
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


COMPUTER SECURITY AND CRIME PREVENTION TIPS FOR BUSINESSES

Source: Carmel Valley News

Posted on December 20, 2012

Computer crimes involve the illegal use of or the unauthorized entry into a computer system to tamper, interfere, damage, or manipulate the system or information stored in it. Computers can be the subject of the crime, the tool of the crime, or the target of the crime.

As the subject of a crime, a criminal would use your computer or another computer to willfully alter the information stored in your computer, add fraudulent or inaccurate information, delete information, etc. Motives for this include revenge, protest, competitive advantage, and ransom.

As the tool of a crime, a criminal would use a computer to gain access to or alter information stored on another computer. In one common mode of attack a hacker would send a "spear phishing" e-mail to employees who have access to the business bank account. The e-mail would contain an infected file or a link to a malicious website. If an employee opens the attachment or goes to the website, malware that gives the hacker access to bank account log-ins and passwords would be installed on the computer. The hacker would then have electronic payments made to accounts from which the money would be withdrawn. Criminals also use computers to commit various frauds and steal identities and other information.

As the target of a crime, computers and information stored in them can be stolen, sabotaged, or destroyed. Sabotage includes viruses, malware, and denial-of-service attacks. Trade secrets and sensitive business information stored in computers can be lost in these kinds of attacks.

Your computers and the information in them should be protected as any valuable business asset. The following tips deal with physical and operational protective measures, Wi-Fi hacking and hotspot dangers, personnel policies and employee training, anti-virus and spyware protection, protecting your bank accounts, use of social media, preventing and dealing with data breaches, and safer use of the Internet.

Also, consider joining the FBI's InfraGard, a partnership with the private sector with the goal of promoting an ongoing dialogue and timely communications between its members and the FBI. Its members gain access to information that enables them to protect their assets from cyber crimes and other threats by sharing information and intelligence. Go to www.infragard.net to apply for membership.

PHYSICAL PROTECTIVE MEASURES

Do not allow unauthorized persons to have access to any of your computers. This includes cleaning crews and computer repair persons. Install surface locks, cable-locking devices, and fiber-optic loops to prevent equipment theft. Install computers on shelves that can be rolled into lockable furniture when employees leave their work areas. Locate the computer room and data storage library away from outside windows and walls to prevent damage from external events. Install strong doors and locks to the computer room to prevent equipment theft and tampering. Reinforce interior walls to prevent break-ins. Extend interior walls to the true ceiling. Restrict access to computer facilities to authorized personnel. Require personnel to wear distinct, color-coded security badges in the computer center. Allow access through a single entrance. Other doors should be alarmed and used only as emergency exits.

PROCEDURAL AND OPERATIONAL PROTECTIVE MEASURES

Classify information into categories based on importance and confidentiality. Use labels such as "Confidential" and "Sensitive." Identify software, programs, and data files that need special access controls. Each employee's access should be limited to what he or she needs to do his or her job. No employee should have unlimited access. Install software-access control mechanisms. Require a unique, verifiable form of identification, such as a user code or secret password, for each user.

Install special access controls, such as a call-back procedure, if you allow access through a dial-telephone line connection. Have your Information Technology (IT) manager change administrative passwords on a regular basis. A number of free tools are available for this if manual modification is not practical. These passwords should also be changed during non-business hours. Require that passwords consist of a random sequence of at least eight letters, numbers, and special characters.

Passwords should be changed at least every three months and not be shared. Employee user accounts should not have administrative privileges. This will prevent the installation of any unauthorized software or malicious code that an employee might activate. Change security passwords to block access by employees who change jobs, leave, or are fired. The latter become a high risk to your business for revenge or theft. Encrypt confidential data stored in computers or transmitted over communication networks. Use National Institute of Standards and Technology (NIST) data encryption standards. Design audit trails into your computer applications.

Log all access to computer resources with unique user identification. Separate the duties of systems programmers, application programmers, and computer programmers. Review automated audit information and control reports to determine if there have been repeated, unsuccessful attempts to log on, both from within and outside your facility. Look for unauthorized changes to programs and data files periodically. Use monitoring or forensic tools to track the behavior of employees suspected of malicious activities.
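The audit-log review described above, as an added example that is not part of the original article: it reads logon records that carry a unique user identification, counts repeated failed attempts per user and source within a sliding time window, and labels each finding as coming from inside or outside the facility. The log format, the sample lines, and the internal address ranges (RFC 1918) are assumptions made for this example.

```python
# Added example (not from the article): review authentication audit records for
# repeated failed logons, split by whether the source is inside or outside the
# facility. The log format and the sample lines below are constructed for this
# example; adapt parse_line() to whatever your systems actually emit.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, unique user id, source address, outcome.
SAMPLE_LOG = """\
2012-12-20T08:01:10 user=jsmith src=10.1.4.22 result=FAIL
2012-12-20T08:01:25 user=jsmith src=10.1.4.22 result=FAIL
2012-12-20T08:01:41 user=jsmith src=10.1.4.22 result=FAIL
2012-12-20T08:02:03 user=jsmith src=10.1.4.22 result=SUCCESS
2012-12-20T08:05:00 user=admin src=203.0.113.45 result=FAIL
2012-12-20T08:05:09 user=admin src=203.0.113.45 result=FAIL
2012-12-20T08:05:18 user=admin src=203.0.113.45 result=FAIL
2012-12-20T08:05:27 user=admin src=203.0.113.45 result=FAIL
2012-12-20T08:05:36 user=admin src=203.0.113.45 result=FAIL
2012-12-20T09:30:00 user=mlee src=10.1.7.8 result=SUCCESS
2012-12-20T12:00:00 user=mlee src=10.1.7.8 result=FAIL
2012-12-20T17:45:00 user=mlee src=10.1.7.8 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumption for this example: the facility uses RFC 1918 private addressing,
# so anything outside these ranges is treated as "outside your facility".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_line(line):
    """Return (timestamp, user, source, result), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"])


def locality(src):
    """Classify a source address as 'internal' or 'external' to the facility."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "external"  # unparseable source: treat as outside the facility
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def repeated_failures(log_text, threshold=3, window=timedelta(minutes=5)):
    """Find (user, source) pairs with at least `threshold` failed logons inside
    any `window`-long sliding window. Returns findings sorted by user and source."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the review
        ts, user, src, result = rec
        if result == "FAIL":
            failures[(user, src)].append(ts)

    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({
                "user": user,
                "source": src,
                "locality": locality(src),
                "max_failures_in_window": best,
            })
    return sorted(findings, key=lambda f: (f["user"], f["source"]))


if __name__ == "__main__":
    for f in repeated_failures(SAMPLE_LOG):
        print(f"{f['user']} from {f['source']} ({f['locality']}): "
              f"{f['max_failures_in_window']} failures within 5 minutes")
```

On the sample data, the two isolated failures for mlee hours apart are not reported, while the bursts for jsmith (internal) and admin (external) are.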

Monitor incoming Internet traffic for signs of security breaches. Make backup copies of important business information, i.e., documents, spreadsheets, databases, files, etc. from each computer used in your business. This is necessary because computers die, hard disks fail, employees make mistakes, malicious programs can destroy data, etc. Make backups automatically at least once a week if possible. Test the backups periodically to ensure that they can be read reliably.

Make a full backup once a month and store it in a protected place away from your business. Delete all information stored in your printers, copiers, and fax machines at least once a week. Use a secure data deletion program that will electronically wipe your hard drives. Simply hitting the delete key will leave some data on the hard drive. Be careful in getting outside help with computer security problems.

Start with a list of vendors or consultants. Then define the problem, send out a request for quotes, examine each quote, and check the provider's references and history before hiring one. If you become a victim of Internet fraud or receive any suspicious e-mails you should file a complaint with the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), at www.ic3.gov. The IC3 website also includes tips to assist you in avoiding a variety of Internet frauds.

WI-FI HACKING AND HOTSPOT DANGERS

Use of Wi-Fi in coffee shops, libraries, airports, hotels, universities, and other public places poses major security risks. While convenient, these networks are often not secure. You're sharing the network with strangers, and some of them may be interested in your personal information. If the hotspot doesn't require a password, it's not secure. If it asks for a password through your browser simply to grant access, or it asks for a Wired Equivalent Privacy (WEP) password, it's best to treat it as unsecured. You can be confident that a hotspot is secure only if it asks for the Wi-Fi Protected Access (WPA or WPA2) password. WPA2 is the most secure.

Also, unsecure laptops and smart phones make it easy for a hacker to intercept information to and from the web, including passwords and credit or debit card numbers. They are also vulnerable to virus and spyware infections, and to having their contents stolen or destroyed. A hacked laptop or smart phone can also create a security risk for the user's workplace if it contains a password to the corporate network. Wi-Fi users should take the following steps to reduce these risks:

Turn the Wi-Fi on your laptop, PDA, and smart phone off when you aren't using the network. Otherwise your Wi-Fi card will broadcast your Service Set Identifier (SSID) looking for all networks it was previously connected to. This enables hackers to figure out the key that unscrambles the network password. Use a known service instead of Free Public Wi-Fi or similar risky, unknown signals called ad hoc networks. Check the Wi-Fi security policies of your service provider and install the protections they offer to ensure it's a known network and not an "evil twin" hacker site pretending to be the legitimate one. Pay attention to warnings that a Secure Sockets Layer (SSL) certificate is not valid.

Never accept an invalid certificate on a public wireless network. Log off and look for a trustworthy network. Look for the padlock indicating an SSL connection. Keep your firewall on. And keep your operating system updated. Find out if your company offers a Virtual Private Network (VPN) and learn how to use it. Encrypted VPN sessions offer the highest security for public wireless use. Upgrade your Wi-Fi cards. The older WEP security is easily hacked. The new WPA and WPA2 are much more resistant to attack.

Learn to connect securely. Even the vulnerable WEP offers more privacy and protection than an unsecured public connection. It's not something the average hacker can crack. Only log in or send personal information on website pages that are encrypted. They will have https:// or shttp:// in their addresses and a "lock icon" at the top or bottom of your browser window. You can click on this icon to display information about the website and help you verify that it's not fraudulent. Use a different password for each account. When you've finished using an account, log out. Don't stay signed in. Pay attention to warnings from your browser if you try to visit a fraudulent website or download a malicious program. Remove all passwords and browsing history after using a shared computer.

Disable file-sharing on your laptop. Don't send any sensitive personal or business information while in a hotspot unless you absolutely have to. Put strong passwords on your wireless network. They should be more than eight characters in length, and contain both capital letters and at least one numeric character. Other advice on creating strong passwords can be found at www.microsoft.com/protect/yourself/password/checker.mspx.

Your IT manager should also do the following to protect corporate data from hotspot dangers:

Establish and enforce strong authentication policies for devices trying to access corporate networks. Require employees to use a corporate VPN and encryption when making connections and exchanging data. Better still, set up computers so that devices automatically connect to the VPN and encrypt data after making sure that the computer or device hasn't been lost or stolen. Make sure all devices and software applications are configured properly and have the latest patches.

Ensure that corporate security policies prevent employees from transferring sensitive data to mobile devices or unauthorized computers. Provide employees with broadcast air cards that require a service plan so they don't have to use public hotspots for wireless connections.

PERSONNEL POLICIES AND EMPLOYEE TRAINING

Employees can do a great deal of damage to a business by ignorance of security policies, negligence in protecting business secrets, deliberate acts of sabotage, and the public release of sensitive information. The following measures will help prevent this.

Conduct a comprehensive background check on prospective employees. Check references, credit reports, criminal records, and schools attended. Interview prospective employees. Seek to hire individuals who are team-oriented, can respond well to criticism, and can deal well with conflicts, i.e., ones unlikely to become insider threats. Require vendors, suppliers, and other contractors to use similar standards in hiring their employees.

Include language in all contracts that makes contractors liable for actions of their employees. Treat all employees fairly and make sure none are teased by their peers or supervisors because of their ethnicity, speech, financial situation, social skills, or other traits.

Monitor activities of employees who handle sensitive or confidential data. Watch for employees who work abnormally long hours, weekends, or holidays, or who refuse to take time off. Many computer crime schemes require regular, periodic manipulation to avoid detection. Also watch for employees who collect material not necessary to their jobs, such as data printouts, software manuals, etc. Train your employees in your basic computer usage and security policies. Also cover penalties for not following your policies, and have employees sign a statement that they understand and will follow your policies.

Train your employees about security concerns and procedures for handling e-mails, clicking on links to websites, responding to popup windows, and installing infected USB drives. For example, they should not: open e-mail from an unknown sender, open unexpected e-mail attachments, click on any links in e-mail messages even if they look real, respond to popup windows, bring back and install "found" USB drives, etc. Train your employees to be aware of what others are doing and to report any suspicious behavior that threatens your security. Conduct periodic re-training because people forget things. Use pamphlets, posters, newsletters, videos, etc.

SPECIAL MEASURES FOR LAPTOPS

Special security measures are needed for laptops to reduce the threat from determined thieves.

Issue desktops instead of laptops to employees who seldom leave their offices. Have employees lock up their laptops when they are left unattended in their offices. Never leave laptops unguarded. Have employees carry their laptops in a sports bag or briefcase instead of the manufacturer's bag. Do not leave laptops in vehicles. Determine if employees need all the data on their laptops to perform their jobs. Remove any data that is not needed.

Train employees in the need for special measures to protect laptops and their data wherever they may be used. Create a loss response team to monitor compliance with laptop and data security measures, investigate losses, assess data needs, and remove data no longer needed. Protect data with strong passwords.

Other measures should be considered to protect your business in the event a laptop is lost or stolen.

Have employees back up their files so they can be recovered if their laptop is lost or stolen. Don't store passwords on laptops. Encrypt all sensitive information so it cannot be compromised. Keep a record of all laptop makes, models, and serial numbers so that if one is recovered you can prove it is yours. Place stickers on the laptops with a phone number to call if one is lost and found by an honest person. But don't put the name of your employee or business on it.

That information could be used by criminals to guess passwords or assess the sensitivity of the data stored on the laptop. Install hardware, software, or both to aid in recovery of the laptop. After you report the laptop lost or stolen the software enables a monitoring company to track the laptop when the thief logs onto the Internet. Hardware systems work the same but have a Global Positioning System (GPS) device that can pinpoint its location. Install software that will enable you to erase sensitive information when the thief logs onto the Internet.

ANTI-VIRUS AND SPYWARE PROTECTION

The following measures can help protect your computer from viruses and spyware:

Keep your computer up to date with the latest hardware and software firewalls, and anti-virus and anti-spyware software. The latter counters programs that secretly record what you type and send the information to the thieves. They are often installed when you visit websites from links in e-mail. This also applies to multi-function printers, fax machines, and copiers that can be accessed using a web browser. Use security software that updates automatically. Visit www.OnGuardOnline.gov for more information.

Do not buy "anti-spyware" software in response to unexpected pop-ups or e-mails, especially ones that claim to have scanned your computer and detected malicious software. Do not respond in any way to a telephone or e-mail warning that your computer has a virus even if it appears to come from an anti-virus software provider like Microsoft, Norton, or McAfee. "Helpful hackers" use this ploy to get you to download their software to fix the virus or sell you computer monitoring or security services to give them remote access to your computer so they can steal your passwords, online accounts, and other personal information.

If you already have anti-virus software on your computer you'll receive a security update or warning directly on your computer. Use the latest versions of Internet browsers, e.g., Microsoft Internet Explorer 8, which is designed to prevent phishing attacks. Use Explorer in the "protected mode," which restricts the installation of files without the user's consent, and set the "Internet zone security" to high. That disables some of Explorer's less-secure features. And set your operating system and browser software to automatically download and install security patches. Do not install files or programs from CDs or flash drives before checking them for viruses.

Scan demo disks from vendors, shareware, or freeware sources for viruses. Restrict use of electronic bulletin boards. Do not download files from unknown sources. Do not allow any website to install software on your computers. Scan downloaded files for viruses. Avoid downloading executable files. Obtain copies of your anti-virus software for your employees' home computers if your employees do some business work at home. Also ensure that your employees' home computers are protected by hardware and software firewalls between their system(s) and the Internet.

PROTECTING BANK ACCOUNTS

Set up dual controls so that each transaction requires the approval of two people. Establish a daily limit on how much money can be transferred out of your account. Require all transfers be prescheduled by phone or confirmed by a phone call or text message. Require that all new payees be verified. Check bank balances and scheduled payments at the end of every workday, rather than at the beginning, and contact the bank immediately if anything is amiss.

Timely action can halt the completion of a fraudulent transaction because transfers usually aren't made until the next morning. Inquire about your bank's defenses against cyberattacks and review the terms of your banking agreement with regard to responsibilities for fraud losses. Shop around for banks that provide better protections. Conduct online business only with a secure browser connection, which is usually indicated by a small lock in the lower right corner of your web browser window. Erase your browser cache, temporary Internet files, cookies, and history after all online sessions. This will prevent this information from being stolen if your system is compromised.

USE OF SOCIAL MEDIA

While the use of social media can stimulate innovation, create brand recognition, generate revenue, and improve customer satisfaction, it has inherent risks that can negatively impact business security. Thus businesses need to develop a social media strategy and a plan to address these risks. Some risk mitigation techniques for business and employee use of social media are listed below. For details see the emerging technology white paper titled Social Media: Business Benefits and Security, Governance and Assurance Perspectives published by the Information Systems Audit and Control Association (ISACA).

Ensure that anti-virus and anti-malware controls are updated daily. Use content filtering to restrict or limit access to social media sites. Establish policies for the use of mobile devices to access social media. Install appropriate controls on mobile devices. Conduct awareness training to inform employees of the risks in using social media. Provide employees with clear guidelines regarding what information about the business can be posted. Scan the Internet for unauthorized or fraudulent use of the business name or brand.

PREVENTING AND DEALING WITH DATA BREACHES

The five key principles defined by the Federal Trade Commission in its video entitled Protecting Personal Information: A Guide for Business at http://business.ftc.gov/privacy-and-security/data-security will help you protect personal information in your business and prevent data breaches. They are: (1) Take stock, (2) Scale down, (3) Lock it, (4) Pitch it, and (5) Plan ahead. You should do the following for each.

1. Take stock: Know what personal information you have in your files and in your computers. Inventory all file-storage and electronic equipment. Know where your business stores sensitive data. Talk to your employees and outside service providers to determine who sends you personal information and how it is sent. Consider all the personal information you collect from customers, and how you collect it. Review where you keep the information you collect, and who has access to it.

2. Scale down: Keep only what you need for your business.

Use Social Security Numbers (SSNs) only for required and lawful purposes. Don't use them for employee or customer identification. Keep customer credit or debit card information only if you have a business need for it. Don't keep any information you don't need. Change the default settings on the software that reads customers' credit or debit cards. Review the credit application forms and fill-in-the-blank web screens you use to collect data from potential customers, and eliminate requests for any information you don't need.

Use no more than the last five digits of credit or debit card numbers on electronically printed receipts that you give to your customers. And don't print the card's expiration date. Develop a policy for retaining written records that is consistent with your business needs and the law.

3. Lock it: Protect the information that you keep and transmit.

Keep documents and other materials containing personal information in locked rooms or file cabinets. Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day. Create a security policy for your employees when using laptops in and out of your office. (See prior section on Special Measures for Laptops.) Control access to your building. Encrypt sensitive information you send over public networks or use a secure file transfer service.

Don't send personal information by e-mail. Run up-to-date anti-virus and anti-spyware programs on all your computers. Use a firewall to protect your computers and network. (See prior section on Anti-virus and Spyware Protection.) Require employees to use strong passwords.

Set access controls so employees only have access to information they need for their jobs. (See prior section on Procedural and Operational Protective Measures.)

4. Pitch it: Properly dispose of what you no longer need.

Create and implement secure information disposal practices for employees in your office and for those who travel or work at home. Train your staff to separate sensitive and other paper records. Dispose of the former by shredding, burning, or pulverizing them. Use cross-cut shredders. The latter can be put in the trash. Make shredders available throughout your office, especially next to the copiers. Remove and destroy the hard disk of any computer or copier headed for the junkyard. Or wipe them securely.

Remove and securely wipe hard drives of rented copiers before returning them. Or clear the memory and change the pass codes. Destroy CDs, floppies, USB drives, and other data storage devices, or securely wipe them before disposal.

5. Plan ahead: Create a plan for dealing with security breaches.

In addition to having plans to protect personal information and prevent breaches, businesses should have a response plan to deal with possible breaches. California Civil Code Sec. 1798.82 requires businesses to notify persons whose personal information has been compromised of the security breach and the specific information involved. The notice requirement is triggered if the breach involves a person's name in combination with any of the following: Social Security Number; driver's license or Identification Card number; financial account, credit card, or debit card number along with any PIN or other access code required to access the account; medical information; or health insurance information. The letter of notice should also recommend measures to take to deal with the breach.

Organize a response team and designate a team leader to manage the activities. Draft contingency plans for dealing with various kinds of breaches, including hacking, lost laptop, etc. Investigate breaches immediately. Disconnect a compromised computer from the Internet. Create a list of who to notify inside and outside of your business in the event of a breach. The latter include the appropriate law enforcement agencies, the persons whose information has been compromised, and the media. Draft notification letters and other written communications. Consider what outside assistance is needed, e.g., in forensics, media relations, etc.

SAFER USE OF THE INTERNET

There are presently two similar efforts by the U.S. Government to promote safer use of the Internet. The one by the FTC's Bureau of Consumer Protection is called Stop.Think.Click. The other, developed by a group representing industry, government, academia, and the nonprofit sector in 2009, and promoted by the Obama administration and the Department of Homeland Security, is called Stop.Think.Connect.

Stop.Think.Click

This effort defines seven practices for safer computing and provides tips on preventing identity theft, safe use of social networking sites, online shopping, Internet auctions, avoiding scams, and wireless security. It also provides a glossary of terms. The seven practices are:
1. Protecting your personal information
2. Knowing who you're dealing with
3. Using anti-virus and anti-spyware software, as well as a firewall
4. Setting up your operating system and web browser software properly, and updating them regularly
5. Protecting your passwords
6. Backing up your important files
7. Learning who to contact if something goes wrong online.

Stop.Think.Connect

This effort suggests that users do the following:

Stop. Before you use the Internet, take time to understand the risks and learn how to spot potential problems.
Think. Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact the safety of yourself and your family.
Connect. Enjoy the Internet with greater confidence, knowing you've taken the right steps to safeguard yourself and your computer.

You can learn how to become a partner in this effort by going to its website at www.stopthinkconnect.org. This site also contains the tips and advice for doing the following.

Keeping a clean machine:
Have the latest security software, web browser, and operating system. Use programs that automatically connect and update your security software. Protect all devices that connect to the Internet from viruses and malware. Use your security software to scan all USBs and other external devices before attaching them to your computer.

Protecting your personal information:
Secure your accounts with protection beyond passwords that can verify your identity before you conduct business. Make passwords long and strong with capital and lowercase letters, numbers, and symbols. Use different passwords for every account. Keep a list of your passwords stored in a safe place away from your computer. Use privacy and security settings to limit who you share information with.

Connecting with care:
Delete any suspicious e-mail, tweets, posts, and online advertising. Limit the business you conduct from Wi-Fi hotspots and adjust your security settings to limit who can access your computer. Use only secure websites when banking and shopping, i.e., ones with https:// or shttp:// in their addresses.

Being web wise:
Keep pace with new ways to stay safe online by checking trusted websites for the latest information. Think before you act when you are implored to act immediately, offered something that sounds too good to be true, or asked for personal information. Back up your valuable information by making an electronic copy and storing it in a safe place.

Being a good online citizen:
Practice good online safety habits. Post about others as you would have them post about you. Report all types of cybercrime to your local law enforcement agency and other appropriate authorities.





E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

