Month: September 2020

With Cyber Threats Evolving Increasingly, Effective Risk Management is The Masterkey

Corporate information security risk management is undoubtedly a tough job, especially as Businesses keep generating large volumes of data while cyber threats continue to evolve.

 

Some people may blame control frameworks, but these simply catalog the possibilities. I would say that broken risk models are to blame. They take a “need to catch them all” approach and pretend that there is a linear relationship between loss exposure and security controls. This ignores many crucial variables, like attacker capability, frequency of attack, and the Organization’s tolerance for loss.

This approach often finds its way into auditing frameworks, but it treats every missing or deficient thing as a risk, and this has allowed risk statements that express zero appetite to make their way to corporate boards and senior executives. For any Organization with a limited budget, a risk appetite statement such as “we don’t accept any cyber-related risk” is virtually impossible to put into action. It means that they would have to spend every dime to avoid a loss, and still no one can guarantee a future with zero incidents.

Instead, statements about loss and risk should focus on the range of the amounts that could be lost and the timelines over which these losses may occur. This is where effective risk management plays a vital role.

Effective Risk Management

Effective risk management allows any Business to attain an acceptable amount of loss over time with the least amount of capital expenditure. It helps balance the money spent today to reduce risk against the probability of some amount of loss in the future. Good risk management is not about perfect risk avoidance, because this notion would choke off innovation and good Business management.

Risk reduction investments are all about curtailment: Business innovation is curtailed when there is not enough freedom to operate without safeguards in place.

Navigating Risk


Do you know what the most important thing is if you intend to navigate risk and approach risk elimination through a security control process? Having a good model that represents the nature of risk accurately. But that’s not all. This model should also support the modern needs of Organizations, like a budget for risk allocation or the purchase of cyber insurance.

 

The cybersecurity experts at Neumetric believe that effective risk management can help an Organization get where it wants to go and avoid pitfalls and surprises along the way. This way, Organizations can achieve their Business objectives, and with effective risk management there will be more informed risk-taking and decision making.

 

Neumetric, a cybersecurity services, consulting & products Organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for Organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the Business objectives of the Organization.

GDPR for Sales – How GDPR affects Cold Emailing & Calling?

If your sales process relies heavily on cold emailing or calling prospects, then there is something crucial for you to know about the European General Data Protection Regulation (GDPR).

At its most basic, the GDPR changes the way outbound sales teams can collect and use personal data like names, IDs, email addresses, and other details. So, whether you buy lists of leads to fill out your pipeline, automatically add new inbound contacts to your sales funnel, or search for prospects on social media platforms, the sales strategies that you have been using to turn prospects into customers are going to have to change dramatically.

There are a lot of questions about how the General Data Protection Regulation can affect a sales force. Here are the 10 biggest concerns that sales teams have about staying compliant while prospecting.

Q. What does the GDPR cover and do I need to care about it if I’m outside of Europe?

The GDPR gives EU citizens more control and transparency over who can use and store their personal data. This means that a company using personal data to build sales leads has new responsibilities around collecting and processing that data. Personal data includes names, phone numbers, IDs, email addresses, IP addresses, mobile device IDs, and even encrypted data.

For any sales team, personal data is crucial for outbound sales. Under this regulation, you cannot use personal data (like a phone number or email address) without that person’s consent to be contacted by you. This may sound like the end of cold prospecting emails, product demos, or quick catch-ups sent without the person opting in to receive your messages. But here are a few things that you must understand about the General Data Protection Regulation.

GDPR applies only to your sales prospecting towards citizens of the EU. You need to be concerned about the guidelines if your business either:

  • Offers services or products to EU citizens.
  • Has an established presence in the EU.
  • Uses their personal data in some other way, like monitoring or profiling them.

You may still be able to contact prospects if you have legitimate interests. If your company’s legitimate interests are not overridden by the individual’s fundamental rights and freedoms, then you may be able to use the contact data. In a scenario where a prospect sends a complaint about your outreach, the company should be able to argue that the communication was legal. Therefore, it is crucial that you document your legitimate interest, make it clear in the communication, and offer an easy opt-out.

We are not sure about the final effects until the ePrivacy directive is finalized. This regulation is just a starting point for new rules around personal data. We are still unaware of the final impact that it may have on outbound sales and marketing until another regulation arrives. In other words, there is still more change ahead.

Q. How do I get consent from my prospects?

Under the General Data Protection Regulation, the only way your sales team can do any sort of outbound sales is if you have consent from the prospects to contact them. Therefore, the consent should be:

  • Given freely
  • Transparent and specific about what it will be used for
  • Easy to withdraw at any time

To show that the consent was given freely, your lead has to openly click an opt-in to receive communications from you. This means that consent to receive sales emails or calls cannot be a requirement for using your services.

When a prospect gives you consent, you should be open and transparent about what you are using that consent for. For instance, if a prospect has given you their email to send them an eBook, it cannot be used to send sales emails or unrelated content.

Lastly, your prospects should have the ability to withdraw consent at any time, such as through an unsubscribe link in emails or some other way of contacting you to get off your list. So, if a prospect emails you and asks why you have their personal information, you should be able to say, “Here’s where we got your data. Here’s the link to our privacy notice and here’s the link to unsubscribe.”

Q. Do I need consent only for sending bulk emails? What about individual outreach?

Fundamentally, there is no legal difference between bulk emailing and one-to-one emailing when it comes to cold outreach under this regulation. So, “just reaching out” emails need to have prior consent in order to be legal.

Q. How to build the outbound sales funnel under GDPR?

It might seem impossible to build an outbound sales funnel under this regulation, but there are still ways to grow your leads.

  • Focus more on content marketing and inbound sales: Moving forward, inbound marketing and sales are going to become more important. Organizations should take time to ensure that all their forms are set up to properly gather personal data and get consent.
  • Buy relevant lists with documented consent: You can still buy lists of leads under this regulation, but you must ensure that those lists come with attached metadata explaining how and when each person gave consent. If you can prove that clients consented to receive emails from you, the list is fine to use.
  • Advertise on sites that are relevant to customers: Advertising and getting inbound sales leads is legal under this regulation; you just need to ensure that you gather and track consent whenever you get a new lead.

Q. How will GDPR affect cold calling?

If you are part of one of the sales teams that are already seeing success with cold calling, then you will be happy to know that cold calling isn’t as restricted under the General Data Protection Regulation as cold emailing. And if cold calling is not yet a part of your sales process, you might want to consider it now.

But you still need to identify and tell your prospect who you work for, why you’re calling, and how you got their information. You also need to ensure that you are only calling companies who have either consented to receive your calls or who aren’t registered on a no-call list. For this, you may have to look on a nation-by-nation basis.

While cold calls are not heavily scrutinized under this regulation, this will probably change when the ePrivacy Regulation is finalized next year. According to the proposed Regulation, unsolicited direct marketing by any means like SMS, email, or automated calling machines will be prohibited unless direct consent is given.

GDPR may be bringing some major changes to the way outbound sales teams work. Don’t think of it as something meant to kill the outbound sales process. Rather, it is a shift in the way you think about who your ideal customer is and how to get in touch with them.

How Organizations Are Helping Network Hacking

As technology constantly evolves, hackers’ techniques are advancing too. This puts tremendous pressure on Organizations to constantly update their security measures so as to keep their data secure from network hacking.

 

Hackers can expose not only crucial company information but sensitive customer data as well, which can have potentially devastating effects. Therefore, any Business in any industry must realize that cybersecurity is an important aspect. Without proper prevention, you may fall prey to network hacking in the near future.

 

Most of your employees might know not to send a password via email or open a strange attachment from someone they don’t know. But do they know that posting photos of their badges on social media or revealing details about internal software in job descriptions can cause a lot of harm? There are many ways Organizations and their employees unknowingly give cybercriminals a helping hand. Here are five ways your Organization may be risking your network’s security:

A Picture or a Video can say a lot

The most common slipup that happens in companies is oversharing online, especially on social media. For instance, Human Resources shares photos and videos to attract job applicants, interns post photos of new badges, or employees share photos of an office celebration.

 

Attackers can use a lot of things from these photos and videos to their advantage, like company badges or information on whiteboards. Office pictures can show an attacker how desks and cubicles are laid out, what type of computers employees use, and the programs, email clients, and browsers they’re running. Employees accidentally make it easy for hackers to duplicate and impersonate what they see, and to gain knowledge they shouldn’t have.

Overly detailed Job Postings

An innocuous job posting may give attackers the exact information they need. Many Organizations go into very specific detail about the internal software they use, which gives attackers a lot of insight into the internal structure. An attacker with knowledge of the company’s software will know exactly what he needs to break in. If he doesn’t want to develop malware, he may use this knowledge to create a phishing campaign and lure victims based on the software they’re using.

Your Email Signature

Many employees respond to phishing emails in order to prove that they can’t be fooled; instead, they play right into attackers’ hands. A reply proves to intruders that a legitimate person is at the other end. They learn the company’s email format, which works like a formula they can use to identify and target other people within the same Organization. They may also collect other details from a signature, like office phone number and extension, mobile phone number, social media handles, and/or website link, which can be fruitful for future network hacking or phishing attacks.

Out of Office Emails

Automatic replies and out-of-office emails are the most common ways companies make themselves vulnerable. Employees often include a precious amount of detail, which is enough for an intruder to take advantage of. For example, “Hi, this is John. I am away for vacation. For project X, contact X person at X email address; for project Y, contact Y person at Y email address.”

Full names, project names, and even contact details in an automatic reply make it easy for attackers to target people. Using this information, they can email another employee at the company and pretend to be working with John on a project, obtain sensitive data, or request a wire transfer.

Failing to Verify Callers

One of the usual pen-testing tactics is caller ID spoofing. If someone calls, people usually don’t question it; they are used to seeing that IT or human resources is calling. Security training programs tell employees not to share their passwords, but they do not emphasize the importance of questioning and verifying phone calls. Caller ID spoofing and SMS spoofing are huge, and both are fairly easy for an attacker to pull off.

Education is the first step towards preventing employees from accidentally leaking data. Beyond educating employees about these attacks, companies should also teach them what to do if they spot such attempts. Actionable policies should dictate the steps for employees to take when they fall for a phishing scam.

Cybersecurity Experts at Neumetric suggest that teaching employees not to share information that could be used to assume their identities is the first step. But along with this, employees should adopt multi-factor authentication, so that it is harder for attackers to pretend to be someone they’re not.

Have You Heard About the Whale Phishing Attack?

A whaling attack, also known as a whale phishing attack, is a common cyber-attack that targets high-profile employees, like the CEO or CFO, as they’re likely to have access to more confidential data, intellectual property, and other sensitive information. In many cases, the attacker’s goal is to influence the victim into authorizing high-value wire transfers to the attacker.

Many whale phishing emails are designed to support fraudulent wire transfers. Do you know exactly what a whaling attack is and how you can stay protected? Let us find out.

How does a Whaling Attack work?

A whaling attack is a type of phishing attack that targets wealthy, prominent, and high-profile individuals. In this cyber-attack, a highly customized phishing email which includes the target’s name, job title, and other relevant information, is sent to the high-profile targets. This email includes a link that redirects the targets to a phishing page that harvests the corporate or personal information of the target.

Due to their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks, because the sender’s email address and the links used in the email are designed to look very legitimate.

Whaling attack history

In 2016, Snapchat’s payroll department received a whaling email that purported to come from the CEO asking for employee payroll information. In response to the email, the payroll staff disclosed all of the company’s payroll data to a scammer.

 

In March 2016, an executive at Seagate responded to a whaling email that requested the W-2 forms for all current and former employees. This incident caused a breach of income tax data for almost 10,000 Seagate employees.

Toy giant Mattel lost over $3 million after a senior finance executive fell victim to a whaling email attack. The email claimed to come from the new CEO and requested a wire transfer.

Defending against Whaling attacks

Cybersecurity experts at Neumetric recommend never clicking on links or attachments in emails that come from anonymous sources. It is always best to verify the legitimacy of the source before responding to an email. Any email that asks for personal or financial information should be avoided.

High-level executives should take extra caution while posting and sharing personal information on social media. Additionally, educating employees on how to identify phishing emails is highly recommended. To keep whaling attacks at bay, you can implement good anti-phishing software and flag emails that are sent from outside the corporate network.
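One way to flag mail from outside the corporate network and catch the "email from the CEO" pattern behind the incidents above, as an added example that is not part of the original article. The corporate domain, the executive directory and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the corporate domain,
# the executive directory and both sample messages are constructed.
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
EXTERNAL_TAG = "[EXTERNAL] "


def domain_of(address):
    """Return the lower-cased part of an address after the last '@'."""
    return address.rpartition("@")[2].lower()


def assess(raw_message):
    """Tag external mail and list whaling indicators found in the headers.

    Only header values are inspected. A production gateway should also use
    SPF/DKIM/DMARC results, because a From header can be forged outright.
    """
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    external = domain_of(sender) not in CORPORATE_DOMAINS
    if external:
        findings.append("external-sender")

    # An executive's name on an address that is not theirs is the
    # "email claims to come from the CEO" pattern described above.
    known_address = EXECUTIVES.get(" ".join(display_name.lower().split()))
    if known_address and sender.lower() != known_address:
        findings.append("executive-name-mismatch")

    # Replies routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("reply-to-domain-differs")

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    return {"subject": subject, "findings": findings}


# Constructed sample messages.
SAMPLE_WHALING = ("From: Jane Doe <jane.doe@examp1e-corp.test>\n"
                  "Reply-To: payments@mailbox.test\n"
                  "Subject: Urgent wire transfer\n\nPlease process today.\n")
SAMPLE_INTERNAL = ("From: Jane Doe <jane.doe@example.com>\n"
                   "Subject: Q3 numbers\n\nSee attached.\n")

if __name__ == "__main__":
    for sample in (SAMPLE_WHALING, SAMPLE_INTERNAL):
        print(assess(sample))
```

Messages that carry the executive-name-mismatch finding are good candidates for quarantine or out-of-band verification before any payment or data request is acted on.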

So, if you are also in need of cybersecurity, contact us today and get a free assessment.  
