10 Things to Know About Cybersecurity Based on Actual Cases

The Federal Trade Commission can be a great resource when it comes to protecting your business. Hear about and learn from some actual cybersecurity cases from the FTC.

In a recent COSE WebEd Series Webinar, the FTC's Amy Hocevar shared her thoughts on lessons you can learn from real world FTC cases.


    The FTC helps ensure consumers have accurate information and promotes competition so that we have better products, lower prices, more innovation and a better economy. The FTC’s provisions prohibit companies from engaging in unfair or deceptive advertising practices and prohibit unfair methods of competition.

    FTC’s role in cybersecurity

    The FTC has taken action against hundreds of companies that did not follow its guidelines regarding spam, spyware, general security and cybersecurity. The following four points guide the FTC’s enforcement:

    FTC guideline No. 1: Information security is an ongoing process.

    FTC guideline No. 2: A company’s security process must be reasonable and appropriate in light of the circumstances (volume and sensitivity of the information, cost of the tools available, etc.).

    FTC guideline No. 3: A breach does not necessarily show a failure to have reasonable security measures—there is no such thing as perfect security.

    FTC guideline No. 4: Your practices may still be unreasonable even if you haven’t had a breach—it doesn’t mean there aren’t things you can improve or that a future breach isn’t possible.

    Cybersecurity lessons

    The following 10 lessons on cybersecurity are based on some of the FTC’s actual cases, including some well-known company names.

    Lesson No. 1: Start with security. The idea of protecting your company should be factored into every decision within your business.

    Don’t collect information you don’t need. In the case of a company called RockYou, consumers had to provide email addresses and email passwords in order to access all features, which let hackers access the information of up to 32 million users. The FTC said this company created an unnecessary risk to email accounts by collecting sensitive information that it didn’t need. In the case of BJ’s Wholesale Club, the FTC said that credit card information was stored long after the sale was complete. Hackers stole personal information from BJ’s consumers, leading to fraudulent charges, all because the company did not securely dispose of the information when it no longer had a legitimate need for it.

    Don’t use personal information when not necessary. The FTC alleged that Accretive Health, instead of using fictitious data, used real consumer information in employee training sessions but failed to remove it from machines when the sessions were over.

    Lesson No. 2: Control access to data sensibly.

    Restrict access to sensitive data. In a case with Morgan Stanley, the company did a lot of things right, but an employee gained access to a report where the security settings were configured incorrectly. While a breach did occur, the FTC closed its investigation, highlighting that the company had reasonable protections in place.

    Limit administrative access. Only employees tasked with a specific job should have access to that particular information. The FTC brought a case against Twitter, discovering that the company granted almost all of its employees access to passwords, email addresses, phone numbers and other information. Hackers were able to gain administrative control on multiple occasions in the Twitter system.

    Lesson No. 3: Require secure passwords and authentication.

    Store passwords securely. In a case against Guidance Software, the FTC alleged that the company failed to protect information because it stored network user credentials in clear, readable text. It is essential for companies to have strong policies for storing passwords and to check regularly that those policies are being followed.

    Guard against brute force attacks. The FTC says that not disabling accounts after a certain number of unsuccessful login attempts may unreasonably place networks at risk.

    Protect against authentication bypass. One thing many business owners are unaware of is that hackers can reach accounts not by entering a correct password but by guessing a predictable URL that skips the login check. Access to every protected page must be checked on the server, not assumed from the fact that the page was requested.
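The three controls in Lesson No. 3 (hashed password storage, lockout after repeated failures, and a server-side check that a protected page is only served to a logged-in session rather than to anyone who knows its URL) fit in one small account store. The following is an added example written for this article, not code from the FTC or from COSE; the class name, the lockout threshold, the hashing parameters and the sample user are assumptions made for the demo.

```python
"""Added example (not from the COSE/FTC article): an in-memory account store
that shows the three Lesson No. 3 controls together: salted password hashing,
lockout after repeated failures, and a server-side session check so that a
protected page cannot be reached just by guessing its path.
The class name, limits and sample data are assumptions made for this demo."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5       # lock the account after this many bad passwords
PBKDF2_ITERATIONS = 100_000   # slows offline guessing if the hash table ever leaks


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash; only salt + hash are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}    # username -> salt, hash, failures, locked
        self._sessions: Dict[str, str] = {}  # session token -> username

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None on failure or lockout."""
        user = self._users.get(username)
        if user is None:
            hash_password(password)   # same cost for unknown users, so timing reveals nothing
            return None
        if user["locked"]:
            return None               # unlocking is an admin or timed action, out of scope here
        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            user["failures"] = 0
            token = secrets.token_urlsafe(32)
            self._sessions[token] = username
            return token
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True     # the brute-force guard the text describes
        return None

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]

    def get_page(self, path: str, session_token: Optional[str] = None) -> Tuple[int, str]:
        """Serve a path. Access to /account/<name> depends on the session that
        presents the request, never on whether the caller knew the URL."""
        if not path.startswith("/account/"):
            return 200, "public page"
        owner = self._sessions.get(session_token)
        if owner is None:
            return 401, "login required"
        if path != f"/account/{owner}":
            return 403, "forbidden"   # a logged-in user sees only their own data
        return 200, f"account data for {owner}"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample user
    print(store.get_page("/account/alice"))                    # (401, 'login required')
    token = store.login("alice", "correct horse battery staple")
    print(store.get_page("/account/alice", token))             # (200, 'account data for alice')
```

Two design choices matter here. The password check and the page check are independent: even with a valid session, a user who requests another person's account path is refused, which is the part a URL-guessing attempt relies on being missing. And the lockout counter is reset only on a successful login, so a slow trickle of wrong guesses still trips it.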

    Lesson No. 4: Store sensitive personal information securely and protect it throughout its lifecycle.

    Use industry-tested methods and cryptography when transmitting information. Experts may have already developed accepted standards that can be applied to your business. Familiarize yourself with methods that already exist in your industry. In the case of ValueClick Media, the FTC brought action against this company because its encryption method was subject to significant vulnerabilities that were commonly known and easy to protect against.

    Ensure proper configuration. Hire experienced personnel to ensure your products are working properly. The FTC alleged that Fandango employees disabled secure encryption, which left the app open to attack. Testing for vulnerabilities before release would have caught the problem.

    Lesson No. 5: Segment your network and monitor who is trying to get in and out.

    Only connect people/locations within a company when necessary. The FTC alleged that DSW was compromised because they allowed computers on one in-store network to connect to other in-store networks. If they had segmented branches, they would have reduced the risk of such a widespread attack.

    Consistently monitor activity on your network. The FTC alleged that Dave & Buster’s did not use effective measures to monitor its network and was consequently hacked. If the company had been monitoring its systems, it’s likely it would have caught the intrusion.

    Lesson No. 6: Secure remote access to your network.

    Ensure endpoint security across all areas. When thinking about security it’s important to consider not only computers being used inside your company walls, but other computers being used outside of your company as well.

    Put sensible limits in place. According to the FTC, Dave & Buster’s didn’t adequately restrict third-party access to its networks, and a data breach occurred through a vendor as a result. Reduce this risk by restricting connections to your network. One way to do this is to block certain IP addresses; perhaps only allow IP addresses from countries you do business with. Also, allow third-party access only temporarily and only when it is needed.
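Lesson No. 5 (monitor who is trying to get in and out) and Lesson No. 6 (restrict connections, and grant third parties access only temporarily) can be implemented with one small allowlist that ties each vendor to a source network and an expiry time, and a review step that tallies refused attempts per source. The code below is an added example written for this article, not anything from the FTC or COSE; the grant format, the vendor names, the addresses (documentation ranges) and the log lines are all constructed for the demo.

```python
"""Added example (not from the article): a time-bounded allowlist for
third-party remote access, applied to constructed connection-log lines.
The grant format, vendor names, addresses and log format are assumptions."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Each grant: the vendor, the network it connects from, and the window during
# which access is actually needed.  Grants expire by themselves, so nobody has
# to remember to remove the vendor after the maintenance job is finished.
GRANTS = [
    {"vendor": "pos-maintenance", "network": "198.51.100.0/24",
     "start": "2024-03-01T08:00:00Z", "end": "2024-03-01T18:00:00Z"},
    {"vendor": "hvac-monitoring", "network": "203.0.113.10/32",
     "start": "2024-02-01T00:00:00Z", "end": "2024-12-31T23:59:59Z"},
]


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def access_decision(src_ip: str, when: str) -> Tuple[str, str]:
    """Return ("allow", vendor) or ("deny", reason) for one connection attempt.
    Anything not covered by an active grant is refused by default."""
    ip = ipaddress.ip_address(src_ip)
    ts = _parse_ts(when)
    for grant in GRANTS:
        if ip in ipaddress.ip_network(grant["network"]):
            if _parse_ts(grant["start"]) <= ts <= _parse_ts(grant["end"]):
                return "allow", grant["vendor"]
            return "deny", f"grant for {grant['vendor']} not active at {when}"
    return "deny", "source not on allowlist"


# Constructed sample log, one attempt per line: "<timestamp> <source-ip> <user>"
SAMPLE_LOG = """\
2024-03-01T09:15:00Z 198.51.100.7 svc-pos
2024-03-01T23:40:00Z 198.51.100.7 svc-pos
2024-03-02T02:10:00Z 192.0.2.44 admin
2024-03-02T02:10:05Z 192.0.2.44 admin
2024-03-02T02:10:09Z 192.0.2.44 root
2024-06-15T12:00:00Z 203.0.113.10 hvac
"""


def review_log(log_text: str) -> Tuple[List[Tuple[str, str, str, str, str]], Dict[str, int]]:
    """Apply the allowlist to every line and count denials per source address,
    so a source that keeps knocking stands out for follow-up (the monitoring
    step from Lesson No. 5)."""
    decisions = []
    denied_by_source: Counter = Counter()
    for line in log_text.splitlines():
        when, src, user = line.split()
        verdict, detail = access_decision(src, when)
        decisions.append((when, src, user, verdict, detail))
        if verdict == "deny":
            denied_by_source[src] += 1
    return decisions, dict(denied_by_source)


if __name__ == "__main__":
    results, denied = review_log(SAMPLE_LOG)
    for row in results:
        print(*row)
    print("denials per source:", denied)
```

In the sample, the point-of-sale vendor is accepted during its maintenance window and refused the same evening once the grant has lapsed, and the three attempts from an address that is on no grant at all are refused and show up as a single source with three denials, which is the line item a reviewer would chase.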

    Lesson No. 7: Apply sound security practices when developing new products.

    Train engineers in secure coding. The complaint against HTC America alleged that the company failed to implement readily available security and therefore malicious third-party apps were able to put sensitive information from the company at risk.

    Follow platform guidelines for security. Businesses must verify that privacy and security features work. Snapchat advertised that messages would disappear forever, but it was later discovered the app saved video files in a location that made them easy to recover. Verify that privacy and security features live up to your claims; test for common vulnerabilities and make sure your business is protected against them.

    Lesson No. 8: Make sure your service providers implement reasonable security measures.

    Put it in writing. The FTC alleged that GMR Transcription hired people to transcribe audio files but failed to protect the information, and the files became accessible on the internet. It is important to actually put security requirements into your contracts to ensure service providers are compliant. Make sure companies you do business with know you will follow up with them on security issues.

    Lesson No. 9: Put procedures in place to keep your security current and address vulnerabilities that might arise.

    Update third-party software. TJ Maxx was alleged to have not adequately protected its consumers simply because it failed to update its anti-virus software. In the case against Fandango, the company was notified of a vulnerability but didn’t act because the notification was misclassified. Heed credible security warnings and move quickly to fix them. Consider having a dedicated email address for people to send these reports to and a staff member dedicated to responding.

    Lesson No. 10: Secure paper, physical media and devices.

    Keep safety standards in place when data is en route. With Accretive Health, personal data was locked in a car that was stolen, and therefore that information was compromised. Information should be out of sight and encrypted, and it should not be transported unless absolutely necessary.

    Dispose of sensitive data securely. According to FTC complaints against Rite Aid and CVS, both companies tossed prescriptions in dumpsters. They could easily have shredded the materials and disposed of them appropriately instead of putting their consumers’ information at risk. Additionally, wipe hard drives, photocopiers and other machines before getting rid of them.


    If you would like more details, consider signing up for information from the FTC because if a data breach occurs or there is a threat out there, the FTC will be talking about it and notifying you. www.ftc.gov

13 Tips from the FTC to Protect Against Phishing Attacks

    In the second article of this series from the Federal Trade Commission, we’re holding a magnifying glass up to phishing and ransomware scams and bringing you 13 things to consider as you set up strategies to protect your business.

    The Federal Trade Commission (FTC) is bringing you an informative series on various scams that can target and potentially devastate small businesses. In the first article of this series, we highlighted an unsophisticated, but highly lucrative, scam aimed at the business community: the sending of and billing for unordered merchandise. In this second installment from the staff of the FTC’s East Central Region, we focus on more sophisticated scams involving phishing and malware.


    What is ‘phishing’?

    Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get unsuspecting people to share valuable personal information—such as account numbers, Social Security numbers, or login IDs and passwords—which scammers can use to steal money, your identity or both. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies, or they may pretend to be a colleague or a familiar vendor. 

    Scammers also use phishing emails to get access to your computer or network to install malware. Malware includes viruses, spyware and other unwanted software that gets installed on your computer or mobile device without your consent. These programs can cause your device to crash and can be used to monitor and control online activity. They also can make your computer vulnerable to viruses and deliver unwanted or inappropriate ads. A lucrative form of malware for scammers is called ransomware, a program that can lock you out of important files on your computer.

    To reduce the risk of falling for a phishing attempt or downloading malware, you should train every employee or contractor who has access to your network—including yourself. Here are 13 things to keep in mind as you establish strategies to protect your business:

    Tip No. 1: Think twice before clicking on links or downloading attachments and apps. Even emails from your friend or colleague could be dangerous. Files and links can contain malware that can weaken your computer’s security. You also can get malware from visiting a compromised site or through malicious online ads.

    Tip No. 2: Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.   

    Tip No. 3: Make the call if you’re not sure. Do not respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If a colleague or a vendor asks for personal or financial information, pick up the phone and call them yourself using the number in your address book or on their website, not the one in the email.

    Tip No. 4: Turn on two-factor authentication. For accounts that support it, two-factor authentication requires both a password and an additional piece of information to log in to an account. The second piece could be a code sent to a mobile device or a random number generated by an app or a hardware token. This protects an account even if the password is compromised.
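The "random number generated by an app or a token" in Tip No. 4 is usually a time-based one-time password (TOTP, RFC 6238): the server and the app share a secret, and each 30-second window yields a six-digit code that a stolen password alone cannot reproduce. The following is an added example, not code from the FTC; it uses only the Python standard library, the published RFC test-vector key so the codes can be checked against known values, and a replay check and helper names that are my own assumptions.

```python
"""Added example (not from the FTC tips): an RFC 6238 time-based one-time
password (TOTP) generator and verifier built from the standard library.
The secret below is the RFC 4226/6238 test-vector key, used so the codes
can be checked against the published values; the replay check and the
helper names are assumptions made for this demo."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_used_counter: int = -1, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Accept a code from the current window or one step either side (clock drift).
    Returns the matched counter so the caller can store it; any counter at or
    below the last accepted one is refused, which stops a captured code from
    being replayed within its window."""
    base = at_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue
        expected = hotp(secret, counter, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None


def new_enrollment_secret() -> str:
    """Fresh 160-bit secret, Base32-encoded the way authenticator apps expect it."""
    return base64.b32encode(os.urandom(20)).decode()


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))                 # 287082, the RFC 6238 SHA-1 vector
    print(totp(RFC_TEST_SECRET, int(time.time())))   # what an app would show right now
```

The verifier returns the counter it matched rather than a bare true/false so the caller can record it against the account; a second submission of the same code, even inside the tolerance window, then fails. Constant-time comparison avoids leaking how many digits matched.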

    Tip No. 5: Back up files to external hard drives or cloud storage. Back up company files regularly to protect against viruses or a ransomware attack. Remember to log out of the cloud and unplug external hard drives so hackers can’t encrypt and lock your backups, too.

    Tip No. 6: Get well-known software directly from the source. Sites that offer lots of different browsers, PDF readers and other popular software for free are more likely to include malware.

    Tip No. 7: Read each screen when installing new software. If you don’t recognize a program, or are prompted to install additional “bundled” software, decline the additional program or exit the installation process.

    Tip No. 8: Install and update security software and use a firewall. Use security software you trust, and set operating systems, web browsers and security software to update automatically.

    Tip No. 9: Don’t change your browser’s security settings. You can minimize “drive-by” or bundled downloads, which are more likely to have malware, if you keep your browser’s default security settings.

    Tip No. 10: Pay attention to your browser’s security warnings. Many browsers come with built-in security scanners that warn you before you visit an infected webpage or download a malicious file.

    Tip No. 11: Don’t click on pop-ups or banner ads about your computer’s performance. Scammers insert unwanted software into banner ads that look legitimate, especially ads about your computer’s health. Avoid clicking on these ads if you don’t know the source.

    Tip No. 12: Scan USB drives and other external devices before using them. These devices can be infected with malware, especially if you use them in high-traffic places, like public computers.

    Tip No. 13: Talk about safe computing. Educate your colleagues that some online actions can put the company’s computers at risk: clicking on pop-ups, downloading “free” games or programs, opening chain emails or posting personal information.

    How do I know if company computers are infected with malware? 

    Monitor computers for unusual behavior. A computer might be infected with malware if it:

    • slows down, crashes or displays repeated error messages;
    • won’t shut down or restart;
    • serves a barrage of pop-ups;
    • serves inappropriate ads or ads that interfere with page content;
    • won’t let you remove unwanted software;
    • injects ads in places you typically wouldn’t see them, such as government websites;
    • displays web pages you didn’t intend to visit; or
    • sends emails you didn’t write.

    Other warning signs of malware include:

    • new and unexpected toolbars or icons in your browser or on your desktop;
    • unexpected changes in your browser, like using a new default search engine or displaying new tabs you didn’t open;
    • a sudden or repeated change in your computer’s internet home page; or
    • a laptop battery that drains more quickly than it should.

    What if I think I’m a victim?

    If you suspect there is malware on your computer, there are many companies that offer tech support. Online search results might not be the best way to find help, however. Tech support scammers pay to boost their ranking in search results so their websites and phone numbers appear above those of legitimate companies. If you want tech support, look for a company’s contact information on their software package or on the purchase agreement.

    What if I know I am a victim?

    If you are a victim of ransomware, where hackers take over your computer and demand a sum of money to give you back control, you can contain the attack by disconnecting the infected devices from your network to keep ransomware from spreading. If you’ve backed up your files, and removed any malware, you may be able to restore your computers. You should also contact law enforcement by reporting ransomware attacks to the Internet Crime Complaint Center or an FBI field office.

    Should I pay the ransom?

    Companies often ask if they should pay the ransom. Law enforcement doesn’t recommend paying the ransom, although it’s up to you to determine whether the risks and costs of paying are worth the possibility of getting your company’s files back. If you pay the ransom, there’s no guarantee you’ll get the files back. In fact, agreeing to pay signals to criminals that the company hasn’t backed up its files. Knowing this, they may increase the ransom price—and may delete or deny access to your files anyway. Even if you do get the company’s files back, they may be corrupted. And your company might be a target for other scams.

    The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. You can file a complaint online at www.ftc.gov/complaint or by telephone at 1-877-FTC-HELP (1-877-382-4357). Forward phishing emails to spam@uce.gov and to the organization impersonated in the email.

Don't Take the Risk of Fraud Lightly: 17 Steps to Protect Your Business

    While completely eliminating incidences of payment fraud may be impossible, there are definitely steps you can take to minimize the risk of exposure. By taking daily precautions, you can make it that much harder for fraudsters to perpetrate their schemes.



    Some basic tips for avoiding fraud:

    • Adhere strictly to your company’s security policies; they put them there for a reason.
    • Always use strong passwords to thwart attempts to hack your accounts.
    • Never share your passwords or let someone else log in to your computer.
    • Enroll in your bank’s security alerts, notifying you if there’s suspicious account activity.
    • No financial institution, including Fifth Third Bank, will ever send you an email asking you to verify or supply personal information.
    • Never send personal information via e-mail unless it is to a trusted source and use some type of encryption.
    • Never open unsolicited e-mails from unknown e-mail addresses. Set your spam filter on high to block suspicious communications.
    • Exercise reasonable care when downloading software and opening email attachments. Never download or open an e-mail attachment from an unknown email address.
    • Install a firewall and both anti-virus and anti-spyware software. Keep your virus definitions and browser and security software current.
    • Don’t write your PIN on your credit card.
    • Make sure your mobile phone number and other contact information are registered with your card issuer so they can verify transactions.
    • Don’t let your commercial card out of your sight when making a transaction.
    • When entering a PIN into a card-reader or ATM, use your free hand or body to shield the number from prying eyes.
    • Always review receipts after using your corporate credit card and report any suspicious charges.
    • Be sure to keep the card issuer’s phone number in your mobile phone’s contact list in case your card is lost or stolen.
    • If shopping on the Internet, use only secure, trusted sites.
    • Where available, take advantage of Europay Mastercard Visa (EMV) credit/debit cards with embedded microchips which dramatically reduce point-of-sale (POS) fraud.

    Beyond these proactive steps, businesses should also take advantage of protective tools offered by their bank, such as malware detection software and authentication for more secure logins. Follow these tips to help protect your business from the growing threats of fraud.

    Fifth Third and Fifth Third Bank are registered trademarks of Fifth Third Bancorp. Deposit and credit products provided by Fifth Third Bank. Member FDIC.

17 Things You Didn't Know About Energy Usage and Project Funding

    Commercial buildings represent more than 40% of all the energy consumed in the U.S., so there’s obviously a lot of room for energy savings. Read on to learn more about energy consumption and how you can get the financing you need to complete energy efficiency projects.

    It’s no big secret to business owners that energy costs are one of the biggest expenses their business faces. In fact, commercial buildings represent 43% of all of the energy consumed by buildings in the United States, yet are still just a tiny fraction of the energy efficiency market, according to the International Energy Agency.


    It’s clear how becoming more energy efficient should be a priority for business owners. Earlier this month, the COSE/GCP Energy Team hosted a workshop on financing solutions that make energy projects feasible and help businesses become more energy efficient, thus improving their bottom line.

    Listed below are the 17 things you need to know about how companies are using (or misusing) energy and how they can obtain financing to make their energy consumption more efficient.

    1. Barriers to investment. According to a 2016 International Facilities Management Association study of sub-100,000-square-foot buildings, owners reported that limited financial capacity and technical expertise continue to be barriers to investment in energy efficiency and clean energy upgrades.

    2. No budget. More than three out of four owners (76%) have no specific energy budget.

    3. Limited third-party options. A total of 87% of owners have limited access to third-party financing options, largely because they do not know that such financing exists.

    4. No contract. Almost nine out of 10 owners (88%) have no energy services agreement or contract.

    A solution

    C-PACE financing could be a solution for the business owners listed above. What is C-PACE and how can it help?

    5. What is C-PACE? C-PACE is a government financing policy that classifies energy-saving upgrades as a public benefit, such as a sewer, road extension, etc.

    6. How can C-PACE Help? With C-PACE, private lenders provide capital to build qualifying projects and they are repaid through the property tax bill over the life of the equipment (often 20 or more years). This makes most projects cash flow positive from day one.

    7. What qualifies? Most energy efficiency and water projects qualify.

    How PACE financing can help

    So, what are the benefits of C-PACE financing for pre-existing buildings?

    8. Attractive terms. It provides long-term financing with fixed rates of up to 20-year terms.

    9. Attractive cost. The cost of capital is low.

    10. All-in financing. This is 100% financing. No capital outlay is required from the property owner (hard or soft costs).

    11. NOI positive projects. With no capital outlay and long-term financing term, projects generally cash flow and generate net operating income beginning on day one.

    12. Non-recourse financing. The financing is non-recourse, with no corporate or personal guarantees required.

    13. Non-accelerating financing. The financing is non-accelerating, even in the event of the sale of the property.

    14. It’s not debt. It does not consume credit capacity because it’s not considered debt.

    15. Flexible structure. It can be structured to pass through costs with tenants for NNN leases.

    16. Fast underwriting. Fast-tracked underwriting can lead to a quick close.

    Contact the COSE/GCP Energy Team today

    17. Contact us today. And what’s the 17th takeaway on all this? It’s to contact the COSE/GCP Energy Team at energy@gcpartnership.com and let the Team evaluate your project, prescreen your business for C-PACE and connect you with the capital and resources you need to start saving on your energy expenses.

2010 CIO Symposium Google Apps and Cloud Computing Breakout Session


    When Google announced its free “Gmail” service on April 1, 2004, many initially thought it was to be a cute April Fool’s joke. Over six years and more than a dozen free or nearly free applications later, Google apps and other cloud-based options have moved from nice consumer toys to serious enterprise tools. For many CIOs, the question has changed from “Can cloud-based applications like this be taken seriously?” to “Will I be taken seriously if I don’t strongly consider Google Apps for my organization?” Join us for a discussion of IT leaders who swear by them, swear at them, and ponder the future of Google apps and other cloud applications in the enterprise. 


    Panelists included: Matt Hallock, Expedient; Stephen Hujarski, ASW Global; Michael Kimmel, Cleveland Institute of Art 


2010 CIO Symposium Keynote Address by Anuj Dhanda of PNC


    Keynote Presenter: Anuj Dhanda, CIO - PNC 


    The CIO Symposium strives to bring thought-provoking and engaging keynote presenters to our conference. This year is no exception as Anuj Dhanda, CIO of PNC, will present our afternoon keynote. As the 12th largest bank in the country, PNC's IT needs are varied and critical. Mr. Dhanda will share information on the company's IT strategy and offer insight into some of the merger issues with the company's acquisition of National City Corporation. 

