Employee Security Training

Cloud Security


Join thousands of professionals and get the latest insight on Compliance & Cybersecurity.


Today, we all use cloud services in our individual capacity or at work. Companies typically use cloud service providers like Amazon Web Services, Microsoft Azure, and Google Cloud to host their cloud computing services.

Sensitive information such as our personal data, emails and customer records is therefore stored on servers outside our direct control.

Cloud security is aimed at protecting data, applications, tools, and environments in the cloud through services, policies, technology, and security controls.
Cloud services providers and the customers of these providers have a shared responsibility when it comes to cloud security. Cloud services providers are generally responsible for the security of the platform, infrastructure, and applications while the customers are responsible for the security of endpoints, user and network security, applications developed on the cloud platform, and data.
A few common threats faced by companies using cloud services include:

Account hijacking:
Many employees use weak passwords, which makes it easy for an attacker to break into their cloud accounts. Cloud-based deployments often sit outside the customer’s own network and are reachable by anyone on the internet, so weakly configured security can let an attacker gain access without the organization’s knowledge.

Denial of service attacks:
A successful denial of service (DoS) attack on shared cloud infrastructure can affect multiple companies at once. A DoS attack floods a target with more traffic than it can handle, causing the target to shut down or stop responding.

Data loss:
Loss of account access and breaches can lead to the loss of important data stored in the cloud such as personal information, activity logs, and system backups.

Protection against these threats includes:

Education on cyber hygiene
Human errors account for a significant portion of breaches and losing access to an account on the cloud can cause major breaches. Being educated on best security practices reduces this risk by a huge margin.

Maintaining data protection policies
Data protection policies classify different types of data according to how sensitive they are. Such policies can ensure that highly sensitive data is not stored in cloud locations where the risk of a breach is high.

Subscribing to a reputable cloud security solution
Cloud security providers constantly update their solutions based on the latest threats and subscribing to a cloud security solution would ensure all-around protection of cloud services.

  • Employee Security Training
Srividhya Karthik

Srividhya Karthik is a seasoned content marketer and the Head of Marketing at Cyber Sierra. With a firm belief in the power of storytelling, she brings years of experience to create engaging narratives that captivate audiences. She also brings valuable insights from her work in the field of cybersecurity and compliance, possessing a deep understanding of the challenges and pain points faced by customers in these domains.

Find out how we can assist you in completing your compliance journey.

Employee Security Training

Ransomware




Ransomware is defined as a type of malicious software designed by threat actors to block access to a computer system until a sum of money is paid.

Threat actors include individual hackers, hacker organizations, government entities, and terrorist organizations. Over the last few years, ransomware has become a major cybersecurity threat to companies and individuals alike.

According to SonicWall, there were around 600 million ransomware attacks in 2021. One of the most prominent cases was the attack on Colonial Pipeline in Texas, US, which led to a severe crunch in gasoline supply in 18 US states.

Given the rapid rise of ransomware, here’s a short explainer of how it works:

  • The threat actor infiltrates network security and looks for systems that are vulnerable or directly exposed to the public internet.
  • Subsequently, the vulnerabilities and the protection level of the system are analyzed to see what type of code would stay undetected and breach the system.
  • Malicious software is installed on the system which stays dormant for a period of time until it gets executed.
  • Upon execution, the malicious software encrypts a large number of files in the system. The owner of the system would not be able to access the files without decrypting the files.
  • Malicious software displays a message on the system stating the ransom required to release the files. The ransom is usually paid in cryptocurrency.
  • The owner of the system pays the ransom to the threat actor and the threat actor sends a decrypting tool to access the files again.

How to Protect Yourself from Ransomware:

Install the latest software and firmware updates
Installing the latest software and firmware updates ensures that there are minimal vulnerabilities and better detection of malicious software.

Back up important data online:
Backing up your data regularly lets you revert to a known-good version of a system without the malicious code. The limitation is that you may not know when the malicious software was installed, as it could have stayed dormant for days or months before being executed.

Use modern security solutions that are updated regularly:
Using the latest security solutions vastly increases the likelihood of detecting malicious software which can be blocked from being installed on the system.

In the event you are a ransomware victim, here are a few options to explore:
1. Isolate the affected system and consult experts on the next step
2. Secure existing backups of data and software
3. Change all your passwords linked to that system

What is Ransomware and How Can I Protect Myself against it?
As the name implies, ransomware is malicious software designed to block access to a computer system until a ransom is paid. In a typical ransomware scenario, the attacker demands payment before restoring access to critical software that holds valuable information and runs important processes.

Common ransomware attacks include:

  • Sending a phishing email with a malicious attachment, taking over the victim’s computer and demanding a ransom to restore access
  • Exploiting security gaps to infect computers without needing to trick users
  • Threatening to publish the user’s sensitive data unless a ransom is paid

What should you do?
1. Keep your operating system patched and updated
2. Install antivirus software
3. Be very careful about admin privileges and limit that strictly
4. Back up your files
5. Invest in cyber insurance


Employee Security Training

Best Practices for Social Media Usage




Social media is deeply ingrained in our lives - whether it’s for personal usages like Instagram or TikTok or for professional purposes like LinkedIn.

Losing access to a social media account due to a cyber-attack may bring multiple problems to deal with.

For example, if an individual loses access to their account in an attack, the hacker could then send phishing links to coworkers or extract company information from them. This shows how easily a threat actor could inflict damage on an organization by hijacking an employee’s social media accounts.
To mitigate these risks, key security practices can be adopted for social media that bolster the general security of both the individual and the employer. Such practices include:

Setting strong passwords for social media accounts and corporate accounts:

Using multi-factor authentication (MFA)
Opting for MFA means that you need access to your phone or email address before you can log in to your accounts. This makes it significantly harder for threat actors to steal access.

Being cautious on social media platforms
Exercise basic caution and in case of links or messages that seem suspicious, either ignore them or report them to the platform. Even a trusted coworker could have been hacked and links from them could be part of a phishing attack.

Never post sensitive information about your work online
Details of how internal systems work, or credentials for any system, should not be posted online or even kept in private messages. In the event of a data breach, such information can land with hackers, who may use it to try to breach the system.

Review your privacy and security settings regularly
Social media companies update their apps and websites regularly, and the privacy and security settings may gain new features or change. Review these settings regularly to ensure that you remain protected.


Employee Security Training

Reporting A Data Breach




Data breaches occur in various manners and the specific definition of a data breach varies from company to company.

Please refer to your Company’s Information Security Policy for details on what the firm defines as a data breach and how to escalate/respond to it. Here, we cover general information about a data breach and steps you can take to report it.

What is a Data Breach?
Conventionally, people think of hackers, who use complex tools to access company systems and extract data, in relation to a breach. However, any unauthorized access to your company’s data may constitute a breach. Some examples include:

  • Employees leaving the company with sensitive information and no prior authorization.
  • A database with personal information of customers being available publicly (with no prior consent of customers)
  • Emailing company or customer information to the wrong party
  • Unauthorized access by cyber threat actors (aka hackers), who exfiltrate data and use it wrongfully with no consent from the company or its customers.

Notice that some breaches relate to company information, while others to personal data. You have an obligation to report both.

How can I report a data breach, and to whom should I report this?
Please note, based on your country of operation, reporting a data breach may be legally mandatory. The best ways to be sure of your responsibilities are to:

  • Refer to the cyber laws of the countries your company has operations in
  • Check with your IT team or your Company’s Data Protection Officer (DPO)
  • Visit the regulatory authority’s – typically Personal Data Protection Commission (PDPC) or its equivalent – website to learn of your responsibilities. Example – A tool like this, from the Singapore Government’s PDPC, is a relevant reference.

Generally, authorities get involved when the personal information of individuals is compromised. The best first step is to escalate any breach internally to your Management, who can then decide on appropriate next steps.


Employee Security Training

Safe Browsing Habits




Many of us spend significant time on the internet for work and leisure.

This makes internet browsers a potential target for cyber attacks as well as information farming for advertisers and data brokers.

To ensure a safe, privacy-preserving internet experience, there are a few best practices that we can keep in mind as listed below:

4 Safe Browsing Habits:

1. Update your browser’s privacy and security settings:
Almost all modern browsers have a section for privacy and security settings. These settings give you control over browsing data, safe-browsing protections, and the management of security keys, among other options.

2. Block pop-ups:
At their mildest, pop-ups are mostly used to redirect traffic to unwanted websites or harvest the user’s data. In some cases they also lead to malware being downloaded onto the user’s system. Hence, it is generally good practice to block pop-ups by default.

3. Avoid suspicious websites:
Modern browsers have built-in capabilities to flag websites that are potentially suspicious or shady. Even so, it is important to exercise extra caution when navigating sites that seem suspicious. In particular, be wary of websites that are not served over HTTPS or whose TLS/SSL certificates have expired.

4. Keep the browser updated:
Most browsers can update themselves automatically. It is advisable to keep automatic updates switched on, as this minimizes the chance of a breach through known vulnerabilities in older versions.


Employee Security Training

Password Management




Just like email, passwords are an integral part of our digital lives. These days, each of us uses dozens of services that require a password.

These range from our social media accounts to our financial applications and the tools and services we use at work. Hence, password security and management have become an important part of digital security.

A multi-billion dollar industry is now in place working on effectively and safely managing passwords through companies like LastPass, Dashlane, etc.
Ensure passwords being created and maintained are strong, stored safely, and changed on a periodic basis. Weak passwords being breached either because of poor storage or brute force are a common phenomenon. In fact, the SolarWinds hack from 2020 was partially attributed to a weak password, solarwinds123, being used on an internal system that hackers got access to.
To ensure internal systems being used at the workplace have a safe, strong, and confidential password, organizations should have a password policy in place. A good password policy should cover the following aspects of password management:

What Makes a Good Password:

1. Length of the password:
A good password should ideally be at least 8 characters long and use different types of characters (letters, numbers, special characters).

2. Password active duration:
Passwords can be rotated regularly so that the chance of an old password being reused across multiple systems is reduced, thereby strengthening the security of those systems.

3. Blocklist:
A good password policy can also include a set of weak yet most commonly used passwords as part of the block list. This would ensure that the employees don’t end up getting a weak password making the system potentially vulnerable.

4. Secure Storage:
To store passwords, it is advisable to use a password manager such as LastPass or Dashlane rather than writing them in an Excel spreadsheet or on post-it notes. If a system is hacked or breached, passwords held in a dedicated password manager remain protected, whereas passwords stored in plain text in note-taking tools are a security risk.
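As an added example that is not part of the original post, the Go program below is a small password-policy checker applying the rules above (minimum length, mix of character types, blocklist); it also illustrates the weak-password account hijacking risk described in the cloud security post. The blocklist entries are a constructed sample, and the letter-core normalisation (so that a blocklisted word with digits or symbols appended, like the cited solarwinds123, is still rejected) goes beyond what the post states.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// MinLength follows the post's guidance of at least 8 characters.
const MinLength = 8

// Constructed blocklist of base words seen in commonly breached passwords,
// including the one the post cites from the SolarWinds incident. A real policy
// would load a far larger list, e.g. from a breached-password feed.
var blocklist = map[string]bool{
	"password":   true,
	"qwerty":     true,
	"letmein":    true,
	"welcome":    true,
	"admin":      true,
	"solarwinds": true,
}

// letterCore strips everything but letters and lower-cases the result, so that
// "Password1!" and "solarwinds123" both reduce to their blocklisted base word.
func letterCore(pw string) string {
	var b strings.Builder
	for _, r := range pw {
		if unicode.IsLetter(r) {
			b.WriteRune(unicode.ToLower(r))
		}
	}
	return b.String()
}

// CheckPassword returns the policy rules the candidate fails; an empty slice
// means it passes. The rules mirror the post: length, character mix, blocklist.
func CheckPassword(pw string) []string {
	var failures []string

	if len([]rune(pw)) < MinLength {
		failures = append(failures, fmt.Sprintf("shorter than %d characters", MinLength))
	}

	var hasLetter, hasDigit, hasSpecial bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		default: // punctuation, symbols and spaces all count as "special"
			hasSpecial = true
		}
	}
	if !(hasLetter && hasDigit && hasSpecial) {
		failures = append(failures, "must mix letters, digits and special characters")
	}

	// Check both the exact (lower-cased) value and its letter core, so that
	// appending digits or symbols to a blocklisted word does not pass the policy.
	if blocklist[strings.ToLower(pw)] || blocklist[letterCore(pw)] {
		failures = append(failures, "based on a blocklisted common password")
	}

	return failures
}

func main() {
	// Constructed candidates for the demo, not real credentials.
	for _, pw := range []string{"solarwinds123", "Password1!", "Ab1!", "Tr0ub4dor&3"} {
		if f := CheckPassword(pw); len(f) == 0 {
			fmt.Printf("%-14s OK\n", pw)
		} else {
			fmt.Printf("%-14s rejected: %s\n", pw, strings.Join(f, "; "))
		}
	}
}
```

Running it reports every rule a candidate breaks rather than stopping at the first, which is what a user-facing policy prompt needs; the blocklist lookup is deliberately case-insensitive and suffix-tolerant because "Password1!" satisfies the length and mix rules while still being a trivially guessable password.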


Employee Security Training

Common Cyber Security Attacks




Cybersecurity attacks happen in a variety of ways. Most of these happen through systems that you use regularly.

These include SQL Injection, MITM, and DDoS. We will cover these attack vectors in the below sections:


Employee Security Training

Sensitive Data Handling




For clarity on what ‘sensitive data’ is, refer to your Company’s Information Security policy. It should also set out guidelines, specific to your organization, on how to handle sensitive data.

Generally, any data that helps identify individuals, their residency, banking, or health information is considered sensitive. Also, information that can risk the competitive advantages or reputation of the organization is sensitive.

As an employee, here are 11 steps you can take to handle sensitive data well, to mitigate the risk of a breach:

  1. Ensure devices have encryption enabled.
  2. Use synthetic data, instead of actual, where possible. This way, any leakage does not risk real people.
  3. When sharing information internally, and especially externally, only pass on what is needed. Remove non-relevant content.
  4. Secure/Wipe the hard drive before disposing of old devices.
  5. Restrict locations to which work files with sensitive information can be saved or copied.
  6. Use application-level encryption to protect the information in your files.
  7. Develop the habit of deleting unnecessary files, which no longer serve your business purpose. Note to check for storage rules in your Company’s information security policies first.
  8. Use Virtual Private Networks (VPNs) when logging in from outside the workplace.
  9. Limit sharing of data externally. If possible, consider using data leakage prevention tools.
  10. Stop using USB drives altogether, or limit the storage of sensitive information on unencrypted devices.
  11. Use separate wifi for Guests/Customers.
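The following Go program is an added example, not code from the original post, showing what step 6’s application-level encryption looks like in practice: a file’s contents are sealed with AES-256-GCM, which both hides the data and detects any tampering with the stored blob, so a copied or altered file cannot be silently read or modified. The sample record, the randomly generated key and the helper names are all constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 256-bit key. In practice the key would come from a
// secrets manager or be derived from a passphrase with a KDF, and would never
// be stored beside the file it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. A fresh random nonce is generated
// per call and prepended to the output, so the caller stores a single blob:
// nonce || ciphertext || authentication tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag to nonce, which is passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. Because GCM is an authenticated mode, any change
// to the stored blob (or use of the wrong key) makes Open return an error
// instead of silently yielding garbage.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// TamperDetected flips one bit of a stored blob and reports whether Decrypt
// rejects it; this integrity property is what makes the file safe to keep on
// shared or removable storage.
func TamperDetected(key, blob []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record standing in for a sensitive file's contents.
	record := []byte("customer_id=1001;email=alice@example.com;dob=1990-01-01")

	blob, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes (nonce + ciphertext + tag)\n", len(blob))

	plain, err := Decrypt(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v\n", string(plain) == string(record))
	fmt.Printf("tampering detected: %v\n", TamperDetected(key, blob))
}
```

The design point is that the stored blob carries its own nonce and authentication tag, so the only secret to manage is the key; losing the key loses the data, which is why step 1’s device encryption and a proper key store complement rather than replace each other.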

As you may notice in the steps above, developing a more proactive, defensive approach to data is most helpful, especially where sensitivities are high.


Third Party Risk Management

Cyber Risk Through Third Party Relationships




Every cybersecurity risk that your organization faces is likely also present in the companies or individuals it works with. Increasingly, breaches happen because of vulnerabilities in your network of Third-Party Relationships (TPRs).

As a result, the following are important points to note when you interact with parties outside your organization.
  1. Ensure your company has a policy for Third Party Risk Management (TPRM) with clearly defined controls that apply to TPRs.
  2. Maintain a central repository for TPRs and analyze the cybersecurity risks they pose and subsequently, apply appropriate controls to each party, with reference to TPRM or best practices you are familiar with.
  3. Third parties are not just ‘vendors’. Any supplier, IT service provider, associate, affiliate, or consultant is also part of the same set of third-party relationships. Controls in your organization’s information security policies should apply to all.
  4. Apply controls across the relationship. The importance of cybersecurity controls is normally overlooked, especially during and in the terminal phases of the relationship.
  5. Require your third parties to inform you of their security practices and in particular, any breaches, especially in relation to data concerning your customers or organization.

When cyber attacks occur in your supply chain of TPRs and if the data compromised concerns your business or its customers, your organization is likely to suffer impact too and may even be held liable.

As a result, watch out for the parties you are interacting with within the course of business and be mindful of cyber risk in this sphere.

