Phishing attacks, despite their long history, continue to be one of the greatest threats to data security. More than 200,000 new viruses are discovered every day, according to malware experts, and they’re usually out of circulation by the time they’re detected.

So how does an organization protect data from vicious phishing and spear-phishing attacks?

Here’s a comprehensive data loss protection plan:

1) Protect your organization’s computers. Shop for the newest software that provides spam filters, firewalls, anti-virus, anti-spyware and reputation services. Look for data protection programs that offer automatic updates and free patches from manufacturers to fix problems.

2) Consider hiring a vendor that specializes in software data security. Data security firms can go beyond traditional data protection programs and conduct audits to determine your risk for phishing and data breach. They can isolate emails that have been quarantined and scan outbound emails to see if any data has been extracted outside of your organization. As experts, they can also provide technical support with the latest email data security technology. Be careful, however, not to overlap your own software with that provided by the vendor or you may be spending too much.

3) Educate your computer users. Data security software is far from full proof so perhaps the most important cyber security strategy is to keep educating your users. Remind them:

• To be suspicious of emails with generic salutations, typos or those that try to create a sense of urgency.
•  Not to open attachments they aren’t expecting. If the attachment looks legitimate, ask your users to call the person to verify that they really did send it.
• To be wary of email links. Instead of clicking on the link, users may want to visit the website manually by typing the address into their browser. They can also check a link by hovering their mouse over it to see where it came from.

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.    Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers PII.

More and more entities are now tracking data breach occurrences by:

• Industry sectors (categories): Business, educational, government, medical, financial
• Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen.  In some cases, discarded paper documents.
• various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published

While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (i.e. 10 or 500 minimum).

Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to those persons whose sensitive personal identifying information (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers have been exposed.  How then, does one then account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?

Many hacking incidents this past year didn’t target personal identifying information, but instead focused on emails addresses, passwords and other pieces of non-sensitive personal information.   The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?   As of now, most state laws do not include non-sensitive personal information as triggers for breach notification therefore there is no obligation to report the incident.

“The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,” says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams, in a recent interview with BankInfoSecurity.   “But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.

The challenge then for the incidence response team is determining if a breach notification is required.  If so, “what happened?”, “who needs to be notified”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?”  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.

Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.

With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.

Here, according to McAfee, are 12 common holiday scams to beware of:

1. iPad scams.  Watch out for bogus offers for free iPads on social media sites and via spam.

2. “Help! I’ve been robbed” scam. Fraudsters send emails appearing to come from the account of friends which state that they’ve been robbed while traveling abroad and need money to be wired in order to get home.

3. Fake gift cards. With these scams, cybercriminals promise fake gift cards in exchange for personal information that can be used for identity theft.

4. Holiday job offers. Fake, high-paying, work at home jobs are offered in exchange for personal information.

5. “Smishing.” Scammers “phish” via text message, or smish, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.

6. Holiday rental scams. Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.

7. Recession scams.  Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing free.

8. Grinch-like Greetings. Fake e-cards are loaded with links to computer viruses and other malware.

9. Low price traps. Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.

10.  Charity scams. Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.

11. Dodgy holiday downloads. Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.

12. Hotel and airport Wi-Fi. During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.

This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.

Mobile devices are important tools to efficiently manage a business and to quickly meet the needs of a customer.  Think about the hit in productivity you’d take if you lost your smart phone or PDA.  Several weeks ago I wrote about the importance of implementing a wireless data policy to protect employee account data from being used to defraud a company.  However, a recent warning issued by the FBI’s Internet Crime Complain Center points to another danger associated with mobile devices.

Cybercriminals have been increasing their attacks on mobile devices through SMS text messages and fraudulent voice messages.  These tactics are very similar to traditional email phishing scams and ask the recipient to respond to verify an address, credit card number or other form of PII.  For example, through a process called smishing, a mobile subscriber receives a text message stating, “ABC credit card is confirming your purchase” and asks the user to visit a URL or call a phone number to verify a credit card number.

Obviously these attacks have serious implications for employees on a personal and professional level.  The financial impact to a company could be huge if an employee innocently provided a corporate bank account number as a response to a fraudulent SMS text message.

Fortunately, there are several steps employees can take to prevent the chance of becoming a victim. For example, you can advise employees not to respond to text messages or automated voice messages from unknown or blocked numbers.

Advise your employees about these potential dangers before any damages are done.