Black Friday and Cyber Monday. We already know how crazy Black Friday can get. One keyword search on YouTube brings up countless videos of people recklessly clawing at each other for electronics, toys, appliances, and other items whose prices have been drastically slashed for the occasion.
Cyber Monday trades the mob mentality of Black Friday for a more concentrated panic online, and here what is at risk is personal identity and payment data. This time last year, the National Retail Federation found that 122 million Americans planned to shop online. That number is sure to increase this year, though a bigger crowd doesn’t mean consumers are blind to the risks of online shopping.
A 2016 identity fraud study counted 15 million victims of identity fraud in the U.S., 16% more than the year before. Consumers bear part of the responsibility: a strong, unique password for each site, and good judgement about where to shop. That doesn’t only mean avoiding sketchy retail sites. Legitimate and established online retailers aren’t immune to breaches either. Forever 21 recently notified customers that certain stores may have suffered a payment data breach because the encryption on some point-of-sale devices, installed back in 2015, was not always operating. This isn’t the first time Hostway has discussed data breaches at major enterprises. We recently wrote about misconfigured Amazon S3 storage that exposed data belonging to organizations such as Dow Jones and Verizon, and that wasn’t the only Amazon cloud exposure this year.
With events like Cyber Monday, make sure your business’s security controls are up to date, scale with the traffic, and are PCI DSS compliant. Skipping those precautions can cost you: the average cost of a data breach per record, for instance a single compromised card number, was $172 for the retail industry in 2016. Multiply that across a shopping population of 122 million and the exposure is substantial, not only in profit but in customer trust and loyalty.
Businesses that store customer data in the cloud are still the ones obliged to safeguard it. The provider secures the underlying platform, but what you put into it, how it is configured and who can reach it remain your responsibility, which is exactly how the Amazon cloud exposures mentioned above happened. The first step is a risk assessment of your infrastructure. Rather than leaving those gaps open, work with a trusted managed security provider that delivers expertly managed cloud solutions that are compliant and secure, so you can focus on your business while customers receive the care they deserve.
Finally, in another survey, 57 percent of online shoppers said the greatest identity theft risk they face is a data breach at an online retailer, and 40 percent said businesses are not doing all they can to protect their information. That is a clear call to action from consumer to business.
Don’t wait until your organization has become a victim to cyber threats. Experience the Hostway difference and request a free security consultation or contact a Hostway cloud hosting expert at 1.866.680.7556.
October is National Cyber Security Awareness Month (NCSAM). Taking the time to learn about cybersecurity, and how you can protect yourself and your business, should be a top priority. It’s especially timely as breaches and leaks keep growing alongside our online lives. No matter how large, small, or well known a company is, data breaches and hackers have become part of daily life. But there are ways to mitigate the risk.
“With the increase of data being stored online and the recent large-scale compromises of personal information, it's more important than ever to focus on efforts to secure data. Cyber Security Awareness Month is a great way to get more people thinking about how they secure and protect the data they are entrusted with,” says Hostway's Director, Security Services, Peter Marsh.
NCSAM is presented by the Department of Homeland Security and promotes ways to reduce the likelihood of being hacked through awareness and better everyday security practice. America isn’t the only country using October to focus on online safety. Canada’s Minister of Public Safety and Emergency Preparedness said, “[threats] can rob you of your money and identity and do serious harm to infrastructure, economy, and national security.” The desire to protect data and private information is felt worldwide.
“Staying ahead of hackers, DDoS attacks, internet hijacking, and other cyber-attacks may not be possible for everyone, but there are steps anyone can take to lessen your chances of being hit,” says Marsh.
Get Help and Enjoy Peace of Mind
Whether you’re concerned about a personal computer, a company workstation, or hundreds of thousands of records, hosting that data on a managed hybrid cloud adds layers of protection most organizations can’t maintain on their own. Hostway’s team provides managed backup, monitoring, firewalls, and storage to keep your data safe while you get on with your work.
For more information on Homeland Security’s National Cyber Security Awareness Month, please visit https://www.dhs.gov/national-cyber-security-awareness-month.
To learn more about building a highly secure and scalable hyperscale public cloud solution, contact a Hostway cloud hosting expert at 1.866.680.7556 or chat with us today.
As we edge closer to the holiday season, these next few weeks and months are a critical time of year for website security for eCommerce retailers. Companies are gearing up for significantly boosted online traffic as consumers set out to find the perfect gift for everyone on their lists.
This time of year especially shines a light on security, though, as malicious actors and cybercriminals are also aware of the uptick in sales and online shopping:
So, what can online retailers do to better safeguard their platforms and their customers' information? There are a few essential steps businesses can take right now to better enable security during the holiday shopping season, and Hostway is here to help.
We've created a series of short videos featuring Kai Armstrong, Hostway's eCommerce product manager, that covers best practices you can immediately put into action to ensure a secure shopping experience for your customers.
You’ll get tips on the following:
Until recently, SSL certificates, the key to turning an HTTP website into an HTTPS one, were a small tax you paid to secure your website and your customers’ data. Then Let’s Encrypt entered the fray and began offering certificates for free.
Before looking at Let’s Encrypt and its impact on the internet, a brief word on why a certificate matters in the first place. For a website that collects personal information, the certificate lets a visitor’s browser authenticate the server and set up an encrypted TLS session, so the data sent to the server is unreadable to anyone on the path between the two. The certificate itself does not encrypt anything; it binds the site’s public key to its domain name so the browser knows whose key it is negotiating with.
That binding is what provides authentication: assurance that the site is the one you meant to reach and not a cybercriminal’s copy set up to steal customer information. One caveat for shoppers and merchants alike: a valid certificate proves that the connection is encrypted and that whoever holds the private key controls that domain name. It does not vouch for the honesty of the merchant behind it, so the padlock is necessary for a safe shopping environment but not sufficient on its own.
Certificate authentication relies on a chain of trust. Your site’s certificate is signed by an intermediate certificate, the intermediate is signed by a root, and the root certificates are shipped with browsers and operating systems. Historically most trusted roots have belonged to a handful of commercial certificate authorities, so every HTTPS site ultimately depended on one of those companies, accountable to its investors rather than to your customers, and paid for the privilege.
Let’s Encrypt is a certificate authority run by the nonprofit Internet Security Research Group. Its certificates are trusted by browsers like any other, but issuance is free and fully automated: a client on your server proves control of the domain through the ACME protocol, fetches the certificate, and renews it on its own (Let’s Encrypt certificates are valid for 90 days). That not only makes securing your site easy and cost-effective but also takes a step toward an internet that is encrypted for everyone who wishes to use it.
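As an added example, and not code from the original post or from Let’s Encrypt, the following Python script shows what the chain of trust and the 90-day lifetime mean in practice for whoever operates the site. It connects with Python’s default verifying context, which rejects an untrusted chain, an expired certificate or a mismatched name before any request is sent, then reports who issued the certificate, whether the requested name matches the certificate’s subject alternative names (including a correct treatment of wildcards), and how many days remain before renewal is due. The sample certificate record, the hostname and the 30-day renewal threshold are constructed assumptions; the record-parsing functions work on the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, so the offline part runs without a network.

```python
"""What a TLS certificate proves, and when to renew it.

Added example, not code from the original post or from Let's Encrypt.
The record-parsing functions work on the dictionary shape returned by
ssl.SSLSocket.getpeercert(), so they run offline on SAMPLE_CERT below;
fetch_peer_cert() performs a live check when pointed at a real host.
"""
import socket
import ssl
from datetime import datetime, timezone

# Let's Encrypt certificates are valid for 90 days; the alert threshold is an assumption.
LETS_ENCRYPT_LIFETIME_DAYS = 90
RENEW_WITHIN_DAYS = 30

# Constructed sample in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect and return the server's certificate as a dict.

    create_default_context() validates the chain up to a root in the OS trust
    store and checks the hostname, so an untrusted, expired or mismatched
    certificate raises ssl.SSLCertVerificationError before any request is sent.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def hostname_matches(hostname, pattern):
    """RFC 6125-style comparison of a hostname against one SAN dNSName.

    A wildcard must be the entire leftmost label, matches exactly one label,
    and is not accepted for a bare '*.tld' pattern.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def days_until_expiry(cert, now=None):
    """Days (fractional) until the certificate's notAfter; negative if expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).total_seconds() / 86400


def assess(cert, hostname, now=None):
    """Summarise what this certificate proves for `hostname`.

    `now` may be an ISO-8601 timestamp string (used for offline checks) or None.
    A matching, trusted certificate proves control of the domain name; it says
    nothing about the honesty of the merchant operating it.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    days_left = days_until_expiry(cert, now)
    return {
        "hostname_ok": any(hostname_matches(hostname, san) for san in sans),
        "issuer_org": issuer.get("organizationName"),
        "days_left": days_left,
        "renew_now": days_left <= RENEW_WITHIN_DAYS,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_CERT
    print(assess(cert, host or "shop.example.com"))
```

Run it with a hostname argument to check a live server; with no argument it evaluates the constructed sample. An ACME client renews on its own, but a scheduled check like this is still worth having, because a failed renewal is silent until the certificate lapses and every visitor sees a browser warning.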
To that end, Hostway is proud to offer FREE SSL Certificates for all Managed Magento customers in partnership with Let’s Encrypt. It’s never been easier to save money, attract more customers, rank higher in Google search results, and make the internet a more secure place for everyone. Take advantage of Let’s Encrypt and keep your Magento eCommerce online store safe and out of the hands of hackers and cyber criminals.
For more information on SSL certificates, and how they can benefit your website and search presence, take a look at our overview of SSL certificates.
Year after year, CIOs and IT leaders name security as a top priority, both in focus within the business and financial resources allocated. Enterprises are storing more and more sensitive information, creating a pressing need for protection – these details must remain under the business's control, and unauthorized viewers must be kept out.
As the volume of security requirements continues to increase, IT and network administrators struggle to keep up. This is where security-as-a-service can become valuable.
IT research firm Gartner predicted that security spending would reach approximately $75.4 billion by the end of 2015, an increase of 4.7 percent over 2014. Driving this rise is the large number of recent high-profile data breaches, as well as government initiatives and new legislation.
As we kick off 2016, security is still a priority for enterprises. According to findings from market research firm Ovum, IT security spending will likely exceed $37 billion this year. Ovum's report noted that many of the threats seen in 2015, including cybercriminal activity, state-supported attacks and advanced persistent threats, are here to stay. For this reason, a large portion of this spending will be devoted to managed solutions, including security-as-a-service.
With new vulnerabilities and attack vectors being discovered nearly every day, it's increasingly difficult for enterprise IT staff to ensure total protection. This is an uphill battle that every organization faces. Security-as-a-service solutions are ideally suited to help bridge the gaps in a company's protection capabilities.
TechTarget contributor Joseph Granneman noted that security can be an incredibly labor-intensive process, often coming down to a judgment call. At the same time, labor is a scarce resource at nearly every enterprise. Having a security-as-a-service solution in place can make a huge difference for under-resourced companies.
"This is where Security as a Service can shine," Granneman wrote. "Security as a Service solutions can dedicate teams to a specific activity, such as monitoring logs, and spread the cost across many different customers, lowering the unit cost for everyone. Security programs can now afford a dedicated log monitoring team where they could not have previously without the cloud-based model. This raises the effectiveness of the security program and frees in-house staff to focus on higher level risk management activities."
In addition to labor, enterprise security increasingly requires the use of advanced tools and knowledge unavailable to many IT administrators. Particularly with the ever-changing nature of the threat environment, it can be incredibly difficult if not impossible to stay on top of emerging vulnerabilities that could impact the business. Without access to the right tools, the company could be completely missing exploitable entry points in its network.
This is another area where security-as-a-service solutions are invaluable. In addition to providing access to the latest and greatest security tools, companies can also gain contextual expertise that they may not be able to obtain elsewhere.
"Information security is a broad subject; there is no practical way for anyone to know every detail on each aspect," Granneman noted. "This knowledge gap can cause serious blind spots where risk is not easily observed nor mitigated. Security as a Service offers organizations the benefit of access to these contextual experts and resources they otherwise could not afford to maintain in-house. This allows the internal security staff to focus less on technical details and more on strategically managing the organization's information security risks."
Overall, security-as-a-service solutions can make a considerable difference for today's enterprises, particularly when it comes to bridging knowledge gaps and ensuring access to the best tools and information. To find out more about how security solutions can benefit your business, contact Hostway, an industry-leading provider of managed security solutions, today.
If you've voted in a U.S. national election since 2000, your name, street address, phone number, date of birth and more may be in an unsecured 300 GB database brought to public attention by Austin-based IT specialist Chris Vickery.
Vickery, who in September drew attention to a leak of 1.5 million medical records, reported the database to DataBreaches.net in mid-December. The database is now offline, but no one has taken responsibility for its existence and exposure. While it was online, anyone could obtain the database with no authentication.
In an interview with Reuters, Vickery emphasized that the "alarming part is that the information is so concentrated," removing the deterring expense and time consumption of the task of compiling such a database. A trove of all U.S. voter data could be valuable to criminals looking for lists of large numbers of targets for a variety of fraud schemes.
DataBreaches.net reports that the state of California may take on the investigation of the database's owner. Laws about securing voter data differ from state to state: in California, voter data may be made available only to persons within the United States, a rule clearly broken by a database anyone on the internet could download, and in South Dakota access to such data must be restricted, which it was not here.
We'll update this story in further blog posts as it develops.
UPDATE 1/4/16: Forbes reports that a second database has been discovered, holding as many as 54 million voters' records, and that the researcher who found both believes they are tied to United In Purpose, a pro-conservative group.
Many industries have compliance standards in place that mandate protection of sensitive data and the privacy of those to whom it pertains. These requirements ensure that businesses across an industry utilize the same processes and practices.
The Payment Card Industry Data Security Standard, for example, impacts organizations in and out of the commerce and retail markets, extending to any company that stores, processes or transmits cardholder information. Another common compliance standard is the Health Insurance Portability and Accountability Act and its Privacy and Security Rules. These are applicable to covered entities, business associates and any organization that provides healthcare treatment or payment processing services.
When it comes to compliance, there are a few best practices to observe. It's also imperative that organizations within these and other industries with similar compliance standards understand the potential consequences – to their companies and their clients – if they do not comply. Industry requirements like these should also be factored in when selecting a technology service provider.
According to the PCI Security Standards Council, PCI DSS compliance includes three best practices:
Adhering to PCI DSS can be an individualized process, and businesses should be sure they contact their payment brand or acquirer to find out the exact requirements they need to align with.
The PCI Security Standards Council does not check for compliance, nor does it impose sanctions for those that are not compliant. However, this does not mean there aren't consequences. The Council pointed out that the payment brands companies work with may have their own initiatives through which they are empowered to manage compliance and set forth punishments when necessary. In addition, if a breach occurs because of noncompliance, the retailer's customer base and brand image could suffer severely.
According to Online Tech, HIPAA compliance involves the HIPAA Privacy Rule, which outlines the requirements for storing, accessing and transmitting patients' health data to outside organizations. In addition, the Security Rule lays down the national security standards necessary to safeguard electronic protected health information, or ePHI, when maintaining, transmitting or receiving it.
The American Medical Association noted that there is a wide range of consequences for organizations that don't comply with the rules of HIPAA, including civil or criminal penalties that range in severity according to the offense. For instance, a HIPAA violation that comes in connection with willful neglect carries a penalty of $10,000 to $50,000 per violation – where "per violation" can mean per record exposed. This can pile up quickly, and seven-figure penalties are not unheard of.
Compliance is essential throughout an organization, and even extends to its technology services. Organizations that are governed by industry standards must ensure that the vendors they utilize – particularly for hosting and other services – are compliant as well. However, when selecting a compliant hosting provider, it's imperative to understand that compliance doesn't mean the same thing to every type of data or every industry.
"When thinking about compliance, many companies assume PCI DSS is interchangeable with HIPAA. Otherwise it is assumed that the gap between the two is small," noted Mike Klein, Online Tech president and COO and Data Center Knowledge contributor. "This ignores that HIPAA and PCI DSS compliance protect different types of information, with different audit guidelines, safeguard requirements and consequences for non-compliance or breaches."
Therefore, it's critical that organizations understand their requirements when it comes to industry compliance, and find a hosting provider that offers compliant-specific services.
Hostway offers security solutions specially crafted to comply with the regulations of a number of industry standards, including PCI DSS and HIPAA. Contact Hostway today to find out more about how we can help your company achieve compliance.
Today, Magento has released a new security patch (SUPEE-6788) and Community Edition 1.9.2.2 to address over 10 issues identified through its security program, including remote code execution and information leak vulnerabilities. This patch is unrelated to the recent Guruincsite malware issue. There are no confirmed reports of attacks related to these issues to date, but it is important that you deploy the patch in order to protect your store. More information about the patch is provided in the Magento Security Center and in the Magento Community Edition release notes.
This patch breaks backward compatibility in ways that can affect your extensions or customizations (see notes for details). For example, certain updates to admin routing can make improperly coded extensions and customizations inaccessible from the admin panel. We expect that many extensions and customizations will be affected by this change, so we are releasing the patch with it included, but turned off. This lets you immediately benefit from the rest of the patch, while also giving you time to update your code before turning on the admin routing change.
We recommend that you first test the code in a non-production environment with the admin routing change turned on. If it works, deploy the fully enabled patch to production. If you discover issues with accessing extensions or customizations from the admin panel, deploy the patch with the admin routing change disabled. Then work with your developer and extension providers to update impacted customizations and extensions. We urge you to turn on the admin routing change as soon as possible to protect your site from automated attacks, like the malware issue we recently experienced.
DOWNLOADING THE SECURITY PATCH
Patches are available for Magento Community Edition 1.4 and later releases and Magento Enterprise Edition 1.7 and later releases. Before implementing this new security patch (SUPEE-6788), you must first implement all previous security patches. This will ensure that the patch works properly.
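The two checks the notes above imply, written up as an added example rather than Magento's or Hostway's own tooling: a Python pre-flight script that (1) reads app/etc/applied.patches.list and reports which earlier SUPEE patches are not recorded as applied, and (2) scans each extension's etc/config.xml for the custom admin router pattern that stops working once the admin routing change is turned on, so you know which extensions need updating before you enable it. Assumptions: the list of prerequisite patch IDs is illustrative and depends on your edition and version; the applied.patches.list format is taken to be one pipe-separated line per patch with the ID in the second field, continuation lines for files, and reverts marked REVERTED; the sample list and the two config.xml fragments are constructed.

```python
"""Pre-flight checks before applying SUPEE-6788.

Added example; not Magento's or Hostway's code.  Assumptions are marked.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: illustrative list of earlier security patches; the real set depends
# on your edition and version (see the Magento release notes for your release).
REQUIRED_BEFORE_6788 = ["SUPEE-5344", "SUPEE-5994", "SUPEE-6285", "SUPEE-6482"]

PATCH_ID = re.compile(r"\bSUPEE-\d+\b")

# Constructed sample of app/etc/applied.patches.list (assumed format: one
# pipe-separated line per patch with the ID in the second field, continuation
# lines listing files, and reverts marked REVERTED).
SAMPLE_PATCH_LIST = """\
2015-09-02 18:46:26 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 1f2e3d
| app/code/core/Mage/Core/Controller/Request/Http.php
2015-09-02 19:00:00 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | 4a5b6c
2015-09-03 10:00:00 UTC | SUPEE-6285 | CE_1.9.1.0 | v1 | 4a5b6c | REVERTED
"""

# Constructed config.xml fragments: an extension declaring its own admin router
# (unreachable once the routing change is on) and the same extension registered
# under the core adminhtml router instead.
LEGACY_CONFIG = """<config>
  <admin><routers>
    <acme_reports>
      <use>admin</use>
      <args><module>Acme_Reports</module><frontName>acme_reports</frontName></args>
    </acme_reports>
  </routers></admin>
</config>"""

FIXED_CONFIG = """<config>
  <admin><routers>
    <adminhtml><args><modules>
      <acme_reports before="Mage_Adminhtml">Acme_Reports_Adminhtml</acme_reports>
    </modules></args></adminhtml>
  </routers></admin>
</config>"""


def applied_patches(patch_list_text):
    """Set of patch IDs currently applied; a later REVERTED line removes one."""
    applied = set()
    for line in patch_list_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 2:
            continue
        match = PATCH_ID.search(fields[1])
        if not match:
            continue  # continuation line listing patched files
        if "REVERTED" in line.upper():
            applied.discard(match.group(0))
        else:
            applied.add(match.group(0))
    return applied


def missing_prerequisites(patch_list_text, required=REQUIRED_BEFORE_6788):
    """Required patches not recorded as applied, in the order they should go on."""
    have = applied_patches(patch_list_text)
    return [p for p in required if p not in have]


def legacy_admin_routers(config_xml_text):
    """Routers an extension declares for admin URLs outside the core adminhtml router.

    After SUPEE-6788 (compatibility mode off) admin controllers must be registered
    under admin/routers/adminhtml/args/modules, so every hit is an extension to fix.
    """
    root = ET.fromstring(config_xml_text)
    hits = []
    admin_routers = root.find("./admin/routers")
    if admin_routers is not None:
        hits += ["admin/" + r.tag for r in admin_routers if r.tag != "adminhtml"]
    frontend_routers = root.find("./frontend/routers")
    if frontend_routers is not None:
        hits += ["frontend/" + r.tag for r in frontend_routers
                 if (r.findtext("use") or "").strip() == "admin"]
    return hits


def scan_extensions(magento_root):
    """Map each app/code/.../etc/config.xml with a legacy admin router to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(os.path.join(magento_root, "app", "code")):
        if os.path.basename(dirpath) == "etc" and "config.xml" in files:
            path = os.path.join(dirpath, "config.xml")
            with open(path, encoding="utf-8") as fh:
                try:
                    hits = legacy_admin_routers(fh.read())
                except ET.ParseError:
                    continue
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    root_dir = sys.argv[1] if len(sys.argv) > 1 else None
    if root_dir:
        with open(os.path.join(root_dir, "app", "etc", "applied.patches.list")) as fh:
            print("missing prerequisites:", missing_prerequisites(fh.read()))
        for path, hits in scan_extensions(root_dir).items():
            print(path, "->", ", ".join(hits))
    else:
        print("missing prerequisites (sample):", missing_prerequisites(SAMPLE_PATCH_LIST))
        print("legacy routers (sample):", legacy_admin_routers(LEGACY_CONFIG))
```

Point it at a Magento root to get the real report; with no argument it runs on the constructed samples. Run it in the staging copy first, as the notes above recommend, so the extension list is in hand before you turn the admin routing change on in production.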
To download the patch, choose from the following options:
Email supports quick communication among those that might be worlds apart, enabling users to attach, transmit, and access messages as well as other assets. However, depending upon the industry in which the organization operates, there may be specific rules that govern the use of email. Healthcare is among the most prominent examples.
Hospitals, doctors, and other practitioners are privy to sensitive patient information that must be kept safe. Healthcare providers are increasingly using email to connect with patients and discuss medical conditions and treatments. These providers must use email in a way that is compliant with industry rules.
"So long as the proper precautions are taken, healthcare providers can leverage email in a safe way that aligns with HIPAA requirements."
For companies in the United States, the most important standard is the Health Insurance Portability and Accountability Act, or HIPAA, which outlines the proper treatment of sensitive patient details and digital records.
What does HIPAA say about email?
HIPAA guidelines don't prohibit the use of email, but ask that healthcare providers observe certain considerations when transmitting sensitive information. According to the HIPAA FAQs page, "The Privacy Rule allows covered healthcare providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message."
HHS also notes that when a patient initiates email contact with the provider, the provider may assume, unless the patient has said otherwise, that email communication is acceptable to that patient. The provider should still make the patient aware of the risks of an unencrypted channel and let him or her decide whether or not to continue communicating in this manner.
The HIPAA Privacy Rule isn't the only standard that applies here, however. The Security Rule can also come into play, particularly when it comes to sending electronically protected health information, or e-PHI. According to HIPAA, "The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI." This includes not only policies, but encryption as well. Healthcare organizations must use encryption to safely transmit sensitive e-PHI over an open network.
Considerations for compliant email
While much of compliance depends upon usage, the email platform itself must also be compliant. Not all email systems are aligned with HIPAA guidelines by default. In fact, most free services, including Gmail, Yahoo Mail and others, do not have the proper protections in place for communications containing e-PHI, whether in the body of the email or as an attachment, and will not sign the business associate agreement a covered entity needs from its vendor. You should not use them in a healthcare setting.
There are hosted platforms, however, that are HIPAA-compliant. These implement strong security measures, including encryption and message expiry, to protect sensitive health information. An expiry date can be attached to communications that contain e-PHI so that they are deleted after a set period, which shortens the window in which protected data can be stored or accessed inappropriately.
But using a compliant email solution isn't just about aligning the organization with HIPAA. This strategy comes with its share of benefits as well, such as streamlined delivery of lab results, enhanced communications among doctors and staff, access to e-PHI while away from the office, and better connections with patients.
One of the best ways to ensure compliance is to leverage the services of a hosting provider. Hostway, for instance, allows healthcare providers to have granular management control, view daily reviews of security event log files, and deploy a robust firewall and intrusion detection and prevention system.
To learn how you can migrate your email platform to a compliant environment that’s monitored 24/7/365 for security risks, contact Hostway for a free assessment today.
The Stagefright vulnerability affects an estimated 95 percent of Android devices in use, nearly 1 billion phones and other equipment, and is reachable through multimedia messaging. A malicious video file is parsed by Android's media library as soon as it arrives: Hangouts processed incoming media automatically to build a preview, so the message did not even have to be opened, while the default messaging application triggered the vulnerable parsing when the message was opened.
A successful exploit runs the attacker's code with the privileges of the media server process, which on most devices is enough to read data, record audio or video through the microphone and camera, and use Bluetooth.
In May, Google accepted the patches required to fix the issues. But Android phone manufacturers including Samsung, Sony, Motorola, LG, Lenovo and HTC had not yet shipped them to their devices at the time of writing, lacking a financial incentive to do so. Two practical steps while you wait for an update: Zimperium, the firm that found the bug, published a free Stagefright Detector app that tests whether a device is still vulnerable, and disabling MMS auto-retrieve in the messaging app stops a malicious file from being fetched and parsed without your involvement.