to further minimize your risks. Before disaster strikes you can plan ahead, making sure to consider the following:

●    Your business location – If a disaster means you can’t do business in your usual location, you’ll need to have an alternate location planned. You may need to arrange to transport employees, equipment, data, and supplies.
●    Staying in touch with your customers – Also develop a plan for how you’ll let your customers know your new temporary location and how to contact you.
●    Documenting your property – In addition to keeping an up-to-date inventory of all of your equipment, consider taking pictures of your property to assist your insurance companies if they need to assess damage.
●    Meeting your emergency cash need – Develop processes for how you’ll manage cash flow. You’ll want to be sure necessary bills continue to be paid as well as being able to deposit payments from your customers.
●    Identifying what’s needed to keep your business running – Prioritize your critical business functions and consider how quickly you’ll need to get each function back up and running.
●    Educating your employees – You’ll need to be able to communicate with your employees during a disaster, of course. But all of your planning will be for nothing if they aren’t trained in your disaster recovery processes before a disaster actually happens. Make certain that your employees know what they need to do ahead of time and that they have access to important contact information for vendors, suppliers, your insurance companies, etc.

A final step to consider in any disaster recovery plan is to re-analyze your processes

What is “social engineering?”

Even if you think you’ve taken every possible step to make certain your data is secure, there’s one aspect of security you may well have overlooked – exploitation of the human factor, which is also referred to as “social engineering.” In the context of IT security, this involves the psychological manipulation of people so they act in a way that allows attackers to get past technological security features, or so they share information that should be confidential. For example, rather than trying to break into a system or crack a password, an attacker would instead persuade a human user to give them a password.

What are some kinds of social engineering to watch out for?

Phishing: This is a technique of getting confidential information by fraudulent methods. It can involves attempts to acquire user names, passwords, credit card details, or even money. Phishing attempts frequently make use of the following techniques to make people more likely to share information:
●    Using link shorteners or embedded links to create apparently legitimate links. After these links are clicked, they direct the victim to websites created for fraudulent purposes.
●    Using threats to create a sense of urgency and fear so the victim will act quickly without thinking through their actions (e.g., “Your account will be canceled unless you act immediately!”).
Tips for preventing phishing: You and your employees should be wary of requests for information that should be confidential. Take the time to verify that these requests are legitimate before providing information.

Tailgating: Also known as “piggybacking,” this kind of attack refers to a method of entering an unattended but secured area by simply walking in behind a person who has the proper access. After gaining access to a secured area, an attacker has much easier access to unattended laptops, etc.
Tips for preventing tailgating: You and your employees need to create an atmosphere where it is not considered “common courtesy” to allow entrance to unknown people who do not have the proper security credentials. While it might seem polite to hold the door for another person, train employees to only do so if they also verify that the other person has the appropriate security card or other credential.

Quid pro quo: Quid pro quo means, “something for something.” These attacks involve a promised benefit in exchange for information. For example, a common type of attack can involve a person who makes multiple calls to phone numbers at a company, pretending to be a technical support representative calling to help with a reported problem. Odds are good that after enough calls, they’ll stumble upon a person who does, in fact, have a problem. At that point, the attacker may exploit their victim by having them install malware or otherwise give the attacker access.
Tips for preventing quid pro quo attacks: Technical support representatives should be able to provide identifying information (e.g., a ticket number for a reported issue) before you or your employees trust them with information or access. More generally, you and your employees should be wary of offers that appear “too good to be true,” and of unexpected offers to improve credit scores, financing, and so on.

Additional tips to avoid social engineering attacks

Don’t be in a hurry – Attackers want you to act before you think. When dealing with suspicious requests, remember to slow down.
Be wary of unusual emails – If an email that appears to come from a trusted source seems odd to you, that source may have been hacked. Verify the source of the email.
Educate and train your employees regularly – Make sure everyone in your company is familiar with the various types of social engineering attacks and that they know which information is considered confidential.