Month: August 2017
A new study has been published in the Journal of Psychosocial Research on Cyberspace on the problem of cyberloafing, highlighting not only the cost to business but also the cost to individuals. Cyberloafing is a major drain on productivity, yet it is all too common. Employees who engage in cyberloafing can also seriously damage their career prospects.
The Business Cost of Cyberloafing
Employers are paying their employees to work, yet a significant amount of time is lost to cyberloafing. Cyberloafing dramatically reduces productivity and eats up company profits. The study was conducted on 273 employees and cyberloafing was measured along with the traits that led to the behavior.
The study revealed a correlation between cyberloafing and dark personality traits such as psychopathy, Machiavellianism and narcissism, but also showed that employees are wasting huge amounts of time simply because they can get away with it. The sites most commonly visited were not social media sites, but news websites and retail sites for online shopping.
In an ideal world, employees would be able to do their jobs and allocate some time each day to personal Internet use without any losses in productivity. Some employees do just that and curb personal Internet use and do not let it interfere with their work duties. However, for many employees, cyberloafing is a problem and huge losses are suffered by employers as a result.
A 2013 study on cyberloafing conducted by Salary.com showed that 69% of employees waste time at work every day, with 64% visiting non-work related websites. Out of those individuals, 39% said they wasted up to an hour on the Internet at work, 29% wasted 1-2 hours, and 32% wasted more than 2 hours a day.
Cyberloafing can make a huge dent in company profits. A company with 100 employees, each of whom spends an hour a day on personal Internet use, would see productivity losses in excess of 25,000 man-hours a year.
Productivity losses caused by cyberloafing are not the only problem – or cost. When employees use the Internet for personal reasons, their actions slow down the network resulting in slower Internet speeds for all. Personal Internet use increases the risk of malware and viruses being introduced, which can cause further productivity losses. The cost of resolving those infections can be considerable.
What Can Employers Do to Reduce Productivity Losses?
First of all, it is essential that the workforce is advised of company policies relating to personal Internet use. Informing the staff about what is an acceptable level of personal Internet use and what constitutes unacceptable behavior ensures everyone is aware of the rules. They must also be advised of the consequences of cyberloafing.
The Journal of Psychosocial Research on Cyberspace study suggests “a worker’s perceived ability to take advantage of an employer is a key part of cyberloafing.” Increasing monitoring and making it clear that personal Internet use is being noted serves as a good deterrent. When personal Internet use reaches problem levels there should also be repercussions for the employees concerned.
If there are no penalties in place for employees that break the rules and company policies are not enforced, little is likely to change.
What those penalties are is down to the employer. Action could be taken against the individuals concerned via standard disciplinary procedures such as verbal and written warnings. Controls could be put in place to curb Internet activity when employees are spending too much time online, such as blocks placed on certain websites (social media sites or news sites, for example). Those blocks could be temporary or even time-based, only allowing personal Internet use during breaks or at times when workloads are typically low.
WebTitan – An Easy Solution to Improve Productivity and Restrict Cyberloafing Losses
Such controls are easily applied with WebTitan. WebTitan is an Internet filter for enterprises that can be used to reclaim lost productivity and block access to web content that is unacceptable in the workplace.
WebTitan allows Internet controls to be easily set for individual employees, user groups, or the entire organization, with the ability to apply time-based web filtering controls.
Preventing all employees from accessing the Internet for personal reasons may not be the best way forward, as that could have a negative impact on morale which can similarly reduce productivity. However, some controls can certainly help employers reduce productivity losses. Internet filtering can also lower legal liability by preventing illegal activities and the accessing of adult content in the workplace and can help to prevent the development of a hostile work environment.
If you are interested in improving productivity and enforcing Internet usage policies in your organization, contact TitanHQ to discuss your options.
A new Facebook Messenger malware and adware campaign has been detected by Kaspersky Lab. The malware is capable of gathering information about the user and directing them to websites that offer downloads tailored to the users’ operating system and browser. Landing pages are also customized to maximize the probability of the user taking the required actions. This advanced Facebook Messenger malware and adware campaign works on Windows PCs and Macs and is not dependent on the browser being used.
The Facebook Messenger malware and adware campaign starts with a Messenger message containing a link to a video file, with that link pointing to Google Docs. Since the messages use Bitly URLs, it is hard for users to determine that the links are not what they seem.
Cleverly, a picture is taken from the user’s Facebook page which is incorporated into a dynamic landing page that is tailored to the individual. The landing page appears to host a playable video file. Clicking on the video will direct the user to a website where information is gathered on their environment, including their operating system, browser type and other information. The user is then directed to another website that is tailored to the information obtained from the first website.
Windows users using Firefox are directed to one website, IE users to another, and Mac users elsewhere. Those sites offer updates such as Flash downloads and malicious Chrome extensions. At present, these campaigns are being used to download adware, although they could easily be tweaked to install malware.
The Chrome extension is adware, but also includes a downloader which will allow further payloads to be delivered to the user’s device. What is not currently known is how the messages are being sent via Messenger. David Jacoby, the Kaspersky Lab researcher who discovered the Facebook Messenger malware and adware campaign, said, “It may be from stolen credentials, hijacked browsers or clickjacking. At the moment, we are not sure because this research is still ongoing.”
While the messages could be sent by unknown individuals, they may also be sent from Facebook contacts whose accounts have been compromised. Any hyperlinks sent via Messenger should therefore be treated with suspicion, especially when they appear out of the blue.
This new campaign is clever, although it is just one of many that are distributed via Messenger. Businesses can protect themselves against Facebook Messenger malware campaigns by using a Web Filtering solution such as WebTitan.
Many businesses choose not to block Facebook due to the negative impact it has on staff morale. However, with WebTitan it is possible to block Facebook Messenger without blocking the Facebook website. Employees can still access Facebook, while employers are protected from malicious messages that could result in malware downloads.
With the volume of cyberattacks increasing and heightened pressure on businesses to offer family-friendly WiFi access, a partnership with a company that offers Internet filtering for managed service providers is now a must.
Businesses that offer WiFi access to customers provide greater value and are more likely to attract customers. Younger age groups in particular are more likely to choose an establishment that allows them to connect to the Internet and not use their own data allowance. Coffee shops, restaurants, bars, and retail outlets now appreciate that providing WiFi access brings in more customers.
However, it is becoming increasingly important for secure WiFi access to be provided. Customers are now demanding more. They want reassurance that efforts are being made to make WiFi networks secure. Parents also want to make sure their children will not be exposed to harmful website content when hooking up to WiFi networks.
With demand for a filtered Internet service high, it is an easy sell for managed service providers. Further, Internet filtering brings in regular monthly revenue for next to no effort. Once the service is set up there is very little maintenance. Due to the low maintenance overhead and ease of implementation, Internet filtering for managed service providers could even be provided as part of an existing security suite to give clients even greater value for money.
Visiting clients to install solutions and perform updates is costly and eats into profits. It can also be difficult to convince businesses to pay out for an appliance to keep customers safe online. Free WiFi may increase footfall, but having to pay for a $500 appliance is a difficult sell.
However, with a cloud-based filter there is no need for any hardware purchases, no need for MSPs to visit their clients for an installation, and all settings can be changed remotely via an online administration control panel. Customers can even be given their own logins so they can tweak their own settings and whitelist and blacklist certain webpages at will.
WebTitan Cloud for WiFi – Internet Filtering for Managed Service Providers Made Simple
WebTitan Cloud for WiFi has been developed to make Internet filtering for managed service providers as simple as possible. This go-to-market content filtering solution can be set up for each client in around 20 minutes, with no need for site visits or any software downloads. WebTitan Cloud for WiFi is also supplied with a full set of APIs for easy backend integration and reports can be scheduled and sent automatically.
Each client can have their own administration control panel to tweak their content filtering settings, and since the interface is non-technical, there is no steep learning curve. Internet filtering controls are applied by category, so configuration is a quick and easy process.
Content filtering with WebTitan Cloud for WiFi has no discernible impact on Internet speed. There is no limit to the number of WiFi points that can be protected and no limit on bandwidth.
Setting different web filtering controls for different users and user groups is straightforward, since the solution integrates with LDAP and Active Directory. Filtering settings can also be set by the time of day or night.
If you want to offer your clients real-time spyware, malware and virus protection and allow them to carefully control Internet access to keep customers safe online and avoid legal liability, WebTitan Cloud for WiFi is the ideal choice.
To make it even better for MSPs, WebTitan Cloud for WiFi can be supplied in white label form ready to accept MSPs’ branding and there is a choice of hosting options, including the option of hosting the solution in your own environment. Add to that industry-leading customer service and you have the complete package.
If you are an MSP and are interested in adding Internet filtering to your service stack or are looking for a lower cost service provider with better margins, contact the MSP team at TitanHQ today and find out how easy – and profitable – Internet filtering for managed service providers can be.
The cost of a malware attack is difficult to predict. Many factors affect the cost: the type of malware, whether data were stolen, the extent of the infection, how easy it is to mitigate, and how much business is lost while the infection is resolved. For many companies, the customer churn rate increases after a cyberattack, and certainly one in which sensitive data are stolen.
For Maersk, the NotPetya attack did not result in any theft of customer data. Consequently, there was no need to pay for credit monitoring services or mail breach notification letters to customers, two additional and sizable costs associated with a malware attack. That said, the cost was considerable. Maersk has estimated the NotPetya wiper attack has cost as much as $300 million.
NotPetya was initially thought to be ransomware. The malware had a number of similarities to Petya ransomware: it overwrote and encrypted the master file table and a ransom demand was issued. However, in the case of NotPetya, paying the ransom would not result in keys being sent to unlock the encryption. The purpose of the attack was sabotage. The attackers had no intention of providing keys and allowing firms to recover their data.
For A.P. Møller – Maersk, the consequences of the attack were considerable. After its systems were taken out of action, the company was unable to load and unload its cargo ships in ports around the world. Many ships had to be rerouted as a result of the attack. Systems had to be rebuilt and the firm suffered considerable disruption while the infection was resolved.
A Model Response to a Cyberattack
Maersk was extremely quick to announce it had been attacked. The attacks occurred on June 27, 2017 and Maersk announced the following day that it had been affected. The company also maintained transparency throughout the following days and weeks while it attempted to recover, giving frequent updates on its progress in resolving the infection. The transparency has been applauded, with many security experts saying the company executed a model breach response. Not all companies were nearly as transparent.
The company recently issued an interim statement explaining how severe the attack was and how it would dent profits, saying, “Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million.”
Nuance Communications was also affected, and similarly gave frequent updates to its customers on the impact of the attack and its efforts to resolve the infection. That communication undoubtedly reduced customer churn, although with its systems taken out of action for more than three weeks, many customers were forced to seek alternate vendors. Whether they will return remains to be seen. Nuance believes its Q2 profits are down about $15 million as a result of the attack, although losses are likely to be ongoing and the attack will certainly affect its Q3 profits. The manufacturer Reckitt Benckiser has estimated the NotPetya attack has cost the company around $129 million in lost revenue.
These are just three large companies to have disclosed the cost of the malware attack. Logistics firm TNT suffered considerable disruption as a result of the attack, as did FedEx, Mondelez, Merck, Heritage Valley Health System, WPP, Rosneft, DLA Piper, Saint-Gobain and many firms in Ukraine – the country worst affected by the attacks. The total cost of these malware attacks will certainly be measured in billions.
The Ponemon Institute calculated the average cost of a malware attack that results in a data breach to be $3.62 million. The NotPetya attack clearly shows the devastating effect a malware attack can have and why it is so important for companies to invest in improving policies, procedures and cybersecurity defenses.
From May 25, 2018, all companies doing business with EU residents must comply with the General Data Protection Regulation (GDPR), but how can companies protect personally identifiable information under GDPR and avoid a penalty for non-compliance?
The General Data Protection Regulation
GDPR is a new regulation in the EU that will force companies to implement policies, procedures and technology to improve the privacy protections for consumers. GDPR also gives EU citizens more rights over the data that is recorded and stored by companies.
GDPR applies to all companies that do business with EU citizens, regardless of whether they are based in the EU. That means a company with a website that can be accessed by EU residents would be required to comply with GDPR.
Personally identifiable information includes a wide range of data elements relating to consumers. Along with the standard names, addresses, telephone numbers, financial and medical information, the GDPR definition includes IP addresses, logon IDs, videos, photos, social media posts, and location data – essentially any information that is identifiable to a specific individual.
Policies must be developed covering data subjects (individuals whose data is collected), data controllers (organizations collecting data) and data processors (companies that process data). Records must be maintained on how data is collected, stored, used and deleted when no longer required.
Some companies are required to appoint a data protection officer (DPO) whose role is to ensure compliance with GDPR. That individual must have a thorough understanding of GDPR, and technical knowledge of the organization’s processes, procedures and structure.
In addition to ensuring data is stored securely and consumers have the right to have their stored data deleted, GDPR will also force companies to disclose data breaches quickly – within 72 hours of a breach being discovered.
Failure to comply with GDPR could result in a heavy fine. Fines of up to €20,000,000 or 4% of a company’s annual revenue are possible, whichever is the greater.
Many companies are not prepared for GDPR or think the regulation does not apply to them. Others have realized how much work is required and have scrambled to get their businesses compliant before the deadline. For many companies, the cost of compliance has been considerable.
How Can I Protect Personally Identifiable Information under GDPR?
GDPR imposes a number of restrictions on what companies can and cannot do with data and how it must be protected, although there are no specific controls that are required of companies to protect personally identifiable information under GDPR. The technology used to protect data is left to the discretion of each company. There is no standard template to protect personally identifiable information under GDPR.
A good place to start is with a review of the processes and systems that collect and store data. All data must be located before it can be protected and systems and processes identified to ensure appropriate controls are applied.
GDPR includes a right to be forgotten, so all data relating to an individual must be deleted on request. It is therefore essential that a company knows where all data relating to an individual is located. Controls must also be put in place to restrict the individuals who have access to consumer data. Training must also be provided so all employees are aware of GDPR and how it applies to them.
Companies should perform a risk assessment to determine their level of risk. The risk assessment can be used to determine which are the most appropriate technologies to implement.
Technologies that allow the pseudonymisation and encryption of data should be considered. If data is stored in encrypted form, it is not classed as personal data any more.
Companies must consider implementing technology that improves the security of systems and services that process data, mechanisms that allow data to be restored in the event of a breach, and policies that regularly test security controls.
To protect personally identifiable information under GDPR, organizations must secure all systems and applications used to store or process personal data and have controls in place to protect IT infrastructure. Systems should also be implemented that allow companies to detect data breaches in real time.
Compliance with GDPR is not something that can be left to the last minute. May 25 is a long way off, but given the amount of work involved in compliance, companies need to be getting to grips with GDPR now.