30 November: International Information Security Day

30 November: International Information Security Day

On November 30, the International Information Security Day. A celebration that arose in 1988, as a consequence of the first case of malware spreading over the network that was registered in the world, known under the name of Morris worms, which affected 10% of the machines connected to the Internet at that time, which was Aparnet.

As a result of this situation the Association for Computing Machinery (DHW), decree that every November 30, all people would be reminded of the obligation and need they have to protect their data from any type of corrupt action that may occur in the digital sphere.

Currently, most of the sensitive information of companies is on the Internet, more specifically in the different clouds. Workers are the first responsible for ensuring this data and not sharing it by any other means that could put the information at risk.

This is designed to create greater awareness of computer security issues and encourage people to secure the personal information stored on their comp.

In order to join the celebration, here we share 7 basic tips that every Internet user should follow.

How to protect your internet security

  • Manage your passwords well: It is not only about putting a difficult password in terms of length, but also that it does not have as much relation to you, or at least not as obvious a relationship as your dog’s name or your date of birth. As well as avoiding words that appear in the dictionary. The second thing is to try to vary the password in the different portals, if you want you can have 5 main ones, but not just one for everything.
  • Don’t trust the public Wifi: It’s not that you can’t use it to ask questions, watch a video while waiting for the train or read news, but don’t use it in high-risk spaces, such as enter the bank’s page and even enter your social networks or email.
  • Always update the software: We all find it tedious that every so often the computer or our website says that we have to update a program or plugin, but normally these updates seek to create patches in gaps that the previous version has left free and that puts our data at risk.
  • Don’t download everything from anywhere: A bad habit that netizens have, is that we love the free and that’s why without thinking much we give it to download. Same with emails that have an attachment that looks interesting. First make sure that the website or sender is safe and then download the content.
  • The mobile phone is also a computerYou must manage your mobile, just as you do with your PC. That is, download an antivirus and take care of the sites you enter with it.

 

Cyber security is no longer enough: businesses need cyber resilience

Today, we work from anywhere, on more devices, more networks, facing more risk than ever before. Widespread phishing, malware, ransomware attacks, and other frauds pose a risk not just to individuals or platforms, but to entire economies, governments, and our way of life.

Yet the way we think about securing our businesses and our data hasn’t really kept up. Business resources are often still allocated to defensive cyber security, which is focused on protecting the confidentiality and integrity of data. But these defenses are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it’s important to understand the difference.

Challenges in the use of maturity models

An assessment-focused framework based on a numerical score can lead to a box-checking culture. But cyber resilience is not about comparison, and there is no final destination. This measurement framework should scale for industry by focusing on the people, processes, and technology required to ensure entire value chains are resilient.

When the National Institute of Standards and Technology (NIST) framework for improving critical infrastructure cyber security was introduced there was a national call to action. Now, society and business is at another turning point. Both public and private organizations are working in entirely new, more digital, more distributed ways, which has further opened the floodgates to cyber risk. The May 2021 Presidential Executive Order states that: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” It calls for a public-private partnership to make the bold changes necessary to protect hybrid cloud infrastructures.

And like the NIST Framework, it’s important that a new, scalable cyber resilience framework is developed out of just such a partnership, fit for organizations to use across industries. So consider this an open call: can we come together to establish this framework? Can we make cyber resilience a part of business as usual? We need to work together, to make everyone stronger.

 

Sources:
(1)  World Economic Forum
(2) Marketing Research Telecat
(3)  Security Info Tech

Pictures: <a href=’https://www.freepik.es/fotos/personas’>Foto de Personas creado por rawpixel.com – www.freepik.es</a>

Holidays Fuel Surge Online Phishing Scams

Holidays Fuel Surge Online Phishing Scams

We’ve all been targeted in phishing attacks — fake messages from a seemingly trusted or reputable source designed to convince you to click on a malicious link, reveal information, give unauthorized access to a system or execute a financial transaction.

It may come as at text message, a phone call, or an email.

Someone may warn you that an account is in arrears, your Social Security Number is being “suspended,” or that you may be arrested for “fraud.” They may even have a portion of your SSN as “proof,” and claim they are going to increase your benefit.

They may claim that your SSN is being used to commit fraud in another state and that you need to call “them” back as soon as possible, or warn of pending legal action. They may say that your “account” is being renewed on your pre-arranged credit card for some service you never subscribed to.

These are all examples of “phishing” attacks that are seeking your personal information in order to cheat or steal from you.

Fraud has become a multi-billion dollar industry, and despite warnings, hundreds of thousands of Americans fall victim to these attacks every year. Don’t be one of them.

It’s important to understand that the Internal Revenue Service, the Social Security Administration, and other government organizations will never call you on the phone. They will mail you needed information. If you log onto their sites online, be sure that the web address, or URL, clearly shows that you are connected to a .gov website.

You will never get a legitimate call from a “private investigator” who is working on a bank fraud case and asking for your help, another common scam. They may simply try to sell you an auto warranty. Just hang up.

If someone asks you for secrecy, it’s they who are trying to hide. Never give a credit or debit card number, or any other personal information to a caller, or anyone who says they need to “confirm your identity.” Never listen to anyone who tries to gain your trust by providing fake “documentation,” false “evidence,” or the name of a real government official

Many phishing attempts are easily recognizable, like Mark Zuckerberg contacting you personally about a prize you’ve won. If you’re ever in need of a laugh, this guy spent two years replying to phishing emails and then wrote an entire book on his hilarious exchanges with fraudsters.

At this point, phishing is widely accepted as a “given” — part of daily online life. However, attackers keep innovating, finding new ways to social engineer their victims by preying on their natural curiosity, trust and compassion for others. And today, there are plenty of phishing schemes that aren’t so obvious and can potentially dupe even the most cautious online user. For example, highly convincing COVID-19 scams, from Facebook messages from “friends” who’ve fallen on hard financial times to emails requesting proof of vaccination status, are rampant right now.

According to US-CERT, some of the most common — and seemingly legitimate — phishing emails include fake communications from online payment or internet service providers (claiming there is a “problem” with your account); false accusations from the FDIC on violating the Patriot Act (requesting that you to “verify” your identity); and phony communications from your employer’s IT department (seeking passwords or other sensitive information that somebody can use to gain access to corporate systems and data)

In today’s digital age, keeping your personal information personal is vital to ensuring that your assets are not put at risk. If your information is compromised, you’re vulnerable to fraud, hacking, and identity theft which can cost countless hours and significant amounts of money to correct or repair.

With online shopping trumping in-store retail this holiday season, cybercriminals will have no shortage of potential victims to target. And they’ve only gotten smarter and more nefarious over the past year.

Bad Actors Are Taking Advantage Of Pandemic-Related Shortages

“The pandemic has caused significant shortages in many items, especially electronics,” said Erich Kron, security awareness advocate at cybersecurity firm KnowBe4. “This season is already known for the stress related to finding that must-have gift, however, the continued emotional stress caused by the COVID-19 pandemic combined with the even more significant shortages is causing people to take bigger risks to get that perfect gift. This means turning to unknown online vendors or social media marketplaces as a desperate last resort. Unfortunately, these risky moves often result in disappointment as scammers take the money and run.”

Phishing attacks are on the rise.

In 2020, 93% of UK organisations were targeted by Covid-19-related malware. 88% of security professionals reported an increase in phishing attacks.

Typically, criminals behind phishing attacks aren’t attempting to steal money. They’re attempting to steal something potentially much more valuable: data.

When phishing attacks trigger data breaches, the consequences for businesses can be severe.

Reputational damage

Following the announcement of a data breach, a company’s reputation immediately takes a hit.

Headlines like “British Airways data breach: Russian hackers sell 245,000 credit card details” and “EasyJet admits data of nine million hacked” become mainstream news stories. It doesn’t matter how formidable a company’s PR department might be.

Such reports can take years to fade from memory. As long as they linger, they influence public opinion of a brand.

Loss of custom

Reputational damage is just the beginning of the backlash.

News of a data breach tends to make customers nervous. A 2019 survey revealed 44% of UK consumers will stop spending with a business for several months in the immediate aftermath of a data breach. 41% of consumers reported they would never return to a business that had experienced a breach.

After 157,000 TalkTalk customers had their data compromised in 2015, customers left in their thousands. The costs of the breach reached £60m in 2016 alone. In 2019, it was reported that the company failed to notify 4,545 customers affected by the breach at the time. The ramifications, it seems, will continue for years.

Phishing scams are the most commonly reported type of cybercrime, and hackers frequently target business emails to increase profit potential. Companies can help employees protect themselves from these common types of attacks by offering training and education on what to look out for when it comes to phishing schemes. Individuals need also be diligent when it comes to unexpected emails or communications.The same cautions should be applied to voice calls, text messages, and other digital interactions.

In general, businesses are at a high risk of fraud due to a variety of factors, including large amounts of operating cash, multiple online users, and regular patterns of electronic and check payments. These payments can be targeted by account takeover or business email compromise scams.

See how Soffid can help you stay ahead of the curve in a rapidly evolving digital world avoiding phishing or any attack to your company, shall we talk?

 

Source:
(1) consumer.ftc.gov
(2) Dark Reading
(3) TechNews

Picture: <a href=’https://www.freepik.es/fotos/personas’>Foto de Personas creado por rawpixel.com – www.freepik.es</a>

Habitissimo

Habitissimo

Habitissimo is using Soffid as a Service to minimize their security risks:

  • Single sign-on: Users also get the benefit of using a single password to connect to their desktop operating systems, cloud and legacy applications.  This has enabled Habitissimo to enforce a secure password policy, including Linux, Windows and MacOs desktops.

  • Identity provisioning: Users are automatically created and disabled as soon as HR staffs register users in their HRMS.
  • Privileged accounts: Hibitissimo is now able to manage privileged accounts in servers and desktops, performing a proper password rotation.
  • Multi-factor authentication: Security has been improved by using a second authentication factor. Users can select the most comfortable device from a list of compatible devices.

As a result of these improvements, Habitissimo has been able to achieve the ISO-27001 certification.

 

 

 

Reinventing cybersecurity: Gartner Predictions

Reinventing cybersecurity: Gartner Predictions

The deeper we foray into the Internet Age, the more organizations turn to AI to raise our productivity, improve sales, or enhance our experiences. Now, they are also turning to it to shore up their defenses against the crime that inevitably follows.

As traditional company barriers broke down, and remote working became the norm, the threat landscape rapidly changed, bringing cybersecurity to centre stage for every digital organisation.

To be resilient in this hybrid working paradigm, businesses need to react to this evolved landscape as threats continue to grow both in size and complexity. Threats now exist both from within and externally, from individuals, cybercrime organisations and even nation states. The existing norms of securing organisational IT will not stand to test in this new reality. Enter cybersecurity solutions infused with artificial intelligence, powered by the cloud.

Enterprises that employed “business composability” were more likely to succeed during the volatility caused by the pandemic, according to Gartner. That volatility is here to stay, so now is the time to get ready for it.

Nearly two years after a massive disruption hit enterprises, a few lessons are evident. Some organizations quickly adapted to the circumstances, recognized the opportunities available, and acted to capitalize on them. Other organizations were caught unprepared for the unexpected and struggled to keep going. Some of them shut down.

What separated the successful organizations from the organizations that subsisted or didn’t make it at all? One factor might be what Gartner is calling “business composability,” or “the mindset, technologies, and a set of operating capabilities that enable organizations to innovate and adapt quickly to changing business needs.” This composability was a major theme at the Gartner IT Symposium/Xpo Americas, and Gartner is promoting the concept of business composability as the way for businesses to thrive through disruption in 2022 and beyond.

“Business composability is an antidote to volatility,” says Monika Sinha, research VP at Gartner,. “Sixty-three percent of CIOs at organizations with high composability reported superior business performance, compared with peers or competitors in the past year. They are better able to pursue new value streams through technology, too.”

Sinha compares the concept of composability to the way toy Legos work. She told InformationWeek in an interview that composability is about creating flexible and adaptive organizations with departments that can be re-arranged to create new value streams. She says organizations should target the following three domains of business composability:

1. Composable thinking

“This is the ability to be dynamic in your thinking as an organization,” Sinha says. This kind of thinking recognizes that business conditions often change, and it empowers the teams closest to the action to respond to the new conditions. “Traditional business thinking views change as a risk, while composable thinking is the means to master the risk of accelerating change and to create new business value.”

2. Composable business architecture

This is the ability of organizations to create dynamic ways of working, Sinha says. For instance, during the pandemic, some retailers were able to pivot quickly to providing curbside pickup, and some healthcare providers pivoted to providing telehealth appointments.

“Organizations looked at different types of models in terms of delivery,” she says. “In these types of organizations, it is really about creating ‘agile’ at scale, and agile types of working in the organization.”

Sinha notes that digital business initiatives fail when business leaders commission projects from IT and then shirk accountability for the implementation of results, treating it as another IT project. “High-composability enterprises embrace distributed accountability for digital outcomes, reflecting a shift that most CIOs have been trying to make for several years, as well as create multidisciplinary teams that blend business and IT units to drive business results,” Sinha says.

3. Composable technology

This is the IT architecture or technology stack, says Sinha. Technology is a catalyst for business transformation and thinking, and developing a flexible and modular technology architecture enables bringing together the parts needed to support transformation.

Distributed cloud and artificial intelligence are the two main technologies that a majority of high-composability enterprises have already deployed or plan to deploy in 2022, according to Gartner’s CIO Agenda survey. Gartner notes that these technologies are a catalyst for business composability because they enable modular technology capabilities.

Tech investments for 2022

Another major technology at the top of the list of planned investments for 2022 is cyber and information security, with 66% of respondents saying they expect to increase associated investments in the next year.

“Many organizations were dabbling with composability before the pandemic,” Sinha says. “What we saw was that those that were composable came out ahead after the pandemic. The pandemic highlighted the importance and the value of composability.”

Now, as many organizations look to find what is the “new normal,” it’s important to understand that there may not actually be one.

“This type of volatility is here to stay,” Sinha said. With IT budgets higher than they’ve been in the past 10 years, according to Gartner, now is the time to “leverage technology as a catalyst for creating more composable businesses.”

Sources:
(1) Informationweek
(2) technologyrecord.com
(3) Business Insider

Picture: <a href=’https://www.freepik.es/fotos/tecnologia’>Foto de Tecnología creado por rawpixel.com – www.freepik.es</a>

Common IAM Challenges Facing Businesses Today

Common IAM Challenges Facing Businesses Today

Managing identities and access entitlements is becoming increasingly challenging in a rapidly changing business, regulatory and IT environment, but those challenges are compounded for multinational organisations due to the distributed nature of their operations.

Identity and access management (IAM) is especially challenging for multinational companies that need to manage the identities of employees, partners, customers, consumers and devices wherever the company does business, while also complying with a range of data security and privacy regulations.

The domain of Identity and Access Management (IAM) has evolved over the past two decades. In the beginning, its primary purpose was to meet simple authentication requirements. As the adoption of IAM solutions increased across multiple industries, the need to meet several other requirements became apparent: service password management, single sign-on, multifactor authentication, entitlements, role engineering, authorization, life cycle management, access certification and more.

The accelerated shift to work-from-home due to the pandemic also means that SMBs are now more prone to cyberattacks, and the solutions that cater to organizations of all sizes are scant. The landscape of IAM is only becoming more convoluted and straying further away from simple and holistic security.

Converged IAM is one solution to this predicament. An IAM product that converges full suite of access management, authentication, authorization, IGA, PAM and risk analytics solutions in one platform can empower organizations to mature their overall security posture quickly, support identification of indicators of compromises (IOC) proactively and strengthen external as well as internal security maturity. It can also increase employee productivity with daily application usage, password management, single sign-on, access requests, approvals, reviews and more.

The future of IAM is not in fragments of different niches stitched together to cover various functionalities. It is in providing a single platform to meet all the IAM demands of today’s digital landscape that is constantly being encroached by threat actors.

Within the broader IAM challenge, there are several other specific challenges facing multinational organisations, often related to the fact that IAM is run differently in each region or location where the company operates. These specific challenges include:

  • Being able to deal with customers and employees with identities originally registered in one geography using their identities to access services and systems in another geography.
  • Delivering IAM services using different IAM technology stacks, processes, operating models and maturity levels across different company locations.
  • Supporting different languages in the different countries where the company operates.
  • Ensuring fast time to market for products and services requiring consistent IAM for employees, partners and customers in response to market needs and opportunities.
  • Enabling fast, simultaneous rollouts for new applications to new markets.
  • Standardisation and automation to reduce costs and risk of in-house solutions.
  • Built-in support for the internet of things (IoT), DevOps models and local DevOps teams.
  • Retaining control of infrastructure, changes, deployments and interfaces.
  • Complying with specific regional and local regulatory requirements in addition to global regulatory requirements in terms of data protection, information security, product safety and quality assurance, export regulation and financial regulation.

Identity and access management is a very common element to regulations, with each type of regulation often setting some requirements for managing IDs, onboarding, identification of customers, authentication, access control and access governance.

To deal with these regulations, multinational companies need a strong IAM that is flexible enough to be strong in some regions, but more relaxed in others.

Identity-as-a-service (IDaaS) solutions have appeared on the market in recent years, in line with the as-a-service trend. These IDaaS solutions offer several key benefits that could help multinational organisations to tackle the challenge of running a global IAM service.

Since first appearing on the market, IDaaS offerings have gradually matured to include identity management, entitlement management, authentication and authorisation, which are the key components of IAM, adding the depth required by modern enterprises to reduce security and compliance risk.

The IDaaS market has registered significant growth in the past few years because of the ability of IDaaS to enable organisations to:

  • Achieve better time-to-value proposition over on-premise IAM deployments.
  • Extend IAM capabilities to meet the security requirements of growing software as a service (SaaS).
  • Adopt global IAM standards and practices with access to industry expertise.
  • Reduce internal IAM costs and efforts to keep up with the market trends.
  • Limit internal IAM failures in project delivery and ongoing operations.

The shift of business workloads to the cloud, however, is a long-term journey for most businesses. Similarly, the shift from on-premise IAM to IDaaS services, while at the same time delivering comprehensive support for IAM capabilities across all target systems, regardless of their deployment model, is also a multi-step journey.

 

Sources:
(1)  Computerweekly
(2)  Forbes

Picture: <a href=’https://www.freepik.es/fotos/tecnologia’>Foto de Tecnología creado por rawpixel.com – www.freepik.es</a>