Alarmingly Low Rate of Employees Receive Security Awareness Training


With the state of the economy, it is not too shocking that only 43% of employees receive security awareness training. Many companies have been faced with reducing their workforce and running “leaner and meaner,” thus devoting every hour of the workday to improving the company’s bottom line. It is hard to believe that such an important element has gone the way of the Dodo bird. One would think that more time would be dedicated to security training given the recent and highly publicized security breaches at other companies.

However, the results of a recent survey by Enterprise Management Associates (EMA) show that 56% of corporate employees have not received any security awareness or policy training.

A recent article from SC Magazine, “Security Awareness Training: It’s Not Just for Compliance,” explains EMA’s findings: “45 percent of employees received their training in a single annual session. But a one-off training session that covers a broad swath of security issues likely isn’t effective.”

According to the report, the average cost of providing security training is only $50. This seems like a small price, but multiply that by a few hundred users and you start to see why this simple exercise in protecting the company may be overlooked. Yet providing the staff with proper training could save the organization from the far greater expense of a data breach.

“35 percent said they clicked on an email from an unknown source and 33 percent have the same password for both work and personal devices.” White goes on, while “30 percent still leave mobile devices unattended in their car. They need to know why security is important.”

While under-education of the population at large can seem startling, a best practice for increasing security within any environment is to have a strong password policy that includes specific password expiration increments. In order to deploy such a password policy, the company must first roll out a self-service password reset program. Many companies turn to the authentication experts at PortalGuard for their self-service password reset needs and other authentication solutions.

EU Behind the Times for Cyber Security


Often in our blog we focus on what is happening here in America, but we work with companies all over the globe. Recently, there was a survey done by the  where they questioned over 27,000 people in the European Union about their internet use, security attitudes and experiences. [1] The survey showed that individuals in the EU were behind the times when it came to cyber security.

Just over a quarter of those surveyed use only their own hardware to go online, and just under that figure (24%) use unique passwords for different sites. Does this remind you of any recent breaches?

“Of those surveyed 48% of web users said they had not changed any of their online passwords in the last year. Out of those who had made changes, the highest figure was for webmail (31%) with social networks just behind on 26%. Online banking passwords were less likely to be changed, with only 20% changing in the last 12 months, and shopping site passwords were rarely changed, at only 12%.” [1]

These numbers seem slightly off, because you would think the information that could be obtained by hacking into your bank account would be more detrimental than that in a social media account. The website Naked Security adds that maybe this is a sign that there is a need for more education.

Most of the statistics in the report point back to the fact that there is a common fear of the risks associated with using the internet, so many people put off taking advantage of all that it has to offer. The catch is that most of these people are not even doing the basics to protect themselves.

If you have a fear about using the internet, take the time to educate yourself and those around you, whether it’s your family or co-workers. Make sure you have strong passwords in place that cannot be easily guessed. And if you do not have anti-virus software installed on your machine, then definitely take the time to do so.

You can read the full report (resource 2 below) for more statistics.

Resources:

1.)    http://nakedsecurity.sophos.com/2013/11/27/only-24-of-europeans-use-different-passwords-for-different-websites/

2.)    http://ec.europa.eu/public_opinion/archives/ebs/ebs_404_en.pdf

CJIS and Advanced Authentication – Approaching Deadline

February was the deadline month for the new Advanced Authentication requirements being enforced by CJIS, one of the largest divisions of the FBI; the deadline has now been postponed to September 2013 because most local governments were not able to meet the requirements in time. The requirements now mandate that accessing any sensitive data in the CJIS database requires Advanced Authentication (AA), also known as two-factor or multi-factor authentication. The requirement is being put in place to protect the data and to require the user to really prove who he/she claims to be.

As defined in one of our previous posts (What is two-factor/multi-factor authentication?) the new AA implementations will need to require at least two out of the three authentication factors to prove a user’s identity. Here is the definition directly from the FBI standards:

“Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions. Advanced Authentication is also called Multi-Factor or Two-Factor authentication.”

Many times the existing authentication for building access, such as smart cards, can be leveraged, but these are not as convenient for the mobile workforce the requirements are targeting. The penalties for not being compliant are severe, including loss of access to the CJIS database. CJIS will not help you choose the best authentication solution, but it can help you determine whether you are in compliance once you are using one.

The key to a good solution will be the flexibility it offers. Because the target users are mobile and usually work from a car or on the road, the second factors you put in place need to be not only secure but usable. Many are leaning towards biometrics, but with few proven vendor options on the market it is difficult to feel secure with these solutions, not to mention the cost incurred when purchasing them. It is also important to choose a vendor who can provide various authentication methods so you are not forced to purchase disparate solutions to achieve one goal.
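The “two out of three factors” requirement above, worked through as an added example (this is not PortalGuard’s product code and is not taken from the CJIS policy): a login check that demands both a password (something you know) and a one-time code from a software token (something you have), with the software token implemented as an RFC 6238 TOTP generator, one of the token types the FBI definition lists. The user record, salt and password are constructed for the example; the token secret is the RFC 6238 test-vector secret, chosen only so that the expected codes are publicly documented.

```python
"""Two-factor login check: password plus RFC 6238 TOTP software token.
Added example; not PortalGuard code and not part of the CJIS policy."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000
TIME_STEP = 30  # seconds per TOTP step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


# Constructed user record (assumption: a real deployment stores this in a directory or database).
SALT = b"constructed-salt-0001"
USER = {
    "name": "officer.example",
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "token_secret": b"12345678901234567890",  # RFC 6238 test-vector secret, for documented codes
}


def authenticate(user: dict, password, token_code, now: int, window: int = 1):
    """Return (ok, reason). Both factors are mandatory: a correct password with a
    missing or wrong token code is rejected, as is a correct code without the password.
    `window` earlier time steps are also accepted to tolerate small clock skew."""
    if password is None or token_code is None:
        return False, "both a password and a token code are required"
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    step_now = now // TIME_STEP
    # Constant-time comparison of each candidate code; never short-circuit on the password alone.
    code_ok = any(
        hmac.compare_digest(hotp(user["token_secret"], step_now - back), token_code)
        for back in range(window + 1)
    )
    if pw_ok and code_ok:
        return True, "authenticated with two factors"
    # One generic failure message so a caller cannot tell which factor was wrong.
    return False, "authentication failed"


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 6-digit SHA-1 code is 287082.
    print(authenticate(USER, "correct horse battery staple", "287082", now=59))
    print(authenticate(USER, "correct horse battery staple", None, now=59))
```

The check deliberately computes both factors before deciding and returns one failure message, so a caller learns nothing about which factor was wrong; the one-step skew window is the usual trade-off between usability on the road (the mobile users the requirement targets) and the size of the acceptance window.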

I’d suggest that you take a look at the following links to help you understand the guidelines as well as take a look at PortalGuard’s example of meeting CJIS compliance requirements:

CJIS Security Policy: http://www.cjin.nc.gov/infoSharing/Presentations/CJIS%20Security%20Policy%20v5%201_07132012_-ns[1].pdf

PortalGuard’s CJIS Guidelines: http://portalguard.com/pdfs/CJIS%20Compliance.pdf

PortalGuard’s Two-factor Authentication: http://www.portalguard.com/two-factor_authentication.html

FIDO & DARPA Setting Multi-factor Authentication Standards

Coming back from the RSA Conference 2013 this year gave us a renewed look at authentication and IT security. One topic that came up, and that I had seen shortly before the conference, was the Fast Identity Online Alliance (FIDO) and the Defense Advanced Research Projects Agency (DARPA). Mentioned at our booth by a foreign government employee, it seems there are initiatives to follow FIDO’s initiative to eliminate passwords and improve online security with “a standard of interoperable authentication protocols”.

With the recent hot debate on whether passwords are enough, these two organizations are working to implement stronger authentication in the form of two-factor authentication and two-factor alternatives, such as biometrics.

This initiative is picking up interest as DARPA and FIDO look for seamless integration with a biometric application. The drive behind the desire for biometrics is to be able to really prove that a user is who they say they are when making an authentication request.

As mentioned in the article, however, and as I have seen in my two-factor market research, there are major hurdles that are going to keep organizations from implementing stronger authentication, especially biometrics. The article mentioned cost as a huge barrier, as well as it not being an option for the larger audience of customers. Even so, some are saying, “the pain is finally getting bad enough, the criminals are getting good enough and the public is no smarter, so in the next five and more likely 10 years we should see significant change.”

Read More…

###

The PortalGuard software is an authentication platform which is focused on enhancing usability, while maintaining a balance between security, auditing, and compliance for your web and desktop authentication requirements. PortalGuard provides capabilities including multi-factor authentication, transparent user authentication,  self-service password management, two-factor authentication, password synchronization and single sign-on which can be seamlessly configured by user, group, or application.

http://www.PortalGuard.com

Subscribe to our newsletter: http://portalguard.com/contact_us.php

https://twitter.com/portalguard

http://pinterest.com/pistolstar/portalguard

http://www.facebook.com/pistolstar.authentication

http://www.facebook.com/pages/PortalGuard/240761992635169

Where are You in the Authentication Race?


A recent four-part panel with security leaders from the banking industry had an interesting second part, which discussed the race for authentication and how it is about staying ahead of regulations and risks. The idea is to be at the head of the pack when it comes to authentication and to make sure you are aware of the methods and attacks that exist. The banking industry is one that is usually ahead of the curve, especially with the strict FFIEC guidelines. However, these security leaders argue that it is not enough to meet the regulated requirements; you should actually be going above and beyond.

With hackers being almost impossible to beat, since they have time, creativity, and funding on their side, it is important to make it difficult for them to breach your authentication and to make sure they leave your customers alone. Of course, no matter how hard you try, this can still be a very daunting task. This has become especially true as customers and employees now demand web and mobile services with seamless communication and transactions.

Some solutions implemented in the banking industry have been enterprise-wide identity management that provides single sign-on, fingerprint biometric authentication for certain applications, and a focus on internal authentication, where many attacks begin. Read More…


Why should you implement single sign-on?

There are many benefits to implementing a single sign-on solution. A few key reasons include reducing the cost associated with multiple passwords, enhancing the user experience while increasing productivity, increasing security around a single point of access, and simplifying auditing and compliance. Read more…


Single Sign-On: Boost your compliance efforts

Gartner is predicting that the number of regulatory requirements directly affecting IT will double over the next few years. Single sign-on helps alleviate some of the challenges of regulatory compliance such as SOX, HIPAA, GLB and FFIEC. Single sign-on by itself does not imply compliance; however, when implementing single sign-on you are centralizing authentication. Read more…


Make Sure Your Software is Secure for Customers

This is an interesting first-hand account of what it feels like when the software you are selling to customers turns out not to be secure enough. A security manager discusses how, after a complaint from a customer to the senior vice president, he became responsible for cleaning up the mess that was made.

The customer had implemented the solution and then went through a compliance audit, after which the software was found to have security issues. The one that stood out above the others was that the product was vulnerable to SQL injection attacks.

So let me ask the software developers out there: do you think it is better to tackle security and authentication on your own, or to purchase a plug-and-play SDK to provide those services for you?
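The audit finding mentioned above, shown as an added example that is not code from the product or the article: the same user lookup written the way that fails a compliance audit (the input spliced into the SQL text) and written with a bound parameter, run against a constructed in-memory SQLite table so the difference in behaviour can be observed. The table contents and the inputs are constructed for the example.

```python
"""SQL injection in a user lookup: string-built query beside its parameterized form.
Added example; not the product's or the article's code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'pbkdf2-hash-placeholder')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the username is concatenated into the SQL text, so a quote
    character in the input ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the username travels as a bound
    parameter, so it is only ever compared as data, whatever characters it holds."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed inputs: a legitimate name containing an apostrophe, and a
# tautology that widens the WHERE clause when spliced into the query text.
APOSTROPHE_NAME = "O'Brien"
CRAFTED = "nobody' OR '1'='1"


def audit_summary() -> dict:
    """What an auditor sees: the vulnerable form returns a user for a name that does
    not exist, and breaks on a legal apostrophe; the safe form does neither."""
    conn = make_db()
    result = {
        "vulnerable_crafted": lookup_vulnerable(conn, CRAFTED),
        "safe_crafted": lookup_safe(conn, CRAFTED),
        "safe_apostrophe": lookup_safe(conn, APOSTROPHE_NAME),
        "safe_real_user": lookup_safe(conn, "alice"),
    }
    try:
        lookup_vulnerable(conn, APOSTROPHE_NAME)
        result["vulnerable_apostrophe_error"] = False
    except sqlite3.OperationalError:
        # The unbalanced quote from a legitimate name makes the spliced query invalid.
        result["vulnerable_apostrophe_error"] = True
    return result


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}: {value}")
```

The review check that catches this class of defect before a customer's auditor does is mechanical: any place where request data is joined into SQL text (string concatenation, `%` or `format` on a query string) is a finding, regardless of whether an exploit is demonstrated, and the fix is always the parameterized form, not input filtering.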

Read More


The Cost and Loss of Not Using Single Sign-On with Two-Factor Authentication

Do you know how much passwords are costing your organization? Passwords are a much larger source of cost and loss than most people realize. Multiple passwords cost you not only hundreds of help desk calls annually; they also result in a loss of productivity and can be a source of severe security loss. Check out PortalGuard’s webcast on the cost and loss of not using single sign-on with two-factor authentication. Read more…


FTC General Guidelines for Mobile App Security

When creating a mobile app, especially in the banking industry, it is important to keep security in mind. There is a new publication out from the FTC called “Marketing Your Mobile App: Get it Right from the Start” which highlights eight guidelines that all app developers should follow. This guide is meant to help the ever-increasing number of app developers, many of whom are small organizations or individuals. The article goes on to mention that this is the responsibility of the app developer, as they are the only ones who know how secure and private their app really is.

Suggested Guidelines:

1. Tell the truth about what the app can do.

2. Disclose key information clearly and conspicuously.

3. Build privacy considerations in from the start.

4. Offer choices that are easy to find and easy to use.

5. Honor privacy promises.

6. Protect children’s privacy.

7. Collect sensitive information only with consent.

8. Keep user data secure.

Read More
