Archive for December, 2013

December 17, 2013

10 Ways to Protect Your Company and Employees from Hacking

Here is a link to my blog posting on websitemagazine.com

December 17, 2013

UK Study: SMBs report more security breaches in 2013

A new study released by PwC and InfoSecurity Europe indicates that the large increase in security breaches is occurring in the Small Business segment (under 50 employees) and that these businesses are “now experiencing incident levels previously only seen in larger organisations.”

Below are some of the report highlights:

  • 63% of small businesses were attacked by an unauthorized outsider in the last year (up from 41% a year ago)
  • 23% of small businesses were hit by denial-of-service attacks in the last year (up from 15% a year ago)
  • 15% of small businesses detected that outsiders had successfully penetrated their network in the last year (up from 7% a year ago)
  • 9% of small businesses know that outsiders have stolen their intellectual property or confidential data in the last year (up from 4% a year ago)
  • 57% of small businesses suffered staff-related security breaches in the last year (up from 45% a year ago)
  • 17% of small businesses know their staff broke data protection regulations in the last year (up from 11% a year ago)

Good News/Bad News

For the SMB segment, there has been a rise in the cost associated with breaches. The average cost to a small business for its worst breach was between £35,000 and £65,000.

The silver lining here is that senior management does understand the risk of cyber-crime, and there is an increased effort to prioritize investment and education in this arena.

December 8, 2013

New Study: Only 2% of leading online retailer sites use secure HTTPS for e-commerce

A new research report indicates that very few e-commerce websites automatically protect users by directing them to highly secure HTTPS versions that use always-on SSL. The study, conducted by High-Tech Bridge, analyzed the top 100 e-commerce sites.

Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge, comments on the findings: “Alarmingly, only 2% (two per cent) of leading global online retailers automatically ensure their customers use the secure HTTPS version of their website when making orders or adding goods to their shopping carts. Also, 7% of websites are failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment, while 27% of websites don’t even have an HTTPS version for “non-critical” sections of their website, such as shopping cart management or search for goods.”

Here is a summary of findings from the report:

  • 0/100 websites have expired or untrusted SSL certificates.
  • Only 1/100 websites has a certificate that expires in less than one month.
  • 99/100 websites have certificates with 2048-bit or stronger keys.
  • 2/100 websites do not have an SSL certificate at all, leaving their customers totally unprotected.
  • 7/100 websites are putting customer information at risk by failing to enforce the use of HTTPS for the most sensitive operations such as login, checkout and payment.
  • 73/100 websites do not have a secure HTTPS version at all for some “non-critical” online activities of their customers, such as shopping cart management.
  • An extremely low 2/100 websites protect users by automatically using a secure HTTPS version (SSL) by default.
  • Only 25/100 websites have SSL EV certificates.
  • 33/100 websites display non-SSL content together with SSL content on their pages.
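
The checks behind these findings are easy to automate for your own site. The script below is an added example, not code from the study or from this blog: it grades a captured page load against the conditions listed above (HTTP redirected to HTTPS, HTTPS on login/checkout/payment pages, certificate expiry and key size, non-SSL content on SSL pages) and adds one check the study does not list, the HSTS header. The exchange dict layout, the sample hosts and the sample responses are this example's own assumptions.

```python
# Added example, not the study's or the blog's own code. The exchange dict layout,
# the placeholder hosts and the sample responses below are constructed for it.
import re
from datetime import datetime, timedelta, timezone

SENSITIVE = {"login", "checkout", "payment"}
# Resources pulled over plain HTTP into an HTTPS page ("non-SSL content together with SSL content")
MIXED_RE = re.compile(r"<(?:script|img|link|iframe)\b[^>]*\b(?:src|href)=[\"']http://", re.I)

def assess(ex, now):
    """Findings for one captured exchange. ex keys: url, status, headers (dict), body,
    page_kind, cert (None on plain HTTP, else {'not_after': datetime, 'key_bits': int})."""
    findings = []
    headers = {k.lower(): v for k, v in ex["headers"].items()}
    if not ex["url"].startswith("https://"):
        # Always-on SSL: a plain-HTTP request must be redirected to HTTPS, never answered
        to_https = ex["status"] in (301, 302, 307, 308) and headers.get("location", "").startswith("https://")
        if not to_https:
            findings.append("sensitive-page-over-http" if ex["page_kind"] in SENSITIVE else "no-https-redirect")
        return findings
    if "strict-transport-security" not in headers:
        findings.append("missing-hsts")  # browsers will still follow plain-HTTP links to this host
    cert = ex["cert"]
    if cert["not_after"] <= now:
        findings.append("certificate-expired")
    elif cert["not_after"] - now < timedelta(days=30):
        findings.append("certificate-expires-within-30-days")
    if cert["key_bits"] < 2048:
        findings.append("key-shorter-than-2048-bits")
    if MIXED_RE.search(ex["body"]):
        findings.append("mixed-content")
    return findings

NOW = datetime(2013, 12, 8, tzinfo=timezone.utc)  # the post's date, used as the clock
SAMPLES = {  # constructed exchanges; shop.example, cdn.example and old.example are placeholder hosts
    "http-checkout": {"url": "http://shop.example/checkout", "status": 200, "page_kind": "checkout",
                      "headers": {"Content-Type": "text/html"}, "body": "<form action='/pay'>", "cert": None},
    "http-redirect": {"url": "http://shop.example/", "status": 301, "page_kind": "other",
                      "headers": {"Location": "https://shop.example/"}, "body": "", "cert": None},
    "https-cart": {"url": "https://shop.example/cart", "status": 200, "page_kind": "cart",
                   "headers": {"Strict-Transport-Security": "max-age=31536000"},
                   "body": '<script src="http://cdn.example/t.js"></script>',
                   "cert": {"not_after": NOW + timedelta(days=10), "key_bits": 2048}},
    "https-stale": {"url": "https://old.example/login", "status": 200, "page_kind": "login", "headers": {},
                    "body": "", "cert": {"not_after": NOW - timedelta(days=1), "key_bits": 1024}},
}

def audit(samples=SAMPLES, now=NOW):
    """Findings per sample name; an empty list means that sample passed every check."""
    return {name: assess(ex, now) for name, ex in samples.items()}
```

Run against real traffic, the same function can be fed the response headers, body and server certificate captured by whatever client you already use for site monitoring.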

December 5, 2013

Microsoft’s guidance for protecting the enterprise from attack

Microsoft has released its guidance on best practices to protect enterprises from malicious attack. Here is a summary of the report recommendations:

  1. Keep all software up-to-date: Attackers will try to use vulnerabilities in all sorts of software from different vendors, so it is important for organizations to keep all of the software in their environment up to date and run the latest versions whenever possible.
  2. Demand software that was developed with a security development lifecycle: Until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.
  3. Restrict websites: Limit the websites that your organization’s users can visit. This likely won’t be popular in the office, but given that the majority of threats found in the enterprise are delivered through malicious websites, you might have the data needed to make a business case.
  4. Manage the security of your websites: Many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks. Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: Technologies like Network Access Protection (NAP), Intrusion Prevention System (IPS), and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.