Tired of being the main target of cybercriminals and other mean characters of the virtual world, SMBs are reconsidering their stand of security and starting to seriously apply it to their corporate infrastructures. These are the finding of a new survey conducted by Applied Research and published by Symantec. The new report shows that SMBs views have drastically changed over the past year, leading to more spendings on IT security and giving security policies a higher priority.

“Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” says Monica Girolami, senior product marketing manager at Symantec, who worked with Applied Research on the study. “This year they realize that they have gaps in their security stance, and they’re getting more serious — in fact, they rated data loss and cyberattacks as their top risks, even above natural disasters.”

If you’re wondering why this major shift, ask your self no more! It’s a mere cause and effect phenomenon: 42% of SMBs have lost data and the cost of a breach exceeds 188,000 USD. So insted of paying for the damages, better invest less in security and prevent them. Although it is happening rather late, it is still a smart move!

The respondents ranked data loss and cyberattacks as their top business risks, ahead of traditional criminal activity, natural disasters, and terrorism, according to the report. SMBs are now spending an average of $51,000 a year — and two-thirds of IT staff time — working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.

When it comes to high-level executives, the rules of the game often change. They are used to ask for exceptions to be made for them, backdoors to be opened and a whole different set of rules to be applied. This is what turns them in one of the biggest threats to corporate security.

According to Jayson Street, CIO and managing partner of Stratagem 1 Solutions, senior executives often circumvent security rules and policies to suit their needs and whims at the expense of security. The negative effect is that the special treatment leads to enabling cybercriminals to easily gain access to corporate networks by impersonating as management personnel. That is why, because of their systems privilege and access rights, they become ideal targets for all those wanting to hack into corporate networks.

“[Hackers are] not going after the bank teller, [they are] going after the bank president, because the tellers have USB drive rights deactivated, they have controls on where they can go on websites.” Street recounted how he was able to access the server room of a hotel simply by gathering information through social networks such as LinkedIn and Twitter of the owner, then sending an email to the access control personnel masquerading as the CEO of the tech support organisation. When the staff was later asked why he allowed Street access, he said: “Because [the boss] sends email messages like these all the time! He asked, and he’s the owner — you have to let him do what he wants.”

What can companies do to stop turning their top dogs into easy targets? Jayson Street recommends that IT security experts should stop enabling them and instead explain how fast they can become victims of cybercriminals. Lower rank employees should also be encouraged to report abnormal behaviors in order to maintain a safe environment. Also, educating all users about how and social engineering, impersonation, identity theft and other such menaces occur could also prove to be very effective.

There have been so many news lately about stolen hardware with important data, server hacks, security threats embedded in any new gadget that gets launched (like the iPad), that it could make anyone think all security companies and experts care about is pointing warning fingers towards anything cool someone would think of using. With all these stories, some of which we’ve shared on our Twitter stream, security becomes this two-headed monster that’s there to kill the fun in technology.

But that’s far from being true! Effective security is about playing it smart: seeing what could happen and preventing it, while allowing people to still have their share of fun. We tend to forget that, but that is the purpose to security in general and endpoint and data security in particular. iPods, iPads, colorful USB sticks, netbooks, smartphones, cameras, you should use it all as long as they help you work better and make your life easier. You should use them at home, in the office, while commuting, the idea is to know what threats they pose and how to prevent them.

Security experts to concentrate on everything bad that’s happening. The reason is simple, if companies and individuals don’t fear the consequences, they tend to ignore the risks. The all present mantra “It can’t happen to me” is their shield against all attacks and breaches. So there is a reason and a purpose behind showing off all the bad stuff, but that should never cast a shadow over the real goal of security: making your life safer and better.

The USB ports leading to the computers in your network are somewhat of a hell hole, opening up the way to scary security breaches. It all comes down to the use of portable devices that can store large amounts of data that employees and visitors carry around, plug in and use, regardless of all the security red alerts popping up each step of the way.

But completely cutting access to USB ports, although still used, is not a smart move if you’re trying to protect your data against accidental loss or theft. Lawsuits, fines and seeing your customers drop like flies are all scary scenarios, but fear should never prevent you from playing it smart.

Thinking about it for a while, cutting USB access also means printers. So your employees cannot get their laptop connected to any office printer and start printing reports, contracts and offers. They need to only use some authorized printers, through the network, causing long queues, angry comments and general discomfort. Their way of working might be affected, rendering them less productive.

And almost always, all prohibitions turn people against the person making the decision and encourage attempts to circumvent them. I am sure you’ve all worked in companies where some people could circumvent the firewall to download movies and play online games! And I am sure you’ve heard all the nasty comments when some random policy was enforced causing more harm then good.

Plus, the data security you dream of is just an illusion. People can still email sensitive documents, use the very printers you have authorized to print out all your client list and take it to the competition. You might monitor such activity, but if you think you’re safe, why would you?

Why upset your employees with don’ts and forbiddens for a false sense of security when you can allow them to use authorized devices and monitor file activity and transfers instead? Why worry when you can use a file whitelisting system to make sure they can’t really access sensitive information? Why not use a data loss prevention and device control solution to allow the to use the latest technology and stay safe at the same time?

When it comes to security, nothing seems better when it comes to marketing your product than having a free version to offer. Especially when you’re not the major market share holder, giving products away works miracles. At least that is the hypothesis of a recent DarkReading article.

But is this a new approach? Not exactly. From home user solutions to enterprise class security software, the smartest of the pack have a free version.

And why does this work? Simple. Why trust a sales pitch and a nicely designed demo when you can just download and install the product, test it, see how it works with your current infrastructure, then decide to buy. From one month demos to free, limited editions, this is the miracle of free: real results, real tests, no post-demo surprises.

Check out the success stories on DarkReading for more expamples of how free works in the security field.

When it comes to security breaches leading to data loss, accidents caused by insiders are more frequent and generally do more damage than those caused by insiders with malicious intents, shoes a new study published by industry research firm IDC industry research firm and sponsored bu RSA.

According to a report, 52 % of respondents characterized their insider threat incidents as predominantly accidental, while only 19% believed the threats were deliberate. Another 26 % said their insider issues were an equal combination of accidental and malicious threats.

“One of the things that jumped out at us from the study was how many insider incidents are unintentional,” says Chris Young, senior vice president of RSA products, quoted by Dark Reading. “These are individual actors who often are just trying to do their jobs and don’t understand that what they are doing is dangerous.”

“Employers view their relationship with employees as one of trust and recognize their people are their biggest asset,” said Chris Christiansen, program vice president of security products at IDC. “But the vast nature of an organization’s infrastructure, coupled with a dispersed, often global, employee base and complex internal user mix of employees, consultants, partners, and outsourcers make addressing the risks posed by its internal users the biggest security challenge that CXOs currently face. Whether the risk is intentional or not, it’s there. It’s real.”

The study also showed that in the past 12 months the 400 respondents that took part in the study admitted to 6244 incidents of unintentional data loss, 5830 malware/spyware attacks from within the enterprise, and 5794 incidents of risks created by excessive privilege and access control rights. The total number of internal security incidents was of a whoooping 57485 issues for the year.

As a response to this huge number of security only 40% plan to invest more in their on better handling their internal security risks. We would have definitely expected a higher percentage, given said number of incidents!

The White House might have a bright, shiny plan for cybersecurity, but it seems unable to keep the security heads it needs to manage and further implement it. No less than the people holding key positions related to the USA’s cybersecurity have resigned in the past few months.

The trend was started in March by Rod Beckstrom, who at the time resigned from his position as head of the National Cybersecurity Center within the Department of Homeland Security. The said center coordinates the defense of civilian, military, and intelligence networks. The reason for Beckstrom’s resignation? As he stated in a letter quoted by the Register, the post was underfunded and unduly controlled by the National Security Agency.

The next person to announce their resignation was Obama’s top cybersecurity director, Melissa E. Hathway. What led to her decision was the long months of delays by the Obama administration in appointing a permanent director to oversee the safety of the nation’s vital computer networks. As the Register points out, Hathway was one of the best candidates for the “cybersecurity czar” position. The czar would hold the authority for securing networks and infrastructure that serve US banks, hospitals and stock exchanges.

The third and most recent top cat in the US government to go is Mischel Kwon, the head of the US Department of Homeland Security’s Computer Emergency Readiness Team. Washington Post rumor has it that Kwon  had grown frustrated by bureaucratic obstacles and a lack of authority to fulfill her mission. And it seems people in her position don’t stick around for too long, she was the fourth US-CERT director in five years.

Hopefully, the critical cybersecurity plan will eventually be implemented, without any further delays and resignations. Let’s keep our fingers crossed!

Buying second hand PCs might be quite an adventure. Especially if they contain sensitive information that could blow one’s mind out, as it happened for a group of researchers from the University of Glamorgan in Scotland. According to a DarkReading article, the researchers found their used hard drives to contain details of test-launch procedures for a U.S. defense missile.

The researchers have included these findings in the results of a a five-year study that aimed to show the dangers of poor hard drive and device data-wiping and disposal practices. Acording to this years’ results, which are not yet final, the research also led them to sensitive data from Ford Motor, Laura Ashley, and other businesses.

This year, the researchers found personal or sensitive data on 34 percent of 300 hard disks bought randomly at computer fairs and online auctions in the U.K., U.S., Germany, France, and Australia. The information was enough to expose individuals and firms to fraud and identity theft, they said.

So if someone indulged in the idea of starting a fraud or theft based scam, all they needed is to start buying used computer parts. It’s easy and far less dangerous than actually atemtping to steal the data directly from the businesses currently using them.

…70 GB of stolen data behind a new botnet that has caught researchers’ full attention. Security researchers have managed to infliltrate, through the Torpig botnet, one of the well known zombie networks in the virtual world. According to their findings, this impressive amount of data was stolen in only 10 days.

As the Register reports, Torpig bots manage to steal more than 8,300 credentials corresponding to 410 different financial institutions.  The research team from the University of California at Santa Barbara, over 21% of the accounts belonged to PayPal users. Almost 298,000 unique credentials were intercepted from more than 52,000 infected machines.

How could this happen so fast? It’s all due to the “unusually large haul is Torpig’s ability to siphon credentials from a large number of computer programs”.

After wrapping its tentacles around Mozilla Thunderbird, Microsoft Outlook, Skype, ICQ, and 26 other applications, Torpig constantly monitors every keystroke entered into them. Every 20 minutes, the malware automatically uploads new data to servers controlled by the authors. Because the software runs at such a low level, it is able to intercept passwords before they may be encrypted by secure sockets layer or other programs.

Definitely scary!

The Dard Reading reporters have set their mind on educating their readers and helping them understand IT security better. The series is also designed to help IT people explain such topics to atechnical employees easier and faster. They have started with a piece explaining Data Loss Prevention (DLP) – the concept, what DLP solutions can and can’t do.

Here’s a short excerpt of the article defining and explaining what a Data Loss Prevention solution is and does:

In a nutshell, DLP is a type of software that is designed to seek out sensitive data — either traversing the network or sitting idle on your computer systems — and enforce policies for handling it. If a user attempts to send out sensitive data via email, post it to a Website, or copy it to a USB storage drive, DLP technology can identify that activity and record it.

More important, most DLP applications are also designed to prevent the user from executing tasks that might compromise the data or cause it to leak out to unauthorized sources. The DLP software might turn off the “write” capability that would allow a PC to copy certain data to an external storage device, or it might disallow an email user from sending the data to another user.

Read more on Dark Reading and make sure to read the next articles on this subject as well.

Photo credit.