White hat, black hat, and the emergence of the gray hat: the true costs of cybercrime

White hat, black hat, and the emergence of the gray hat: the true costs of cybercrime

Posted: August 8, 2018 by 
Last updated: August 6, 2018

This post was written by Michael Osterman of Osterman Research.

Osterman Research recently completed a major survey on behalf of Malwarebytes to determine the actual cost of cybercrime to businesses. Many studies have focused on the cost of lost reputation, lost future business, and other consequences of cybercrime—and while these are certainly valid considerations—we wanted to understand the direct costs of cybercrime. To do so, we surveyed mid-sized and large organizations on a variety of issues, but focused on three cost components:

  • Security budgets
  • The cost of remediating “major” events, e.g., events like a widespread ransomware infection or major data breach that would be highly disruptive to an organization and might take it offline for some period of time
  • The cost of cybercrime perpetrated by “gray hats;” those employees who dabble in cybercrime without giving up their day job as a security professional

Here’s what we discovered:

Cybercrime isn’t cheap

Organizations of all sizes can expect to spend significant amounts on various cybersecurity-related costs. For example, our research found that an organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs (that’s nearly $760 per employee).

While the costs are lower in most of the other countries that we surveyed, the global average exceeds $1.1 million for a 2,500-employee organization.

Gray hats are a problem

Globally, one in 22 security professionals are perceived by their security-professional peers to be gray hats, but this figure jumps to one in 13 for organizations based in the United Kingdom. Mid-sized organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be the greatest.

Underscoring the depth of the gray hat problem is the fact that 12 percent of security professionals admit to considering participation in black hat activity, 22 percent have actually been approached about doing so, and 41 percent either know or have known someone who has participated in this activity. This is by no means a rare or isolated problem!

Once more unto the breach

We found that the vast majority of organizations have suffered some type of security breach and/or attack during the 12 months preceding the survey. The most common avenue of attack was from phishing, but others that were experienced included adware/spyware, ransomware, spearphishing, accidental and intentional data breaches, nation-state attacks, and hacktivist attacks.

Only 27 percent of organizations reported no attacks during the 12 months leading up to the survey, and even that figure may underestimate the depth of the problem: some organizations can be infiltrated by stealthy attacks that may not be discovered for several months after the initial infiltration.

The middle child syndrome

Corroborating what Osterman Research has discovered in other research, mid-market companies—those with 500 to 999 employees—face the most difficult challenges from a security perspective. They encounter a higher rate of attack than smaller companies and similar rates of attack as their larger counterparts, but they have fewer employees over which to distribute the cost of the security infrastructure.

In short, mid-market organizations have big company problems and small company budgets with which to solve them.

Major attacks

We found that a “major” attack occurs with alarming frequency. Globally, we found that during 2017, such attacks occurred to the organizations we surveyed at an average of once every 15 months. But US organizations were the hardest hit in 2017, with an average of one attack every 6.7 months. These are highly disruptive events that can take a company off-line for days or weeks.

As just one example of such an attack, consider the City of Atlanta that was infected with ransomware in April 2018 and has spent more than $2.6 million on remediating the compromise. The attack impacted five of the City’s 13 departments and the police department’s records system, as well as causing other mayhem for city employees and the public.

The bottom line is that cybercrime costs enormous amounts that go well beyond the annual security budget. And if companies don’t find a way to put a stop to the cybercrime happening both inside and outside of their walls, they’ll have to pay the price.

ABOUT THE AUTHOR

8 everyday technologies that can make you vulnerable to cyberattacks

8 everyday technologies that can make you vulnerable to cyberattacks

Posted: August 9, 2018 by 
Last updated: August 8, 2018

The technological advances of the modern world make for an exciting and convenient lifestyle. With each new development, from artificial intelligence to the Internet of Things, we make the mundane and tedious more manageable.

The security vulnerabilities of the latest tech have been well documented. But what about everyday technologies that have been around for a while or are widely adopted? Those familiar devices and programs can also put you at risk of being targeted by hackers.

Here are eight commonly-used tech conveniences that are not as ironclad as you might hope.

1. Smart speakers

Smart speakers like Google Home or Amazon Echo, feature countless capabilities meant to assist users. However, cybersecurity experts also warn they’re vulnerable to numerous types of attacks.

Some involve threat actors controlling the speakers with supersonic commands that humans can’t hear, but smart speakers recognize when embedded into YouTube videos, white noise, or other content.

Researchers also discovered hackers could engineer smart speaker apps that seem legitimate but actually come straight from those orchestrating cyberattacks. Sometimes, even when users close out of the apps, they keep recording conversations and other sounds happening in the home and sending them to criminals silently in the background.

2. Smart security systems

Smart security systems let you keep an eye on your home while at the office or vacationing in another country. These systems allow users to sort through hours of footage stored in the cloud or can use artificial intelligence to learn familiar faces who arrive at your door.

However, even security systems can have flaws. A cybersecurity research team in Europe found a bug in Swann smart security cameras that allowed footage from one home to be broadcast to other homes. If hackers had discovered that problem instead of the researchers who verified its existence, they could have used the vulnerability to intercept footage and spy on homeowners. Then, it’d theoretically be quite easy for them to move beyond hacking into the realm of burglary.

3. USB drives

USB drives increase the capabilities of your computer, specifically by being able to move files from one location to another, or to increase storage capacity. They’re also relatively easy for hackers to corrupt by loading worms or other kinds of malware onto them. The US military even knew of the potential danger they posed and banned the use of thumb drives a decade ago.

Unfortunately, many individuals and businesses do not understand the genuine risk of letting employees connect to the Internet while using unsecured USB drives. Instead, they view USBs as tools of convenience, not gadgets that could infect their computers or networks. For example, if a USB drive is connected to a machine that’s infected with ransomware, the files on that drive will also become infected. Moving that drive from one computer to the next, then, could spread the infection beyond a single endpoint to multiple systems.

4. Dongles

Where USB drives give you more room to store files on a computer, dongles plug into USB ports and increase functionality by providing extra content or features. For example, smart TV dongles give you extra channels and movies to enjoy.

A few years ago, cybersecurity experts hacked a dongle provided to car owners by an insurance company to track their driving habits. The experiment allowed researchers to control the windshield wipers of the vehicle fitted with the dongle and—much more alarmingly—enable and disable its brakes.

A more recent problem affected the Amazon Fire Stick. In that case, threat actors installed cryptomining malware that didn’t show up in users’ lists of running apps. Besides making the Fire Stick and its Internet connection sluggish, the malware sometimes made itself known by displaying the word “test” on the screen, accompanied by the Android bot icon. Fortunately, it’s reportedly fixable by restoring the dongle to its factory settings.

5. Shared media files

Cybercriminals consistently engineer new ways to trick people into giving up their passwords, credit card numbers, and other personally identifiable information (PII) through phishing attempts. Phishes typically show up in victims’ inboxes and look exactly like legitimate emails, down to the color schemes, buttons, and headers.

You might already know that downloading an unfamiliar email attachment increases the possibility of being infected, but perhaps you let your guard down when using a well-known file-sharing service like Dropbox. Hackers send malicious emails seemingly originating from Dropbox, too.

Once people click on links within those messages, their browsers go through a redirect process and proceed to download a JavaScript file put there by cybercriminals. Lo and behold, passwords and other credentials entered to access the “Dropbox” folder will be scraped and sent off to those crafty criminals, who can sell them on the black market to the highest bidder.

6. Wi-Fi networks

People use Wi-Fi networks every day and scarcely think about the consequences. Unfortunately, hackers often take advantage of that dependence. Sometimes they create illegitimate, publicly accessible Wi-Fi networks with official-sounding names, like Philadelphia Airport, and hope people will connect to those without verifying they’re real.

Other disturbing research reveals ex-partners are wreaking havoc via remotely-managed instances of domestic abuse. The people affected are collectively known as smart home abuse victims. A study about the matter emphasizes how an individual need only know a home’s Wi-Fi network password and have a corresponding smart home app on their phone to make the lights turn on and off, crank the thermostat up to an unbearably hot temperature, or otherwise make life extremely unpleasant.

7. Smart phones

Like many people, you probably think of your smart phone as much safer from malware than your computer. However, the very thing that makes smart phones “smart,” the Internet, is what makes them vulnerable. Often, infiltration happens when threat actors create apps that look legitimate, but are actually a front for loading all kinds of malware in the background, from cryptominers to adware and even ransomware.

In addition, criminals can infect your phone through smishing, or SMS phishing, where malicious links are texted to individuals under the guise of a great promotion or pretending to be from a credible institution, such as a doctor’s office or bank.

A case involving activists working for Amnesty International revealed hackers installed a kind of spyware called Pegasus through WhatsApp (the real app, not a spoof). Moreover, there are nearly 200 publicly-reported cases of nonprofits being targeted through WhatsApp by that spyware or similar form of malware.

8. Web browsers

Using the Internet would be substantially more cumbersome and maybe even impossible without the invention of the web browser. However, just like the other items on this list, web browsers can also serve as gateways through which hackers enter. One bug that made headlines in April 2018 involved hackers compromising Windows computers through a vulnerability in Internet Explorer, which allowed users to be infected by a malicious Microsoft Word file.

Another kind of malware called Vega Stealer snatches credit card details input into fields when people use the Chrome or Firefox browsers. It can also take data from Word and Excel files and show it to outside parties.

Finally, criminals have found another route to infect users via browser by creating rouge plugins that often make their way past official review for listing in browser web stores by appearing to be legitimate. However, once approved and adopted by the stores, threat actors flip the switch and add malicious updates, infecting any users who download the plugins for additional browser functionality.

Many issues discovered by researchers

If there’s a positive side to several of the vulnerable tech items on this list, it’s that cybersecurity researchers uncovered their vulnerabilities and notified the appropriate parties. Of course, it’s worse when device owners are the ones who learn that problems exist when their computers, phones or other tech helpers start behaving strangely.

In any case, now that you know about some of the things cybercriminals do to unsuspecting users of technology, aim to be more aware of when things seem amiss. Being proactive can sometimes prevent small issues from becoming gigantic catastrophes.

ABOUT THE AUTHOR

Tech journalist covering AI, the IoT, and cybersecurity. In addition to being a senior writer for MakeUseOf, Kayla is a regular contributor at Digital Trends, The Next Web, VentureBeat and TechnoBuffalo.

8 everyday technologies that can make you vulnerable to cyberattacks

 

Introducing: Malwarebytes Browser Extension

Introducing: Malwarebytes Browser Extension

Posted: July 26, 2018 by 

Are you tired of all the unwanted content the world wide web offers up, whether you like it or not? It is our privilege to introduce you to the Malwarebytes Browser Extension (BETA). Or, better said, the Malwarebytes Browser Extensions, because we have one for Firefox and one for Chrome.

Introduction

Malwarebytes Browser Extension delivers a safer and faster web browsing experience. It blocks malicious websites and filters out unwanted content (resulting in up to three times faster webpage load times). The filtering is not based on definitions, so the extensions can block previously-unidentified fake tech support scams and their tactics.

What will it do for your browsing experience? It prevents pop-ups, browser hijackers, and browser lockersfrom harassing you and interrupting your surfing. It also blocks clickbait links and fake news content, stops in-browser cryptocurrency miners, and gives other malicious content the boot. All this while relying on threat behavior patterns rather than on researchers who have to track down, identify the malware, and add it to a database of known threats. (We still need those researchers to make our products better. This is just a different, faster method.)

Speaking of behavior patterns, our browser extension is the first that heuristically identifies and blocks tech support scams‘ browser-locker pages, which scare users into calling fake tech support scammers. So it protects you from unwanted social engineering tactics as well.

Why should I use it?

This is where Malwarebytes Browser Extension can help you:

  • Protection from tech support scammers: Blocks browser hijackers, and browser lockers, which are used by scammers to drive victims to call centers that use scare tactics to sell expensive technical support (that you don’t need).
  • Faster web page load times: Popular websites download a lot of unwanted content in the background. By filtering out clickbait and ads, Malwarebytes Browser Extension BETA can speed up your webpage load time, saving your sanity and bandwidth.
  • Prevents visits to malicious pages: Protects you from inadvertently visiting bad websites that host malware content, steal your identity (phishing), load Bitcoin miners in the background, which slow down your computer, and a long list of other obnoxious behaviors that can make your online experience less than stellar.
  • Keeps your privacy private: Blocks third-party ad trackers that follow you around the Internet and target you with the same ads over and over again.

And these are the features it has to offer:

  • Malware protection: Blocks malicious programs or code that can damage your system.
  • Scam protection: Blocks online scams, including technical support scams, browser lockers, and phishing.
  • Advertising/tracker protection: Blocks third-party ads and third-party ad trackers that monitor your online activity. The number of blocked ads/trackers for a website will show beside the Malwarebytes logo in your browser.
  • Clickbait protection: Blocks content and websites that often display behavior of questionable value.
  • Potentially unwanted program (PUP) protection: Blocks the downloading of potentially unwanted programs, including toolbars and pop-ups.

Download and install

Chrome

The Chrome extension can be downloaded from Google’s webstore.

Malwarebytes Browser Extensions in the webstore

Installing the extension is pretty easy. Just follow the prompts when you click “ADD TO CHROME” in the webstore.

Confirm that you want to add the Chrome extension

Confirm that you want to add the Chrome extension

 

And you should see this prompt when the install is complete.

And you should see this prompt when the install is complete.

To double-check whether the installation was successful, you can check under Settings (use the icon that looks like three vertical dots) > More Tools > Extensions. You should find this entry:

installed Chrome extension

Firefox

The Firefox extension can be downloaded from the official Firefox Add-ons page. On the Add-ons page, click the “+ Add to Firefox” button and follow the prompts.

downloading Firefox add-on

Click “Add” to confirm that you want to install the Firefox add-on.

Click “Add” to confirm that you want to install the Firefox add-on.

And you should see this confirmation:confirmation Firefox add-on

To double-check whether the installation was successful, you can check under the Menu icon (otherwise known as a hamburger, which looks like three horizontal bars). Look for “Add-ons,” and you should find this entry:

Malwarebytes Browser Extensions Firefox add-on

Fine-tuning

In both Chrome and Firefox, you can make adjustments to the settings of Malwarebytes Browser Extension for more granular control. To reach the settings menu, click the blue Malwarebytes logo in the browsers’ menu bar. This will show you the current protection status and two additional links.

Malwarebytes Browser Extensions protection status

To enable or disable individual protection features, click the “Settings” link in that prompt. This will show you a menu:

Malwarebytes Browser Extensions settings

Here, you can also find information about what each protection mode guards against.

Under the “Allow List” tab, you can allow individual domains and IPs manually (in case we block something that you don’t want to be blocked). You can remove them from the list as well, if you change your mind.

allowed list

Under the “About” tab, you can check the version information and, importantly, allow the telemetry from the Browser Extension to be sent to us anonymously. This will help the researchers I mentioned earlier to assess whether a domain or IP should be blocked permanently.

telemetry

Functionality

When the browser extensions block a site, they will show you a warning similar to this one:

Malwarebytes Browser Extensions block

The dangers are classified along the lines of the major risks that a web browser might run into:

Adware
Compromised
Exploit
Fraud
Hijack
Malvertising
Malware
PUP
Pharma
Phishing
Ransomware
Riskware
Spam
Spyware
Trojan
Worm

The “blocked” page will offer a short explanation of these risks in the upper drop-down menu.

But, it’s a BETA

Why, yes, it is! So, you are using it at your own risk. Suffice it to say that both extensions have been downloaded thousands of times, and most complaints so far have been about false positives. All of these have been analyzed, and some have led to changes in the software. On a personal level, false positives are easy to resolve, as the extensions offer you the option to visit the blocked site anyway. Compared to the potential damages done by visiting a malicious site, this seems like small potatoes. It’s also possible to disable some of the features if you find them too aggressive for your liking.

We hope to be able to announce the full, official version of the Malwarebytes Browser Extension soon!

Give the Malwarebytes Browser Extensions a whirl, and stay safe out there!

Introducing: Malwarebytes Browser Extension

 

What’s in the spam mailbox this week?

What’s in the spam mailbox this week?

Posted: July 31, 2018 by 
Last updated: July 30, 2018

We’ve seen a fair few spam emails in circulation this week, ranging from phishing to money muling to sexploitation. Shall we take a look?

The FBI wants to give you back your money

First out of the gate, we have a missive claiming to be from the FBI. Turns out you lost a huge sum of money that you somehow don’t have any recollection of, and now the FBI wants to give it back to you via Western Union.

Sounds 100 percent legit, right? Here’s the email. See what you think:

Attn: Beneficiary

After proper and several investigations and research at Western
Union and Money Gram Office, we found your name in Western Union
database among those that have sent money through Western Union
and this proves that you have truly been swindled by those
unscrupulous persons by sending money to them through Western
Union/Money Gram in the course of getting one fund or the other
that is not real.

In this regard a meeting was held between the Board of Directors
of WESTERN UNION, MONEYGRAM, the FBI alongside with the Ministry
of Finance, As a consequence of our investigations it was agreed
that the sum of One Million Five Hundred Thousand United States
Dollars (U.S.1,500,000.00) should be transferred to you out from
the funds that The United States Department of the Treasury has
set aside as compensation payment for scam victims.

This case would be handled and supervised by the FBI. We have
submitted your details to them so that your funds can be
transferred to you. Contact the Western Union agent office
through the information below:

Contact Person: Graham Collins
Address: Western Union Post Office, California
Email: westernunionofficemail0012@[redacted]

Yours sincerely,
Christopher A. Wray
FBI Director

Sadly, the FBI are not going to discover you’re owed millions of dollars then send you off to deal with a Western Union rep to reclaim it. Additionally, a quick search on multiple portions of the text will reveal parts of the above message dating back many years. It’s a common scam tactic to lazily grab whatever text is available then reword it a little bit for a fresh sheen. For example, here’s one from 2013 that came with a malicious executable attachment.

This one has no such nasties lurking, but someone could still be at risk of falling into a money mule scam, or losing a ton of cash from getting involved. The good news is that ancient text reuse tends to send up the spam filter flags for most email clients, so if you do come across this, there’s a good chance it’ll be stuffed inside your spam bin where it belongs. If it’s in there, hammer the delete button and forget about it.

Let’s go Apple phishing

Next up, a pair of Apple phishes:

apple phishing

Click to enlarge

The first links to a site that’s currently offline, but does try to bait potential victims with a fake transaction for a set of $299 headphones:

fake headphone order

Click to enlarge

As with most of these scams, they’re hoping you’ll see the amount supposedly paid, then run to the linked site and fill in the phishing form.

The text from the second one reads as follows:

Your Apple ID has been Locked
This Apple ID [EMAIL ADDRESS] has been locked for security reasons.

It looks like your account is outdated and requires updated account ownership information so we can protect your account and improve our services to maintain your privacy.

To continue using the Apple ID service, we advise you to update the information about your account ownership.

Update Account Apple ID
For the security of your account, we advise not to notify your account password to anyone. If you have problems updating your account, please visit Apple Support.

A clickable link leads to the below phishing site located at appelid(dot)idnotice(dot)info-account-update-limiteds(dot)com:

apple phishing page

Click to enlarge

Upon entering a username and password, the site claims the account has been locked and needs to be set back to full health.

locked!

Click to enlarge

Potential victims are directed to a page asking for name, address, DOB, payment information, and a variety of selectable security questions.

phish asking for personal info

Click to enlarge

We don’t want anybody handing over personal information to scam mails such as the above, much less any fake login portals further down the chain. Always be cautious when seeing wild claims of payments and mysterious orders you have no recollection of; the name of the game is not so much panic buying as panic clicking, and that can lead to only one thing: hours spent dealing with the customer support section of shopping portals or your bank.

Sexploitation, Bitcoin, and old passwords

Speaking of mysterious behavior you have no recollection of participating in, a recent, massive phish email first hooks users by divulging their real, former password in the subject line, and then telling said recipients they’ve been caught on camera looking at porn and, um, doing other stuff.

Now, the drop of a password, even an old one, is enough to get many readers to raise a brow and open the email. Once opened, though, one of two things can happen. Those who haven’t viewed porn on their computer can breathe a sigh of relief. For the millions of others who have, however, a little panic might ensue, especially when the scammers ask for $7,000 in Bitcoin for hush money.

The email reads as follows:

I am well aware [redacted] is your password. Lets get directly to purpose. You don’t know me and you are probably thinking why you’re getting this email? Not a single person has compensated me to check you.

Let me tell you, I setup a malware on the xxx videos (porn material) web-site and you know what, you visited this website to experience fun (you know what I mean). When you were watching video clips, your web browser began functioning as a RDP that has a key logger which provided me with accessibility to your display as well as web cam. Right after that, my software collected all of your contacts from your Messenger, Facebook, as well as emailaccount. After that I made a double video. First part displays the video you were watching (you’ve got a good taste rofl), and next part displays the view of your webcam, & its you.

You actually have two different possibilities. Shall we review each one of these solutions in aspects:

Very first option is to just ignore this email. In such a case, I will send out your actual recorded material to every bit of your personal contacts and thus think about regarding the embarrassment you will see. In addition if you are in a romantic relationship, how it would affect?

2nd solution is to give me $7000. I will call it a donation. Then, I most certainly will straightaway discard your video footage. You will continue on with your way of life like this never occurred and you will not ever hear back again from me.

You’ll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

BTC Address: 14Fg5D24cxseFXQXv89PJCHmsTM74iGyDb

[CASE-SENSITIVE copy and paste it]

If you may be wondering about going to the authorities, good, this email can not be traced back to me. I have covered my actions. I am just not attempting to charge you very much, I only want to be compensated. I’ve a special pixel within this email, and now I know that you have read this e mail. You have one day to pay. If I do not get the BitCoins, I will definitely send out your video recording to all of your contacts including friends and family, colleagues, and many others. Nevertheless, if I do get paid, I’ll destroy the recording right away. It’s a non-negotiable offer, thus don’t waste mine time and yours by responding to this message. If you want to have evidence, reply with Yup! and I definitely will send your video to your 9 contacts.

This sextortion scam has been around for quite a while; the new twist is the use of real passwords. According to Krebs on Security, the scammers likely collected these passwords and emails from a data dump possibly dating back 10 years or more. Our own Malwarebytes researchers have been scouring various data dumps looking for the source of the breach, but so far have not found the smoking gun. The problem is that most users’ credentials have been swiped in one breach or another, if not multiple—if not dozens! So it’s difficult to triangulate and trace back to a single source.

The good news is, if you received one of these emails, you simply need only flag it as spam and delete. And if you’re suddenly worried about someone being able to see your nocturnal activities, you can buy a webcam cover for between $US5 and $10.

ABOUT THE AUTHOR


Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

What’s in the spam mailbox this week?

Can we trust our online project management tools?

Can we trust our online project management tools?

Posted: July 6, 2018 by  
Last updated: July 4, 2018

How would you feel about sharing confidential information about your company on Twitter or Facebook? That doesn’t sound right, does it? So, in a corporate life where we keep our work calendars online, and where we work together on projects using online flow-planners and online project management software, it might pay off to wonder whether the shared content is safe from prying eyes.

What are we looking at?

From the easy-to-use shared document on Google Drive to full-fledged Trello boards that we use to manage complicated projects—basically everything that uses the cloud as a server is our subject here. When evaluating your online project management tools, it is important from a security standpoint to have an overview of:

  • Which online project management platforms are you using?
  • Which data are you sharing on which platforms?
  • Who has access to those data?

Once you know this, you can move on to the main question:

  • Is the data that should stay confidential shielded well enough?

What are the risks?

The risks of using online project management tools are made up of several elements. Once again, a list of questions will help you gage this, including:

  • How secure is the platform you are using?
  • Do the people that have access to the data need to have access? And are they given access to see allthe information that is shared, or just a portion?

As you can see, we are not just worrying about outsiders getting ahold of information. Sometimes, we must keep secrets, even from our own co-workers. Not every company has an open salary policy, for example, so the information how much everyone makes might not be allowed outside of HR.

But the threat of a breach is the most important one. Having the competition know about the latest project your design team is working on can be deadly in some industries. And of course, any project that contains customer data and is not secured can be breached by a cybercriminal. Knowing this, it’s our job to help you find the safest possible tool to perform your job.

Does it make sense to share online?

Are we sharing information online because we need to do it online or just because we can? Sometimes being the cool kids that use an online project management platform that has all the bells and whistles is more a matter of convenience than it is strictly necessary. But if you are:

  • employing remote workers
  • cooperating between offices around the world
  • heavily relying on a BYOD strategy

then online tools maybe the only way to realize your project management goals.

Every ounce of prevention

What you don’t share can’t get lost. And control over what you do share (and with whom) is adamant.

  • Limit the amount of privileged information you are sharing. Make sure that only the information needed for the project is being shared with the appropriate team members.
  • Change the login credentials at a regular interval, and do this in a non-predictable way. Going from “passwordMay” to “passwordJune” at the end of the month will not stop nosy co-workers from digging. Do not post the new credentials on the platform, either.
  • Use 2FA where and if possible to enhance login security.
  • Update and patch the software as soon as possible. This limits the risk of anyone abusing a published vulnerability in the platform.
  • Keep tally of who is supposed to have access at all times, and check this against the connected devices when and if you can.

Breach management

Hardening your online tools against breaches is usually in the hands of toolmakers themselves—the software provider or the cloud service provider with whom you’ve partnered. Therefore, it makes sense to look into the project management tool’s reputation for security, as well as its ability to serve your company’s needs. While you can’t control the security of the tool itself, you can limit the consequences of a mishap, should it occur, by doing the following:

  • Don’t try to keep it a secret when credentials have been found in the wrong hands. Making participants aware of the situation helps them to change passwords and follow up with other appropriate actions.
  • Make sure there are backups of important data. Someone with unauthorized access may believe in burning the bridges behind them.
  • In case of a breach, try your best to find out exactly how it happened. Was there a vulnerability in the tool? Did a team member open up a malicious attachment? This will assist you in preventing similar attacks.

Controlling the risks

Working in the cloud can be useful for project management, but sometimes we need a reminder that there are risks involved. If you set up an online project management tool or other cloud-based project, it’s good to be aware of these risks and give some thought to the ways you can limit them.

When you’re working on a project for your company—whether it’s leading a team or participating in the project’s development—it’s important to make data losses as rare as possible, to learn from your mistakes, and to handle breaches and other security incidents responsibly.

Stay safe out there!

 

ABOUT THE AUTHOR

  
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

Can we trust our online project management tools?

Pin It on Pinterest

Shares
Share This