Security

What is Botnet? How to Prevent Botnet attacks?

Think of the damage a single hacker can do: breaking into people’s accounts, spreading fake websites, sending out dangerous spam, tricking people into handing over personal information, infecting millions with malware, and even denying access to the internet. Now imagine what a hacker can do with an army of computers at their disposal, multiplying their resources by thousands or millions. This army of computers actually exists, and it is called a “botnet”.

What is Botnet?

Basically, a botnet is a network of infected computers which, under the command of a single master computer, work together to accomplish a goal. It may seem simple, but it is the powerhouse behind some of the worst attacks hackers can attempt.

A botnet is made up of groups of computers that have been infected with malware. A hacker remotely controls all of the computers in the group to do things like sending spam messages, generating fake web traffic, conducting DDoS attacks, serving ads to everyone in the botnet, or even extorting payment from users in return for being removed from the botnet.

A botnet relies on two things:

First, it needs a large network of infected devices, called “zombies”, to do the grunt work for whatever scheme the hacker has planned.

Second, it needs someone to actually command them. That role is filled by the Command and Control (C2) center, run by the operator known as the “bot herder”.

Once these things are in place, a botnet is ready to bring chaos and do harm to people and systems.

How do Botnets work?

There are two primary ways that botnets are set up, the Client-Server model and the Peer-to-Peer model.

  • Client-Server Model: This is the old-fashioned way, where “zombies” receive their instructions from a single location, usually a shared server or website. That single location is also a single point of failure: take down the website or server and the whole system crumbles.
  • Peer-to-Peer Model: In this model, each infected machine communicates directly with a few others on the network, and those few are connected to a few more, until the whole system is strung together. Removing one or two devices is not a problem here, as the others pick up the slack.

In both cases, whoever owns the Command and Control channel can command the whole network. This is why botnet operators sign their commands with digital signatures: only commands issued by the hacker, or by whoever they sold the botnet to, are accepted and spread through the entire network.

5 ways to stop Botnets from stealing Data

Botnet attacks are generally combined with other cyber threats, which makes their detection challenging. However, eliminating botnet threats early helps businesses stay protected from such attacks.

  1. Windows firewall: The host firewall is the basic defensive tool against network-based security threats. However, users sometimes disable it to make network connections easier to set up. Organizations must have alternative firewall protection in place and must ensure that firewalls are configured appropriately.
  2. VPN with a kill switch: A VPN (Virtual Private Network) carries private data over a public network inside an encrypted tunnel. If the VPN provider offers a kill switch, it blocks traffic the moment the VPN connection drops, so confidential data is never transferred over an unsecured connection.
  3. Network compartmentalization: Enterprises must secure both external and internal network communications. Compartmentalizing a network makes it possible to put up access controls that limit internal communication and to monitor for unexpected connections, which reveal the presence of a cyberattack. By limiting broad access to internal machines, botnets can be stopped from spreading.
  4. Plan a secure baseline strategy against BEC attacks: BEC (Business Email Compromise) is a common form of cyberattack that targets businesses relying on wire transfers with international suppliers. Such attacks are not easy to defend against. Therefore, to end such attacks, Organizations need defensive web gateway tools.
  5. A dedicated system to block fraudulent emails: Many busy users click on emails without paying much attention to them. In an Organisation, having a policy against opening random emails is not enough. While raising awareness can help, employees should also be able to report suspicious emails. Additionally, employees should be prompted to update their login credentials with strong passwords, and be made aware of the different kinds of cyberattacks and their respective real-time solutions.
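The compartmentalization point above, turned into something a defender can run: an added example, not code from the original post. It checks constructed flow records against a hypothetical zone policy (unexpected zone-to-zone connections and workstation-to-workstation traffic) and also flags hosts that contact an external endpoint on a fixed timer, the regular polling a zombie does to reach its command and control. The zone names, subnets, ports, addresses and sample flows are all constructed.

```python
"""Flag connections a compartmentalized network should never see.

Added example, not code from the original post. Flow records are
(timestamp_seconds, src_ip, dst_ip, dst_port). The zone map, the allowed
zone-to-zone ports and the sample flows are constructed and hypothetical.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed segmentation policy: which subnet is which zone, and which
# (source zone, destination zone) pairs may talk on which ports.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "dmz": ip_network("10.30.0.0/16"),
}
ALLOWED = {
    ("workstations", "servers"): {443, 445},
    ("workstations", "dmz"): {443},
    ("workstations", "internet"): {80, 443},
    ("dmz", "servers"): {5432},
    ("dmz", "internet"): {80, 443},
}


def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def find_policy_violations(flows):
    """Return flows the policy does not allow, tagged 'lateral' or 'unexpected'.

    Workstation-to-workstation traffic gets its own tag because it is the
    classic sign of malware spreading inside a flat network.
    """
    violations = []
    for ts, src, dst, port in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair == ("workstations", "workstations"):
            violations.append((ts, src, dst, port, "lateral"))
        elif port not in ALLOWED.get(pair, set()):
            violations.append((ts, src, dst, port, "unexpected"))
    return violations


def find_beacons(flows, min_contacts=6, max_jitter=0.1):
    """Flag (src, dst, port) tuples contacted at near-constant intervals.

    A zombie polls its command and control on a timer, so the spread of the
    gaps between contacts (stdev / mean) stays tiny; human browsing does not.
    """
    contacts = defaultdict(list)
    for ts, src, dst, port in flows:
        if zone_of(dst) == "internet":
            contacts[(src, dst, port)].append(ts)
    beacons = []
    for key, stamps in contacts.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            beacons.append((key, round(mean, 1)))
    return beacons


# Constructed sample flows: a few policy breaches, one host polling an
# external address every 60 s, and one host browsing at irregular times.
SAMPLE_FLOWS = [
    (0, "10.10.1.5", "10.20.0.10", 443),        # workstation -> server, allowed
    (5, "10.10.1.5", "10.10.1.9", 445),         # workstation -> workstation
    (9, "10.30.0.2", "10.20.0.10", 22),         # dmz -> server on SSH, not allowed
    (12, "10.10.1.7", "198.51.100.23", 8080),   # workstation -> internet, odd port
]
SAMPLE_FLOWS += [(60 * i, "10.10.1.7", "203.0.113.5", 443) for i in range(1, 9)]
SAMPLE_FLOWS += [(t, "10.10.1.5", "203.0.113.9", 443) for t in (3, 40, 41, 300, 305, 900)]

if __name__ == "__main__":
    for v in find_policy_violations(SAMPLE_FLOWS):
        print("policy violation:", v)
    for key, period in find_beacons(SAMPLE_FLOWS):
        print(f"beacon: {key} every ~{period}s")
```

The two checks are deliberately independent: the 60-second poller uses port 443, which the policy allows, so only the timing analysis catches it, while the SSH attempt from the DMZ is caught by the policy alone. In practice the zone map comes from the firewall or IPAM rather than a literal, and `max_jitter` is tuned against a baseline of known-good hosts.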

Botnets are difficult to stop once they have taken control of users’ devices. So, to reduce phishing attacks and other issues, make sure each of your devices is well guarded against this malicious hijack.

Neumetric, a cybersecurity services, consulting & products Organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for Organizations of all sizes & in multiple industries make it easier for us to quickly execute cost-cutting activities that do not bring value to you, while you continue focusing on the Business objectives of the Organization.

Indian Data Protection Bill – How to comply with The New Data Law?

The Indian Government is all set to legislate the Personal Data Protection Bill of 2019, which seeks to protect the privacy of personal data, regulate the processing of critical and sensitive personal data and establish a Data Protection Authority of India (DPAI) for regulations.

In other words, the bill would control the collection, storage, usage, processing, transfer, protection, and disclosure of personal data of Indian residents. This is an important development for global managers.

What does the Indian Data Protection Bill provide?

The Indian Data Protection Bill highlights some key features:

  • Promote concepts of consent, storage limitation, purpose limitation, and data minimization.
  • Put down obligations on agencies that collect personal data required for a specific purpose only, with the express consent of the individual.
  • Grant individuals the right to obtain their personal data, correct inaccurate data, update data, erase data, port data to other fiduciaries, and prevent the disclosure of personal data.
  • Grant right of grievance to individuals to complain against data fiduciary.
  • Authorize the central government to exempt any government agency from applying the proposed law.
  • Establish Data Protection Authority of India (DPAI) to prevent misuse of personal data, protect the interests of individuals, ensure compliance, and promote awareness about data protection.
  • Empower the Data Protection Authority of India (DPAI) to specify the code-of-practice to promote good practices of data protection.
  • Designate social media intermediaries as significant data fiduciaries whose actions have a significant impact on electoral democracy, the security of the state, public order, or the sovereignty and integrity of India.
  • Authorize Adjudicating Officers for deciding on penalties and award compensation for violations and Appellate Tribunal to hear appeals against these.

What’s in for Organizations?

Unlike Chinese regulations that follow the isolationist framework and prevent global players like Facebook and Google from operating within its borders, India has followed the EU’s General Data Protection Regulation (GDPR) in allowing international digital companies to conduct business under certain conditions. Yet, the bill carries additional provisions beyond the EU regulation. And India would always treat the data generated by its citizens as a national asset, store and guard it within national boundaries, and reserve the right to use that data to safeguard its defense and strategic interests.

The Indian Data Protection Bill or Personal Data Protection Bill (PDPB) has many features that will require organizations to change their business models, practices, and principles. Many others will add operational costs and complexity. The concerns being raised act as a primer for what Organizations need to keep in mind about India’s new regulation and the increase in data protection regulation around the globe. Additionally, understanding these issues will help digital companies plan ahead, address future regulations, and decide whether to enter or exit certain markets.

Organizations need to Gear Up

The need to secure Data Privacy is quite urgent for Organizations, considering the emerging threat scenarios and the implications of a data breach. With growing instances of data center decommissioning and migration to the cloud, companies are going through a technological shift. According to a study, by the year 2025, 80% of enterprises are expected to migrate away from on-premises data centers to the cloud. IT asset migration with faster device refresh cycles makes residual data leakage a key issue in the disposal workflow.

Keeping in mind these intrinsic data privacy challenges, the lack of awareness, the technological shift, and usage patterns under the emerging policy framework for data protection, it is obvious that most companies are not yet prepared to tackle them.

Unlike America and Europe, where data privacy laws have existed for a long time and are now going through iterations to govern data handling at the micro level, India is still waiting for its first data protection statute. So, Organizations in India will have to scale up their skills, systems, practices, and policies to fall in line with the Personal Data Protection Bill. But there is a whole lot that Organizations will need to understand to fall in line with the new law. Let’s have a closer look.

Ownership of Personal Data

The Bill proposes that the data provider is the owner of their own personal data. Now, this notion can impose an enormous implementation burden for digital companies. Organizations in the digital world would have to figure out how to comply with this requirement when the user demands erasure or recall of their personal data from a digital company. Digital companies will also have to think beyond their own data storage and usage, as they might have sold the data to a third party.

Three Classes of Data

According to the Personal Data Protection Bill, there are three categories of data from which a principal can be identified, Sensitive Data, Critical Data, and remaining data. Sensitive data includes data on financials, health, genetics, sexual orientation, transgender status, caste, and religious belief. Critical data includes data that the government stipulates from time to time as extraordinarily important like military or national security data. The third is a general category that is not defined but contains the remaining data. As mentioned above, the bill prescribes specific requirements that data fiduciaries must follow for the storage and processing of each data class.

All sensitive and critical data is supposed to be stored in servers located in India. While critical data can’t be taken out of India, sensitive data can be processed outside the country but must be brought back for storage. For general data, there are no restrictions. Currently, digital companies operate in a seamless cyber world, where they store and process their data wherever is economically most efficient. However, the locational divide proposed by the Personal Data Protection Bill will impose additional costs on digital companies.

This might result in subeconomic storage and processing capacities and may lead to “splinternet” or fragmentation of global digital supply chains.

Key Principles for processing of Personal Data

  • Transparency: Data controllers and data processors should provide a privacy policy for handling personal and sensitive information and must ensure that the policy is available to the data subject who has provided the information under a lawful contract. The policy should be published on the website of the company or of the person acting on its behalf. The policy must provide:
    • Readily accessible statements of the policies and practices of the data controller.
    • Types of personal data collected by the body corporate and the purpose of collection and usage of such information.
    • Reasonable security practices and procedures.
    • Disclosure of information, including sensitive personal data, as and when it is requested by the data subject.
  • Lawful Basis of Processing: The body corporate must obtain consent in writing from the data subject for the specific purpose for which the data would be used, before the collection of data. Sensitive personal information may only be collected if considered necessary. Companies must ensure that the information is used only for the purpose for which it was collected.
  • Purpose Limitation: The body corporate holding personal data should not retain that information for longer than required for the lawful purpose for which it was collected. However, a specific time frame for the retention of personal information has not been provided yet.
  • Retention: The IT Act does not provide any specific guidelines regarding the time frame for the retention of personal data. As per the IT Act, an intermediary is required to preserve and retain the information in a format and for a period of time as prescribed by the Central Government. Intermediaries include telecom service providers, network service providers, web hosting companies, search engines, online marketplaces, and cyber cafes.

Registration Formalities

Depending upon volume and sensitivity of data processed, risk of harm from processing to data principals, types of technologies used by the data fiduciary, and turnover, the data protection authority will notify some data fiduciaries as significant. This notification would require the data fiduciary to register with the authority, as specified. As per Section 38, data protection authority would require registration by any data fiduciary at its discretion, even if it is not notified as a significant data fiduciary.

For data processors and controllers, there are no statutory registration requirements. If a data fiduciary contravenes registration requirements, it will be liable to a penalty that may extend up to Rs. 50 million or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.

Limits on how Start-Ups can monetize Data

While large companies, including Indian information technology companies and global Internet giants, may not have to put too much effort to tweak their systems to comply with the proposed Indian law, start-ups may find it tough to put systems in place. The government will likely give companies up to 2 years to be fully compliant with the proposals in the Data Protection Bill after it passes Parliament and becomes law.

Indian startups will have to significantly restructure the way they capture data, store it, and set up their consent mechanisms. They will also require staff who understand the law and rules well. A cost element will also be involved, and they may have to budget for storage and compliance costs as well.

Once the Personal Data Protection Bill is in force as a law, start-up companies will only be able to collect personal data for clear, specific, lawful, and communicated purposes. Companies can collect only the data that is required for processing. The data cannot be repurposed for another use without informing the user of that change.

This can be particularly relevant for pilot projects that collect data without a definite purpose, in the hope of monetizing that data at some point in time. As per the new law, start-up companies will have to anticipate and inform consumers of the use cases and purposes of data collection in advance, even before processing any data, so as to ensure that the user consent that they obtain is valid.

The real challenge is with government agencies, state government departments and large tech giants who deal with a lot of user data. Start-ups will have an additional cost burden, but the implementation of privacy provisions will not be a challenge.

The new data protection bill will have significant consequences for start-ups, but at the same time companies will benefit from engaging with the shaping of the Personal Data Protection Bill. Learn more about the details of PDPB.

5G IoT Security – What’s in it for CISOs?

While 5G digital cellular networks are being set up around the world, it will surely take years for widespread coverage. This is the best time to find a way to ease into it while keeping cybersecurity in mind.

A New World of Opportunities, but with Risks

5G, the new digital cellular network, opens up a whole new world of opportunities for services that take advantage of the higher speeds and lower latencies it will offer. But as with most significant technology advances, there are risks for both network operators and users.

For the network operators, the architecture of the 5G network for tomorrow is going to be complex. While the infrastructure that supports the service ‘slices’ will be virtualized and orchestrated, the Multi-Access Edge Computing required to support new services will open up mobile infrastructure to a broader range of vendors. The intricacy of the control-plane to manage services and end-point connectivity will increase and so will the potential for cybersecurity issues from compromised or poorly behaving devices and applications.

For consumers, privacy will become a big issue. One of the main uses of 5G is massive machine type communication, which supports the ongoing proliferation of a large number of low-power, low-cost IoT devices. So, we can expect a growth in information gathering and exchange.

Organizations will be able to gather a lot of data about online and offline activities. This will allow them to create a more detailed picture of customer behavior. It will allow services tailored to consumer needs, habits, and locations, but it will also enable a new wave of social engineering attacks targeting individuals and the businesses they work for.

However, the major concern is that even if that data is anonymized, it is possible to construct a virtual identity for a user, which can be used to drive analytics and other decision-making systems. This is where regulation needs to be evolved. Users may need protection from pseudo-automated discrimination that can occur without reference to their real-world identity.

5G IoT Security Worries

While massive machine type communication networks are not expected to be deployed widely before 2021, they should eventually become omnipresent. They will pave the way for wider IoT device usage by public entities, enterprises, industries, and so on. Increased scale for device connectivity and interconnectivity, together with “slicing”, will enable a new range of IoT services and applications. As most existing IoT devices are not developed with cybersecurity as a priority, these devices themselves will be one of the security weak points.

When it comes to consumer-focused IoT, the concerns are evident in any conversation with a network operator who is looking to roll out 5G. Keeping in mind the amount of traffic these 5G-connected IoT devices can generate, and the potential for synchronized action that can cause resource exhaustion in some part of the infrastructure, it is quite clear that these vulnerable devices pose a threat to mobile networks.


The cybersecurity experts at Neumetric believe that at the most basic level and to protect the device fleet against the vast majority of common attacks and mass-malware outbreaks, Chief Information Security Officers should:

  1. Select manufacturers or vendors who can assure ongoing support and software updates for the devices.
  2. Use up-to-date software and put a process in place to assess newly disclosed vulnerabilities so that they can be managed appropriately.
  3. Have a visibility solution or service in place so that the behavior of devices can be monitored, and deviations from the norm spotted and investigated.

Data Protection from Security People

Modern security tools scan millions of devices every day and gather intelligence on billions of events, and they have grown increasingly capable. While the whole idea is to bring more information together for threat intelligence, it is equally important to understand how all of this data can itself be protected.

When Data keeps streaming in

Organizations never delete data; they are always adding more, with more devices and applications. They collect, store, and access information from many locations. Many Organizations lack control over employee-owned devices, which may be used to access key data. This makes malicious insiders a real threat to companies, especially those that hold vast amounts of sensitive data. Trend Micro and Twitter are two examples on a long and growing list of Organizations where insiders have abused legitimate access to enterprise systems and information.

With a lot of sensitive data streaming in, it is crucial that security companies re-evaluate how they store the data and who can access it. For some Organizations, this demands a closer look at the IT department, where too much access to data is provided to IT pros, who develop and test new applications.

Why do Data Breaches happen?

This might be risky in many ways. When you provide access to coders and developers to production data, you allow them to see sensitive information and bring the data into potentially risky situations. Sharing data inappropriately with unauthorized entities creates a vulnerability, but this is not the only consequence.

This also violates a growing number of data protection laws and regulations, under which companies can only use personal data for the purposes for which it was collected, and testing new applications and updates is usually not one of those purposes. Sharing a single user ID and password for each system is still a pretty common practice among IT and development teams. The problem that arises is that if something happens to the data, there is no way to find out who was behind the malicious activity.

Data Protection from Insiders

With multiple people using the same user ID, there is no way to keep accountability for those using that ID. This makes it hard to ascertain whether someone used that ID to steal key information. Failing to implement controls makes it easier for an insider to get away with data leakage or theft. Therefore, people who can access sensitive data should have their access monitored. Using individual IDs makes it possible to keep track of which employees obtain certain types of data or share it outside the Organization.
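Why the shared ID defeats accountability, shown on constructed audit logs: an added example, not code from the original post. The key=value log format, the host addresses and the account names are all constructed. For each bulk export the check asks which hosts had logged in under that account shortly before, and reports attribution as ambiguous whenever more than one could have issued it; a second check lists accounts that are evidently shared because they log in from several hosts within one window.

```python
"""Show why shared user IDs break accountability, from constructed audit logs.

Added example, not from the original post. The log format below is a
constructed key=value syslog-style format, not any real product's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one shared admin account used from two hosts,
# one individual account, each followed by a bulk export of sensitive data.
SAMPLE_LOG = """\
2024-03-01T09:00:05 login user=svc_dbadmin src=10.0.0.11
2024-03-01T09:00:40 login user=svc_dbadmin src=10.0.0.27
2024-03-01T09:02:10 export user=svc_dbadmin table=customers rows=120000
2024-03-01T09:05:00 login user=alice src=10.0.0.31
2024-03-01T09:06:00 export user=alice table=payments rows=500
2024-03-01T09:30:00 login user=svc_dbadmin src=10.0.0.11
2024-03-01T09:31:00 export user=svc_dbadmin table=salaries rows=3000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<kv>.*)$")


def parse_events(text):
    """Turn log lines into dicts: {'ts': datetime, 'action': str, ...key=value fields}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"]}
        ev.update(dict(kv.split("=", 1) for kv in m["kv"].split()))
        events.append(ev)
    return events


def sessions_before(events, user, when, window=timedelta(minutes=30)):
    """Source hosts that logged in as `user` inside `window` before `when`."""
    return {
        ev["src"] for ev in events
        if ev["action"] == "login" and ev["user"] == user
        and when - window <= ev["ts"] <= when
    }


def attribute_exports(events):
    """For every export, list the hosts that could have issued it.

    With an individual ID there is exactly one candidate; with a shared ID
    there can be several, and no log entry tells them apart.
    """
    report = []
    for ev in events:
        if ev["action"] != "export":
            continue
        candidates = sorted(sessions_before(events, ev["user"], ev["ts"]))
        report.append({
            "table": ev["table"],
            "user": ev["user"],
            "candidates": candidates,
            "attributable": len(candidates) == 1,
        })
    return report


def shared_accounts(events, window=timedelta(minutes=30)):
    """Accounts seen logging in from more than one host within `window`."""
    logins = defaultdict(list)
    for ev in events:
        if ev["action"] == "login":
            logins[ev["user"]].append(ev)
    shared = {}
    for user, evs in logins.items():
        for ev in evs:
            srcs = sessions_before(evs, user, ev["ts"], window)
            if len(srcs) > 1:
                shared[user] = srcs
    return shared


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for row in attribute_exports(events):
        print(row)
    print("shared accounts:", shared_accounts(events))
```

The customers export comes back with two candidate hosts and `attributable` set to False: the log faithfully records that `svc_dbadmin` did it, and that is exactly as far as the investigation can go. The `alice` export resolves to one host. Even the later `svc_dbadmin` export resolves to one host only because the second user happened to have logged out of the window; that is luck, not a control.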

Data backup is usually one area where insiders can take advantage, so Organizations should consider which data needs to be protected. Many companies have strong controls on the production data used for daily work activities, but their backups are left wide open. Access to backup data is often not restricted, and it is granted to many people who can then obtain personal information or corporate secrets.

Separation of Duties & Access – First step towards Data Security

There are many ways Organizations could put data at risk and there are some ways they can protect it.

Maintaining a historical record of all assets connected to the Internet, communications between them and who owns them can actually enable customers to identify unknown assets and potentially malicious traffic.

Engineering and data science employees who have access to back-end systems should sign an agreement. This agreement should be separate from the employee contract and must highlight the fact that they can’t use the data outside certain applications. This is your first step towards Data Security and Protection. The number of people in the Organization who could access the data is relatively small. Systems should also be segmented so that employees who do not require certain data, should not have access to it. For instance, members of the marketing team should not be able to reach back-end systems.

Lastly, auditing ensures that systems are behaving as expected. The security manager does their own compliance and audit checks, but third-party pen-testing and security checks are also advisable. Maintaining separation of duties ensures that the people who have access to sensitive data are different from the ones who approve that access. Offboarding and onboarding controls are also important to ensure sensitive data stays where it belongs.
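The controls described in this section (the signed data agreement, segmentation by role, approvers kept separate from access holders, and offboarding) expressed as checks an access-request workflow can run: an added example, not code from the original post. The roles, systems, people and the role-to-system policy are constructed and hypothetical.

```python
"""Separation-of-duties and segmentation checks for access requests.

Added example, not code from the original post. Roles, systems, people and
the role-to-system policy are constructed and hypothetical.
"""
from dataclasses import dataclass

# Constructed policy: which roles have a business need for which systems.
ROLE_ALLOWED_SYSTEMS = {
    "engineering": {"backend-db", "backend-api"},
    "data-science": {"backend-db", "analytics-warehouse"},
    "marketing": {"crm", "analytics-warehouse"},
    "security": set(),   # reviewers approve access but hold none themselves
}
# Systems that hold sensitive data and require the signed data agreement.
SENSITIVE_SYSTEMS = {"backend-db", "backend-api"}


@dataclass
class Employee:
    name: str
    role: str
    signed_data_agreement: bool = False
    active: bool = True          # offboarding flips this to False


def review_request(requester, approver, system, current_grants):
    """Return the reasons to refuse the request; an empty list means grant it.

    current_grants is the set of (employee name, system) pairs already in
    effect, used to keep approvers separate from the people holding access.
    """
    problems = []
    if not requester.active:
        problems.append("requester is offboarded")
    if not approver.active:
        problems.append("approver is offboarded")
    if approver.name == requester.name:
        problems.append("separation of duties: requester cannot approve their own access")
    if (approver.name, system) in current_grants:
        problems.append("separation of duties: approver already holds access to this system")
    if system not in ROLE_ALLOWED_SYSTEMS.get(requester.role, set()):
        problems.append(f"segmentation: role {requester.role!r} has no business need for {system!r}")
    if system in SENSITIVE_SYSTEMS and not requester.signed_data_agreement:
        problems.append("no signed data-handling agreement on file")
    return problems


def audit_grants(current_grants, directory):
    """List grants that offboarding or role changes have made stale."""
    findings = []
    for name, system in sorted(current_grants):
        emp = directory.get(name)
        if emp is None or not emp.active:
            findings.append((name, system, "holder is offboarded"))
        elif system not in ROLE_ALLOWED_SYSTEMS.get(emp.role, set()):
            findings.append((name, system, "role does not permit this system"))
    return findings


# Constructed staff directory and the grants currently in effect.
ALICE = Employee("alice", "engineering", signed_data_agreement=True)
BOB = Employee("bob", "engineering", signed_data_agreement=True)
CAROL = Employee("carol", "marketing")
DANA = Employee("dana", "security")
EVE = Employee("eve", "data-science", signed_data_agreement=True, active=False)
DIRECTORY = {e.name: e for e in (ALICE, BOB, CAROL, DANA, EVE)}
CURRENT_GRANTS = {("bob", "backend-db"), ("eve", "backend-db"), ("carol", "backend-db")}

if __name__ == "__main__":
    for requester, approver in ((ALICE, DANA), (ALICE, BOB), (ALICE, ALICE), (CAROL, DANA)):
        verdict = review_request(requester, approver, "backend-db", CURRENT_GRANTS) or "GRANT"
        print(f"{requester.name} <- {approver.name}: {verdict}")
    for finding in audit_grants(CURRENT_GRANTS, DIRECTORY):
        print("stale grant:", finding)
```

The request path refuses self-approval and approval by someone who already holds the access, which is the separation the text calls for; the audit path is the periodic sweep that catches grants left behind by offboarding or by a role change, which a request-time check alone never sees.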

Financial Services

Security Companies are already facing new laws and protocols that will dictate how data collected by security tools will be protected. The financial services industry is also responsible for vast amounts of sensitive data and has been tightly regulated. Therefore, there is a lot to learn from an industry that uses organizational controls and peer-to-peer collaboration to protect data.

Just like Cybersecurity Companies depend on their customers’ trust in their responsible data management, financial companies depend on public trust in the financial system. This industry has evolved “trust-building” mechanisms that allow members to share intel in a trusted network without the fear of that information being leaked or used against them.

According to Neumetric, one of the top cybersecurity companies in Bangalore, the industry has always been heavily regulated and therefore, many individual financial companies have invested in personnel, services, infrastructure, and also protocols to protect customers and themselves.

For security, financial services companies are implementing new technologies, including cloud computing, artificial intelligence, and machine learning, for data protection.

These new technologies provide potentially game-changing business opportunities, but at the same time, they also bring new risks that institutions must manage if they are to maintain the trust of their customers. Building a strong peer-to-peer network and sharing intel is the key to mitigating risks.


What is Cybersecurity Leadership?

For organizations today, cyber risk is everywhere. Nevertheless, for every investment they have made to secure systems and protect customers, entrepreneurs are still struggling to make cybersecurity a hands-on part of operations and strategy. There are basically two reasons behind this: first, cybersecurity is still treated as a back-end job, and second, the IT department is ill-equipped to exert strategic influence.


In most businesses, cyber leaders are expected to secure the business, but when the company board makes big, strategic decisions about the business model, product, and digital strategy, cybersecurity is just an afterthought. This clearly shows that companies are losing out on the value the function can provide. This approach was acceptable in the past, when threats were slower and less complex, but today it is not sufficient.


Today cyber leaders should be proficient enough to embed security throughout the business operations, rapidly respond to threats, and influence fellow senior leaders. And therefore, companies need to hire and develop security executives for their IT department who have the skills to do so. It’s time for the company boards to retune their expectations about how cybersecurity is positioned and what would be the role of their cyber leader in this risky scenario.

Here are some pointers that are sure to facilitate businesses to set a framework as to what business leaders should do to spur cybersecurity success.

Your Cybersecurity Strategy: The first thing you need to ask yourself is what outcomes you are seeking. Every business has a unique risk portfolio and there is absolutely no one-size-fits-all strategy. However, there are some primary options that all companies should consider while building their strategy. For instance, the strategy should be built around business continuity, compliance, brand protection, and bottom-line growth. You may want to think about factors like risk exposure, regulatory pressure, and customer value. Entrepreneurs must thoroughly analyze why they need cybersecurity for their business, and they should be clear about their choices.

Cybersecurity function must influence: It may be easy to default to position cybersecurity within the IT function, but putting security and IT operations under the same roof, with the same budget can cause problems. Even before you decide where cybersecurity would be positioned, determine the types of influence you want it to have. Businesses operate in extensive ecosystems, where data and digital infrastructure are not neatly contained. Therefore, cybersecurity needs to be customized to specific elements. For instance, if your cyber needs are high in R&D, customer support, and manufacturing, you will have to position cybersecurity for lateral impact. Cyber leaders and programs also require proper authority, some political sway, and a top-level mandate so as to orchestrate change across the business. And most importantly, business leaders should incentivize the right stakeholders to work closely with the function.

Right Cyber Leader: It is quite crucial for boards and C-suite executives to prioritize mindset over technical skills when considering and evaluating cyber leaders. Qualities like an expansive worldview, eagerness to help others grow, an understanding of how neuroscience can improve leadership, and a voracious hunger for learning should be taken into consideration. Businesses do require skills like threat intelligence, network security, and incident response, but these should not be the benchmark by which cyber leaders are measured. Cyber leaders should appreciate the technical capabilities, but they themselves need to be someone with an influential voice in business strategy, enterprise risk management, and technology decisions.

Cyber leaders should focus on building the right relationships across the business ecosystem alongside structuring, empowering, and growing teams. They should be able to translate abstract technical concepts into messages that reach senior leaders both logically and emotionally and elicit their contribution.



The Cybersecurity Experts at Neumetric believe that this framework can help mitigate business risk, lay guardrails for technology and security, reduce friction with regulators, and also increase competitive advantage.

Cyber Risks Heating Up for Businesses with International Tensions Flaring

Discussion of cyber risk has moved from Trojans and phishing to the possibility of physical, military conflict spilling into the online world. The military action involving Iran and the United States led many to speculate about possible cybersecurity repercussions. Experts, however, question whether the threat landscape has actually changed at all.

In the cyber world there is a conflict going on all the time, with nation state-backed attacks a constant rather than an exception. Players like Iran, China and others are always engaged. Threat actors are always probing and poking to see which data is exposed and which opportunities are available. This constant probing is a clear departure from the Cold War era, when battlefields were well defined. Now the Internet is the battlefield, and most businesses are on it whether or not they are a direct target.

But why are these businesses at risk of threats related to international socio-political affairs? What does that overall threat landscape look like to enterprises?

Attacks from different Directions


It may seem that the biggest immediate risk is criminal Organizations, which have a straightforward goal: extract data or behaviour from the company that can be converted into money. Nation-state sponsored attacks, by contrast, are more specific. They are less likely to be financially motivated and more likely to seek impact on the targeted Organization along some other line, whether that is making a statement or causing panic. Making a statement means choosing targets that most criminals would not have in their sights. Causing panic may mean large-scale economic disruption, such as the effect of DDoS attacks against financial services institutions.

Apart from traditional IT targets, much industrial infrastructure around the globe is also exposed to cyber risk, and most of these industrial environments are underprepared to defend themselves. These industrial targets are vulnerable, and their compromise can have wide-ranging impact. Just one or two systems that have not been protected or patched will allow attackers to wreak whatever kind of havoc they have at their disposal, and that havoc can extend well beyond the shop floor.

Neumetric, a top Cybersecurity company in Bangalore, believes that an Organization should always remember that every IoT device is part of the network and, at the same time, is an attacker's gateway of choice for penetrating that network.

Defending the Enterprise From Cyber Risks

In 2012, the Disttrack (Shamoon) attack against Saudi Aramco devastated the company and put all of Saudi Arabia on its heels for half a year, but it also led to a better and more successful defence in Bahrain. Before the Saudi Aramco attack, computer security in the Middle East was far weaker, almost non-existent.

But losing 32,000 computers, workstations and servers in one of the world's first widely recognized nation-state attacks, and the shutting down of the country's number one wealth producer, has a way of creating a spotlight.

Layers of security are critical for protecting both IT and OT infrastructure. Many enterprises are now focusing on network security solutions to secure the network while also adding a further layer of security embedded in each device. One thing every enterprise should understand is that cybersecurity is cultural: technologies are tools in the battle, not the battle itself.

The security culture should extend to the C-suite and the executive board. The day is not far when companies will be evaluated on their cybersecurity and resilience, just as they are evaluated for their financial statements. Organizations need to evolve the debate from whether we do cyber in enterprises to how we can create value from it.


With Cyber Threats Evolving Increasingly, Effective Risk Management is The Masterkey

Corporate information security risk management is undoubtedly a tough job, especially when Businesses keep generating large volumes of data while cyber threats keep evolving.


Some people blame control frameworks, but these simply catalogue the possibilities. The real culprit is broken risk models. They take a "need to catch them all" approach and pretend that there is a linear relationship between loss exposure and security controls. This ignores crucial variables like attacker capability, frequency of attack and the Organization's tolerance for loss.

This approach finds its way into auditing frameworks very often. It treats every missing or deficient control as a risk, and it has allowed risk appetite statements expressing zero appetite to make their way to corporate boards and senior executives. For an Organization with a limited budget, a risk appetite statement of "we don't accept any cyber-related risk" is virtually impossible to put into action: it implies spending every dime to avoid a loss, and still no one can guarantee a future with zero incidents.

Instead, statements about loss and risk should focus on the range of amounts that could be lost and the timelines over which those losses may occur. This is where effective risk management plays a vital role.

Effective Risk Management

Effective risk management allows any Business to attain an acceptable amount of loss over time with the least amount of capital expenditure. It helps balance the money spent today to reduce risk against the probability of some amount of loss in the future. Good risk management is not about perfect risk avoidance, because this notion would choke off innovation and good Business management.

Risk reduction investments are, by nature, about curtailment. Business innovation suffers when teams lack the freedom to operate, just as it suffers when they operate without safeguards in place; the task is to find the right balance between the two.

Navigating Risk


What is the most important thing if you intend to navigate risk and reduce it through a security control process? A good model that represents the nature of risk accurately. But that is not all: the model should also support the modern needs of Organizations, such as allocating budget against risk or deciding whether to purchase cyber insurance.
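The following is an added example, not code from the original page or from Neumetric, showing what a risk model of the kind described above looks like when it states loss as a range over a timeline instead of a checklist of missing controls. It is a FAIR-style Monte Carlo model: attack frequency is drawn from a Poisson distribution, loss per event from a lognormal distribution calibrated to a 90% interval, and each candidate control is scored by expected loss plus control spend, subject to the Organization's stated tolerance for loss. Every number in it (frequencies, loss ranges, control costs, tolerance, appetite) is an assumption chosen for illustration.

```python
import math
import random
from dataclasses import dataclass

# Added example: a FAIR-style Monte Carlo loss model. All scenario numbers are
# constructed assumptions for illustration, not figures from the page.


def sample_poisson(rng, lam):
    """Number of loss events in one year, drawn from Poisson(lam) (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(low, high):
    """Parameters of ln(X) so that [low, high] is the 90% interval of per-event loss X."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)  # 1.645 = z for the 95th percentile
    return mu, sigma


@dataclass
class Scenario:
    name: str
    events_per_year: float      # expected attack frequency after the control is applied
    loss_low: float             # 90% interval of loss per event, in currency units
    loss_high: float
    annual_control_cost: float = 0.0


def simulate(scenario, years=3, runs=10000, seed=7):
    """Sorted list of total losses over `years`, one entry per simulated future."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    totals = []
    for _ in range(runs):
        total = 0.0
        for _ in range(years):
            for _ in range(sample_poisson(rng, scenario.events_per_year)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    totals.sort()
    return totals


def summarize(scenario, tolerance, years=3, runs=10000, seed=7):
    """Loss range over the timeline and the probability of exceeding the loss tolerance."""
    totals = simulate(scenario, years, runs, seed)
    n = len(totals)

    def pct(p):
        return totals[min(n - 1, int(p * n))]

    expected = sum(totals) / n
    return {
        "scenario": scenario.name,
        "years": years,
        "expected_loss": expected,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_exceeds_tolerance": sum(1 for t in totals if t > tolerance) / n,
        "total_cost": expected + scenario.annual_control_cost * years,
    }


def choose(scenarios, tolerance, appetite, **kw):
    """Cheapest option (expected loss + control spend) whose P(loss > tolerance) is within appetite."""
    rows = [summarize(s, tolerance, **kw) for s in scenarios]
    acceptable = [r for r in rows if r["p_exceeds_tolerance"] <= appetite]
    best = min(acceptable, key=lambda r: r["total_cost"]) if acceptable else None
    return rows, best


def run_example():
    # Assumed scenario: a mid-size firm weighing two controls against doing nothing.
    scenarios = [
        Scenario("do nothing", 2.0, 20_000, 800_000, 0),
        Scenario("patch + segment (cuts frequency)", 0.8, 20_000, 800_000, 120_000),
        Scenario("backups + IR retainer (cuts magnitude)", 2.0, 10_000, 250_000, 60_000),
    ]
    # Stated appetite: at most a 10% chance of losing more than 1.5M over three years.
    return choose(scenarios, tolerance=1_500_000, appetite=0.10, years=3)


if __name__ == "__main__":
    rows, best = run_example()
    for r in rows:
        print(f"{r['scenario']:<42} E[loss]={r['expected_loss']:>12,.0f} "
              f"p90={r['p90']:>12,.0f} p99={r['p99']:>12,.0f} "
              f"P(>tol)={r['p_exceeds_tolerance']:.2%} total={r['total_cost']:>12,.0f}")
    print("choose:", best["scenario"] if best else "no option meets the appetite")
```

The output is a loss distribution per option rather than a yes/no control status: the p90 and p99 columns are the "range of amounts that could be lost", the `years` horizon is the timeline, and `p_exceeds_tolerance` is what a board-level appetite statement can actually be checked against. Replacing the assumed frequencies and loss ranges with estimates from your own incident history and threat intelligence is the calibration step the model cannot do for you.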


The cybersecurity experts at Neumetric believe that effective risk management helps an Organization get where it wants to go while avoiding pitfalls and surprises along the way. It lets Organizations achieve their Business objectives through more informed risk-taking and decision making.



GDPR for Sales – How GDPR affects Cold Emailing & Calling?

If your sales process relies heavily on cold emailing or calling prospects, then there is something crucial for you to know about the European General Data Protection Regulation (GDPR).

At the most basic level, the GDPR changes the way outbound sales teams can collect and use personal data such as names, IDs, email addresses and other details. So whether you buy lists of leads to fill your pipeline, automatically add new inbound contacts to your sales funnel or scrape prospects from social media platforms, the strategies you have been using to turn prospects into customers are going to have to change dramatically.

There are a lot of questions about how the General Data Protection Regulation affects sales teams. Here are the biggest concerns sales teams have about staying compliant while prospecting.

Q. What does the GDPR cover and do I need to care about it if I’m outside of Europe?

It gives individuals in the EU more control and transparency over who can use and store their personal data. This means that when a company uses personal data to build sales leads, it has new responsibilities around collecting and processing that data. Personal data includes names, phone numbers, IDs, email addresses, IP addresses, mobile device IDs and even data that has been encrypted or pseudonymised but can still be linked to a person.

For any sales team, personal data is crucial to outbound sales. Under the regulation, you cannot use personal data (like a phone number or email address) to contact someone without a lawful basis for doing so, and for most cold outreach that means the person's consent. This may sound like the end of cold prospecting emails, product demo invitations and quick catch-ups with people who have not opted in to receiving your messages. But here are a few things you must understand about the General Data Protection Regulation.

GDPR applies to your sales prospecting towards people in the EU, wherever your company is based. You need to be concerned about its guidelines if your business:

  • Offers services or products to people in the EU.
  • Has an established presence in the EU.
  • Uses their personal data in some other way, such as monitoring or profiling them.

You may still be able to contact prospects on the basis of legitimate interests. If your company's legitimate interests are not overridden by the individual's fundamental rights and freedoms, you may be able to use the contact data. If a prospect complains about your outreach, the company must be able to argue that the communication was lawful. It is therefore crucial that you document your legitimate interest, make it clear in the communication and offer an easy opt-out.

The final effects will not be clear until the proposed ePrivacy Regulation is finalized. GDPR is only a starting point for new rules around personal data, and the full impact on outbound sales and marketing will depend on that further regulation. In other words, there is still more change ahead.

Q. How do I get consent from my prospects?

Under the General Data Protection Regulation, the safest basis on which your sales team can do outbound sales is consent from the prospect to be contacted (legitimate interest, discussed above, is the alternative and must be documented). For consent to be valid it must be:

  • Given freely
  • Transparent and specific about what it will be used for
  • Easy to withdraw at any time

To show that consent was given freely, your lead has to actively opt in to receiving communications from you. This also means that consent to receive sales emails or calls cannot be made a condition of using your services.

When a prospect gives you consent, you should be open and transparent about what you are using that consent for. For instance, if a prospect has given you their email to send them an eBook, it cannot be used to send sales emails or unrelated content.

Lastly, your prospects should be able to withdraw consent at any time, through an unsubscribe link in emails or some other way of contacting you to get off your list. So if a prospect emails you and asks why you have their personal information, you should be able to say: "Here's where we got your data. Here's the link to our privacy notice and here's the link to unsubscribe."

Q. Do I need consent only for sending bulk emails? What about individual outreach?

Fundamentally, there is no legal difference between bulk emailing and one-to-one emailing when it comes to cold outreach under the regulation. Even a one-off "just reaching out" email needs prior consent (or another documented lawful basis) to be legal.

Q. How to build the outbound sales funnel under GDPR?

It might seem impossible to build an outbound sales funnel under the regulation, but there are still ways to grow your leads.

  • Focus more on content marketing and inbound sales: Inbound marketing and sales are going to become more important. Organizations should take the time to ensure that all their forms are set up to gather personal data properly and record consent.
  • Buy relevant lists with documented consent: You can still buy lists of leads under the regulation, but you must ensure that those lists come with metadata explaining how and when each person gave consent. If you can prove that the people on the list consented to receive emails from you, the list is fine to use.
  • Advertise on sites that are relevant to your customers: Advertising and collecting inbound sales leads is legal under the regulation; you just need to gather and track consent whenever you get a new lead.

Q. How will GDPR affect cold calling?

If your sales team is already seeing success with cold calling, you will be happy to know that cold calling is not as restricted under the General Data Protection Regulation as cold emailing. And if cold calling is not yet part of your sales process, you might want to consider it now.

You still need to identify yourself and tell the prospect who you work for, why you are calling and how you got their information. You also need to ensure that you only call people who have either consented to receive your calls or who are not registered on a do-not-call list. Because such lists are national, you will have to check them on a nation-by-nation basis.

While cold calls are not heavily scrutinized under the GDPR, this will probably change if and when the proposed ePrivacy Regulation is finalized. According to the proposal, unsolicited direct marketing by any means, including SMS, email or automated calling machines, will be prohibited unless direct consent is given.

GDPR may be bringing some major changes to the way outbound sales teams work. Don’t think of it as something meant to kill the outbound sales process. Rather, it is a shift in the way you think about who your ideal customer is and how to get in touch with them.


How Organizations Unknowingly Help Network Hacking

As technology evolves, hackers' techniques advance with it. This puts tremendous pressure on Organizations to constantly update their security measures in order to keep their data safe from network hacking.


Hackers can not only expose crucial company information, but sensitive customer data as well, that can lead to potentially devastating effects. Therefore, any Business in any industry must realize that cybersecurity is an important aspect. Without proper prevention, you may fall prey to network hacking in the near future.


Most of your employees probably know not to send a password by email or open a strange attachment from someone they do not know. But do they know that posting photos of their badges on social media, or revealing details about internal software in job descriptions, can cause just as much harm? There are many ways Organizations and their employees unknowingly give cybercriminals a helping hand. Here are five ways your Organization may be putting your network's security at risk:

A Picture or a Video can say a lot

The most common slipup that happens in companies is oversharing online, especially on social media. For instance, Human Resources sharing photos and videos to attract job applicants, interns posting photos of new badges or employees sharing photos of any office celebration.


Attackers can use many things in these photos and videos to their advantage, such as company badges or information left on whiteboards. Office pictures can show an attacker how desks and cubicles are laid out, what type of computers employees use, and which programs, email clients and browsers they run. Employees accidentally make it easy for attackers to duplicate badges, impersonate staff and acquire knowledge they should not have.

Overly detailed Job Postings

An innocuous-looking job posting may give attackers exactly the information they need. Many Organizations go into very specific detail about the internal software they use, which gives attackers a lot of insight into the internal environment. An attacker who knows the company's software stack knows exactly what to target to break in. If they do not want to develop malware, they may use this knowledge to build a phishing campaign that lures victims with content tailored to the software they use.

Your Email Signature

Many employees reply to phishing emails to prove that they cannot be fooled; instead, they play right into the attackers' hands. A reply proves to the intruder that a real person is at the other end and reveals the company's email address format, which is a formula they can use to identify and target other people in the same Organization. The signature in that reply may also hand over an office phone number and extension, a mobile number, social media handles and a website link, all of which are useful in future network hacking or phishing attacks.

Out of Office Emails

Automatic replies and out-of-office emails are among the most common ways companies make themselves vulnerable. Employees often include a precious amount of detail, enough for an intruder to take advantage of. For example: "Hi, this is John. I am away on vacation. For project X, contact X person at X email address; for project Y, contact Y person at Y email address."

Full names, project names, and even contact details in an automatic reply makes it easy for attackers to target people. Using this information, they can email another employee with the company and pretend to be working with John on a project, obtain sensitive data, or request a wire transfer.

Failing to Verify Callers

One of the usual pen-testing tactics is caller ID spoofing. When someone calls, people usually do not question it: they are used to seeing that IT or human resources is calling. Security training programs tell employees not to share their passwords, but they rarely emphasize the importance of questioning and verifying phone calls. Caller ID spoofing and SMS spoofing are widespread, and both are fairly easy for an attacker to pull off.

Education is the first step towards preventing employees from accidentally leaking data. Beyond educating employees, companies should also teach them what to do when they spot an attempt. Actionable policies should spell out the steps employees must take when they realise they have fallen for a phishing scam.

Cybersecurity Experts at Neumetric suggest that teaching employees not to share information that could be used to assume their identities is the first step. Alongside this, employees should adopt multi-factor authentication, so that it is harder for attackers to pretend to be someone they are not.


Have You Heard About the Whale Phishing Attack?

A whaling attack, also known as a whale phishing attack, is a common cyber-attack that targets high-profile employees, like CEO or CFO, as they’re likely to possess access to more confidential data, intellectual property, and other sensitive information. In many cases, the attacker’s goal is to influence the victim into authorizing high-value wire transfers to the attacker.


Many whale phishing emails are designed to support fraudulent wire transfers. What exactly is a whaling attack, and how can you stay protected? Let us find out.

How does a Whaling Attack work?

A whaling attack is a type of phishing attack that targets wealthy, prominent, and high-profile individuals. In this cyber-attack, a highly customized phishing email which includes the target’s name, job title, and other relevant information, is sent to the high-profile targets. This email includes a link that redirects the targets to a phishing page that harvests the corporate or personal information of the target.

Due to their highly targeted nature, whaling attacks are usually more difficult to detect than standard phishing attacks, because the sender's display name, address and the links used in the email are all crafted to look legitimate.

Whaling attack history

In 2016, Snapchat’s payroll department received a whaling email that purported to come from the CEO asking for employee payroll information. In response to the email, the payroll staff disclosed all of the company’s payroll data to a scammer.


In March 2016, an executive at Seagate responded to a whaling email that requested the W-2 forms for all current and former employees. This incident caused a breach of income tax data for almost 10,000 Seagate employees.

Toy giant, Mattel lost over $3 million after a senior finance executive fell victim to a whaling email attack. The email claimed to come from the new CEO and requested a wire transfer.

Defending against Whaling attacks


Cybersecurity experts at Neumetric recommend never clicking links or attachments in emails from unknown or unverified senders. Always verify the legitimacy of the source before responding to an email, and treat any email that asks for personal or financial information with suspicion.

High-level executives should take extra care when posting and sharing personal information on social media. Educating employees on how to identify phishing emails is also highly recommended. To keep whaling attacks at bay, you can deploy anti-phishing software and flag emails that are sent from outside the corporate network.
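The following is an added example, not code from the original page or a Neumetric product, showing what the last two recommendations look like as concrete mail-filter logic: every message from outside the corporate domain gets an external marker, and a message is quarantined when its display name matches an executive on a roster but its address does not, or when its domain is a lookalike of the corporate domain. It also flags a Reply-To that steers replies elsewhere and the wire-transfer and payroll language seen in the Snapchat, Seagate and Mattel cases. The corporate domain (`example.com`), the executive roster and the three sample messages are all constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed, for illustration only: the corporate domain and an executive roster.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",     # CEO
    "raj patel": "raj.patel@example.com",   # CFO
}
# Phrases that recur in the wire-transfer and W-2 frauds described above.
FINANCE_KEYWORDS = ("wire transfer", "w-2", "payroll", "urgent", "keep this confidential")


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message):
    """Return findings and a verdict ('deliver', 'banner' or 'quarantine') for one email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr)
    findings = []

    # 1. Mail from outside the corporate domain gets an external banner at minimum.
    external = from_domain != CORPORATE_DOMAIN
    if external:
        findings.append(f"external sender {addr}")
        if 0 < levenshtein(from_domain, CORPORATE_DOMAIN) <= 2:
            findings.append(f"lookalike domain {from_domain}")

    # 2. Display name matches an executive but the address is not that executive's.
    expected = EXECUTIVES.get(name)
    if expected and addr != expected:
        findings.append(f"display name '{name}' impersonates {expected}")

    # 3. Reply-To steering replies to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender")

    # 4. Finance / payroll language typical of whaling lures (low weight on its own).
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [k for k in FINANCE_KEYWORDS if k in text]
    if hits:
        findings.append("finance keywords: " + ", ".join(hits))

    impersonation = any("impersonates" in f or "lookalike" in f for f in findings)
    verdict = "quarantine" if impersonation else ("banner" if external else "deliver")
    return {"from": addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real traffic).
WHALING_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: payroll@example.com
Subject: Urgent wire transfer before close of business

Need a wire transfer of 48,000 USD processed today. I am in meetings, reply here only.
"""

INTERNAL_SAMPLE = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Q3 planning offsite

Agenda attached, see you Thursday.
"""

VENDOR_SAMPLE = """\
From: "Acme Billing" <billing@acme-vendor.test>
To: accounts@example.com
Subject: Invoice 1042 for September

Please find attached invoice 1042.
"""

if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, INTERNAL_SAMPLE, VENDOR_SAMPLE):
        result = analyze(sample)
        print(result["verdict"].upper(), result["from"])
        for finding in result["findings"]:
            print("   -", finding)
```

The executive-roster check is the one that catches the Snapchat-style lure, where the display name is right and only the address is wrong; the keyword list on its own is deliberately not enough to quarantine, since finance staff receive genuine payroll and transfer mail every day. In production the roster would come from the directory and the external banner would be applied by the mail gateway, but the decision logic is the same.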

So, if you are also in need of cybersecurity, contact us today and get a free assessment.  
