How ‘Security Responsible’ are You?

TELUS has released their 6th annual study of Canadian business security practices.

The report focuses on which best practices businesses have in place, that go beyond just compliance (as in, the bare minimum forced on you by the government.)

Ideally, your business is in the quadrant with the *.

How does your small business compare?  Take this test to find out.

Give yourself a score between 0-7 (0 being terrible, 7 being excellent), then compare how you operate to other Canadian businesses.

Do you…

1 – monitor and/or have rigorous procedures to act on new threat information

2 – understand the security drivers impacting your business

3 – conduct regular security awareness training for employees

4 – involve security early and throughout the development of new infrastructure/systems

5 – communicate social media policies to their employees

6 – have and/or execute on a comprehensive mobile security strategy

7 – conduct enterprise mobility security testing and Threat Risk Assessments (TRA)

Now compare:

The more “security responsible” companies have: less breaches, retain staff longer, better managed risk, and are positioned better to take new risks (side-note from me: they have better business karma, because accepting a credit card and being careless and lazy about it is terrible.)

And ideally, you have ongoing employee training sessions, because the human is always the weakest link.

Note:

This is an excerpt from my interview with Hernan Barros, Directory of Security Solutions at TELUS, and Walid Hejazi, Associate Professor, Rotman School of Management, University of Toronto, about their new study, the 2014 TELUS-Rotman IT Security Study.

The study is in its 6th year, and TELUS remains the country’s only telecom to proactively study security, and this is the only Canadian study this in-depth on a single country.

How it was conducted: 400+ security professionals were surveyed in the 2nd half of 2013, looking for both qualitative and quantitative data on how companies are executing their security strategies. Respondants were Private 48%, Government 23%, Publicly Traded 20%, and Non-profit 9%.

Blog tag = TELUS Security

 

 

About the HeartBleed Vulnerability

What is it

It is not a virus, it’s a bug in OpenSSL. It is potentially the largest vulnerability in the history of the internet, affecting an estimated two-thirds of secure websites worldwide.

Heartbleed is:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

As security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

Very basically – an attacker can move in and out, stealing sensitive data and passwords, and leave zero trace.

Sites that have little lock icon in the URL bar are what’s affected, seen when using HTTPS (like email, Facebook or banking).

Learn More

Mashable – here / Bruce Schneier – here / Heartbleed site here

Check if Your Site is Vulnerable

Here – Filippo.io

What to do

Everyone: change any passwords that may use OpenSSL. Mashable has a list of affected sites here.

Small Business Owners: you need to call your IT guy now. Now. If you are taking credit cards, or any sensitive or private data, you have a responsibility to protect your customers who have trusted you.

Judging eyes :|

A Rant

This Shangri-lala land we’re living in will soon end, maybe with a massive, worldwide compromise, that will force us to change the way the way we conduct ourselves online.  One day, you’ll tell your grandchildren, of a time when people’s passwords were all the same 

This Heartbleed bug is the beginning of that. Go change your passwords.

</rant>

(via XKCD.com)

Imagination.

 

 

Talking with Telus About Security

Last week, Telus invited me to to an information security talk at Reasearch House, one of North America’s largest data-collection facitilities.

I said yes, without fully understanding what I was walking into; check this out:

Sooo, basically I sit in this comfortable chair, on the good side of one-way-glass, and straight-up get to stare and people-watch, while they talk about my favourite topic?  Yesssss.

These are senior-level Security and IT decision makers, from 6 large Canadian organizations, that I know you know.

Security is a difficult discussion for companies to have publicly, because when you point out your vulnerabilities, it opens the door to potential attacks.

That’s why I’ve blurred out their names and faces (learn how to edit a photo you’re posting online here)

These are the kind of guys who protect the company’s information, and yours.  They’re not a help desk, and every phone call they receive is a, “it’s the end of the world” call. Maybe bring them doughnuts sometimes.

Today’s topic was BYOD – Bring Your Own Device.  

Example: your personal cel phone, (not supplied by your employer),
is allowed to send and receive corporate email,
and connect to the corporate network

AKA: Bring Your Own Disaster

EMPLOYEES

BYOD is a bigger deal than you may realize.  Thousands of devices, that are probably less-than-secure, connecting to the corporate network and WiFi.  That’s now at least 3 more operating systems to accommodate, manage, and secure. Even worse, now confidential company information is walking around in someone’s pocket, going to the bar, you have a lock on your phone, right.

Mobiles are not immune to malware and virus’.  One click on something stupid in social media land, and the virus comes in through your phone, out to the company network, and off it goes spreading bad news.

(One day, you’ll connect through a VPN. We’ll get into VPNs here soon)

EMPLOYERS

Maybe re-visit your employee-exit policies and procedures.  I feel this might be a hole that needs plugging.

Even if you are parting on friendly terms, you still must immediately address the large amount of sensitive information on their personal device(s), and what those devices have access to.

I talked about this in my Autonet.ca article, “Toyota Secure Website Hacked”:

“If he was fired Thursday, and he used his passwords to enter the site at midnight, that would make it seven hours during which his credentials weren’t changed. That is not best practice for employee termination; account access should be immediately disabled upon notification of termination.”

And to terminated employees: don’t be offended when they do this, it’s best. You don’t want the responsibility of owning that information, especially on a mobile device.

If you take only one thing from this post:

Much of your company’s security comes down to you, the end user / employee / weakest link.  I know practicing good security can be annoying and slow things down, but there’s more resting on your shoulders than you may realize.

And thanks for having me Telus, this was so neat.