Cyber criminals are stepping up smaller, more targeted attacks, according to the latest Internet Security Threat Report from Symantec Corporation. During the second half of 2005, attackers continued to move away from broad attacks seeking to breach corporate systems, and they are now taking aim at desktop computers and web-based applications. Why? They want to avoid detection and reap bigger profits by stealing personal and financial information.
Malicious code such as viruses, worms and Trojan horses can unearth confidential information from a user's computer. These threats account for 4 out of 5 malicious code attacks. Scams such as phishing attacks, which trick users into revealing passwords, credit card information and other financial information, are also on the rise.
Companies protect themselves from these external threats using firewall hardware and software to keep unauthorized users out of their systems. Desktop and laptop computers have anti-virus software running on them to detect and reject malicious code. Some organizations use third-party services such as AITP member Network Vigilance to monitor their network connections for cyber criminals trying to break in.
Visa and MasterCard require companies to protect all credit card information in computer systems by encrypting it for storage and transmission. Only employees who have a legitimate "need to know" should be able to view a complete credit card number once it's entered into a system. Great care must also be taken with credit card information maintained in paper documents and files.
These are just some of the steps that organizations take to protect the personal and financial information of customers and employees. What can you do to help?
Make sure that personal and confidential information entrusted to IT is properly protected. Never share customer or employee information with anyone who doesn't have a legitimate "need to know" it.
Never give out information over the telephone, or transmit it electronically, just because someone asks for it. Ask yourself: "Is this a legitimate business request?" ... and then validate it.
Protect computer login information, and change passwords periodically. Most experts recommend changing them at least once every 90 days; you can change them sooner.
Despite automated intrusion detection systems, you may be the first person to see a problem. If you suspect a problem with a computer, or you believe someone might be trying to obtain information through phishing or other schemes, report it to the appropriate manager in your organization. Instruct users not to try fixing problems themselves. With malicious code, it's important that they protect the evidence of a problem until someone from IT technical support or security looks at the computer.
Every AITP member has a role to play in protecting his or her organization's computers and networks, as well as the personal and financial information maintained on them. Working together, we are a strong line of defense against cyber criminals.