How to customize Windows 8.1 Start screen and keyboard shortcut tricks

Since some of you may be new to Windows 8.1 and may not have a touchscreen monitor for your desktop, then here are some handy tips, tricks and shortcut keys that will hopefully make your experience with the new OS somewhat less painful or frustrating. We’ll start with the Start button where you can choose to customize your Windows 8.1 experience.

Windows 8.1 Start button customizations

Right-click on the Start button to shut down, or to access Device Manager, Command Prompt, Control Panel, Run and other secondary feature options.

If you click on the Start button once, then it will take you to the Start screen.

If your Start screen is tiles, and you hate the Live Tiles, then that too can be tweaked under Taskbar and Navigation. The “long” way around is Windows key + I to open the Settings charm and then access Taskbar and Navigation. You can also move the mouse cursor to either of the right-hand hot corners to get to Settings. The fastest way is to right-click the taskbar and then select Properties.

Next, to boot to the desktop instead of the Live Tiles, click on the Navigation tab and go down to “Start screen.” Select “When I sign in or close all apps on a screen, go to the desktop instead of Start.” You can also choose to “Show my desktop background on Start” and/or “Show the Apps view automatically when I go to Start.” Since the apps menu can be annoying, you might also select “List desktop apps first in the Apps view when it’s sorted by category.”

Windows 8.1 Pro Taskbar & Navigation to boot to desktop

Search keyboard shortcuts

There’s nothing quite like being rather competent on a computer and then installing an OS that makes you feel like a clueless noob. At some point you will surely want to search for something, so here are the search keyboard shortcuts.

Windows key + S will open the Search charm to search “Everywhere.”

Windows key + W will open the Search charm on the upper right side to search “Settings.”

Windows key + F will open the Search charm to search “Files.” You can right-click on a file to “Open file location” and go to its folder if you didn’t want to directly open the file for which you searched.

The “easiest way to search your PC” is by using the Windows key + start typing.

Windows key + Q will search within an open app.

Other Windows 8.1 keyboard shortcuts

Windows key + D will open the desktop.

Windows key + H opens the Share charm.

Windows key + C will open the charms. In an app, it opens the commands for the app.

Windows key + period (.) will cycle through open apps.

Windows key + Shift + period (.) snaps an app to the left.

Windows key + Tab will bring up Search and apps. This is where you can clear out your search history.

Windows key + Ctrl + Tab will cycle through recently used apps (except desktop apps).

Windows key + Shift + Tab will cycle through recently used apps (except desktop apps) in reverse order.

Windows key + Spacebar will switch input language and keyboard layout.

Windows key + Ctrl + Spacebar will change to a previously selected input.

Windows key + O will lock the screen orientation into landscape or portrait.

Windows key + Z will show the commands available in the app.

Windows key + K will open the Devices charm.

Set up a local account

If you haven’t installed 8.1 yet, then don’t be suckered into thinking you must use a Microsoft account to do so. If you did set it up that way and want to change it, then here’s how to switch Windows 8.1 to a local account, with no Microsoft email account required.

Is Texting PHI HIPAA Compliant?


The short answer is yes (maybe).

Compliance with the HIPAA Security Rule is not an attribute of a particular application or device, but rather of a system of physical, administrative and technology safeguards that support the HIPAA-compliant use of electronic communication. Texting can be a useful means of communication, but texting PHI presents a number of risks. Organizations must thoroughly analyze these risks and develop appropriate policies. Where an organization decides to permit texting, it is essential that the associated privacy and security risks are effectively managed.

Some examples of texting safeguards that may form part of a risk management plan:

Banning the texting of ePHI entirely, or limiting the texting of identifiers, diagnosis and other information

Requiring deletion of texts (policies also need to address circumstances where HIPAA requires ePHI in texts be included in the medical record to address individual patient rights)

Device Passcode protection

Device Encryption

Secure disposal of devices

Registration of devices, including personally-owned devices

Use of a third-party secure messaging solution

Regular training on the CE’s policies and procedures is essential to promoting organization-wide compliance and minimizing risk.

As regards texting, it is critical that the workforce clearly understands the organization’s policy and receives the training necessary for compliance. A substantial proportion of reported security breaches are due in part to insufficient training of the workforce. It is also important that there be sanctions for noncompliance.

Risk management is a process. To ensure continued compliance with security standards, organizations must conduct ongoing monitoring of their information security risk to determine whether it is being effectively managed by existing safeguards, or whether those safeguards need to be strengthened. Changes in the regulatory environment, such as enforcement actions or the issuance of additional guidance, also need to be monitored. Practices should also ensure the risk analysis is updated regularly as technology and health care delivery change, for example in response to the greater care coordination required with accountable care.

Conclusion

Compliance with the HIPAA Security Rule is not an attribute of a particular application or device, but rather of a system of physical, administrative and technology safeguards that support the HIPAA-compliant use of electronic communication. Texting can be a useful means of communication, but texting PHI presents a number of risks. Organizations must thoroughly analyze these risks and develop appropriate policies. Where an organization decides to permit texting, it is essential that the associated privacy and security risks are effectively managed.

Resources for Encryption and Sanitation Requirements

Encryption, which must be addressed as part of an organization’s HIPAA security compliance, can be used to secure data in transmission (such as PHI sent by a mobile device) and data at rest (such as PHI stored locally on a mobile device).

The risk analysis should identify threats and vulnerabilities to ePHI, assess the sufficiency of current security measures, determine the likelihood and potential impact of threat occurrence, assign levels of risk to these threats and identify and implement appropriate corrective actions.

With regard to texting, key risks include the risk of loss, theft or improper disposal of the mobile device containing unsecured PHI and the risk that individuals other than the intended recipient may gain access to PHI stored in texts as a result of lack of safeguards (for example, someone who steals the phone, or a family member who borrows the phone). Another possible risk is that, while in transit, PHI could be intercepted by unauthorized persons. Also, telecommunications vendors or wireless carriers that store texts containing PHI may need to execute business associate agreements.

The major wireless providers such as Verizon, Sprint, AT&T, Metro PCS, or T-Mobile all claim not to store text messages on their servers. However, other locally contracted messaging services may not follow that model. If you are using a major carrier, then interception and storage issues relating to texts become inconsequential to individual practices. Larger organizations such as hospitals, insurance companies, and health care systems may wish to execute HIPAA agreements. For smaller messaging service providers we suggest a HIPAA agreement relating to the security of the messaging system.

Windows XP Now a Serious Security Risk

If you are hanging on to XP because you are afraid of moving to Windows 7 or 8, you should read the rest of this. It will change your mind.

Everyone complains about how hard it is to run Windows 8.x on a non-touchscreen computer. After using it for about 3 months, I have to say that if a person takes the time to learn the system it is elegant, efficient and, most importantly, secure.

It seems that all we want is to have another version of the operating system that we are using without having to learn anything new. I submit that it is not all that hard. Some things are not as compact as Windows 7, but on the whole Windows 8 does a great job once you learn it and customize it for your needs and tastes. It might even be more compact. If you have a touch screen computer and really want to do something productive it is the best thing out there.

After analyzing online security threats encountered across the globe from January to June 2013, on more than 1 billion systems, Microsoft’s Security Intelligence Report volume 15 is broken down into “in-depth perspectives” on vulnerabilities, exploits, malware, email threats, malicious websites, cloud security and best tips for mitigating risk.

New for this report, Microsoft talks about “encounter rates”: the total number of computers that encountered malware, compared to the total number of computers infected with malware and cleaned with Microsoft’s Malicious Software Removal Tool. Worldwide, 17 out of every 1,000 computers encountered malware, but only six out of every 1,000 were infected and cleaned. In the U.S., during the first half of 2013, 11.51% of PCs encountered malware, but only 8 of every 1,000 were infected and cleaned.

The evils of still running Windows XP play nicely into this malware encounter-rate theme. If you are still running XP, then Microsoft’s answer to this conundrum is the need to update to Windows 8.

But, according to Tim Rains, director of Microsoft Trustworthy Computing, the data from this newest Security Intelligence report illustrates “the positive impact that security innovations in newer operating systems are having. Modern operating systems such as Windows 8 include advanced security technologies that are specifically designed to make it harder, more complex, more expensive and, therefore, less appealing for cybercriminals to exploit vulnerabilities.” In fact, a large portion of Rains’ post is devoted to the dangers of clinging to XP.

Avoiding Holiday Bandits on the Internet and At Your Local Store

Holiday security risks are in the real world too, not just online

By Taylor Armerding, CSO, December 09, 2013 05:22 PM ET

The ubiquitous warnings about online shopping risks are well founded. As numerous experts are reminding consumers and businesses, the high season for shopping is also the high season for cybercrime. To paraphrase the song playing in the mall, “It’s the mo-oo-ost dangerous time of the year.”

In a nutshell:

Online

  • Email offers that sound too good to be true are!
  • Don’t go to, or use, password-protected sites while connected to public Wi-Fi Internet access. [Starbucks is the wrong place to check bank accounts]
  • Be careful with eCards. Make sure they are from a friend and a recognized eCard site. [Check the site if you are not sure before you open the card]
  • Watch out for any email that solicits any personal information, regardless of who it’s from. [Go to the website or call on the phone if you are not sure]
  • Do not open attachments or click on links in emails. [Go directly to the site on your own]
  • All of the above applies to your cell phone/pad too. [Checking your bank account over 3G or 4G Internet access provided by your cell service provider is secure]

In The Mall [or wherever]

  • Look at card swipe machines to see if they look right. Bring any concerns to the attention of management.
  • Watch for any unusual behavior of salespersons with your credit/debit card. Report concerns to the manager.
  • Don’t leave your purse or wallet in the shopping cart while looking at all that great stuff. [DUH]

Read All About it Here!

IT crime is not limited to the cyber world. There are real-world risks as well, from sophisticated hardware that can steal your personal information just as effectively as any online scam. That doesn’t mean the major focus on cyber risks is misplaced; they are more varied and abundant than real-world threats.

As CSO reported recently, millions of spoofed emails are already clogging in-boxes, purporting to be from online retailers or shipping notifications from FedEx, UPS and others. Cyber criminals are all over social media sites, trying to get you to click on links from your “friends,” or to open up fake e-cards. Or, they’re trying to scam you into purchasing fraudulent gift cards for unbelievably low prices.

There are also multiple risks from specialty mobile apps, which tend to collect much more information from devices than their users may know, including contact lists.

And the dangers from public Wi-Fi are, or ought to be, well known. They have spawned yet more revised versions of holiday jingles like, “You better watch out, you better not cry, you better not use that public Wi-Fi…” Anyone who enters user names, passwords or credit card numbers while using such a service is asking for trouble. But it is also important to be aware of physical risks, besides those from parking-lot thieves hoping you’ll leave a bunch of parcels in your car and then return to the mall to do some more shopping.

These are more subtle. As is the case with most online theft, they are designed to steal your credit or bank card information without stealing your card. By the time you are aware of it, some or all of your money is gone or fraudulent purchases have been made on your cards. [Retailers tracking customers via Wi-Fi suggests that privacy really is dead]

One of the most popular is the so-called skimmer, which is used on point-of-sale (POS) credit card devices, ATMs and gas pumps. Security blogger Brian Krebs, who has written about them multiple times, had a recent post on one that he described as elegantly simple: “little more than a false panel which sits atop the PIN pad and above the area where customers swipe their cards,” which could be installed and removed in seconds. “The underside of the device includes a tiny battery and flash storage card that allows the fake PIN pad to capture the key presses, and record the data stored on the magnetic stripe of each swiped card,” he wrote. [Eight tips for more secure mobile shopping]

These are obviously attractive to crooked employees, who could install them when nobody is watching and then remove them if a manager drifts into the area. Or, thieves posing as customers can install them while their partners distract the salespeople. Chester Wisniewski, senior security adviser at Sophos, said thanks to technology like 3D printers, skimmers like this are well within the reach of the common criminal. “The parts aren’t much more complicated than a cassette tape read head and an Arduino computer board,” he said.

So, while retail managers should check POS devices regularly and monitor them with security cameras, Wisniewski said shoppers can check the POS device themselves. “Aside from giving it a good once over before inserting your card, we recommend giving it a wiggle,” he said. “The part of the machine that accepts your card should not move or look like it has been bolted on.”

But skimmers don’t always have to be on the device itself. Robert Siciliano, CEO of IDTheftSecurity, said some of them are body worn or hand-held. A crooked employee, with access to hundreds of credit card transactions every day, “can easily double swipe card data on hand held or body worn skimmers fast enough that cameras, fellow employees or the customer would never notice,” he said. The only good news about most skimmers is that there are limits to the damage they can do. “They often are simplistic, and can only get credit-card numbers and not the CSC, CVD or CVN numbers on the back of the card to verify the transactions,” said Chris Strand, security compliance practice manager at Bit9. “Unless the exploit is using camera technology to record both the card swipe and the back of the card, which is often more physically detectable, these common skims limit the use of the stolen data to transactions where the card verification or security code is not needed,” he said, noting that requiring the CSC or CVD code within transactions especially online is becoming commonplace. [Slideshow: 5 risks to avoid for the holidays]

Besides skimmers, experts say the other major physical threat is from cameras. “All it takes to log someone’s keystrokes is a strategically placed web/security/spy camera,” Wisniewski said. “And a smartphone can be easily reconfigured into a rogue access point for supposedly free Wi-Fi. It doesn’t always require specialized equipment.”

How can retailers and customers detect and defeat threats like these? A good way to start is with the same kind of healthy suspicion that should apply to unsolicited emails. “You are not being paranoid, they are out to get you,” Wisniewski said. A big piece of that should fall to retail management, Siciliano said. “Managers, coworkers and customers must be trained on the risks posed by skimming in general,” he said. “Daily checks of existing hardware and close monitoring of employees are essential.” Strand said technology can help as well. “The best way to defeat them is to ensure that hardware or fixed-function devices are limited in their interface to allow only customer input via the keypad or close proximity RFID input,” he said. “Limiting the common interfaces that many of these devices have, such as open wireless ports, physical inputs like USB ports, and any other interface to access the device, reduces the possible access points that cyber thieves may use to compromise a device.” [The 12 scams of Christmas]

Monitoring can help as well, he said, “to detect if the device is attempting to run a process that is either prohibited under the business logic of the machine, or that is suspicious.” Experts agree that there is little hope that law enforcement can cut off or even curb the supply of these devices. The highly publicized recent shutdown of the online black market Silk Road will make little difference, they said. “The darkweb is exponentially larger than what everyday consumers have access to,” Siciliano said. “The tools to search and navigate via TOR (The Onion Router) are getting better every day.” Strand added that other illicit marketplaces “will easily fill the void that Silk Road left when it was shut down.” And even if those markets disappeared, “many of these devices can be constructed using home-based manufacturing techniques,” Strand said. “The devices and the tools used to create them are becoming more simplified making them more difficult to trace.”

All contents copyright 1995-2013 Network World, Inc. http://www.networkworld.com

Cyber Security Order and Health Care

Obama cybersecurity executive order may have healthcare implications

Don Fluckinger, News Director
Published: 09 Apr 2013
At the State of the Union address earlier this year, President Obama announced a cybersecurity executive order, Improving Critical Infrastructure Cybersecurity, in the wake of failed efforts to pass cybersecurity legislation in 2012. If it hasn’t already been assumed to be a part of it, healthcare may soon be pulled into it, creating a new layer of compliance mandates and, possibly, grant funding to ease capital investments needed to comply, said speakers at the PHI Protection Network’s recent forum in Cambridge, Mass.

In a nutshell, the order began by assigning the National Institute of Standards and Technology (NIST) the development of a cybersecurity framework, which involves working with leaders of various industries to develop common digital information security risk assessments and best practices. The key phrase for healthcare CIOs and compliance leaders to watch is “critical infrastructure,” Josh Magri, associate vice president of the Internet Security Alliance (ISA), told SearchHealthIT.

Magri pointed out that the executive order (in Section 2) does not specifically name hospitals and other healthcare providers when it declares that “critical infrastructure” systems or assets that, if taken offline, would have a “debilitating impact on … public health or safety.” But as federal agencies such as the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS) sit down with NIST to develop the framework, they could easily declare healthcare providers subject to the order.

In discussions with the DHS, Magri said it’s likely healthcare providers “can look forward to more regulations coming down the line.” But incentives to adopt the common cybersecurity framework could very well be in the offing, too.

“The executive order basically has the government getting its house in order; there are no regulations that have come out from it [yet],” Magri said, adding that he encourages healthcare CIOs to adopt cybersecurity best practices as outlined in the SANS 20 and the Verizon Data Breach Investigations Report, not only in order to protect their patients and network infrastructure, but also to be in an early position for incentives.

Health IT leaders can help steer the process

Magri also encourages healthcare IT leaders to get involved in discussions with government officials developing the plan. Hospital leaders can potentially help steer the terms of the regulations as well as the incentive program parameters if they get involved now, suggesting they might possibly lower eventual compliance burdens.

“The timelines on the executive order for deliverables — such as incentives, such as identification [of who falls under critical infrastructure] — are all within 120 days or 150 days” from Feb. 14 when Obama issued the order, Magri said. “You really have got to get going.”

He added that deliverables will have to be completed 30 days prior to those deadlines, so the corresponding agencies in charge of them (HHS, DHS, NIST) have time to review the documents and sign off.

In a presentation at the conference, compliance expert and Santa Fe Group CEO Catherine Allen said she believes hospitals, ambulance services and medical communities already fall under the executive order.

“It will mean increased costs; it will mean increased regulatory oversight in some form, and I think within the next year we’ll see most of the new rules coming out,” Allen said.

Zombie Browser Problem Increasing and Ignored by Anti Virus Companies

Researcher warns “zombie browsers” are skyrocketing

Malicious browser extensions are skyrocketing, says IT security consultant Zoltan Balazs

By Ellen Messmer, Network World
October 31, 2012 01:34 PM ET


MIAMI — Some Web browsers can be tricked into using so-called “malicious extensions” that can give hackers the ability to hijack the user’s session, spy on webcams, upload and download files, and in the newer mobile-device area, hack into Google Android phones.

Zoltan Balazs, IT security consultant at Deloitte Hungary, spoke about the topic he calls “zombie browsers” during this week’s Hacker Halted Conference in Miami. He said up until a year ago, only 10 of these browser malicious extensions were known to exist, but this year has seen 49 new ones already. “It’s skyrocketing,” Balazs noted, and he faulted the anti-virus vendors for allegedly not addressing the issue at all.


“Even after two years, none of the anti-virus vendors detect these,” he said, saying he’s issuing a plea for them “to try harder on detecting malicious extensions.”


In his talk, Balazs explained how malicious extensions in Firefox, Chrome and Safari have been created by attackers that try to get them added to the user’s browser through Web-based drive-by downloads or infected attachments. The result might be giving the attacker a way to steal data or spy on you, he said.

In terms of advice to companies concerned their user base might fall victim to this, he said setting controls on applications can help, plus in Chrome it’s possible to control the extensions the user can use.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Read more about security in Network World’s Security section


Line blurs between insider, outsider attacks

Underground forums provide insider access to enterprises

By Taylor Armerding, CSO
October 25, 2012 07:40 AM ET

The insiders strike again. But this time it’s not the malicious insider, but insiders’ access to corporate data, and it is for sale in the cybercrime underground.

Security experts have been saying for years that while technology is a key element in protecting enterprises from online attacks, human insider carelessness, vulnerability or hostility can always trump it.

One of the most destructive examples of that in recent months was the cyberattack in August on the state-owned oil company Saudi Aramco, which erased the data on about 30,000, or three quarters, of the company’s corporate PCs using a virus named Shamoon, and replaced it with an image of a burning American flag.

U.S. Defense Secretary Leon Panetta, in a recent speech warning of a possible “cyber Pearl Harbor,” called the attack “probably the most destructive attack that the private sector has seen to date.”

Nicole Perlroth at The New York Times wrote this week that the attack was made possible through the privileged access of insiders.

“After analyzing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco’s network. The virus could have been carried on a USB memory stick that was inserted into a PC,” she wrote.

Insider access, involuntary or not, is now becoming commoditized — a service offered in the marketplace of the cybercrime underground. CSO Online reported this week on security blogger Brian Krebs’ findings that “for just a few dollars, these services offer the ability to buy your way inside of Fortune 500 company networks.”

[See also: Tough economy heightens insider threat]

Krebs wrote that he had analyzed one service that was “renting access to nearly 17,000 computers worldwide, although almost 300,000 compromised systems have passed through this service since its inception in early 2010.”

Some studies, including one released this past June by Cyber-Ark Software, have said the malicious insider threat is large and growing, but others pointed out at the time that this ran counter to the results of Verizon’s 2012 Data Breach Investigations Report, which found that only 4% of data breaches in 2011 involved insiders.

Krebs and others say that low number was based on the definition of insider. Some are on the inside to start, while those he was writing about hacked their way in. He told CSO Online that he was writing about services that “allow outsiders to become insiders by gaining instant access to behind-the-firewall and perimeter security defenses.”

“If the victim organization has architected its network in such a way that lets that insecure system communicate with other portions of the targeted network, then I suppose you could say a service like this could increase the insider threat,” he said.

Mark Baldwin, CISSP and principal researcher and consultant for InfosecStuff, agrees. “This is not a case of insider threat,” he said. “These systems have been compromised by external actors.”

Matt Johansen, manager of threat research at WhiteHat, said traditional insider threats are not the issue here. “A computer is much more likely to be compromised via the Web, phishing attacks, and malware before an insider,” he said. But he added: “Techniques needed to exploit a computer and become an insider to a network yourself are becoming more freely available, easier to master, and therefore lowering the bar to be a black hat hacker.”

Adam Bosnian, an executive vice president at Cyber-Ark, said he believes the difference is becoming irrelevant. “We’re starting to grapple with the fact that it is a blurry line. The traditional sense of insider attack is somebody who is already an employee who is disgruntled and goes rogue for some reason,” he said.

“But it really doesn’t matter whether an attack starts on the inside or the outside. It doesn’t matter if an insider is malicious or inadvertently compromised [by an outside attack], because the result is the same,” he said.

“I think the concept of inside vs. outside will dissolve on its own,” Bosnian said, adding that the more relevant key for enterprises is not where the attack originates, but the protection of user credentials.

All contents copyright 1995-2012 Network World, Inc. http://www.networkworld.com

CYRSS Blog | Records, data, and systems security that makes sense.


You really ought to read this article. Even if you are in the cloud, you can be held accountable if your practice is compromised and passwords to your cloud provider service are discovered. The cloud provider could be compromised and your practice’s records stolen.
Small-company security problems can threaten large corporate nets

Stepping-stone attacks exploit business-partner relationships

By Tim Greene, Network World
April 30, 2012 12:17 PM ET

Attackers used smaller businesses with less stringent security as gateways to their ultimate targets — large corporations or governments that hold valuable secrets, according to a report on Internet security.

In addition, adversaries target lower-level employees because they are more likely to open up malware attachments to emails that compromise their machines and then their networks, according to “Internet Security Threat Report: 2011 Trends,” put out by .


Half the targeted attacks were directed at companies with fewer than 2,500 employees, the study says, and while they may not own assets that the attackers want, they may represent back doors into larger businesses that do own such assets.


“It is possible that smaller companies are targeted as a stepping-stone to a larger organization because they may be in the supply chain or partner ecosystem of larger, but less well-defended companies,” according to the report.

This was the case with the attack on RSA that resulted in its two-factor token code being stolen. The network of an RSA partner company was compromised and an email sent from that company to an RSA employee contained an attachment that led to the breach. The RSA breach, in turn, led to the breach later last year of Lockheed Martin’s network.


The individuals targeted are generally not high-level employees with direct access to valuable information, although 25% are aimed at executives.

Instead, attackers target a range of those who are likely to open attachments on emails from strangers, such as HR professionals who routinely receive emails with resumes attached that are sent by job applicants, the report says. HR workers are targeted 6% of the time, the study says. Shared mailboxes receive 23% of the attacks.

Data breaches resulted in the personal information of 232.4 million people being exposed, with each breach averaging the exposure of 1.1 million identities, the report says. The cost to U.S. companies that lost personal data was $194 per individual.

Healthcare organizations suffered the lion’s share of the breaches — 43%, but computer software and IT companies suffered the greatest percentage of individual identities compromised with 44% and 41%, respectively.

Other stats from the report:

  • The number of machines compromised by bots shrank from 4.5 million in 2010 to 3.06 million in 2011.
  • The total number of attacks blocked jumped 81%, from about 3 billion in 2010 to about 5.5 billion in 2011. The unique variants of malware jumped from 286 million in 2010 to 403 million in 2011. “Malware authors effectively use toolkits to create new versions of malware,” the report says.
  • Mobile vulnerabilities jumped from 163 in 2010 to 315 in 2011. Many of these were spyware that collected information from phones and sent it to attackers, but 24% of mobile malware sent premium text messages. These messages are sent without the owner’s knowledge, and result in the owner being billed.
