Across all industries, small businesses are increasingly facing new threats related to cyber security. Whereas some have taken minimum steps to address these threats but most have not. New security threats and incidents are reported every day in news reports and a many remain unreported. This underscores the need for cyber security education of small business owners and managers. These threats have potentially serious consequences and could lead to unrecoverable damage to small businesses.

What are some consequences of the lack of basic cyber security controls?

• Loss or stolen customer data
• Loss of intellectual property
• Decreased productivity
• Legal liability
• Regulatory sanctions and fines
• Computer systems downtime
• Loss of reputation and customer confidence
• Loss of revenue
• Banking Fraud

Could this happen to you?

It is very important to understand that neither size nor industry guarantees protection from an attack. The use of computer systems and the Internet makes you vulnerable to attacks and other threats.

A 2010 survey conducted by the Ponemon Institute and Guardian Analytics of over 500 SMBs surfaced these alarming statistics:

• 55% experienced a fraud attack in the last year
• 58% of the incidents involved online banking
• Over 50% experienced multiple incidents
• 87% failed to fully recover lost funds

You are not a big, well known business. Why would anyone attack you?

While it might be the case that well trained hackers are not very interested in your small company, most online attacks aren’t carried out by expert hackers. Attacks are perpetrated by low-skilled, common criminals with access to pre-packaged hacking tools, thereby casting a wide net in hopes of finding an unprotected computer system or network. These tools are easy to use and readily available on the Internet, often times free of charge. The anonymity of a cyber attack makes it even more attractive to criminals. Many attackers use safe havens in foreign countries which do not have strong cyber crime laws.

Malicious software like viruses, worms, trojan horses, spam, bots are all vectors of cyber attacks that are indiscriminately spreading across the Internet. These attacks don’t only target your small business computer systems but also seek to use your unprotected systems to launch attack on others.

Hasn’t IT guy(s) already dealt with this issue?

Although cyber security includes traditional “IT”related issues, it primarily focuses on protecting your valuable information from all threats including physical attacks, data corruption, equipment failure, social engineering, and bad security choices due to insufficient security awareness education. Effective cyber security management requires specific training related to threats, vulnerabilities, and risks affecting computer systems, business operational processes, and most importantly you and your employees. One’s security problems cannot be addressed solely by off the shelf products. Security must be addressed in the boardroom before it is addressed in the computer room.

What are the benefits and cost of cyber security?

Besides avoiding some of the devastating consequences mentioned earlier, good security is simply good business. It does far more than increase customer confidence and protects the integrity of your businesses brand. A secure business increases customer confidence, loyalty and adds to the businesses bottom line.

Responsible businesses understand that risk management mandates that all threats, including cyber threats, be assessed and managed to protect the business, employees and customers.

The potential cost of inaction far outweighs the cost of action. Analyzing your businesses risks allows you to weigh the costs and benefits and make informed decisions.

Where do you start? Where can you get help?

Although improving your security may seem a daunting task, it doesn’t have to be. Increasing cyber security awareness helps small and medium sized businesses proactively implement simple best practices to protect their businesses. Security should be built into your business processes, information technology (IT), and most importantly your employees and contractors. Each business is unique and faces challenges particular to their operations. There is no magic pill that guarantees 100% security. The SMB Cyber Security Alliance have security experts available to help you understand your unique risks and implement solutions that work your your particular business environment.

Visit us today and sign up for your free membership at http://www.smbcybersecurity.org

The SMB Cyber Security Alliance is volunteer-run organization seeking to increase cyber security awareness in small business communities through education, awareness training, free resources and consultations, and active engagements between small business owners and local security professionals.

Have you ever used your Google search history? If you are logged into any Google service, Google automatically keeps a history of your search queries ad web activities.

According to Google, Web History allows the following:

• View and manage your web activity.
  You know that great web site you saw online and now can’t find? From now on, you can. With Web History, you can view and search across the full text of the pages you’ve visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
• Get the search results most relevant to you.
  Web History helps deliver more personalized search results based on the things you’ve searched for on Google and the sites you’ve visited. You might not notice a big impact on your search results early on, but they should steadily improve over time the more you use Web History.
• Follow interesting trends in your web activity.
  Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends in your web activity.

If you don’t care to have that information recorded, you can and should “pause” it.

https://www.google.com/history

I completed an Internet Forensics training course this past week where the instructor made that statement. Of the twenty students in the class, only the instructor raised his hand. To which he declared ” Anyone who didn’t raise their hand is a liar!!” He was probably right.

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of  “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say.  Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom??  Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

From the following article: http://wcbstv.com/seenat11/internet.passwords.microsoft.2.1633927.html

“The study concluded someone hacking into your computer and stealing your password is similar to a crook getting your house key.

The crook will likely use it right away and not wait until after you’ve changed the locks.

“As soon as they’ve got it, they’re using it and then they’re gone,” said Lance Ulanoff, editor of PC Magazine.

Ulanoff advises people to get stronger passwords in the first place. ”

The so-called “expert” advise: Use stronger, more complex passwords.

I guess he is not familiar with the fact that stolen account credentials are bartered and traded like goods in the hacker underground. Ofscourse you should use complex passwords. But it’s still a good practice to change it occasionally.

These types of attacks have become the norm on Facebook.  Last week, I posted on a similar scam involving Whole Foods Grocery.

This particular  scam page had taken in more than 37,000 users by last Friday, offering them a $1,000 gift certificate in exchange for promoting Ikea to  friends. At that time, the page was gaining new fans at the rate of about 5,000 per hour. The promotion, the page said, was only available for one day.

To participate, users must become a fan of the fake Ikea page, hosted on Facebook, and then invite all their friends to become fans. They are then directed to an affiliate marketing page hosted by GiftDepotDirect.com, where they are asked personal information such as name, address, date of birth and home telephone number.

After that step, the victim is told to sign up for two online marketing offers – these ones with legitimate websites such as Netflix and CreditReport.com – in order to claim the gift card.

The promised cards in these scams never show up. Who would have thunk it??

** Cross-posted from www.secur3t.com**

Facebook users are expressing strong disapproval of proposed privacy changes will let the site share some user information with third-party Web sites and applications. Have you added your voice? These social networking sites have a captive audience which many businesses will pay a pretty penny to have access to and get information about.

When Google decided to unilaterally opt Gmail users into Buzz and share your contact information, it received bad press and an FTC filing. I can only hope the same and more happens here.

Under Facebook’s current rules you’re asked first if you want to share information (your name, photos and friends list) with third-party sites. The proposed policy, which Facebook hasn’t implemented yet, would bypass asking you for approval when visiting some sites and applications Facebook has business relationships with, sharing limited personal information automatically.

Tell Facebook how you feel about it here: http://blog.facebook.com/blog.php?post=376904492130

“I think the social networking sites are good to have,” she said. “You just have to be smart about it. Because just because you’re trustworthy and a nice person does not mean everyone on your Facebook is. So you can’t put your address — my address wasn’t even listed — or your phone number or that you’re home alone or going out of town.”

That’s a quote from a woman whose house was robbed by a Facebook “friend” after she updated her status indicating she was on her way to a concert. She appeared on the CBS Early Show this morning. The robber  had contacted her six month previously claiming to be long lost neighbor from 20 years ago. Fortunately for her, she had cameras installed at home and recorded  the culprit in the act.

I can’t stress enough the importance of limiting the information you put out there. With friends like these, ….

Source: CBS NEWS

Here’s an interesting story. Who didn’t see this coming?

“Police say a hacking investigation in Fairfax County, Virginia started with a Facebook pregnancy announcement. But, it turns out the woman is not expecting a baby.

According to police, someone hacked into her Facebook account and posted the fake status update. The victim, who is from Springfield, also claims someone accessed her Hotmail account and sent out nasty emails.

All of the victim’s classes at Northern Virginia Community College were canceled by the hacker.

Police are investigating the Facebook and Hotmail hacking claims, but so far no charges have been filed.”

Source: http://www.myfoxdc.com/dpp/news/local/woman-says-facebook-account-was-hacked

There have been numerous stories recently about the fact that the feds are trolling the social networking scene looking for…..whatever it is feds look for. I’m not sure why this is news or even unexpected. This is standard fare offline why should it be any different online where it is a lot easier to people to connect and share ideas good or bad. Is Facebook and Twitter sharing all my activities with the Man.? If so then they will have already sen this post before you did because my blog posts are automatically published on Facebook, Twitter, Myspace, Friendfeed, and a few more. Hey, I’m just trying to spread the word here. Are any of the folks you follow on Twitter under suspicion by the feds for…..whatever feds suspect folks of? How about your friends or fans on Facebook or some other networks? How would you know if they are? Man, this could get messy. But honestly, if they listen to your phone calls, why wouldn’t they track your online activity. I fully understand and appreciate the privacy concerns but I’m a realist. It’s happening, folks.  Don’t plan any federal crimes on Facebook!

Check out FBI Going Rogue on Facebook on DarkReading.com

Facebook is warning users to avoid bogus apps that claim to allow users to see who is viewing their profile. In a statement, Facebook said:

“Don’t believe any applications that claim they can show you who’s viewing your profile or photo. They can’t.”

Maybe it’s time Facebook reviewed it’s policy regarding vetting third-party applications.