The Importance of Having an Effective Data Destruction Policy

Never before in the history of the world or business has this much data existed. Today’s data includes everything from basic and general information on customers to much more sensitive, personally identifiable data. This data helps businesses do their work more efficiently, but it also creates the risk that sensitive data may leak to third parties that might want to use this information for malicious purposes. In response to this threat, governments worldwide have begun tightening the rules and regulations that govern the use of data. The most prominent of these regulations is the General Data Protection Regulation (GDPR) that was introduced by the EU to protect the data of its citizens. In turn, this has created the need for businesses to invest in better practices when it comes to working with and destroying customer data.

3 Ways to Avoid Fraud While Traveling

As I sat in the taxi in Jackson, Mississippi, waiting for the cab driver to “call in” my credit card because he had no credit card machine or app on his flip phone, I cringed. Just four days prior, I was teaching an ACFE webinar on travel fraud and here I was, hamstrung by an antiquated process that put my credit card at risk.

4 Resources to Help You Prepare for the GDPR

According to the regulation’s detailed website full of helpful tips and background information, the European Union’s (EU) General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. But, as i-Sight’s Dawn Lomer recently pointed out, fewer than half of the companies recently surveyed were prepared for the regulation that comes into effect May 25.

Cybersecurity Expert Warns GDPR Could Create New Extortion Opportunities

Dr. Jessica Barker addressed hundreds of anti-fraud professionals yesterday at the 2018 ACFE Fraud Conference Europe and told them that a new weak point in organizations’ cybersecurity might stem from an unlikely source — General Data Protection Regulation (GDPR) compliance. “One of the speculations about what we will see with GDPR is more extortion around hacks,” she said.

Understanding and Mitigating Smartphone Risks

ONLINE EXCLUSIVE

Nikola Blagojevic, CFE, CISA

In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees — they're now ubiquitous. Upside: simple and quick communication. Downside: smartphones are easily lost, stolen and susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article "Biggest cybersecurity threats in 2016," by Harriet Taylor, Dec. 28, 2015, "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."

Smartphones are more at risk in certain areas — hotels, coffee shops, airports, cars, trains, etc. And home Wi-Fi connections can be potential risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:

  • Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
  • User identification and passwords (to emails, social networks, etc.).
  • Mobile applications that record PII.
  • Geolocation data about the smartphone user.

Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a stepping stone to build a more complex attack that obtains access to sensitive applications or confidential data. For example, an attacker can use various seemingly unimportant pieces of data to social engineer victims into giving up more information, which could enable them to stage a successful attack.

So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.

Understanding and mitigating the risks

The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:

  1. Data leakage resulting from device loss or theft.
  2. Unintentional disclosure of data.
  3. Attacks on decommissioned smartphones.
  4. Phishing attacks.
  5. Spyware attacks.
  6. Network spoofing attacks.
  7. Surveillance attacks.
  8. Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
  9. Financial malware attacks.
  10. Network congestion.

We can use these risks (listed from highest to lowest risk) alongside the ISO 27002 standard to review professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide the necessary independence for testing organizations' security measures.

Here are various measures that can help reduce the risks associated with mobile devices:

  • Encrypt mobile devices.
  • Regularly update mobile devices' applications and operating systems.
  • Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily guessed. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to create a memorable password is to start from a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Take the first letter of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
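The following is an added example, not code from the article or the ACFE: it implements the sentence-to-password method described above and the stated minimum lengths for PINs and alphanumeric passwords, so the rules can be checked mechanically. The short `COMMON_WORDS` list is a hypothetical stand-in for a real dictionary check.

```python
import re

# The mnemonic sentence quoted in the article (used here only as a demonstration value).
ARTICLE_SENTENCE = ("The ACFE is reducing business fraud worldwide "
                    "and inspiring public confidence.")

# Substitutions described in the article: 'a' -> '@', 'i' -> '1'.
SUBSTITUTIONS = {"a": "@", "i": "1"}

# Minimum lengths stated in the article.
MIN_PIN_DIGITS = 8
MIN_PASSWORD_CHARS = 8

# Hypothetical word list standing in for a real common-word dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "qwerty"}


def mnemonic_password(sentence: str) -> str:
    """Build a password from the first letter of each word, lower-cased,
    with the article's character substitutions applied."""
    words = re.findall(r"[A-Za-z]+", sentence)
    initials = "".join(word[0].lower() for word in words)
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in initials)


def pin_is_acceptable(pin: str) -> bool:
    """A PIN must consist only of digits and be at least MIN_PIN_DIGITS long."""
    return pin.isdigit() and len(pin) >= MIN_PIN_DIGITS


def password_is_acceptable(password: str) -> bool:
    """An alphanumeric password must be at least MIN_PASSWORD_CHARS long
    and must not contain a common word (checked case-insensitively)."""
    if len(password) < MIN_PASSWORD_CHARS:
        return False
    lowered = password.lower()
    return not any(word in lowered for word in COMMON_WORDS)


if __name__ == "__main__":
    derived = mnemonic_password(ARTICLE_SENTENCE)
    print(derived, password_is_acceptable(derived))   # t@1rbfw@1pc True
```

Because the article's sentence is published, treat its derived password as a demonstration value only and derive a real password from a sentence that is not public.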

CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)

Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.