Thursday, 29 September 2016

Does your personality make you more likely to get hacked?

Released on the eve of National Cyber Security Awareness Month, a new survey from LastPass, makers of the world’s most popular password manager, explores the intersection of consumer psychology, behaviour and attitudes when it comes to personal passwords.

Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – the study’s findings reveal that consumers have yet to adjust their own behaviour when it comes to password reuse.

The survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.

Password Paradox: You know it’s bad but you do it anyway

  • 95% of respondents recognise the characteristics of a strong password, but 47% use their initials or the names of friends or family, 42% use significant dates and numbers, and 26% use pet names; all of this information is easily obtainable through social media sites or from a casual acquaintance
  • 91% know there is a risk in reusing passwords, but 61% continue to do so
  • Only 29% of consumers change their passwords for security reasons; the #1 reason people change a password is that they forgot it (46%)
  • 69% of respondents prioritised their financial accounts over retail (43%), social media (31%) and entertainment (20%); if passwords are reused across accounts, cybercriminals who compromise a lower-priority account can easily gain access to something more critical, such as a savings or credit card account
  • More than a third (39%) of respondents said they create more secure passwords for personal accounts than for work accounts

Your personality will determine why – but not how – you get hacked 

Based on extensive personality questioning, the 2000 global respondents were placed into two categories.

  • Personality type doesn’t seem to impact our online behaviour, but it does drive how we rationalise poor password habits:

Type A bad password behaviour stems from a need to be in control. Even though they reuse passwords, Type A respondents don’t believe they are personally at risk, because of their own organised system and proactive efforts.

  • 35% reuse passwords so they can remember them
  • 49% have a personal system for remembering passwords
  • 2/3 are proactive in helping to keep personal information secure
  • 86% believe a strong password makes them feel like they’re protecting their family

Type B personalities rationalise their bad behaviour by convincing themselves that their accounts are of little value to hackers. This enables them to maintain a casual, laid-back attitude toward password security.

  • 45% think they’re not worth a hacker’s time
  • 43% choose an easy-to-remember password over a secure one
  • 50% limit their online activity due to fear of a breach
  • 86% feel that things other than a weak password could compromise their online security

“Developing poor password habits is a universal problem affecting users of any age, gender or personality type,” says Joe Siegrist, VP and GM of LastPass. “Most users admit to understanding the risks but continue to repeat the behaviour despite knowing they’re leaving sensitive information vulnerable to potential hackers. In order to establish more effective defences, we need to better understand why individuals act a certain way online and a system that makes it easier for the average user to better manage their password behaviour.”

The post Does your personality make you more likely to get hacked? appeared first on IT SECURITY GURU.


Survey reveals only 50% of UK technology decision-makers use data encryption in their companies

PKWARE, a global leader in encryption software, today releases the results of a survey that examines the data security knowledge and best practices of UK-based technology decision-makers. The survey suggests that nearly a quarter of tech senior decision-makers in the UK don’t fully understand what encryption is. *

This number increases to 40% in the retail sector and half in the healthcare sector. Overall, only 50% of respondents said they encrypt their customer data.

“These results are mind boggling,” said Miller Newton, CEO of PKWARE. “It’s hard to believe how many companies are still scraping by with such lax security when handling their customers’ valuable data. Just being compliant with basic security regulations isn’t enough anymore. As demonstrated by numerous high profile cyber-attacks, organisations need to encrypt their data and have foolproof security measures in place.”

Additionally, the survey revealed that 40% of UK tech senior decision-makers agree with the Investigatory Powers Bill, which would allow the government to bypass encryption. This demonstrates a lack of understanding of what encryption is and why it should be used.

Additional findings from the survey include:

  • Less than half of all tech decision-makers train their staff in security measures.
  • Only 40% of companies implement a clean desk policy – a move which doesn’t require any investment.
  • Only 35% of tech decision-makers think their staff definitely knows enough about data security and encryption to avoid a cyber-attack.

*According to the results of a survey of 250 senior technology decision-makers conducted by CensusWide on behalf of PKWARE in August 2016.

The post Survey reveals only 50% of UK technology decision-makers use data encryption in their companies appeared first on IT SECURITY GURU.


98 per cent hoodwinked as phishing challenge indicates SMEs at risk

Results of a survey challenging respondents to spot fake emails used for phishing have indicated that a massive 98% of respondents (including a number of IT professionals) failed to recognise email phishing attempts.

The focused survey, ‘Real or Steal’, conducted last week by the London-based IT services company Conosco, targeted a group of senior individuals across a range of SME companies to gauge how well this ‘IT savvy’ group could identify increasingly sophisticated phishing attempts. 70% got more than half the answers right, but only 6% (2 people) managed 100% success, indicating that businesses remain exposed to risk. Lack of staff awareness and training was highlighted as a significant security concern.

The Real or Steal challenge involved participants judging a series of emails and deciding whether or not each one was genuine. Most people (93%) correctly identified a PayPal email as fake, which suggests either that they are already wary of fake PayPal messages or that they are more suspicious when money is mentioned in an email. On the other hand, most participants were fooled by a phony LinkedIn message, with 63% getting it wrong, possibly indicating that when money is not explicitly involved, barriers are lowered and complacency rises.

Phishing is an increasingly worrisome problem, particularly in the UK, as the annual Internet Security Report from Symantec (April 2016) points out. In the report, the UK was ranked as ‘the most targeted nation for spear phishing attacks and ransomware in 2015’. Experts believe that SMEs are fast becoming the favoured targets of phishers, as they are often perceived as ill-prepared or under-trained. This is backed up by the latest Government Security Breaches Survey, which found that nearly three-quarters (74%) of small organisations reported a security breach in the last year, an increase on both the 2013 and 2014 surveys.

Max Mlinaric, Managing Director for Conosco said, “When there is a security breach in blue chip companies you tend to hear of it, and can wrongly assume large companies are most commonly targeted.  SMEs often present easier pickings for the hackers, as IT skills, security levels, awareness and sometimes personnel training are sometimes lower than in large companies which have deeper pockets.  It is crucial that SMEs ensure their IT is as secure as possible, that complacency is battled and their staff are regularly trained in resisting phishing attempts.”

The issue of cyber security for small businesses has been given even greater focus by the new European Data Protection regulations, which come into force in 2018. Companies could be fined up to €20m or 4% of their annual turnover, whichever is greater, for allowing a security breach to compromise their customer data. (It is worth noting that this is subject to change depending on how Brexit policies proceed.)


What is phishing

*CERT UK’s definition of phishing “is a particular type of email scam, whereby victims are targeted from seemingly genuine persons or services, with the aim of tricking the recipient into either providing personal details or clicking on something that will allow the attacker to do something you may not be aware of.  Spear phishing is a more targeted version of this attack and is often directed at specific people or organisations as opposed to the more blanket campaigns associated with phishing. Some examples might include:

  • An email claiming to be from a bank requesting you log in to verify your account due to fraudulent activity that has taken place; a link provided will direct to a website that looks similar to the genuine site which logs your genuine details once inputted
  • An email stating that you have been charged for a service you didn’t use, with an attached document that is supposed to be an invoice; upon opening the attachment malicious code then installs on the computer without the user’s knowledge
  • An email that appears to come from a high ranking person within your own organisation that requests a payment is made to a particular bank account; this is more commonly associated with spear phishing”

The post 98 per cent hoodwinked as phishing challenge indicates SMEs at risk appeared first on IT SECURITY GURU.


NHS Digital aims to put healthcare on firm cyber security footing

NHS Digital set to work closely with National Cyber Security Centre (NCSC) to boost healthcare sector cyber security capabilities.


ORIGINAL SOURCE: Computer Weekly

The post NHS Digital aims to put healthcare on firm cyber security footing appeared first on IT SECURITY GURU.


Yahoo CEO questioned by senators over timeline of data breach

Senate Democrats on Tuesday asked Yahoo for answers about its handling of the recently revealed data breach that resulted in more than 500 million accounts being compromised by hackers.


ORIGINAL SOURCE: Washington Times

The post Yahoo CEO questioned by senators over timeline of data breach appeared first on IT SECURITY GURU.


FBI reports more attempts to hack voter registration system

The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections. The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activities, which the FBI describes as preludes for possible hacking attempts.

The post FBI reports more attempts to hack voter registration system appeared first on IT SECURITY GURU.


More privacy problems for WhatsApp

On August 25, WhatsApp published a blog post detailing its new terms of use. These types of posts rarely generate buzz, but this post detailed end-to-end encryption, exploration of business, and connecting your phone number with Facebook’s systems.

The post More privacy problems for WhatsApp appeared first on IT SECURITY GURU.
