A couple of clients have recently asked me for advice on how to protect themselves when travelling abroad on company business.
They both had two separate but connected concerns. The first was personal safety and the second was that of security around their work devices and mobile phones.
In dealing with the first “personal safety” issue, the advice is simply to carry on as normal, as you would when you travel to a new city, or to an unfamiliar part of a city, in the UK. This is best described with a short scenario.
Let’s just say that you arrive at your hotel late in the evening and, after unpacking, you decide to go for a short walk to stretch your legs before dinner.
You come out of the hotel, turn right and wander up the street, browsing in the brightly lit shop windows along the main road. You spend 5 or 10 minutes turning down some smaller side streets, before realising that those streets are slightly darker and less well lit than those before.
It also becomes apparent that the area is becoming more residential and less commercial. After a little while you notice that some of the streetlights are broken, that the cars are less new and more in need of some TLC than those high-value prestige models that you walked past earlier. You also start to notice that some of the windows have tatty curtains or even blankets in them and one or two of the doorways have been boarded up. There is also a slight smell of urine and the area has a decidedly “uncared for” feeling to it.
I would suggest that by now, or possibly some time before, you would be thinking that it’s high time to turn around and make your way back to the bright lights and the main roads. Or maybe your risk tolerance is such that you are happy to continue, right up until the point where you notice a couple of unsavoury individuals sitting on a wall or standing in a dimly lit doorway, looking at you (at least that’s what the hackles on the back of your neck are telling you). Maybe that’s the point at which you decide that it’s time for dinner and time to wander back to the main street and your hotel.
It’s about maintaining an awareness of your surroundings and knowing where you are, and about not making ostentatious displays of wealth (think about leaving the Rolex in the hotel safe, or at least make sure that it’s covered up by the sleeve of your jacket).
Be careful how you carry your camera with its £1000 lens, and perhaps cover it up with an inexpensive bag of some kind rather than one whose label says “money”.
Just follow and apply the rules handed down to your own teenage sons and daughters: keep your handbag in front of you and not just on the shoulder, make sure that your wallet isn’t just in the back pocket, and make sure you don’t ride in unlicensed taxis!
It’s just about being careful. These rules are good for both the UK and abroad.
Make use of Foreign and Commonwealth Office (FCO) security and travel advice in all instances of foreign travel.
Moving on to security around your work and mobile devices.
The cyber risk posed by hotels is a significant one. There are plenty of reports of attacks on high-profile company executives and employees of government agencies. What goes unreported, perhaps because of a lack of awareness, are the less well known attacks on the modern business traveller, who carries a veritable feast of files and personal information on their mobile devices and laptops.
After a long and sometimes fraught journey, these travellers and executives will (irrespective of how well-intentioned they are) let their guard down once inside the relative “safety” of their hotel rooms.
The biggest risk by far is the hotel or coffee shop Wi-Fi network. It is easy and free to download software that will “sniff” a Wi-Fi network and enable a criminal or foreign power to spy on the communications traffic using that network (it is illegal to do this in the UK).
Users can also be misdirected through rogue Wi-Fi access points (ones not set up by the hotel or coffee shop) to fake sites, or tricked into inadvertently downloading malicious software to their devices.
An encrypted VPN connection is the only effective way to protect your data (and your web surfing) from snooping at the network level. Businesses and IT departments should make sure that employees who travel have this connectivity. VPN software is easy to use and affordable enough that even those travelling for personal reasons can use this technology to protect themselves.
It’s also good practice to plug in to a wired network port (in my experience, normally next to the kettle!) wherever possible, to reduce the risk of connecting to a rogue access point.
An alternative to using the hotel network is to take your own travel wireless router, although you should make sure that you’ve changed the default username and password and enabled encryption. It also makes sense to avoid software updates whilst travelling (unless you know what you are doing).
Depending on your data allowance you could also consider creating a personal hotspot, using the Wi-Fi created by your mobile phone for access to email or the web. Or you could use a Wi-Fi dongle for this access.
Beware of using USB charging stations, as these can be used to inject malicious software into the devices travellers plug into them. Either use your own laptop’s USB ports or, if you need to charge multiple devices, consider taking a portable USB charger.
RFID skimmers (imagine something similar to the devices used for touch and go payment cards) are now commonplace and can be used to read data from digital room keys and other access cards. Hidden cameras in bathrooms and hotel rooms have also hit the headlines recently and all but the most conscientious hotel staff would find it very difficult to detect these devices.
Avoid placing sensitive items in obvious places within the room (a wallet on the bedside table), and leave your work access cards and fobs at home. Hidden cameras are a little more difficult to deal with; putting the personal privacy issue aside (which is a whole other area of risk), consider placing your laptop slightly off-angle on the invariably fixed hotel room desk and continue to use the “privacy shield” you might normally use when travelling on the train. Two-factor authentication would also help here for any services you plan to use in your room, since a password seen on camera is then not enough on its own.
Theft and physical intrusion in hotel rooms is a huge problem. Key cards are very easy to duplicate and clone with the skimmers mentioned previously. And hotel staff can come and go with frightening regularity. Portable devices, money, documents and laptops can easily be stolen unless secured in the room safe. If you plan to step outside of your hotel room, for any length of time without taking your digital devices, then lock them away in the safe. And if you can’t do this, make sure that they are protected with robust password protection and preferably, encryption.
Make sure that “full disk encryption” is enabled on your laptop and, in addition, make sure that you have a suitably short sleep/screen lock period set and that you have to unlock the laptop with a password after this period.
Without encryption, it is a straightforward process for someone to remove the hard drive from the laptop and copy it without leaving a trace (that you will notice). If you have a portable storage device, make sure that encryption is enabled on this also. In both cases, the passwords should be complicated and long. Encryption is seldom broken; access is invariably gained through a weak password!
Depending on the job you do, the data that you have access to and the country you’re visiting, it may also be advisable to travel with “clean” devices only. And when I say clean, this means a device not containing any personal or business-related data that might be of use to a competitor or foreign government. It means a blank phone or laptop!
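A quick way to verify the two laptop settings above before a trip is to audit them from a script rather than trust memory. The following Python is an added example, not code from the post or from ESID Consulting; it assumes a Linux laptop using LUKS (so the root volume sits on a device of type “crypt” in the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`) and takes the screen-lock settings as parameters. The two device layouts and the 300-second lock threshold are constructed for the example.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a laptop whose
# root and home volumes sit inside a LUKS container (the encrypted layout).
ENCRYPTED_LAYOUT = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "luks-root", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]})

# Constructed sample for a laptop with no encryption layer at all.
PLAIN_LAYOUT = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
    ]},
]})

# Assumed policy value (not from the post): the screen must lock within this many
# seconds of inactivity.
MAX_IDLE_SECONDS = 300


def _mountpoint(node):
    # Older lsblk releases emit "mountpoint"; newer ones emit a "mountpoints" list.
    if node.get("mountpoint"):
        return node["mountpoint"]
    mps = node.get("mountpoints") or []
    return mps[0] if mps else None


def _walk(nodes, ancestors=()):
    """Yield the chain of devices (top-level disk down to the node) for every node."""
    for node in nodes:
        chain = ancestors + (node,)
        yield chain
        yield from _walk(node.get("children", []), chain)


def mount_is_encrypted(lsblk_json, mountpoint="/"):
    """True if the device holding `mountpoint` is, or sits above, a 'crypt' device.
    False if it is mounted straight from plain storage; None if not mounted at all."""
    tree = json.loads(lsblk_json)["blockdevices"]
    for chain in _walk(tree):
        if _mountpoint(chain[-1]) == mountpoint:
            return any(dev.get("type") == "crypt" for dev in chain)
    return None


def audit_laptop(lsblk_json, idle_seconds, lock_needs_password):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    for mp in ("/", "/home"):
        if mount_is_encrypted(lsblk_json, mp) is False:
            findings.append(f"{mp} is not on an encrypted volume")
    if idle_seconds > MAX_IDLE_SECONDS:
        findings.append(f"screen lock idle time {idle_seconds}s exceeds {MAX_IDLE_SECONDS}s")
    if not lock_needs_password:
        findings.append("unlocking the screen does not require a password")
    return findings


if __name__ == "__main__":
    for label, layout in (("encrypted", ENCRYPTED_LAYOUT), ("plain", PLAIN_LAYOUT)):
        print(label, audit_laptop(layout, idle_seconds=120, lock_needs_password=True))
```

On a real machine you would feed `subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])` into `audit_laptop` instead of the constructed strings; the equivalent status commands on other platforms are `manage-bde -status` (BitLocker) and `fdesetup status` (FileVault). The check deliberately walks the whole device chain, because a LUKS container is usually several layers below the filesystem that is actually mounted.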
For no nonsense practical advice or help with any of the points made in this post please contact ESID Consulting on firstname.lastname@example.org or Telephone 0844 358 2362
Security firm Check Point has identified a number of vulnerabilities in microchips used in Android devices that allow hackers to gain access to and control of the entire device, with the power to change or delete files and apps and to access the device screen, its camera, microphone and its data.
With BYOD (Bring Your Own Device) being so common now within firms, a vulnerability in mobile devices on this scale presents a huge risk to business. It potentially gives the criminal unfettered access to entire company systems with relative ease.
Patches have been released by the chip manufacturer (Qualcomm), so that the equipment manufacturers can update the devices affected.
This issue illustrates why IT teams and businesses need to be aware of all the devices being used in their business and on their networks, the data that those devices are trying to share and access, and how up-to-date and secure those devices are.
If you allow BYOD in your business, you need to have robust and enforceable policies in place to protect your data and that of your customers. You also need to ensure that your IT departments are on top of their patching regime (they should have one). The way to do this is to have an Information Security Management System (ISMS) in place that complies with ISO 27001, covering your entire business.
ESID Consulting design and implement ISO 27001 compliant Information Security Management Systems within companies and organisations to mitigate these risks and the multitude of others that pose a threat to businesses.
For help and advice on how to protect your information and that of your customers please contact ESID Consulting via email email@example.com or Telephone 0844 358 2362.
The full article for this piece can be found here
Managing the “Insider Threat” means evaluating and managing the “employee risk”, throughout the entire employment lifecycle.
It ranges from pre-employment screening and vetting to knowing what’s going on in your employees’ private lives that might have an impact on your business, so that you can provide support if needed and supervision if necessary.
It’s about education and awareness, so that they [your staff] know and understand what you expect of them when handling your clients’ data and your intellectual property. It’s about making sure that the processes and procedures that you have in place throughout the organisation are followed and complied with by everyone, from top to bottom.
Lastly, it’s about exit and termination procedures, making sure that an “ex” and possibly “disgruntled” employee, doesn’t leave the organisation with anything that might cause you reputational, financial damage or security concerns at some point in the future.
It needs a holistic approach. It needs an ESID approach! To find out more, please download our whitepaper, “The Insider Threat”
No one has our insider threat management background or experience.
For further information or support contact firstname.lastname@example.org or Telephone 0844 358 2362
Regardless of the results of the Brexit vote, the upcoming changes to the Data Protection Act in 2018, in the form of the GDPR will still affect you if you trade with a member of the European Union.
GDPR will become law in 2018!
GDPR could be described as the Data Protection Act “plus”, and you need to start planning for this now.
If you’d like to know more about the GDPR and how it affects you and your business then contact ESID Consulting for advice and support.
email@example.com or Tel 0844 358 2362
This video contains extracts of an extremely successful “Top Table” event for business leaders in Hampshire and The Isle of Wight, held at The Lakeside Park Hotel and Conference Centre on 24th February 2016.
If you would like to know more about any of the points raised in the video or would like to talk about how you can better protect your business and its information then please contact us on firstname.lastname@example.org or Tel 0844 358 2362
Norrie Johnson Recruitment have just published their Cyber Security Report. ESID Consulting have contributed two separate articles to this authoritative report. It is a must read for all those concerned with protecting the enterprise and the data contained within, whether it be company data, sensitive IP or customer information.
Our articles concern “The scale of the cyber security problem” and “The Insider Threat” and can be found on pages 8 to 10.
If you have any questions concerning the articles or you would like to talk to us about protecting your business and information then please contact us at email@example.com or call us on Tel 0844 358 2362
Twice in the last month ESID Consulting has been requested to provide support and advice concerning information security risk assessments performed by other vendors. My being called to assist was due to the fact that the customer didn’t understand the final report they were given (and paid for) and for some reason they didn’t want to or didn’t feel that they could ask the company concerned to explain things to them.
On both occasions the reasons that the customer didn’t understand what they had was because the reports were full of “geek” speak and padding (with useless information and confusing flow diagrams).
The other thing I found was that these so-called risk assessments were not what I would call risk assessments.
The first was called a “data security risk assessment” and the other a “high level risk assessment”. Now, I suppose if you want to argue it, that may well be correct in a grey, woolly sense of the term. But all they served to do was mislead the customer! They were in fact both “Gap Analysis” assessments, which is not the same thing.
A “proper” risk assessment is mapped against risks, threats and vulnerabilities, takes considerably longer to perform and is asset based, meaning that the organisation needs to know and understand what its assets are in the first place.
This lack of clear description leaves the customer understandably “miffed” when they are told that they need to have another, more granular risk assessment done. Now, this may be just down to the language used at the time of sale and a subsequent misunderstanding by the customer. But it shouldn’t ever come to that.
A risk assessment also forms an integral part of an Information Security Management System (ISMS), which is the natural follow-up to the risk assessment exercise. An ISMS is entirely risk based, covers the whole business and is integral to all business processes. It is a framework that becomes a business enabler; it drives efficiency, transparency and trust within an organisation, and it secures and protects your business assets and your bottom line.
All of the work performed by ESID Consulting is based on openness and transparency. All of our reports are clear and as free of jargon as possible. We will explain everything and hold your hand through the entire project. We don’t just give you the report and walk away. We very much become part of the team and provide a “shared” CISO / CSO facility for those organisations that either don’t have one or for those that do, we can share the load.
So, if you are currently looking at a risk assessment or report from another company or you are trying to implement an ISMS and you haven’t got a clue of what it means or where to start or go next then call us.
ESID Consulting Tel 0844 358 2362 or email firstname.lastname@example.org
It cannot have escaped anybody’s notice that data breaches have been a recurring nightmare for consumers and companies alike:
Talk Talk, Vodafone, VTech, Target, Ashley Madison, etc. These breaches cost millions of pounds in lost share price, sales and customer churn. They also make customers question what actually happens to the data they are handing over.
Customer loyalty is increasingly entwined with the security of customers’ data. This is therefore a serious issue for companies.
Growing consumer concern
The ever increasing list of data breaches is provoking, if not quite panic among consumers, at least a growing and serious concern. The latest research into the State of the Data Nation reveals that security fears stop;
It’s never been more important to ensure that data management and protection is up to scratch!
To do this you need to know;
The only way to do that is to have strong data governance practices in place, through the use of a formal Information Security Management System (ISMS), modelled on ISO 27001.
You also need to have an open and transparent relationship with your customers and your staff.
Lastly, you need to have an effective, working “Incident Response and Business Continuity Plan” – and I’m not talking about some one-page “tick box” proforma – it needs to be backed up by a proper Business Impact Analysis (BIA) and it needs to have been tested!
Don’t know where to start? Call ESID Consulting for help in designing and implementing a bespoke ISMS which incorporates insider threat management, incident response and business resilience.
Tel 0844 358 2362 or email email@example.com
A new malware attack targeted specifically at business and consumer Facebook users has been discovered, and it makes use of social engineering and phishing.
The Comodo Threat Research Lab has found that the malware arrives as an email purporting to come from Facebook, stating that there is a new message for the recipient. It is not in any way related to Facebook.
The subject headings of the emails are simple: “A brief vocal e-mail was delivered”; “an audio announcement has been delivered”; “an audible warning has been missed”; “you got a vocal memo!”
Each subject line ends with a set of random characters like ‘sele’ or ‘Yqr’. The malware is in a .zip file sent as an attachment, and contains a variant of the Nivdort malware.
Nivdort is a trojan that interferes with internet connections and prevents the user from accessing websites. It also distributes malicious files throughout a victim’s hard drive, which can be used to exploit the user’s computer to install ransomware applications and other remotely controlled malware.
This is similar to a campaign that targeted WhatsApp users earlier in the month. In that phishing attack, cyber-criminals were also sending fake emails to spread malware when victims clicked on the attached “message”.
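The traits described above (a known lure subject, a random token tacked onto the end, a sender domain that is not Facebook’s despite the email claiming to be from Facebook, and a .zip attachment) are exactly what a mail-filter rule or a help-desk triage script would look for. The following Python is an added example, not code from the post or from Comodo; the subject lines come from the campaign as described, while the sample messages, the `example.*` sender addresses and the “two traits means quarantine” threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr

# Subject lines the post reports for this campaign, lower-cased for comparison.
LURE_SUBJECTS = {
    "a brief vocal e-mail was delivered",
    "an audio announcement has been delivered",
    "an audible warning has been missed",
    "you got a vocal memo!",
}

# A short run of letters/digits after a space at the very end of the subject
# (the post gives 'sele' and 'Yqr' as examples).
TRAILING_TOKEN = re.compile(r"\s+[A-Za-z0-9]{2,6}$")


@dataclass
class Email:
    sender: str          # raw From header, e.g. '"Facebook" <user@host>'
    subject: str
    attachments: tuple   # attachment file names


def _sender_domain(raw_from):
    _display, addr = parseaddr(raw_from)
    return addr.rsplit("@", 1)[-1].lower()


def phishing_indicators(mail):
    """Return the list of campaign traits this message shows (empty = nothing matched)."""
    reasons = []
    subject = mail.subject.strip()
    stripped = TRAILING_TOKEN.sub("", subject)
    if subject.lower() in LURE_SUBJECTS:
        reasons.append("subject matches a known voice-message lure")
    elif stripped.lower() in LURE_SUBJECTS:
        # The lure only matches once the trailing random token is removed.
        reasons.append("subject matches a known voice-message lure")
        reasons.append("subject ends in a random token: " + subject[len(stripped):].strip())

    display, _addr = parseaddr(mail.sender)
    claims_facebook = "facebook" in (display + " " + subject).lower()
    domain = _sender_domain(mail.sender)
    if claims_facebook and not (domain == "facebook.com" or domain.endswith(".facebook.com")):
        reasons.append(f"mentions Facebook but was sent from {domain}")

    for name in mail.attachments:
        if name.lower().endswith(".zip"):
            reasons.append(f"zip attachment: {name}")
    return reasons


def is_suspicious(mail):
    # Assumed threshold: two independent traits is enough to hold the message for review.
    return len(phishing_indicators(mail)) >= 2


# Constructed sample messages; the sender addresses use example.* domains.
SAMPLES = (
    Email('"Facebook" <notify@example.net>', "An audible warning has been missed Yqr", ("message.zip",)),
    Email('"Facebook" <notify@example.net>', "you got a vocal memo! sele", ("voice_memo.zip",)),
    Email("colleague@example.org", "Agenda for Thursday", ("agenda.pdf",)),
    Email("security@facebook.com", "Your Facebook login alert", ()),
)

if __name__ == "__main__":
    for mail in SAMPLES:
        verdict = "HOLD" if is_suspicious(mail) else "pass"
        print(f"{verdict:4} {mail.subject!r}: {phishing_indicators(mail)}")
```

The rule scores traits independently rather than matching the subject alone, so a mail from a genuine facebook.com address with a similar subject, or a lure subject with no attachment, scores below the threshold and is not held. The subject list is deliberately a set of exact phrases: loose keyword matching on “message” or “audio” would quarantine far too much legitimate mail.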
As previously reported, phishing attacks are on the rise. The only way of defeating phishing is through user education and awareness.
Before you click, be cautious! Look at the information in front of you. Does it appear legitimate? Is it something you were expecting?
If it’s out of the blue or you’re not quite sure about it, for whatever reason, think twice about clicking on it and delete it immediately. If it’s that important, the person sending it will contact you again another way.
If you’re reluctant to delete it, worried that it might be much-needed business, then call or contact the person who supposedly sent the message to confirm things first.
Education and awareness forms an integral part of a bespoke Information Security and Insider Threat Management System designed and implemented by ESID Consulting. Contact us at Tel 0844 358 2362 or email firstname.lastname@example.org for help and advice
According to research by Foursys, an IT security reseller, of the 15% of companies it polled that had reported a breach in 2015, 42% were hit by ransomware.
Companies need to take steps now to reduce the risks with a layered defence, or they may find themselves struggling to cope.
Cyber criminals will pick “soft targets”. Companies should implement an Information Security Management System (ISMS) which incorporates the whole business and includes user education. Only by doing this will you make yourselves a harder target when compared to your competitors.
Of the 15% that reported a security breach in 2015, 42% claimed to have been hit with ransomware, 10% reported “significant disruption to systems” and 11% said they’d lost data as a result.
Hackers will look for unpatched vulnerabilities in your applications, weak passwords and unsuspecting staff.
Having proper, documented policies and procedures, keeping patches up to date and running the latest software versions will harden your company against attack.
One of the biggest risks is the human factor, the “insider threat”: make sure your staff and users are aware of the threat and its potential impact on your business.
For help and support call ESID Consulting on Tel 0844 358 2362 or email email@example.com
The full article can be read here