Email Security: It’s Every Employee’s Business

April 4, 2013

Email security has become part of every employee’s job description. It takes only one employee to cause a breach that exposes the entire company. Consider The New York Times: the recent intrusion by Chinese hackers was carried out via a phishing or spear-phishing email. One opened message was enough to give the attackers a foothold on the Times network, and once an attacker is behind the firewall, the perimeter no longer protects anything: from that foothold the attacker can harvest credentials and move on to other systems.

Recently, hackers have been getting even more creative. One of the students in the information security class I teach showed me an email that she had received. It contained a message about email phishing schemes and what to look for. The subject line was inconsistent with previous emails from the same organization. The body of the email had an incorrect logo and a slightly incorrect signature line. There was also a link with a call to action asking my student to sign in to her account and learn more. She reported this email to the company that had allegedly sent it. Had my student not been aware of phishing schemes, she might have clicked on the link and opened up her system to hackers.

Without proper training, it is easy for an employee to open an email that hands an attacker a way in. It is the duty of every personnel department to train new employees on what to look for when receiving email. This information should be included in employee manuals and posted on lunchroom walls as a reminder. With the volume of email we all receive daily, it is easy to forget that any one message could be the “bomb” that causes a breach. And a network breach can lead to data loss, loss of reputation, and denial of service to your employees and clients.

The two forms discussed here are generic phishing and spear phishing. Generic phishing is a mass mailing sent to everyone in a company in the hope that someone will click a link or open an attachment. It is not addressed to anyone by name, the subject line is generic, and the TO: line often reads undisclosed-recipients. That is a strong warning sign (legitimate bulk mailings hide their recipient list too, so treat it as a prompt to look closer rather than as proof). Finally, the FROM: line does not conform to corporate email standards. Bear in mind that the FROM: line is set by the sender and can be forged to look right, so a correct-looking sender is not proof of legitimacy either; that is why mail gateways check SPF, DKIM and DMARC on your behalf.

The second form of phishing is called spear phishing. This type of email is more insidious. Someone, or some organization, has taken the time to gather information about a specific employee and personalize an email so that it appears to come from someone he or she knows. As a result, the email looks legitimate. It is assembled through a few methods. The attacker scours Facebook, LinkedIn, Twitter, and possibly financial information sites such as Hoovers. The attacker may call the company’s receptionist to find other pertinent details about the recipient, such as an email address or phone number. In bigger companies, they may even call the IT department, claim to be the person of interest, say they forgot their email password, and ask for it to be reset. Hopefully, the IT department has a policy that makes it impossible to reset a password without verifying the caller through more than one factor (multiple forms of ID must be given before the password can be changed; this is a topic for another post). Spear-phishing emails are often aimed at management-level employees, since they tend to have more network privileges.

Even with spear phishing, the questions to ask are the same: Are you expecting an email from this person, and do you actually know him or her? Is there a link in the body of the email? If so, do not click on it. If you really must know where the link leads, forward the message to the IT department or your security team and let them confirm whether it is legitimate. At the speed of business these days it may be hard to remember what to look for, but it is far harder to recover from a breach. It can happen to anyone; for your company’s sake, don’t let it be you.

Every host should run a good virus scanner that checks inbound email and attachments, but a scanner cannot judge whether a message is one you should act on, so the human checks below still matter. Does the address in the FROM: line match the corporate email layout (for example, last name first, or first name last)? Are you expecting an email from that sender, or is it from someone you don’t know? Look at the subject line: are there misspellings, and does it make sense?

Make it a policy never to click live links within an email message. A live link (one that is colored and underlined) can display one address while actually pointing somewhere else. Hovering the mouse over the link reveals the real URL in most mail clients; for a closer look, right-click the link, copy the link address (not the visible text) and paste it into Notepad, which shows exactly where the link points. If the link is embedded in an image, there is nothing to hover over; retype the address you expect into the browser yourself rather than trusting the image. Shortened links (for example, bitly.com or goo.gl) hide the destination entirely; the shortening services offer preview pages for their links, but the simplest rule is to treat a shortened link like any other unknown link.
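The sender, recipient and link checks described in the two paragraphs above can be automated at the gateway or on the desk. The script below is an added example, not code from the original post or from IBM. It assumes the organization’s own domain is example.com and that the receiving mail gateway writes an Authentication-Results header with its SPF/DKIM/DMARC verdicts (both assumptions). It flags a FROM: or Reply-To: domain outside the organization, a display name that shows a different address than the real sender, a hidden TO: line, failed gateway checks, and, for every link in the HTML body, a visible address that differs from the host the link really points to (the hover check) or a shortener that hides it. Both sample messages are constructed.

```python
"""Check a raw email for the phishing indicators the post describes.
Added example; assumes CORPORATE_DOMAIN and a gateway Authentication-Results header."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

CORPORATE_DOMAIN = "example.com"                       # assumption: your own domain
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of bare link text such as 'sso.example.com/login'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def in_org(host):
    return host == CORPORATE_DOMAIN or host.endswith("." + CORPORATE_DOMAIN)


def first_address(msg, field):
    hdr = msg.get(field)
    return hdr.addresses[0] if hdr is not None and hdr.addresses else None


def triage(raw):
    """Return the list of indicators found; an empty list means none fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = first_address(msg, "From")
    from_domain = sender.domain.lower() if sender else ""
    if not in_org(from_domain):
        findings.append(f"From: domain '{from_domain}' is not {CORPORATE_DOMAIN}")
    # The display name is free text; a phisher can put a corporate address there.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", sender.display_name if sender else "")
    if shown and shown.group(1).lower() != from_domain:
        findings.append(f"display name shows {shown.group(0)} but sender is {sender.addr_spec}")

    reply = first_address(msg, "Reply-To")
    if reply is not None and not in_org(reply.domain.lower()):
        findings.append(f"replies go outside the organization, to {reply.addr_spec}")

    if "undisclosed" in str(msg.get("To", "")).lower():
        findings.append("TO: line hides the recipients (undisclosed-recipients)")

    # Verdicts the receiving gateway recorded for SPF, DKIM and DMARC (assumed present).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none|permerror|temperror)", auth):
            findings.append(f"{mech} did not pass at the gateway")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        extractor = LinkExtractor()
        extractor.feed(body.get_content())
        for text, href in extractor.links:
            target = host_of(href)
            if target in SHORTENERS:
                findings.append(f"shortened link hides its destination: {href}")
            elif re.search(r"\w\.\w", text) and host_of(text) != target:
                # What the reader sees is not where the link goes: the hover check.
                findings.append(f"link text says {host_of(text)} but points to {target}")
            elif not in_org(target):
                findings.append(f"link leads to outside host {target}")
    return findings


# Constructed sample: a credential phish dressed up as the internal helpdesk.
SAMPLE = """\
From: "helpdesk@example.com" <alerts@example-support.net>
Reply-To: recover@outlook-recovery.net
To: undisclosed-recipients:;
Subject: Action required: your mailbox will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-support.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in within 24 hours to keep your account active.</p>
<a href="http://example.com.evil-login.net/sso">https://sso.example.com/login</a> or
<a href="http://bit.ly/2abcxyz">click here</a></body></html>
"""

# Constructed sample: an ordinary internal message that should pass every check.
CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch menu
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://intranet.example.com/menu">intranet.example.com/menu</a></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(label, triage(raw) or ["no indicators"])
```

None of these checks is proof on its own: a compromised internal mailbox passes the domain and gateway checks, which is why the post’s “were you expecting this?” question still applies to a message that scores clean.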

Sometimes email arrives under the guise of legitimacy: it appears to come from inside your organization, but it doesn’t. A message asks you to change your security credentials; don’t be fooled. A genuine change of this kind is announced company-wide, in advance, through the normal channel, and never asks you to follow a link in the message to do it. It will come from a named person in IT rather than from a generic “The Security Team,” and a message from an internal employee follows the corporate email structure, whereas fakes do not. Since the sender line itself can be forged, when in doubt confirm the request by phone with IT at a number you already know, not one given in the email.

Many breaches start with an email that looks like it came from an internal employee. So look at the signature line at the bottom of the email: if it isn’t the standard signature your company uses for all emails, the message is suspect. Checking an email to be sure it’s real takes time, but the more you look for these errors, the better you get at spotting them.

The larger a company is, the harder it is to remind employees about staying vigilant. But in the long run, what’s worse: reminders or hackers? You do the math.

______________________________________________________________

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Changes Big Data And Technology Have Brought Into The Retail Industry

April 3, 2013

There was once a time when retailers relied on large spreadsheets to keep track of things. Critical employees had to fly around in order to find the best products and maintain the best inventory. Today, the scenario is totally different. Big Data has played a large part in the changes witnessed in the retail industry.

Some have adapted well to the changes (some have even taken advantage of them) and some have struggled with them. Marianne Bickle (Contributor, Forbes.com) looks at some of the changes that Big Data and technology have brought about…

1. Retailers are finding it more difficult to make predictions. This might actually come as a surprise to many considering that Big Data actually empowers retailers to pinpoint what a particular customer wants. What many people do NOT realize is that it is “a two-edged sword.”

A consumer group might be lost simply because they have moved to a different mobile device which isn’t supported by their current retailer. In this case, it might be difficult to predict how many customers you’ll lose (or have lost).

2. Poor customer experience reports now spread like wildfire. It’s no longer a case of one unhappy customer telling ten other people. With social media, it could be millions before your company prepares an official position. There are instances of viral videos that have “hurt” businesses.

3. Trends are changing faster and businesses have many more tools that can help them gather vital information about the trends (Twitter, Facebook, email, etc).

4. It is now critical that the analysis of data provides insight into why and how consumers buy a particular product. Such analysis should also provide their demographics and psychographics. Otherwise, money spent on advertising will be wasted.

To read the rest of this article, go here…


Revealed: Secret PIIs in your Unstructured Data!

March 26, 2013

Personally identifiable information, or PII, is pretty intuitive. If you know someone’s phone, social security, or credit card number, you have a direct link to their identity. Hackers use these identifiers, along with a few more personal details, as keys to unlock data, steal identities, and ultimately take your money. In some of my recent blogging, I’ve referred to the blurring of lines between PII and non-PII data. Case in point: it has been known for at least 10 years that there are specific pieces of data which in isolation may appear anonymous, but which, taken together, identify a person just as effectively as traditional PII.

The easiest to understand of these so-called quasi-PIIs is the trio of full birth date, ZIP code, and gender. If a company published a dataset that had been “de-identified” by removing all the standard PIIs but left those three data items alone, a smart hacker could, with very high likelihood, find the name and address of the person behind that data.

Why would this work? At a very basic level, the identity thief is doing the work of a detective: going through lists looking for matches. The lists in this case are voting records, which are available from most US towns and counties for a nominal fee, typically around $40. Voting records contain name, address, and most importantly full birth date; the ZIP code follows directly from the address.

By looking for matching birth dates and zip codes, savvy hackers narrow down the search to a few names. Add gender information and for most zip codes in the US, hackers can arrive at a unique name. Of course, the more additional information or clues gathered, especially taken from social media and other web sites, the easier it is to filter out names when there’s more than one candidate.
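The detective-style matching described in the last three paragraphs, as an added example that is not part of the original post. It joins a “de-identified” release that kept the three quasi-identifiers against a voter roll of the kind the post describes, first showing how the candidate list narrows with each clue (birth date, then ZIP, then gender) and then doing the full join. Both tables are constructed toy data: the names, addresses and dates are invented, and the ZIP code is taken to be the last token of the address line.

```python
"""Link a 'de-identified' record back to a name using (birth date, ZIP, sex).
Added example on constructed toy data; a real attacker would load a purchased voter roll."""
from collections import defaultdict

# Constructed "de-identified" release: names and IDs stripped, quasi-identifiers kept.
RELEASED = [
    {"dob": "1961-07-15", "zip": "02138", "sex": "F", "diagnosis": "hypertension"},
    {"dob": "1985-03-02", "zip": "02138", "sex": "M", "diagnosis": "asthma"},
    {"dob": "1990-11-30", "zip": "02139", "sex": "F", "diagnosis": "migraine"},
]

# Constructed voter roll: name, address and full date of birth, as the post describes.
VOTER_ROLL = [
    {"name": "A. Example", "address": "1 Main St, Cambridge MA 02138", "dob": "1961-07-15", "sex": "F"},
    {"name": "E. Other", "address": "7 Elm St, Somerville MA 02143", "dob": "1961-07-15", "sex": "F"},
    {"name": "F. Other", "address": "3 Main St, Cambridge MA 02138", "dob": "1961-07-15", "sex": "M"},
    {"name": "B. Sample", "address": "9 Elm St, Cambridge MA 02138", "dob": "1985-03-02", "sex": "M"},
    {"name": "C. Sample", "address": "11 Elm St, Cambridge MA 02138", "dob": "1985-03-02", "sex": "M"},
    {"name": "D. Example", "address": "5 Oak Ave, Cambridge MA 02139", "dob": "1990-11-30", "sex": "M"},
]


def zip_of(address):
    """ZIP code is the last token of the address line (assumption for the toy data)."""
    return address.rsplit(" ", 1)[-1]


def narrow(record, voters):
    """Candidate count after each successive clue, the post's detective analogy."""
    by_dob = [v for v in voters if v["dob"] == record["dob"]]
    by_zip = [v for v in by_dob if zip_of(v["address"]) == record["zip"]]
    by_sex = [v for v in by_zip if v["sex"] == record["sex"]]
    return {"dob": len(by_dob), "dob+zip": len(by_zip), "dob+zip+sex": len(by_sex)}


def build_index(voters):
    """Index the roll by the quasi-identifier triple so each lookup is O(1)."""
    index = defaultdict(list)
    for v in voters:
        index[(v["dob"], zip_of(v["address"]), v["sex"])].append(v)
    return index


def link(released, voters):
    """For each released record, the names on the roll sharing its (dob, zip, sex).
    One name is a re-identification; several means more clues are needed;
    none means the person is not on the roll (for example, under 18)."""
    index = build_index(voters)
    return [[v["name"] for v in index.get((r["dob"], r["zip"], r["sex"]), [])]
            for r in released]


if __name__ == "__main__":
    print(narrow(RELEASED[0], VOTER_ROLL))
    for rec, names in zip(RELEASED, link(RELEASED, VOTER_ROLL)):
        print(rec["diagnosis"], "->", names or "no match on roll")
```

The second released record ends with two candidates, which is where the post’s extra clues from social media come in: a single additional attribute (street, employer, hobby) that the attacker can match against one of the two names finishes the job.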

A quick back-of-the-envelope calculation shows why this approach works so well. Taking 365 days (ignoring leap years) and multiplying by an 80-year span of ages, a complete birth date gives 29,200 “bins” into which a ZIP code’s worth of people can be placed. Add gender and the number of slots doubles, to 58,400.

I can hear nitpickers out there saying that voting rolls contain names of those over the age of 18, so you would have to remove 6,570 slots. True enough, but researchers have shown it’s possible to exploit Facebook’s leaky handling of data on school-age minors to partially address this gap.

In any case, based on the last US census there are over 40,000 ZIP codes, with an average of only about 7,000 people per ZIP code. On a gut level, spreading 7,000 people across 58,400 slots means most of them will find themselves alone in their slot. In other words, the odds are very good that most of them won’t share a date of birth, ZIP code, and gender with anyone else.

The real validation of this type of hacking attack came from Carnegie Mellon University computer science professor and data privacy expert Latanya Sweeney, who ran the numbers back in 2000. Using then-current census data (broken down by ZIP codes and age groups), she was able to identify 87% of the people in the US working with just those three non-PIIs.

Fortunately, Sweeney’s research and results from other experts have made their way to policy makers. For example, when medical data on patients is released, HIPAA’s Safe Harbor de-identification rule requires removing all geographic subdivisions smaller than a state (street address, city, county and full ZIP code); the one exception is that the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people. All elements of dates directly related to the individual (birth, admission, discharge, death) except the year must be removed, and ages over 89 must be aggregated into a single category of 90 or older.
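The uniqueness argument from the bin counting above, carried through in code, and the Safe Harbor generalisation applied to the same three fields so the effect can be seen in the same numbers. This is an added example, not from the original post: the population figures are the post’s own round numbers (7,000 people per ZIP, an 80-year age span), and REFERENCE_YEAR and the three-digit-ZIP population table are constructed assumptions (the real figures come from the census). The closed form assumes every bin is equally likely; real birth dates cluster in younger ages, so true uniqueness is somewhat lower, which is why Sweeney’s empirical 87% is the number to quote.

```python
"""Expected uniqueness of (birth date, ZIP, sex), before and after Safe Harbor.
Added example; REFERENCE_YEAR and ZIP3_POPULATION are constructed assumptions."""
import random

REFERENCE_YEAR = 2013                                 # assumption: year of release
ZIP3_POPULATION = {"021": 650_000, "036": 15_000}     # constructed; use census data in practice


def quasi_id_bins(days_per_year=365, age_span=80, sexes=2):
    """Distinct (birth date, sex) values across an 80-year age span: 58,400 as in the post."""
    return days_per_year * age_span * sexes


def expected_unique_fraction(people, nbins):
    """If bins are equally likely, each of the other (people - 1) residents lands in my
    bin with probability 1/nbins, so I am alone in it with probability
    (1 - 1/nbins) ** (people - 1)."""
    return (1 - 1 / nbins) ** (people - 1)


def simulate_unique_fraction(people, nbins, trials=50, seed=7):
    """Monte Carlo check of the closed form: drop `people` into `nbins` at random."""
    rng = random.Random(seed)
    alone = 0
    for _ in range(trials):
        draws = [rng.randrange(nbins) for _ in range(people)]
        counts = {}
        for d in draws:
            counts[d] = counts.get(d, 0) + 1
        alone += sum(1 for d in draws if counts[d] == 1)
    return alone / (trials * people)


def safe_harbor(record):
    """Safe Harbor applied to these three fields: keep only the birth year (ages over
    89 collapse to '90+'), keep the first three ZIP digits only when that area holds
    more than 20,000 people (otherwise '000'), and leave sex as is."""
    year = int(record["dob"][:4])
    zip3 = record["zip"][:3]
    return {
        "birth_year": "90+" if REFERENCE_YEAR - year > 89 else year,
        "zip3": zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000",
        "sex": record["sex"],
    }


def safe_harbor_bins(age_span=90, sexes=2):
    """After generalisation only (birth year, sex) vary inside a ZIP3 area: 180 bins."""
    return age_span * sexes


if __name__ == "__main__":
    b = quasi_id_bins()
    print("bins:", b)
    print("expected unique fraction, 7,000 people:", round(expected_unique_fraction(7000, b), 3))
    print("simulated:", round(simulate_unique_fraction(7000, b, trials=10), 3))
    print(safe_harbor({"dob": "1961-07-15", "zip": "02138", "sex": "F"}))
    print("after Safe Harbor, ZIP3 021:", expected_unique_fraction(ZIP3_POPULATION["021"], safe_harbor_bins()))
```

With 7,000 people and 58,400 bins the closed form gives about 0.887, the same neighbourhood as Sweeney’s 87%. After Safe Harbor the 650,000 people of a three-digit ZIP area share only 180 (birth year, sex) bins, roughly 3,600 per bin, and the expected fraction of unique people is indistinguishable from zero.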

With US regulations on PII varying by the particular legislation, this is by no means a universal rule. However, the Federal Trade Commission, an influential regulatory agency on privacy matters, has recently issued new best practices on data de-identification. They’ve called for all companies to achieve a “reasonable level of confidence” that their public data can’t be linked back to an individual. Clearly, the combination of birth date, zip code, and gender would fail that test.

Are there other quasi-PIIs out there? Of course! The larger problem is that consumers are sharing all kinds of information about themselves on web sites and social forums. As a possible scenario, think of an online retailer collecting preference data about its customers (sports interests, hobbies, etc.) along with geographic data and perhaps income information.

These data items would not be considered traditional PII.  If hackers pulled this “anonymous” data from a poorly permissioned file on a server, you could imagine them mining various special interest sites, looking for names that match up based on those interests and geo data.  Once they have a match, the next step might be a phishing attack, with the hackers pretending to be the retailer.

For companies that want to stay ahead of the stricter de-identification rules being considered here in the US and likely to become law in the EU, it would be worth their while to start carefully reviewing their non-PII data, wherever that data might sit on their file systems.


CURATED SOCIAL COMMERCE: WHAT ZUMBA COULD LEARN FROM BRAZILIAN RETAIL GIANT MAGAZINE LUIZA (VIDEO)

March 7, 2013

Looking for social commerce inspiration? Here’s an interesting initiative from Magazine Luiza, Brazil’s 4th largest retailer, that builds on the curated commerce trend.

Last year and bucking the trend of bringing social to the store, Magazine Luiza brought the store to social, by inviting people to curate their own mini-store on Orkut and Facebook.

The ‘Your Store’ (Magazine Você) initiative invited consumers to stock their own mini-store with up to 60 items from Magazine Luiza’s inventory. Users could personalise the store, offer personal reviews and comments, and earn a 2.5% – 4.5% commission on any sales made. Fulfilment and logistics were handled by Magazine Luiza.

Contagious Magazine reports that whilst the idea was popular (53,000 stores were opened) and conversion rates were 40% higher than in traditional stores, only 10,000 products were sold in total.

Whilst this could be seen as another nail in the coffin of the ‘bring the store to social’ variant of social commerce, we think it points to an opportunity.

How about if the idea was tweaked, à la OpenSky, to offer member organisations and certification bodies for independent professionals a simple solution for their members (think personal trainers, caterers, yoga/Zumba instructors, photographers, hairdressers, educators)? Self-employed professionals depend on and use their social networks and followers to build their businesses, so a curated store on a blog, linked from YouTube, or even on Facebook would be a natural fit.

If you’ve ever been to a Zumba instructor event, you’ll see why this would work.  Instructors buying sack loads of Zumba gear to sell to their members.  It’d be a useful benefit from the Zumba Instructor Network if they could do this without having to manhandle the gear themselves – and it’d keep member dues coming in.

As the science of promotions shows, the key to success will, of course, be to run any such store with two-sided promotions, both the curator and customer should get a better price than can be found elsewhere. Otherwise the idea is dead in the water.  But done right, here’s a real opportunity in the social commerce space.

 

Thanks to Social Commerce Today.


Connecting the world a Microsoft documentary

February 14, 2013

This video documentary by Microsoft explores how digital, and specifically Interaction Design, is changing and will change our lives in an ever more connected world. It’s 18 minutes long but well worth a watch. I thought I’d paraphrase a few of the most thought-provoking comments from the documentary below:

“Without humans there’s nothing interesting to talk about.”

“We are in the phase where we are a little confused about what’s important in life.”

“It’s about understanding that ecosystem where the human is at the centre.”

“It’s about getting more of the physical world connected with the digital world.”

“What we design as a man-made object is only complete when there are people using it”


GOOGLE DOMINATES THE MOBILE APP MARKET, HAS 5 OF THE TOP 6 APPS IN THE U.S.

January 24, 2013

Mobile Apps Rankings

Wondering why Apple (AAPL) is sinking so much effort into building its own Maps application? Because it doesn’t want Google (GOOG) to gobble up all the revenue from big-name mobile applications. ComScore has published its most recent monthly review of the top iOS and Android apps in the United States ranked by unique visitors and has found that Google captured 5 of the top 6 spots with Google Maps, Google Play, Google Search, Gmail and YouTube. In fact, Facebook (FB) was the only non-Google app to crack the top 6, although it also had the benefit of being the most-visited app in the entire country by a margin of more than 10 million unique visitors. iTunes was the only Apple app to crack the top 10, meanwhile, as it ranked eighth with roughly 46 million unique visitors last month.


Mobility and Big Data: Why They Need Each Other to Thrive

January 9, 2013

Mobile devices and apps will generate seven exabytes of data by 2015, a number that will continue to double and perhaps triple each year. Not only are huge volumes of data/content being communicated through mobile networks, but there has been unexpected growth in related communications and transactions, such as:

  • Salesforce.com getting 60 percent of its “transaction volume” from mobile devices
  • Pandora delivering 60 percent of its music minutes to mobile devices
  • Facebook getting 30 percent of its traffic from mobile
  • Twitter getting 55 percent of tweets from mobile

This dramatic growth, coupled with low-cost, large-scale data architectures, is making it possible for “Big Data” to capture, analyze, and act in real-time to maximize the impact for business. But I would argue that big data and mobile are also intertwined, and the total societal impact of one depends on the other.

The unique benefits of mobile—ubiquity, immediacy, and relevance—are magnified by big data. To fully leverage these attributes, mobile solutions need to be location-aware (ubiquitous), real-time (immediate), and context-aware (relevant). Seventy percent of mobile apps are abandoned within the first two months after being downloaded, due in large part to the fact that they are not enterprise-class, not connected to the data and analytics that make them engaging, and therefore not leveraging the attributes of mobile. Big data is becoming a critical element in meeting these demanding expectations from the user.

Together, mobile and big data provide an opportunity to not only offer users convenience and utility, but to actually drive behavior change. A health insurance company, for example, might deploy a consumer-facing app that mashes up claims data with public health data and personal fitness/wellness data from other consumer apps. This creates the opportunity for powerful analytics to help guide the consumer to make better health decisions based on a real-time view of their current condition and available options.

Sustaining behavior change is critical to virtually every industry, whether it’s getting a patient to follow their prescribed therapy (only 70 percent do so in the U.S.), encouraging an employee to save more for retirement (there is only a 3.6 percent savings rate in the U.S.), or getting an energy customer to make more efficient decisions (the average U.S. household wastes 25 percent of its energy). This is where mobile and big data can play a significant role. By marrying context, personalization, and knowledge of potential actions/offers using mobile and big data/analytics, the impact of retail, healthcare solutions and beyond could be improved drastically.

Where big data is accelerating the sustaining of behavior change, it is also accelerating the convergence of people and objects. There are now nearly 10 billion things connected and only about half of them will be mobile phones. Yet up until now, the hundreds of millions of connected objects—truck fleets, environmental sensors, smart meters, etc.—were considered part of the closed “Machine-to-Machine” or M2M world. This is changing. Fueled by the integration of technologies such as Wi-Fi, Bluetooth, QR Codes, and NFC into mobile devices, we are lowering the barrier for people to interact with objects, and opening up a new category of innovations we call P2M, or “People to Machines.”

Very soon, we will not talk about mobility or big data but just real-time, personalized interactions that drive business impact, anywhere, anytime, on any screen. Now that’s powerful.

via Mobility and Big Data: Why They Need Each Other to Thrive | Xconomy.


Banks See Social Media as Big Data Opportunity

November 6, 2012

Last month I attended a digital advertising conference here in NYC which was swarming with social media benchmarking vendors. If you wanted to learn more about software that measures how your company or brand is faring on Twitter, Facebook, or Pinterest, then this was the place to be. These buzz-monitoring apps make perfect sense for consumer-focused product companies (sneakers, clothing, soft drinks), but I didn’t necessarily connect the dots between social media content and big data for financial service firms.

That is until I saw this article in American Banker on big data in the banking world. Specifically, BNY Mellon Bank ($1.4 trillion assets) is launching its own big data project, which will involve collecting and aggregating transactional information from customers across many different systems—their web site, ATM network, customer service, trading desks, and any other relevant interaction points.

The goal is to pull these separate data streams into a centralized data store, and then mine it to learn customer behaviors and preferences. The results will be fed back to their marketing department to help pinpoint customers who would most likely be interested in new bank offerings. BNY Mellon will also use this data to gain more complete awareness of customer needs in their future interactions with the bank.

It doesn’t stop there. BNY Mellon has extended the scope of its big data project beyond its own internal IT operations by harvesting content from the social world—blogs, Twitter, LinkedIn, and other online forums.

How much data can be found in Tweets and posts that would be useful for banks and financial companies?

This is hard to gauge. But according to an IDC report referenced in the American Banker piece, 1.8 trillion gigabytes of data was generated in 2012, with the majority of that considered unstructured social data.

These numbers for social data sound about right. Earlier in the year, Twitter reported its users were sending 340 million tweets per day. A quick back-of-the-envelope calculation (340 million x 140 characters x 365 days) comes to more than 17,000 gigabytes a year of tweet text alone, and that is a floor, since it counts one byte per character and ignores the metadata attached to each tweet. Then if you add LinkedIn with its 175 million users, Facebook’s close to 1 billion users, and the millions of active blogs out there, it’s easy to see how unstructured text from social begins to reach the volumes in the IDC range.

For large financial firms with millions of their own customers, filtering out, processing, and storing what’s relevant clearly falls in the big data solution space. The larger point is that banks are looking at this public data as an auxiliary treasure trove from which they can supplement their existing records with more granular details about their own customers, and even perhaps find potential new markets. Like everyone else they are also concerned about their brand and the buzz around it.

Lessons learned? Here’s one: even those companies most closely associated with large traditional fixed-field databases —in this case, a financial institution, but also consider, say, insurance, power utilities, and telecom carriers—will by necessity also have to deal with petabytes of content in order to complete the big data puzzle.


The Social Brand Value of the World’s Leading Brands

October 4, 2012

The Social Brand Value of the World's Leading Brands Infographic

In November 2011, social media consultancy Sociagility looked at the social brand value of 50 of the world’s leading brands, creating a revised top 50 ranking according to their social media performance, as measured by the consultancy’s PRINT Index™ KPI. The PRINT system compares brands on five key dimensions or ‘attributes’ of social media performance – popularity, receptiveness, interaction, network reach and trust – across multiple platforms. The Sociagility Top 50 report analyses the social brand value of the world’s leading brands and the competitive influences that determine their social media performance. Here’s a visual representation of just some of the report highlights


Kelloggs: The Special K Tweet Shop

October 1, 2012

 

This isn’t the first Tweet Shop, but it’s probably the second or third ever, and a very cool pop-up style store turning customers’ social currency into real goods and positive sentiment… Passers-by can walk into the store, sample the range of new cereal crisps and then tweet about them to buy a box to take home. It’s a little contrived, but then again, experiences like this will probably generate Tweets and Facebook posts without the mandatory requirement too… I know I would… Thoughts?

 

