Social media is often the lifeblood of a small business or brand, sometimes as the only direct line to customers or clients available. So if your social media accounts were to get hacked, it isn’t just your business that’s in danger, it’s your reputation and your online relationships as well.

Here is my best advice to make sure YOUR social media accounts stay in the right hands:

1. Pick a good password manager

Within a small business, different people may handle different accounts and know different passwords. This may mean that while the part-time IT guy created the password to your mail server, and you know the password to Twitter, the summer intern may have been the one who set up the Facebook page. Do you know that all of those passwords are secure as well? It isn’t just about picking a strong password that contains numbers and funky characters, because we know how hard it is for everyone to remember those.

What your organization needs is strong password management software. I like Passpack because it helps a whole team easily and efficiently manage and share a variety of passwords. You can tag logins to sort them by team or project, protect all of your accounts with one extra-strong master password, and one-click login to sites. Plus, Passpack supports smartphones and tablets so you’re covered on mobile as well!

2. Two-step authentication on social accounts

Even if your passwords are strong, there still could be a weak link in the system: someone logs in using a compromised computer, a disgruntled ex-employee takes revenge, or a hacker gains access by resetting your password. How do you protect against attacks like those? Using two-step authentication. Typically passwords rely solely on something you know, as in a password or PIN you’ve memorized. Better security involves either something you are, like a fingerprint or retinal scan, and something you have, like a pass card. While computers today are pretty advanced, your webcam isn’t exactly equipped to scan your retina and your laptop is unlikely to have a fingerprint scanner. But what about a thing you have? Today, most of us have smartphones and tablets that can serve as excellent security devices in a two-step authentication scheme.

In two-step, instead of just knowing a password, you also need to have your phone ready to receive a text message or similar electronic communication. When you log-in with your password, you then will also have to enter a second code delivered securely to the device in your pocket. This means that unless a hacker both knows your password and has access to your phone, they’ll be locked out your account. Google, Apple, Facebook, and others already support two-step authentication, and others like Twitter are working to add it soon. I know that it can be a hassle to get used to using your phone and entering two passwords, but two-step authentication will have a huge impact on your social media security.

3. Secure your communication with VPN

VPN (Virtual Private Network) is a term most of us associate with ultra-secure communication and large companies—it involves a lot of extra security beyond what is usually called for because it encrypts all of your Internet communication through a secure tunnel. VPN solutions also used to be very expensive and difficult to implement. But many times, a good VPN is exactly what’s required. If you have employees who work from coffee shops, airports, hotels, or other places where you can’t control the security of a wireless, then you’re putting your social media accounts at risk. You need to ensure that your employees are using secure networks whenever possible, and a VPN solution is the perfect way to do that.

One inexpensive service I like is Private WiFi  which offers a free trial and starts at under $10/month. For your money, you get great security when browsing the web no matter where you are. Plus, their mobile apps will secure your communications when logging in to your social media accounts while on-the-go as well.

Your organization may have slightly different needs and require different solutions to helpsecure your social media accounts. Do you have questions about how you can make sure you’re totally secure? Leave them in the comment section below and I’ll be sure to get back to you!

Mario Armstrong, Digital Lifestyle Expert, is an Emmy Award winning, tech commentator for the TODAY show, CNN, HLN and Fuse. An entrepreneur by nature, Mario made his passion his career by quitting his day job and founding Mario Armstrong Media. Follow Mario at @MarioArmstrong. AT&T has sponsored this blog post.

If your business has anything worth protecting, whether it’s money, intellectual property, or a trusted reputation, you need to be concerned about the security embedded in your organization.

No company wants to experience a data breach – that much is obvious. As it is well-known by now, a data breach can have a major impact on a business. Perhaps most notably, an organization that experiences a data breach will likely see its reputation suffer, and will quite possibly receive serious fines from the federal government or other regulatory bodies. Depending on the nature of the data exposed and the consequences of the event, a business may also eventually face lawsuits from affected individuals.

As serious as these consequences are, they do not represent the total effects that an organization may experience in the wake of a data breach. In many cases, an incident can have far-ranging, costly, difficult-to-predict effects, which is all the more reason why firms of all kinds should invest in a security strategy.

Balancing protection and productivity

With the number of mobile devices now in the hands of consumers and employees alike, data security is more important than ever before. How much is your data worth? You need to protect it against accidental loss and theft from both insiders and outsiders. Plus, more and more people are working away from the office. Without data, employees can’t work. How do you balance protection and productivity?

Mobility is having an extraordinary impact on the nature of computing in the twenty-first century. It offers many dazzling opportunities that also bring with them some profound challenges related to security and privacy. What are these challenges and how are they manifesting in enterprises throughout the world?

Take steps to safeguard your assets

I recently came across this article reporting that each mobile computing mishap In your company could cost almost half a million dollars. Like the author suggests, the number is too large to ignore. Companies that have jumped into a mobile workforce must take these steps to safeguard their assets:

1. Don’t overlook mobile security; it’s too important to your company
2. Build a successful enterprise strategy for mobile security
3. Educate employees about their personal responsibilities
4. Raise end-user awareness about emerging threats and corporate mobile device security policies
5. Proactively prevent mobile security breaches

While there are challenges to meet, mobile computing offers dazzling opportunities that will impact, businesses and users in every country and will continue to blur geographic boundaries. Where will it end? The possibilities are endless.

Does your company have a mobile security strategy in place? Have you considered the consequences of not making it a top priority?

A long time ago in a place not so very far away…

Near the dawn of historical time, people lived in extended family units. The men, mostly, went out and killed wild beasts to bring home meat for the family while the women and children, mostly, gathered the fruit and berries that were the gastronomical main stay.

Hunting was a high risk activity, since both the prey and their natural predators tended to travel together.  People would, more often than not, be injured or die while hunting prey, or the predators (let’s call them lions) would drag off a family member while they were preparing meat from the hunt.

At some point, the family group decided to reduce the risks and started to capture and keep the animals they were hunting. This took some time, but eventually we settled down into villages where food could be grown and meat was readily available. Living in villages allowed multiple families to live together and helped reduce, but not eliminate, threats from predators.  On occasion, the lions would sneak into the village at night to steal meat, and sometimes even a village member!

Threats come from inside as well as outside

To protect the people, the village elders decided to put a fence up around the village that could be closed at night to keep the lions out.  This strategy reduced the risks by protecting against the threat of lion theft and attacks. It worked until a dead villager was found and their meat was missing. Lions were blamed until no signs of a lion attack were found. At this point, the villagers realized that, though not as numerous, there were some serious risks inside the village gate.

The walls get stronger

This fence-and-gate mentality was expanded, as villages grew into cities and elders became knights, dukes, and kings. As the leaders became more important, the fence was replaced with walls and a castle with a fortified tower. The castle was stronger than the fence. However, in the heat of battle between two opponents, there was always the chance that someone from inside the castle walls would let the attackers in, resulting in significant loss. These risks were considered minor, until that breach occurred, and then were recognized as an acceptable risk. As defenses were expanded, technology kept up with new methods of attacking. Within a castle, more layers of defense could be put in place between the attackers and their new methods of attack (not just lions any more), and the goal of their conquest (food, gold, fair maiden, the king).  With multiple defensive layers, the risk of a successful attack was reduced to an acceptable level. Over time, as technology continued to evolve, so did our means of protecting ourselves.

Protecting the keys to the kingdom

Eventually, in business, as in life, we realized that all types of fortification were only as strong as the walls protecting them. This was the catalyst to the invention of encryption. Encryption allowed us to hide messages in transit and protect information at rest while still in our keeps. This focus on layered security continued as information technology infrastructures for business were developed. Security has often been considered a business inhibiter — curtailing the use of new technology and innovation. With the use of electronic networking, the battle between security and business continues to grow. Evolution of networking

Networking today has evolved so that the gate, or wall, around our business is assumed to be breached. We are electronically connected to our business partners at a system level, and most of us are accessing our email from smart mobile devices we keep in our pockets. The current industry trend is that smart mobile devices and tablet computers are going to replace the PC and laptop. This means that critical business data will need to be, or is, housed in a shared information system in a corporate data center or in “the cloud” where the security around it is further out of your control.

Evolution of security

As with the path from moveable structures to villages and castles, security innovation continues to evolve.  As a result, IT security professionals are adapting to keep pace with this evolution.  They are beginning to focus on business risks and are partnering with other business units to allow new innovations to be used quickly while allowing the business to operate inside their acceptable risk parameter.

The bottom line

We need to start looking at security not as breach prevention or loss prevention, but as an integral part of the business decision-making process to identify and mitigate, or lessen, business risks not just protect information needed to run the business.

To learn more about the evolution of IT security to IT risk management and learn about a new approach that protects critical business data in an edgeless environment while allowing for innovation, please register for the April 30^th webinar IT Risk and Security Rewards.

To me, this means that many of the incidents could be preventable.

Although healthcare organizations are not often a primary target of hackers, electronic data in the healthcare sector is among the most vulnerable according to multiple reports, including a year-long investigation by The Washington Post. In fact, of all data breaches in the United States, healthcare entities accounted for the highest percentage of incidents, more than one-third of all data breaches in the country. One study reports that an astounding 94% of healthcare entities have experienced security or privacy breaches with their data.

And we’re not even talking about sophisticated cyber attacks over the Internet, but compromised data due to human error. A majority of healthcare security breaches have resulted from stolen and lost devices, such as laptops, desktops and smartphones — which often are not encrypted or even password-protected.

Despite frequent warnings from the Department of Health and Human Services and the U.S. Department of Homeland Security, the healthcare industry lags behind other sectors in implementing some of the basic security precautions when it comes to protecting patient data.

Of healthcare organizations surveyed in a 2012 study on cyber crime, fewer than half performed an annual security risk assessment — the most effective way to detect a security breach. In fact, 52% of the organizations that conduct one of these audits discover a security breach as a result.

The high costs of security breaches

Who in the industry is most vulnerable to security breaches? According to a 2012 HITRUST analysis: everyone. Even larger hospitals that have security measures in place may be exposed by trends such as shared electronic health records or community health records. Some eye-opening statistics:

• Hospitals and physician practices were responsible for 32% and 28% of the total breaches in healthcare, respectively.
• Government institutions (including VA hospitals) have experienced the greatest loss of records (40%).
• Since July 2011, physician practices have become the most breached organization type, surpassing hospitals/health systems.
• Insiders were responsible for 23% of breaches, accounting for 13% of records breached.

In addition to causing potential harm to patients such as financial identity theft and medical identity theft, security breaches incur huge financial expenses. The average economic impact of data breaches over a two-year period was $2.4 million, a 15% increase compared to 2010.

Call in the data security experts

The problem is that many healthcare organizations, especially smaller physician practices, don’t have access to sufficient resources dedicated to data security. Even at larger healthcare organizations, it’s difficult to expect staff IT professionals to manage all the necessary security projects — threat management, mobile security, storage, and data recovery — to help keep the organization safe from breaches.

To make any significant headway and close the gaps in healthcare data security, I believe it is critical for healthcare organizations to partner with established, proven technology providers to find practical and affordable solutions to help keep our data secure.  We can’t afford not to. Once again, it’s a case for working with a trusted technology partner, so healthcare organizations can focus primarily on providing care to patients, while your technology partner does what they do best: help protect your information.

Is your information protected? What security projects do you need to tackle to make sure your organization is safe from cyber attacks?

Orbital Security allows you to create an IT security strategy based on the relationships your company has with clients, competitors, employees and suppliers, and enables you to prioritize risks and build policies that define various levels of access to your applications.

Join Steven Hurst, CISSP, Director of Security Services and Technology for AT&T, for “IT Risk and Security Rewards: Navigating a Rapidly Changing Cyber Environment.” This webinar explores the three key elements contributing to increased risks—elements you can’t afford to ignore—and shows you how and why an Orbital Security approach can help you combat those risks.

Discover the pros and cons of DIY v. Cloud solutions in our new podcast. For even more information on this important topic, check out our recent webinar, now available on demand, and read the Nemertes white paper that served as its source.

Doesn’t make much sense, right?

I watch, and participate with, organizations trying to push ropes forward, and I watch cats scurrying all over the place as one or three people chase the cats in an effort to herd them into one direction toward a common goal.

It’s hard enough to reach a common goal where disparate groups are actually striving to achieve the same thing, but then throw into this mix an added complexity when the groups are trying to achieve totally different objectives. Now, add the complexity of integrating all the “pieces and parts” of the Cardholder Data Environment (CDE) in a properly scoped Payment Card Industry (PCI) assessment and you have a real challenge on your hands! The scope of a PCI assessment must include:

“The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components.” (Source)

Here are 3 essential tips to avoid the “herding cat syndrome” and ensure a successful PCI assessment for your business:

1. Communicate from the top down.

Make sure you clearly communicate that achieving PCI compliance is important to the organization and MUST be prioritized, achieved, and sustained. This effort is not effective, and it is extremely difficult to achieve, when an individual without top management support attempts to attain this.

2. Appoint one person to facilitate.

This person should drive this effort through the organization, and must have enough authority to ensure the assessment remains both a high priority for the teams involved, and must be able to drive operational process changes to ensure compliance is met and sustained.

3. Be clear about expectations.

Ensure that each team responsible for the various sections of the Payment Card Industry Data Security Standard (PCI DSS) requirements understands:

• Why PCI compliance is important to the organization,
• The PCI requirements they are responsible for maintaining, and
• How their team ensures compliance with those requirements, not just at assessment time, but throughout the year.

I am a PCI assessor and trusted advisor; however, I come from an operations-focused, Information Technology Infrastructure Library (ITIL) background where I was accountable for helping an organization to achieve compliance with various certifications, laws, regulations, customer requirements, business requirements, and so forth. In this role, I always strived to make assessments easier on my organization. I made sure the assessments took less of our peoples’ time and kept the assessment cost down, but still offered a true view of our risk as an organization. Most importantly, I always strived to avoid the 5 p.m. nightly news headline that contained the words “breach,” “sensitive data,” and “<insert your company name here>.”

Your organization has two choices. You can herd cats, push ropes, and wait until the Qualified Security Assessor (QSA) arrives onsite to ask what they need. Or, with top-down support, you can make this a priority, appoint the appropriate facilitator for the effort, ensure your teams are prepared, and have everything ready when your QSA arrives.

For your next PCI assessment, will your company’s PCI assessors be sitting idly in your conference room charging you an hourly rate while your people gather data, or will they be sitting in your conference room assessing the evidence presented immediately upon arrival?

How will you prepare your organization for a successful PCI assessment? Have you prepared your team for a successful assessment?

KNOX incorporates security enhanced (SE) Android developed by National Security Agency (NSA), and integrity management services implemented in both hardware and the Android framework. At the application layer, KNOX offers a container solution that separates business and personal use of a mobile device. The Samsung container and container strategies from other mobile management vendors, such as VMware and Good Technologies, are meant to provide robust security while allowing the consumer to use its personal applications as it normally would. Samsung’s container also helps IT and developers deploy applications quickly and securely because it requires zero change to the application source code.

The evolving world of security

It’s now fundamentally more difficult for corporations to protect corporate resources. The recent Sophos 2013 Security Threat Report said “Another trend we are seeing is the changing nature of the endpoint device, transforming organizations from a traditional homogeneous world of Windows systems to an environment of diverse platforms. Modern malware is effective at attacking new platforms and we are seeing rapid growth of malware targeting mobile devices. While malware for Android was just a lab example a few years ago, it has become a serious and growing threat. With this in mind, IT organizations should secure their Android devices against malware, data loss, and other threats”.

It makes sense for Samsung to take matters in its own hands and attempt to secure the Android operating system to stimulate business demand. It’s noteworthy that Samsung and Blackberry are discussing security at the device, operating system and application layer. Blackberry’s Balance and Samsung KNOX both allow IT to separate and secure corporate data from an employee’s personal data. The challenge for enterprises today is that they need to manage and secure more than Samsung and Blackberry devices. Enterprises will have a mixture of devices and will most likely select either a mobile device management or a mobile application management solution to help them support all major operating systems from a wide range of device manufacturers. However, it’s still important and necessary for all device manufacturers to directly focus on preventing security issues within mobile platforms.

What does KNOX mean for the mobile and the security industry?

My take is that the Samsung news represents the new reality of mobile security. It’s not enough for a IT to say “I’ll secure the device” and it’s not enough to say “I’ll just secure the content”. Security must be built into every layer of the communications from the device, through the cloud and into the corporation. Many customers I speak with are building Apple iOS strategies and are contemplating the future of Blackberry support. Businesses are also looking for a way to secure and manage the Android environment. KNOX provides one method for this but only if you are using Samsung devices. The reality is the device landscape will continue to be heterogenous and firms will need enterprise mobility management solutions that can handle the breadth of operating systems.

What should businesses do?

IT leaders should define what apps will be accessed on mobile devices, what kind of data will be stored on the device, as well as what regulations the business is required to support. CIOs need a comprehensive mobile-security solution that provides protection on four levels by preventing unauthorized access to:

1) The device and its data –including data on removable storage

2) Data as it transits the network,

3) The corporate network and

4) Securing the application and/or content if necessary.

IT leaders should look for mobile management solutions that support centrally defined and distributed security policies, device and removable-media encryption and two-factor authentication such as biometrics if deemed necessary. Solutions should also provide containers, app wrapping or some technique that allows IT to separate and manage corporate data on BYOD devices. While a company might choose lighter security constraints, it is important that the vendor a business selects offers a rich portfolio of security solutions in case the company’s needs change. Mobile is the new reality and mobile security solutions are evolving to meet this demand.

How are you securing mobile today and do you feel any safer? Post a comment here or send me a message on Twitter @MaribelLopez.

Maribel Lopez is the CEO and mobile market strategist for Lopez Research, a market research and strategy consulting firm that specializes in communications technologies with a heavy emphasis on the disruptive nature of mobile technologies. AT&T has sponsored this blog post.

We expect 2013 to be even more exciting based on the following Top 10 security challenges identified by AT&T Information security researchers and engineers. Let’s review this list of challenges and evaluate how to reduce risks and protect the critical information that manages our business.

1. State-sponsored espionage: This challenge highlights the need to protect critical data from politically or financially motivated threats. Critical data includes the information needed to run network attached infrastructure as well as the intellectual property used to manage business and drive innovative solutions.

2. DDoS attacks: Security professionals in the financial services industry are likely to agree to our second challenge: monster DDoS attacks. We can expect to see a higher risk of business impacting threats with the shift from computer-based attacks, generating large number of lower bandwidth events, to virtual server or cloud-based attacks, generating ultra-high bandwidth events. With these new attack vectors it becomes even more beneficial to identify and mitigate large DDoS events while traffic is in the network cloud.

3. Cloud migration: 2013 is being promoted as the year companies will move critical systems into the cloud. This migration into virtual shared infrastructures changes how we address information security and risk management. The challenge is that cloud security processes and solutions are still being developed. Ultimately, with innovation and planning, cloud services could reduce business risks by providing greater flexibility, resiliency and security.

4. Password management: Our challenge is putting in place and enforcing stronger user-controlled passwords that are less likely to be broken. This educational and administrative challenge requires creative solutions and enforced policies.  Or, we can look at alternatives to traditional passwords, such as the use of Federated ID’s.

5. Sabotage:  Sabotage of computer networks can affect critical infrastructure and ultimately impact corporate and backbone networks. This challenge is so potentially perverse because it combines social engineering with software based tools to provide a complex multi-vectored attack profile.

6. Botnets: Botnets are everywhere. The challenge is that many botnet owners design systems that are more adaptive and redundant than many corporate and government networks.  Controlling this agile attack vector before it can be used as an Advanced Persistent Threat (APT) and migrates into smart mobile devices is crucial.

7. Insider threat: A dissatisfied employee base provides a vector for insider security events, while the inadvertent injection of malware through removable media or Web interconnections can make any employee the origination point for a network security violation.

8. Mobility: Management and security of mobile networks and smart mobile devices becomes even more challenging when employees want to use their own devices for business purposes. The Bring Your Own Device (BYOD) trend exasperates this challenge when we look at protecting the critical information needed to manage the organization and the network without sacrificing the privacy of employee’s personal information and activities.

9. Internet: One of the greatest challenges to security professionals is the perception that the Internet, a best effort network, is a secure critical infrastructure.  The Internet is an open connection of diverse networks.  The 2013 challenge is to start treating critical networks as if they are critical to our operations. We need to put into effect policies that distinguish platforms and security levels based on business criticality.  Control networks need different security than general business communications.  This includes using network embedded security controls to help reduce risks and to simplify security infrastructure.

10. Privacy laws: This final challenge is currently being legislated worldwide.  We need to balance privacy with the need to gather information that can help address security breaches or fraud, while complying with associated legislation.

All of these challenges will affect how we treat risk and security this year and in the years ahead. By leveraging network embedded and end-point security solutions with innovative thinking, we can all be part of the solution that overcomes this year’s security challenges.

For more information on the AT&T 2013 Top Security Challenges visit http://www.att.com/ThreatTraq and look for show “Top Security Challenges for 2013 – 12/20/2012” or visit us at www.att.com/security.

This blog was originally published on SC Magazine.

“Human factor” is often cited as one of the weakest links in security. With the proliferation of mobile devices and the rise of a digital identity, users find it difficult to manage their passwords. As a consequence, many users resort to a simple but insecure practice of not using passwords or passcodes on their mobile devices.

Enforcing complex or frequently changing passwords exacerbates the issue. An optimal solution is always a compromise between usability, security, and cost.

It is imperative that proper risk management be applied, and security controls implemented, to maximize the benefits while minimizing the risks associated with such devices.

Use it; don’t lose it.

Losing your smartphone or tablet, or the information on it, can be a hassle. If you lose your mobile device, you not only have to replace it, but you could also lose the sensitive information you had stored on it, including account numbers and confidential work information. So, why do so many of us leave our mobile devices unprotected and not use mobile security?

Most of us now understand that we need to protect our computers from the myriad of threats that we see each day. But many of us don’t realize that we face the same threats, as well as a host of new ones, with our mobile devices.

Considering how much we rely on our mobile devices, and how much opportunity cybercriminals have to launch attacks against them, you’ll want to make sure you are protected.

Manage your risk exposure

As mobile technology companies continue to innovate over the coming years, organizations using these technologies will need to continuously assess the security implications of adopting these advancements. A consistent and agile multiperspective mobile security risk assessment will enable evaluation of the risk exposure in these systems.

Mobile devices have been, and continue to be, a source of security incidents. These stem from issues such as device loss, malware, and external breaches. As the availability of human resources and systems continue to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate, as will the features these devices offer, and the potential for compromised security.

As a user of a mobile device, start with the basics. Begin by using a strong password! What other human-factor security solutions can you think of?