Cyber Liability – Zero Trust Security Explained
This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.
Traditional cybersecurity protocols can’t keep up with the rapidly evolving modern workplace environment. The complexity of hybrid work, the rising number of fully remote employees and the dramatic increase in the use of cloud-based systems make traditional perimeter security ineffectual. A new security model is needed to keep the corporate network safe. This model is “zero trust.”
Zero trust is adapted to the modern workplace. It embraces mobility and protects people, networks, applications and devices, regardless of their location. Review the following guidance to learn why zero trust is important, how it works and how it can benefit your organization.
What Is Zero Trust?
Traditional network security trusts users and devices once they are inside the organization’s perimeter. This exposes the organization to malicious insiders and to stolen or misused credentials, because anyone who gets inside is granted broad, unchallenged access. The phrase “trust, but verify” is often used to describe traditional network security approaches.
The zero-trust approach removes the concept of trust from within an organization’s structure. With zero trust, a data breach is assumed with every access request. Every access request must be authenticated and authorized as if it originated from an open network. The concept “never trust, always verify” is emblematic of the zero-trust approach.
What Are the Benefits of Zero Trust?
The zero-trust approach is one of the most effective ways for organizations to control their network, applications, and data.
This is especially important today, as companies expand their infrastructure to include cloud-based applications and servers. The mix of locally hosted machines, virtual machines and Software-as-a-Service products, together with a dramatically increasing number of remote employees, has made it difficult for organizations to secure their systems and data.
Implementing a zero-trust approach benefits companies in a wide range of ways, including:
- Minimizing your organization’s attack surface—By granting the lowest level of access possible for users and devices to perform their essential functions, organizations can minimize the affected area within their organization should a breach occur.
- Improving audit and compliance visibility—The first step to implementing zero trust is for an organization to know what devices exist and which credentials are on each device. In this way, devices are constantly kept in an audit-ready state.
- Reducing risk, complexity and costs—All access requests are vetted prior to allowing access to any company assets or accounts. This dramatically increases real-time visibility within the organization and helps prevent costly data breaches.
- Providing Layer 7 threat prevention—Layer 7 is the application layer of the Open Systems Interconnection (OSI) model: the layer at which communicating parties are identified and end-user processes and applications, including user authentication, are supported. By enforcing, at any given time, which users and applications may reach which assets, the zero-trust approach stops unauthorized users or applications from accessing your organization’s crucial data and helps prevent the exfiltration of sensitive information.
- Simplifying granular user-access control—Zero trust requires an organization to define which users may access certain aspects of an organization. As a rule, each user is granted the least privilege possible to perform their necessary functions.
- Preventing lateral movement—Segmenting the network by identity, groups and function allows organizations to contain breaches and minimize the damage from an attacker who would otherwise be free to move within the organization’s perimeter.
How Does Zero Trust Work?
By combining a wide range of preventative techniques, including identity verification, behavioral analysis, microsegmentation, endpoint security, and least privilege controls, implementing a zero-trust approach can significantly reduce an organization’s risk of becoming a data breach victim.
Zero trust relies on three essential principles:
- Verify explicitly. Every user request must be authenticated and authorized using all available data points. This step is designed to ensure the person or application requesting access is who they say they are.
- Use least privileged access. Users should be given the least amount of access necessary to perform their authorized functions. Just-in-time (JIT) and just-enough access (JEA), risk-based adaptive policies and data protection can all help secure data and user productivity.
- Assume breach. Design as though an attacker is already inside: segment access to limit the blast radius, encrypt data end to end so that traffic reaching an unintended endpoint is unreadable, and use analytics to drive threat detection, improve visibility and enhance defenses.
How Can I Implement Zero Trust?
Adopting the principles of zero trust doesn’t necessarily require costly new products, but it is an ongoing program rather than a one-time deployment. Use the following steps to employ zero trust at your organization:
- Define the attack surface. To adopt a zero-trust framework, your organization’s critical data, assets, applications and services must be identified. This critical information forms a “protect surface,” which is unique to every organization.
- Create a directory of assets. Determine where the sensitive information lives and who needs access to it. Know how many accounts there are and where they connect. Remove stale accounts and rotate any credentials known or suspected to be compromised. Forcing periodic password changes for their own sake is no longer recommended (NIST SP 800-63B); prefer multifactor authentication and screening new passwords against known-breached lists.
- Adopt preventative measures. Give users the least amount of access necessary to do their work. Use multifactor authentication to verify accounts. Establish micro-perimeters to act as border control within the system and prevent unauthorized lateral movement.
- Monitor continuously. Inspect, analyze and log all access requests and traffic. Escalate and retain logs that show anomalous activity or suspicious traffic, and have a clear plan of action for how to handle them.
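The three principles and the four implementation steps above come together in a policy decision point that evaluates every request on its own merits. The Python script below is an added example written for this article, not code from RISQ Consulting or from any zero-trust product: the protect surface, role names, device attributes, sample requests and the denial threshold are constructed assumptions. It denies by default, re-checks identity and device posture on each request, honours only standing roles or unexpired just-in-time grants, and logs every decision so repeated denials can be surfaced for investigation.

```python
"""Per-request zero-trust policy decision point (PDP) with a decision log.

Added example for this article, not code from RISQ Consulting or from any
zero-trust product. The protect surface, roles, device attributes and sample
requests are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Steps 1 and 2: the protect surface, inventoried up front. Each asset lists the
# least-privilege roles allowed to touch it; anything not listed is denied.
PROTECT_SURFACE: Dict[str, Dict] = {
    "payroll-db": {"sensitivity": "high", "roles": {"payroll-admin"}},
    "crm": {"sensitivity": "medium", "roles": {"sales", "support"}},
    "wiki": {"sensitivity": "low", "roles": {"sales", "support", "payroll-admin"}},
}

DECISION_LOG: List[Dict] = []  # step 4: every decision, allow or deny, is logged


@dataclass
class Request:
    user: str
    roles: Set[str]
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    resource: str
    jit_grant_expires: Optional[datetime] = None  # just-in-time grant, if one was issued


def _log(req: Request, now: datetime, decision: str, reason: str) -> Tuple[str, str]:
    DECISION_LOG.append({"ts": now.isoformat(), "user": req.user, "resource": req.resource,
                         "decision": decision, "reason": reason})
    return decision, reason


def decide(req: Request, now: datetime) -> Tuple[str, str]:
    """Evaluate one request as if it arrived from an open network.

    Returns (decision, reason) with decision in {"allow", "deny", "step-up"}.
    The default is deny: a request must pass every check to be allowed, and
    nothing is remembered from earlier requests (no implicit session trust).
    """
    asset = PROTECT_SURFACE.get(req.resource)
    if asset is None:
        return _log(req, now, "deny", "resource not in protect surface")
    # Verify explicitly: identity and device posture on every request.
    if not req.mfa_verified:
        return _log(req, now, "step-up", "MFA required")
    if not req.device_managed:
        return _log(req, now, "deny", "unmanaged device")
    if asset["sensitivity"] == "high" and not req.device_patched:
        return _log(req, now, "deny", "unpatched device for high-sensitivity asset")
    # Least privilege: a standing role or an unexpired JIT grant, nothing else.
    has_role = bool(req.roles & asset["roles"])
    has_jit = req.jit_grant_expires is not None and req.jit_grant_expires > now
    if not (has_role or has_jit):
        return _log(req, now, "deny", "no role or JIT grant for resource")
    return _log(req, now, "allow", "standing role" if has_role else "unexpired JIT grant")


def repeated_denials(threshold: int) -> Set[str]:
    """Assume breach: surface principals denied at least `threshold` times for follow-up."""
    counts: Dict[str, int] = {}
    for entry in DECISION_LOG:
        if entry["decision"] == "deny":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {user for user, n in counts.items() if n >= threshold}


def run_demo(now: Optional[datetime] = None) -> List[str]:
    """Replay constructed sample requests and return the decisions in order."""
    now = now or datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    later = now + timedelta(hours=2)
    contractor_grant = now + timedelta(hours=1)  # one-hour JIT grant for a contractor
    samples = [
        Request("alice", {"sales"}, True, True, True, "crm"),                # allow: role
        Request("alice", {"sales"}, True, True, True, "payroll-db"),         # deny: no role
        Request("bob", {"payroll-admin"}, False, True, True, "payroll-db"),  # step-up: no MFA
        Request("bob", {"payroll-admin"}, True, True, False, "payroll-db"),  # deny: unpatched
        Request("carol", set(), True, True, True, "crm", contractor_grant),  # allow: JIT grant
        Request("mallory", set(), True, False, True, "wiki"),                # deny: unmanaged
        Request("mallory", set(), True, True, True, "crm"),                  # deny: no role
    ]
    decisions = [decide(r, now)[0] for r in samples]
    # The same JIT grant presented after it expires is denied: trust is not remembered.
    decisions.append(decide(samples[4], later)[0])
    return decisions


if __name__ == "__main__":
    print(run_demo())
    print("repeated denials:", repeated_denials(2))
```

In a real deployment the device attributes would come from an endpoint-management or posture service and the roles from the identity provider; the point the script makes is that the decision is recomputed for every request and that the expiring grant, not a long-lived session, is what carries access.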
For additional risk management guidance and insurance solutions, contact us today.
- Published in Blog
Considerations for Using ChatGPT and Other AI Tools in the Workplace
Artificial intelligence (AI) chatbot ChatGPT has recently made waves for producing human-like text and communications from user inputs. Accessible to anyone with a computer and internet connection, ChatGPT produces usable written material on a wide range of topics and helps make decisions. These functions are leading many employers to consider ways to incorporate this technology into their organizations to enhance workflows, streamline operations and improve customer experience.
Since this technology is accessible to employers of all sizes, it presents an opportunity for organizations that strategically leverage it. However, AI tools have certain limitations and potential risks that employers need to consider carefully before embracing this technology. Even if employers don’t plan on incorporating AI technology into their business operations, it’s still wise to understand these tools and their limitations because employees may use them without their employers’ knowledge or permission.
This article explains what ChatGPT is and outlines considerations for using AI technology in the workplace.
What Is ChatGPT?
ChatGPT is a natural language chatbot, meaning it uses a natural language processing system to respond in a conversational manner to user inputs. This allows it to imitate human dialogue and decision-making. ChatGPT is capable of performing or helping with a variety of tasks. For example, ChatGPT can write articles, poems and songs; perform calculations; explain difficult concepts and subjects; automate tasks; and converse with users. This technology is advancing quickly and could have a major impact on how employers run and structure their organizations.
ChatGPT is a neural-network machine learning model trained on large data sets to generate human-like text on various subjects. The chatbot is trained on books, websites and articles and can produce questions, answers, summaries, translations, calculations, code and conversation. Its knowledge is limited to information that was available when it was trained, and it’s unable to look up new information. As a result, some of the information and answers ChatGPT provides users may be outdated or inaccurate. The version of ChatGPT launched in November 2022 was a free research preview whose training data extends only to 2021; the widely repeated claim that it uses 100 trillion parameters is not supported by anything OpenAI has published. OpenAI, the creator of ChatGPT, may soon offer a professional version.
Workplace Applications of AI Tools
The significance of AI technology for employers cannot be overstated, as it could change almost every aspect of how organizations operate and conduct business. Many employers, especially larger ones, have been using this technology for years; however, ChatGPT is not only making this technology readily available to employers of all sizes but also more accepted than in the past.
Incorporating AI technology can enable employers to run more efficiently and economically by automating many tasks currently performed by employees. AI can not only automate and streamline manual, error-prone tasks but also augment how employees work. This could potentially change the way employees work, allowing them to focus on higher-value tasks. Instead of replacing employees’ jobs, tools like ChatGPT will likely alter the work employees do and the value they offer their employers.
Nearly every facet of an organization—including HR, marketing, accounting, legal and software engineering—could be impacted by AI technology. Specifically, this technology could change how employers operate in the following departments:
- Customer support—AI chatbots can provide information and answer customer questions quickly and effectively, allowing customer support employees to focus on more important or nuanced tasks. They may also provide internal support for employees by answering questions they may have about benefits and other HR-related topics.
- Sales—AI technology can be used to generate sales leads, qualify prospects and guide customers through the purchase process.
- Recruitment—Employers can automate many aspects of the recruitment process, such as generating job descriptions and evaluating resumes to find qualified applicants, allowing HR teams to save time and resources.
- Marketing—Tools like ChatGPT can produce usable written documents on a range of subjects. Employers can leverage this technology to create and improve their marketing efforts, including copy and content generation, search engine optimization, keyword search data and ad content optimization.
- Software development—AI technology can write and correct basic software code to help organizations build websites, develop apps and fix software bugs. This enables individuals without computer programming knowledge or experience to generate code, although generated code should be reviewed and tested like any other third-party code before it is deployed.
Additionally, organizations can use this technology to help create employment policies and handbooks and calculate payroll deductions. Some AI technology can provide organizations with real-time insights into market trends and customer behavior by conducting research and data analysis.
Employer Considerations
The accessibility and capabilities of tools like ChatGPT allow employers to experiment with and assess how their organizations can benefit from incorporating this technology into their day-to-day operations. Despite the potential benefits, ChatGPT and other AI chatbots have considerable limitations that employers must consider before adopting them. While AI technology can replicate many human-like behaviors and capabilities, it lacks essential skills like critical thinking, strategic decision-making and creativity. Being aware of these limitations can help employers evaluate and determine whether to use AI technology in their workplaces.
Errors and Outdated Information
Technology like ChatGPT creates the impression that it can do more or is more reliable than it is. AI’s knowledge is limited since it’s based only on the information used to train it. Therefore, the information AI tools provide users may be low quality or outdated, or it may contain errors. As a result, employers cannot be certain that the information this technology provides or what it produces is accurate. In some cases, AI-generated errors can be costly, subjecting organizations to government audits, fines and penalties. Employers would be wise to verify the information produced by AI tools before using it.
Technological Limitations
AI models like ChatGPT require extensive training and fine-tuning to perform at the levels employers need to be reliable and effective. It’s currently unclear whether ChatGPT and other AI chatbots can accurately assess the information they provide to users; thus, employers need to be cautious about using AI tools for important or consequential matters. While this technology can be a valuable resource for preparing business or employment-related documents and streamlining processes, the information produced by AI tools should only be considered a starting point. Employers will likely still need human oversight to review information and content created by AI to evaluate its accuracy before it’s used.
Legal Considerations
Additionally, this technology can create potential legal and privacy issues employers must consider. AI-generated content can violate copyright laws and create privacy issues for organizations. For example, the conversations employees have with AI chatbots may be reviewed by AI trainers, inadvertently disclosing sensitive and confidential business information and trade secrets to third parties. This could potentially expose employers to legal risks under privacy laws. Employees should not enter customer data, credentials, source code or other confidential material into a public chatbot unless the provider’s terms and the organization’s policy explicitly allow it. Before using AI technology, employers should consider reviewing and updating their confidentiality and trade secret policies to ensure they cover third-party AI tools. Organizations can also train employees on potential copyright and privacy issues or restrict access to AI tools to reduce legal risks.
Employer Takeaway
AI tools like ChatGPT have the potential to change nearly every aspect of employees’ work and increase organizational efficiency. This technology is relatively new, and there’s still much uncertainty surrounding it; however, it will likely continue to improve and become more reliable over time. As such, savvy employers will closely monitor AI technology’s developments and the potential issues surrounding them.
For more workplace resources, contact RISQ Consulting today.
Smishing Explained
Most businesses and individuals are familiar with phishing, a cyberattack technique that entails cybercriminals leveraging fraudulent emails to manipulate recipients into sharing sensitive information, clicking malicious links or opening harmful attachments. While these email-based scams remain a pressing concern, a variant known as smishing (SMS phishing) has become increasingly common, creating additional cyber exposures for businesses and individuals alike.
Smishing relies on the same tactics as phishing. The difference between these two cyberattack techniques is the delivery channel: smishing reaches victims through text messages and mobile messaging apps rather than emails. As a growing number of individuals utilize their smartphones for both personal and work-related purposes (e.g., interacting with colleagues and clients on mobile applications), smishing has become a rising threat. In fact, recent research found that nearly three-quarters (74%) of organizations experienced smishing incidents in the past year, while just 23% of the workforce recognizes this term.
With these numbers in mind, it’s evident that businesses need to address smishing exposures within their operations. The following article provides an overview of smishing and offers best practices for businesses to protect against this emerging cyberattack technique.
What Is Smishing?
Smishing follows the same format as phishing, using deceptive messages to manipulate recipients. These messages are generally sent via text, but can also be delivered through mobile instant messaging applications (e.g., WhatsApp). In these messages, cybercriminals may implement a wide range of strategies to get their targets to share information or infect their devices with malware. Specifically, they will likely impersonate a trusted or reputable source and urge the recipient to respond with confidential details, download a harmful application or click a malicious link. Here are some examples of common smishing messages:
- A message claiming to be from a financial institution, saying the recipient’s bank account is locked or experiencing suspicious activity and asking them to click a harmful link to remedy the issue
- A message impersonating a well-known retailer (e.g., Amazon, Target or Walmart), encouraging the recipient to download a malware-ridden application to receive a gift card or similar prize
- A message claiming to be from an attorney or law enforcement, saying the recipient is facing legal trouble or criminal charges and urging them to call an unknown number for more information
- A message impersonating the government, asking the recipient to click a suspicious link for details on their taxes or participation in a federal loan program
- A message claiming to be a research organization, requesting the recipient download a malicious application to complete an informational survey
- A message impersonating a delivery service, informing the recipient that they are receiving a package and providing them with a fraudulent link for tracking the item
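The patterns above (brand impersonation, links that do not go to the brand’s real domain, urgency, requests for credentials, callback numbers backed by a legal threat) can be scored mechanically, which is how a messaging gateway or a report-a-text mailbox triages volume. The Python script below is an added example written for this article, not code from RISQ Consulting or from any security vendor: the sample messages are constructed to mirror the examples above, and the brand allowlist, shortener list, phone numbers and thresholds are illustrative assumptions.

```python
"""Heuristic smishing triage over sample text messages.

Added example for this article, not code from RISQ Consulting or any vendor.
The sample messages are constructed to mirror the patterns in the article; the
brand list, domains, phone numbers and thresholds are illustrative assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample messages (not real captures). The last three are benign.
SAMPLES = [
    "Chase: Your account has been locked due to suspicious activity. "
    "Verify your account immediately at http://chase-secure-login.com/verify",
    "Amazon: you've won a $500 gift card. Claim within 24 hours: https://bit.ly/claim-gift",
    "USPS: a package is waiting for you. Confirm delivery details at usps-track.info/pkg",
    "This is Officer Smith. A warrant has been issued in your name. "
    "Call 555-0143 immediately to avoid arrest.",
    "Amazon: your order has shipped. Track it at https://www.amazon.com/orders",
    "Your verification code is 482913. Do not share it with anyone.",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
]

# Commonly impersonated brands and the domains they really link to (assumed allowlist).
OFFICIAL_DOMAINS = {
    "chase": {"chase.com"},
    "amazon": {"amazon.com"},
    "usps": {"usps.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
URGENCY = ("immediately", "within 24 hours", "locked", "suspended", "urgent", "final notice")
CREDENTIAL_ASKS = ("verify your account", "confirm your password", "enter your pin", "send the code")
LEGAL_THREATS = ("warrant", "arrest", "legal action", "criminal charges")

# Links with or without a scheme (smishing often drops "https://" to dodge filters).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.I)
PHONE_RE = re.compile(r"\b(?:\(?\d{3}\)?[-.\s]?)?\d{3}[-.\s]?\d{4}\b")


def extract_hosts(text):
    """Return the lower-cased hostname of every link in the text."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url  # urlparse only finds the host when a scheme is present
        host = (urlparse(url).hostname or "").rstrip(".").lower()
        if host:
            hosts.append(host)
    return hosts


def is_official(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_message(text):
    """Score one message; higher means more smishing indicators. Returns (score, reasons)."""
    lower = text.lower()
    hosts = extract_hosts(text)
    score, reasons = 0, []
    for host in hosts:
        if host in SHORTENERS:
            score += 2
            reasons.append(f"shortened link ({host}) hides the destination")
    for brand, domains in OFFICIAL_DOMAINS.items():
        mentioned = re.search(rf"\b{brand}\b", lower) or any(brand in h for h in hosts)
        for host in hosts:
            if mentioned and not is_official(host, domains):
                score += 3
                reasons.append(f"claims to be {brand} but links to {host}")
    for phrase in URGENCY:
        if phrase in lower:
            score += 1
            reasons.append(f"urgency cue: '{phrase}'")
    for phrase in CREDENTIAL_ASKS:
        if phrase in lower:
            score += 2
            reasons.append(f"asks for credentials: '{phrase}'")
    if PHONE_RE.search(text) and any(t in lower for t in LEGAL_THREATS):
        score += 2
        reasons.append("legal threat with a callback number")
    return score, reasons


def classify(text):
    """Map a score to a triage label. Thresholds are assumptions; tune on your own traffic."""
    score, reasons = score_message(text)
    if score >= 3:
        label = "likely smishing"
    elif score > 0:
        label = "suspicious"
    else:
        label = "no indicators"
    return label, score, reasons


if __name__ == "__main__":
    for msg in SAMPLES:
        label, score, reasons = classify(msg)
        print(f"[{label:>16} score={score}] {msg[:55]}... {reasons}")
```

Scoring like this belongs in a gateway filter or the mailbox that receives reported texts, not on the handset. It will miss a well-written targeted message with no link and no urgency cue, so a low score is absence of evidence rather than a clean bill; the domain-mismatch check is the most reliable signal because it does not depend on the attacker’s wording.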
If a recipient is tricked into doing what a smishing message asks, they could end up unknowingly downloading malware or exposing sensitive information, such as login credentials, debit and credit card numbers or Social Security numbers. From there, cybercriminals may use the information they obtained from smishing for several reasons, such as hacking accounts, opening new accounts, stealing money or retrieving additional data. Since individuals may use their smartphones for work-related tasks, smishing has the potential to impact businesses as well. For example, an individual who falls for a smishing scam could inadvertently give a cybercriminal access to their workplace credentials, allowing the criminal to collect confidential data from the victim’s employer and even steal business funds.
The nature of smishing has made this cyberattack technique a significant threat. This is because individuals are typically not as careful when communicating on their smartphones compared to their computers, often engaging in multiple text conversations at a time (sometimes while distracted or in a rush). After all, research from Experian found that individuals between ages 18-24 exchange around 4,000 texts each month. Considering these findings, individuals may be less wary or observant of a text message from an unknown number than an email, making them more likely to interact with a malicious text.
Furthermore, many individuals falsely assume that their smartphones possess more advanced security features than computers, thus protecting them from harmful messages. However, smartphone security has its limits. Built-in spam filters and carrier blocking catch some bulk campaigns, but they cannot reliably stop a targeted or newly crafted message, so every smartphone user remains exposed. That’s why it’s important for businesses to take steps to protect against smishing.
How to Protect Against Smishing
To effectively minimize smishing exposures and prevent related cyberattacks, businesses should:
- Conduct employee training—First, businesses should educate employees on what smishing is and how it could affect them. Additionally, employees should be required to participate in routine training regarding smishing detection and prevention. This training should instruct employees to:
- Watch for signs of smishing within their text messages (e.g., lack of personalization, generic phrasing and urgent requests)
- Refrain from interacting with or responding to messages from unknown numbers or suspicious senders (replying, even with “STOP,” confirms the number is live)
- Avoid clicking links or downloading applications provided within messages
- Never share sensitive information via text
- Utilize trusted contact methods (e.g., calling a company’s official phone number from its website or the back of a card, never a number or link supplied in the message itself) to verify the validity of any request sent over text
- Report any suspicious messages to the appropriate parties, such as a supervisor or the IT department
- Ensure adequate bring-your-own-device (BYOD) procedures—Apart from providing smishing training, businesses should establish solid BYOD procedures to ensure employees act accordingly when utilizing their personal smartphones for work-related purposes. Such procedures may include avoiding untrusted public Wi-Fi, requiring multifactor authentication (preferably a phishing-resistant method such as a hardware security key or passkey, since many smishing messages aim to capture one-time passcodes), conducting routine device updates and logging out of work accounts after each use. These procedures can help deter smishing attempts and decrease the damages that may ensue from smishing incidents.
- Implement access controls—Another method for limiting smishing exposures is the use of access controls. By only allowing employees access to the information they need to complete their job duties, businesses can reduce the risk of cybercriminals compromising excess data or diverting funds amid smishing incidents. To further protect their information, businesses should consider leveraging encryption services and establishing secure locations for backing up critical data.
- Utilize proper security software—Businesses should also make sure company-owned smartphones are equipped with adequate security software. In some cases, this software can halt cybercriminals in their tracks, stopping smishing messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, smartphones should possess antivirus programs, spam-detection systems and message-blocking tools. Security software should be updated as needed to ensure effectiveness.
- Purchase sufficient coverage—Finally, it’s vital for businesses to secure proper cyber insurance to protect against potential losses stemming from smishing incidents. Businesses should reach out to their trusted insurance professionals to discuss specific coverage needs.
Conclusion
In summary, smishing is a serious cyber threat that both individuals and businesses can’t afford to ignore. By staying aware of smishing tactics and implementing solid mitigation measures, businesses can successfully protect against this rising cyberattack technique, deterring cybercriminals and minimizing associated losses.
For more risk management guidance, contact us today.