ICYMI: A roundup of the SaaS & security insights you cared about in 2019

It’s nearly impossible to be successful as a company without paying attention to what’s happening in the industry and what our competitors are doing. But it’s truly impossible to be successful without paying attention to what you care about. Our customers, subscribers and supporters are crucial to our success, so noticing what resonates with you – what you engage with, what excites you, what you want to talk about – will continue to drive our organizational focus.

So as 2019 draws to a close, we wanted to take a look back at our most popular content of the year and give you another chance to check it out, just in case you missed it the first time around. 

  1. An interview with Scott Coons, Co-Founder of Applogie: “I believe customers will always tell you what you should build. You just have to be paying attention.”
  2. New feature: Protect your corporation with data breach discovery: “When you know that an account has been a victim of a data breach somewhere else online, you can prompt that employee to change his or her corporate password immediately, greatly reducing the chance that your own corporate systems are at risk of a breach as well.”
  3. Five ways to encourage security at your organization: “One of the biggest problems is that people are now so comfortable working, communicating and conducting business online, they’ve become overconfident in their immunity to risk.”

Happy New Year to all of you, and thank you for your continued support of Applogie throughout 2019.

If you haven’t tried Applogie yet, why not start your 2020 off right? Sign up for your free trial today!

Which of your employees are out to get you? Tips for identifying and understanding malicious insiders

Not to sound like a broken record, but protecting your organization’s information is a pretty big deal. Recent data breaches have cost corporations millions of dollars, and the trust of thousands of people. Like we’ve pointed out in the past, many of these breaches are caused by your employees and the other people who have access to your systems – the insiders. These insiders fall into four broad categories – and two of them aren’t even threatening your security on purpose. Those inadvertent insiders are the categories Applogie protects against. 

But what about the other two categories? The malicious insiders and the professional insiders? There are fewer people who are actively scheming to steal your company data, but they are out there – and they’re motivated. 

Okay, so the Applogie platform isn’t going to track down the people who are hellbent on stealing your information, but we’re experts in data protection, and we want to make sure you’re educated about all the ways in which your data could slip through the cracks. That’s why we want to run through some tips for spotting and understanding insider threats. It’s time to get to know your malicious insiders.

Who are they? 

Research done by Carnegie Mellon University’s CERT Insider Threat Center states that “the employees that pose the greatest risk for insider threat/theft include technical staff such as engineers and scientists, managers, sales personnel and programmers,” and warns organizations to pay particularly close attention to employees with administrative rights and specialized users of IT systems, because “these employees know the strengths and vulnerabilities of the systems.”

What’s their motivation?

The CERT Insider Threat Center has identified four categories of motivation for someone stealing corporate data: 

  • IT sabotage: When an insider wants to steal code, proprietary programs or other IT assets as retribution against the company for a perceived slight.
  • Business advantage: When an insider takes corporate data to use as an advantage at a new job (probably with one of your competitors) or to start a new business of their own. 
  • Financial gain: When an insider steals Social Security numbers, credit card data or banking information in order to defraud your company of money. 
  • Espionage: When an insider is spying on your company and taking its information to “the enemy” for corporate advantage, political gain, or financial reward. 

How do they do it? 

Malicious insiders steal and move corporate data in a variety of ways, including: 

  • Over email: Email is one of the easiest ways to transfer smaller amounts of data (less than 10 GB). 
  • Via FTP (File Transfer Protocol): Malicious insiders who know what they’re doing are likely to upload stolen data to an FTP site.
  • With removable media: Physically transferring data to a USB drive, cell phone, tablet or external hard drive is an easy way to copy data and carry it out of the office. It’s also tough to track and trace. 
  • By accessing your systems remotely: If your data is in the cloud (and it probably is), employees likely have access to it from anywhere, meaning they can download and save it to personal devices, machines and servers. 
  • On paper: Sure, it’s old-school, but it still works. Malicious insiders can easily grab paper documents containing your information and pass them into the wrong hands. 
  • Taking pictures and screenshots: Taking a picture of information on a computer screen with a personal cell phone is one of the easiest, quickest ways to get proprietary data off-site, and it’s nearly impossible to track. 

How do you spot a malicious insider? 

A 2019 Security Today article points out risk signs that an employee might be up to no good or desperate enough to feel that stealing from your company is their best option. These risk signs include: 

  • Extreme interest in matters outside their role and job duties
  • Working odd hours without authorization
  • Excessive negative commentary about the organization
  • Signs of drug or alcohol abuse, financial difficulties, gambling, and poor mental health

As with all cloud and cybersecurity matters, reducing your risk of a data breach by a malicious insider isn’t just one person’s or one department’s job.

“HR and IT security teams should be vigilant in the wake of significant organizational events, such as a layoff or if an employee believes they are going to receive a promotion and do not,” says Security Today. “Most important is coordination between HR and IT security around these events.”

Of course, it’s important to remember that two-thirds of total data records compromised in 2017 were the result of inadvertent insiders. So while there’s still a significant chance of a purposeful, malicious breach, it’s probably more important to defend your organization against the people who don’t know any better. Here are some steps to take to do so, and here’s how the Applogie platform puts automated protection in place. Try it today for free!

Five ways to encourage security at your organization

Your employees are all smart, savvy people, right? You probably wouldn’t have hired them otherwise. While this intelligence and shrewdness keeps your organization running, it can also work against you in certain situations – when it comes to cybersecurity, for example.

“That doesn’t make sense – my people have been working digitally for years – they know how to protect themselves and the company,” you might think. But Verizon’s 2018 Data Breach Report found that an average of 4% of targets in a phishing campaign will click, and that people who have clicked once are more likely to click again.

Last year, 60% of security professionals responding to the EY Global Information Security Survey ranked employee carelessness or negligence as a top threat, up from 44% in 2015. And their wariness isn’t misplaced: a 2017 report from Willis Towers Watson found 66% of all cyber insurance claims stemmed from employee negligence or malfeasance, and the FBI reported a staggering $12.5 billion lost in 2018 due to business email compromise alone.

One of the biggest problems is that people are now so comfortable working, communicating and conducting business online, they’ve become overconfident in their immunity to risk.

“Most modern workers think they know how to avoid security threats,” says Dark Reading. “We no longer have an awareness problem: Workers have heard the basics about phishing. We have a false confidence problem. Knowing about security threats is only half the battle. Employees also have to know what actions to take.”

Making sure your employees know what actions to take, and encouraging them or requiring them to do so, is primarily the responsibility of your organization. Here are five steps you can take to build and maintain a culture of true, educated, actionable cybersecurity at your organization:

  1. Conduct regular, relevant, updated training: We’ve all seen the dated training videos about cybersecurity risks … like leaving confidential documents sitting on a fax machine … and we’ve all laughed at them and zoned them out. It’s worth investing in personalized training that takes your organization’s policies, practices and risk factors into account. When employees feel that a trainer or training program really understands company culture and any potential threats, they’re much more likely to pay attention.
  2. Require password updates and security measures: Nobody likes a forced PC restart due to antivirus software. People really don’t like being forced to choose a new 15-character password with at least one number and one special character every three months. But these measures are extremely important for maintaining protection over your organization’s information. Unique passwords (that aren’t the same as passwords your employees use for banking, shopping and accessing medical records) can help discourage breaches from occurring, and company-wide antivirus software installation and maintenance can help protect you from threats that do manage to break through.
  3. Start from the top: Corporate cybersecurity cannot be a ‘do as I say, not as I do’ situation. Employees need to see your organization’s leadership following best practices too. When good behavior is modeled for them and they see executives following the same policies they are told to follow, they are more likely to do so.
  4. Remind employees it’s about them too, not just the company: No matter how loyal your people are, the idea of a threat to their personal bank accounts or identifying information will probably encourage action better than if they think only corporate information is at risk. Remind them that because so much of our lives are lived online these days, a breach to their corporate accounts can mean increased risk to their personal accounts.
  5. Invest in a solution to monitor individual security breach risk: On the flip side of that, if an employee’s information is compromised elsewhere on the internet, your organization is more at risk. With Applogie’s data breach discovery feature, you can get alerted when an employee account has been compromised somewhere else online. Then you can prompt that employee to change his or her corporate password immediately, greatly reducing the chance that your own corporate systems are at risk of a breach as well.

We all think we’re smart enough to avoid security threats online, but we all get careless. The right corporate policies and solutions can help your employees shoulder less of the responsibility, and the right educational tactics and behavior modeling will encourage them to be as safe as possible with your organization’s systems and information.