data breaches

Threats to business cybersecurity and a strategy for resiliency

October 4, 2018 by securewebsite

Imagine going into work, settling into your routine, and realizing you can’t access your email. You try refreshing your browser, logging out and then back in again, only to realize something malicious has happened. You start to panic. You can’t work, don’t understand how this could have happened, and wonder what the cost to your business will be.

Email is arguably the most vital tool used in modern business. It helps us communicate with our customers, collaborate internally, and keeps the information we need to move forward flowing like the blood in our veins. Without it, the livelihood of our business is at stake.

What has become the lifeblood of today’s businesses, Cybercriminals are using to become just as successful. According to the report The State of Email Security 2018 by Mimecast, email is the main way hackers initiate attacks to defraud businesses such as phishing scams, malware delivery (such as ransomware), and impersonation. As a matter of fact, the report shows a whopping 90 percent of global organizations studied in the 2018 report described consistency or rise in the number of phishing attacks experienced in the previous year.

BEC and EAC Threats
The 2017 Internet Crime Report issued by the United States Federal Bureau of Investigation’s Internet Crime Complain Center confirms email is a major target of bad actors. The report shows business email compromise (BEC) is a huge trend. This sophisticated scam targets organizations that frequently work with foreign suppliers and/or businesses and perform wire transfers on a regular basis. A variation of the threat, known as email account compromise (EAC) specifically targets individuals who regularly make wire transfers.

The FBI warns that though some businesses report using checks rather than wire transfers, cybercriminals will very casually employ the method that your business typically uses to steal your funds so as not to draw attention to themselves. They do this by compromising your “legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Hacking and Spoofing
In 2013, the FBI’s report shows victims indicated the email accounts of Chief Executive Officers (CEOs) and Chief Financial Officers (CFO’s) were often spoofed or hacked.

When an email is hacked, criminals can intercept important messages and data. One example is Climategate. This occurred when email archives from the Climatic Research Unit at the University of East Anglia were copied by the thousands. The breach occurred just before the Copenhagen Summit on climate change. Skeptics used information from the stolen emails as grounds to argue that global warming was a scientific conspiracy.

Email spoofing, or impersonation, is the forgery of an email header so a message appears to have originated with someone other than the actual source. This is a common tactic used by cybercriminals in phishing campaigns and spam emails because employees with access to data and/or funds are likely to respond to emails from supervisors or clients. A bad actor may spoof the email header of a CEO and send an email to someone that often handles wire transfers within the company, demanding an immediate wire transfer to avoid an emergency situation. In addition, spoofing can also be used by bad actors to fraudulently invoice business customers for goods or services with the funds going directly to accounts they have set up in order to steal money from the pockets of your unsuspecting clients.

Attackers are becoming ever more clever in the way they deceive victims. With social engineering, cybercriminals are learning to target specific individuals in a company by impersonating them online. In the last year, nearly 40 percent of organizations have seen impersonations of “finance/accounts” personnel and 28 percent report C-suite executives as targets of impersonations. Another 25 percent of organizations reported impersonations of human resources staff. In total, 20 percent of respondents studied in the Mimecast report suffered a direct financial loss as the result of an impersonation attack.

Phishing by Numbers
Phishing is another form of email threat. Phishing occurs when someone sends an unsolicited email, text message, or telephone call that is purportedly from a legitimate company. Such phishing messages may request personal or financial information or even login credentials. An online article by TripWire reported that three-quarters of organizations experienced phishing attacks in 2017. This number held steady from the previous year.

A study by Dr. Zinaida Benenson, a professor at the University of Erlangen-Nuremberg who leads the “Human Factors in Security and Privacy” research group, demonstrated that 45 percent of people will click on a malicious link if it includes their name. In a second study where the recipient name was not used, 20 percent of people still clicked on the link. She suggested companies employ a “reporting” feature to flag suspicious emails or that utilize digital signatures to stop them before employees have a chance to get click happy.

Ransomware
Ransomware is a form of malware. It targets weaknesses by both security technology and human users. This malicious type of malware is typically delivered through vectors such as remote desktop protocols which allow computers to connect to one another across networks. Additionally, ransomware can also be sent through phishing emails that are sent to an end user resulting in the rapid encryption of sensitive data or files in a network.

Cybercriminals seize control of a business’s data in these ways and then hold it for ransom, often demanding large sums of money to restore access. Some cybercriminals even threaten to release proprietary information or data if a ransom is not paid within a given timeframe. Aside from that, the Mimecast report shows an average downtime three days after a ransomware attack which can cost your business even more money.

WannaCry, also known as WannaCrypt, was one of the major ransomware attacks in the history of IT. It affected several hundred thousand machines around the world bringing businesses from banks to law enforcement agencies as well as infrastructure companies to their knees.

Internal Threats
The Mimecast report also demonstrates that internal threats are also on the rise. Of the organizations studied, 88 percent reported internal threats caused by careless employees over the course of the last 12 months. To make matters worse, another 80 percent reported accounts had been compromised and 7- percent identified malicious insiders as a cause of internal issues during the same period.

Insiders have a distinct opportunity to wield emails. They can steal information and send it to outsiders or publish it for their own gain. This is where using the practice of least privilege can help protect your business.

Prevention is the Best Medicine
It’s been said that the best defense is strong offense. That is particularly true when it comes to cybersecurity. Just as you inoculate a child against disease with vaccinations, businesses should employ preventative measures to reduce the odds of an attacker getting in through their email.

Oddly enough, businesses have taken a more reactionary approach to cybersecurity and it’s costing them big time. Changes in data storage technology such as migrating email to platforms such as the Cloud or Microsoft Office 365 is leading businesses to oversimplify their security strategy. Business leaders believe they can save money and minimize the complexity of managing their cybersecurity by employing a defense-only model. This way of thinking falls short of providing the forethought and prevention the best security has to offer.

“Attackers are leveraging these same changes and are working in real-time to exploit gaps in your security program,” warns the Mimecast report, which predicts that 50 percent of organizations will suffer a negative business impact from an email-borne attack this year.

Education is Key
While email is unequivocally a major business tool, it can also be a major security threat. Of the organizations studied for the Mimecast report, “61 percent were hit by an attacker where malicious activity was spread from one infected user to other employees via email.” That is why cybersecurity awareness training is so imperative to a solid business security strategy, especially for business leaders.

According to Mimecast, nearly 40 percent of organizations see the CEO of their organization as a “weak link” in the cyber security chain. In fact, the study showed 31 percent of C-level employees have unintentionally sent sensitive information to the wrong person in the last year compared to 22 percent of other employees. This is due in part to corporate level employees having access to more sensitive business data than the average employee. Over the last 12 months, the report also showed 20 percent of organizations had C-level employees send proprietary data via email in response to a phishing email.

All employees should receive regular cyber security awareness training to prevent breaches before they can happen. While every employee needs regular training to keep up on the latest threats, this is especially true for C-level employees and those with access to sensitive data. You want to ensure there is security expertise at the leadership level of your business and the right training can get you there.

Cyber Resilience is Everyone’s Job
Implementing a solid cyber resilience plan is the responsibility of every employee. It doesn’t just fall to one person or department. Of businesses that have employed a cyber resilience plan, 80 percent feel prepared to fight ransomware and are confident that their sensitive data and files are properly backed up and encrypted, according to the report by Mimecast.

There are several steps to implementing a cyber resilience plan for any business based on the four dimensions of cyber resilience: Threat protection, adaptability, durability, and recoverability. Those steps include ensuring:

• The right security services are in place before an attack happens.
• A durability plan to keep email and business operations running during an attack or security breach.
• The ability to recover data and other corporate IP after a cyber incident or breach occurs.

Extra Tips
Here are a few more tips from the State of Email Security report to help close the security gaps at your business:

• Place cybersecurity into the function that manages overall risk mitigation for your business.
• Understand upper management sets the tone for company culture including security.
• Benchmark your security controls and risk management programs against similar businesses on a regular basis.
• Engage your security team on a regular basis to discuss your security program and requirements as well as the need for changes.
• Leverage internal marketing to communicate that security is everyone’s responsibility.

For more information on implementing a winning cyber resilience strategy for your small business, contact Oram now at (617) 933-5060.

Ransomware: A Guide for Protecting Todays Businesses

August 21, 2018 by securewebsite

Ransomware has become one of the top threats to businesses in today’s global and digital society. It has become such a danger in fact that a late 2017 report from Cybersecurity Ventures predicted that the global cost of cybercrime would reach $6 trillion by 2021 with ransomware playing a major role in that total. Furthermore, Cisco’s 2017 Annual Cybersecurity Report showed ransomware is increasing by 350 percent each year and a business falls victim to a ransomware attack every 40 seconds. Last year’s worldwide attack in May 2017 of the WannaCry ransomware caused complete and utter chaos around the globe and begged the question of what’s next.

So what is a business owner to do? For starters, you must know what you’re up against. Next, there are steps for preventing the threat from opening the door to your business. Here’s your guide to ransomware and how to stop it before it stops your business.

What Ransomware Is
Ransomware is a malicious malware that targets the private files of your business. While malware can cause some annoying problems or create more malicious issues such as reformatting a disk or deleting files, ransomware is different. Ransomware is a malware that infects computers and restricts access to files, stopping businesses in their tracks.

When you run into ransomware, you will know it because it will notify a system’s user that it has been attacked. The notification will come after the damage has been done and your information is already encrypted. A cybercriminal will use the ransomware to demand a ransom, typically money or cryptocurrency, in exchange for the safe return of files. If the funds are not paid, the cybercriminal responsible may delete or publish your private business files. If you do pay, you may still not get your data back anyway as the hacker responsible can simply take the money and run.

Like a virus that can attack the body, ransomware can attack an entire network. And like viruses, ransomware can morph and adapt from the way they spread to the way they encrypt data. This means a business must approach protection on a multitude of fronts and be ready to adapt to new protections as they are developed.

Means of Protection
Your IT provider should offer you protection through at least six areas. By securing a variety of entryways and providing layers of protection, your business will be safer from all threats including ransomware. At Oram, we take a six-step approach to protecting our clients against ransomware and other cyber threats.

Patching
The most basic layer of security is to monitor and patch all computers and applications on an ongoing basis. We address all known operating system security vulnerabilities with the latest patches. This measure is the first step in protecting your operating system particularly when a flaw has been uncovered. Your company’s outside business IT partner or in-house professionals should be providing the latest patches to ensure your operating systems are running at peak performance while ensuring any system vulnerabilities are addressed.

Anti-Virus and Network Monitoring
Businesses are being targeted every day through a plethora of avenues: email, ad networks, mobile applications, etc. This is why the second part of a best-in-class security network employs both anti-virus and network monitoring. These two pieces of the security puzzle examine all traffic on your business network and all files. The anti-virus employs a filter to protect them from all known threats. Your anti-virus should be updated regularly in order to identify the latest viral threats.

Backup and Disaster Recovery
One of the things cybercriminals bank on is that your business didn’t think ahead in terms of implementing backup and disaster recovery. That’s why this step is a must, especially where ransomware is concerned. There can sometimes be gaps between when a threat is introduced to your network and remediation of the full system.

To ensure that your data is safe, it’s best to have a full system backup in place to protect your back-office systems. This will enable your business to stay on top of things if and when an attack occurs and it provides a recovery option for unknown threats. In the event of a catastrophic failure or a ransomware attack, a good backup can get your business back online fast.

Endpoint Backup
Though backup and disaster recovery provides a layer of protection for your back-office systems, businesses should also have backup and recovery of data for all devices. Devices such as laptops and tablets create, share, and store business data. Should a device become lost or a cybercriminal capture your proprietary data and sensitive information from these devices, your business will still be covered. This can have a significant impact on your business productivity and profitability. Your endpoint program should offer real-time data backup on such endpoint devices to prevent the compromise of business-critical information and keep your organization moving full-steam ahead.

Secure File Sync and Share
In today’s global society, being able to work remotely, collaboratively, and securely from any device anywhere is a modern business necessity. With the proper software in place, your employees can securely collaborate from any location on any device including their smartphones and tablets. Such a system can allow you to grant access and editing controls for specific documents including those in Word, Excel, and PowerPoint. Such software also allows you to recover documents employees may have accidentally deleted or that have been lost due to malicious activity.

Education and Awareness
One of the best steps you can take in protecting your business against ransomware or other digital threats is to educate and train your employees. With proper cybersecurity awareness training, you can turn your employees into your most important layer of defense. They should be trained and provided with educational materials about cybersecurity risks, new ransomware strains, and the best practices for spotting phishing attempts, suspicious emails, and other security risks. Additionally, they should be provided a simple and quick way to report any suspicious activity. By empowering your employees with such training, they can become proactive in the fight against cyber threats to your business.

Small ransoms are just the beginning of the ransomware threat and it is only expected to get increasingly worse. This is why it is so imperative for businesses to stay ahead of cybercriminals when it comes to security. While such protection may seem overwhelming, it’s nothing when compared with the downtime, stress, and financial cost of dealing with a ransomware attack. If you need assistance in protecting your business against ransomware, contact Oram Corporate Advisors today for a free consultation at (617) 933-5060.

Cybersecurity Awareness Training: How proper training can turn employees into your best security asset

August 10, 2018 by securewebsite

Cybersecurity has become a major focus for business leaders today and rightly so with the number of major data breaches on the rise. Just look at the number of breaches in the first six months of 2018 from an infiltration of U.S. power companies by Russian hackers to 150 million users of Under Armour’s MyFitnessPal app having their personal data stolen. The threat to today’s businesses is very real but employees can be a business’s best security resource if properly trained.

The report, Magic Quadrant for Security Awareness Computer-Based Training, by Garner, a leading computer trends analyst, reported, “People impact security outcomes much more than any technology, policy, or process. People play an undeniable role in an organization’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: People’s ability to learn and their capacity for error.”

The Human Factor
Human error leads to breaches all the time. Whether an unsuspecting employee in your business clicks on a phishing link that exposes your entire network to a malicious virus or someone misplaces a phone, tablet, or laptop with unsecured access to proprietary data, human error can lead to big security problems.

Study after study shows the largest threat to any business, by far, is the people who work there. The 2018 Data Breach Investigations Report by Verizon shows malicious employees were responsible for 28 percent of attacks. In addition, the same report revealed human error was responsible for another 17 percent (or nearly one in five) breaches studied in the report.

Though these types of statistics show the desperate need for ongoing, repetitive, and engaging cybersecurity awareness training, many business leaders fail to see its importance and value.

Terrible Training Stats
Employees should be the first layer of security for every business but the fact of the matter is they have become the largest threat to business security today in major part due to a lack of proper cybersecurity awareness training. A report by SolarWinds MSP, Cybersecurity: Can Overconfidence Lead to an Extinction Event?, demonstrates that despite how important cybersecurity awareness training is, only 16 percent of respondents in the study considered it a priority.

An incredible 71 percent of companies studied in the SolarWinds investigation admitted to including such training only as part of the onboarding process or as a one-off annual event. Another 13 percent of organizations studied said that they offered no cybersecurity training to employees at all.

Why Training is Imperative
As mentioned earlier, breaches among businesses of all sizes are on the rise and the costs to remediate such attacks are also increasing. The FBI reported a 2,370 percent increase in exposed losses between January 2015 and December 2016. Additionally, a total of more than $5 billion was stolen from businesses in cyber theft between October 2013 and December 2016. That meant there was an average loss of $100,000 per incident and losses are projected to top $9 billion this year alone.

With this in mind, the primary goal of cyber security awareness training is to change the behavior of your employees so they are less susceptible to social engineering: Being manipulated, influenced, or deceived by someone to take action that isn’t in the best interest of your business. Some of the most common examples of social engineering attacks include phishing or spear-phishing by phone, email, postal service, or direct contact in order to trick people into doing something that will harm your company. You have the power to stop this by incorporating cybersecurity awareness training into your business before it’s too late.

When to Train?
The most-effective cybersecurity awareness training programs are ongoing. The first training for every employee should occur during the onboarding process. Thereafter, there should be frequent training opportunities and reminders, even if they are brief such as a once-a-month, computer-based training that only takes a few minutes.

Every employee should be offered a deeper training annually to update them on the latest threats to businesses in their industry and remind them of what they can do to help prevent attacks. There should also be additional trainings whenever a potential threat is identified or a cyber incident has occurred within the company so there are no repeat events.

What Should Be Covered?
One of the best ways companies can mitigate their cybersecurity risk is through proper training. The wrong way to approach training is as a once-a-year or semi-annual exercise where everyone is gathered for a training involving a long, boring PowerPoint presentation. This can feel more like a punishment for your busy employees rather than a valuable learning opportunity.

Not only should training be consistent with frequent, easy-to-follow training sessions, it should vary by topic and address the particular access to valuable data each employee has due to their individual role. Not everyone learns in the same way and not everyone needs to learn the same material.

Offer trainings aimed at specific roles taking into consideration how much access each has to valuable data and how they are most likely to be targeted by hackers. By offering interactive, role-based training in small, digestible portions with greater frequency, your employees will see it as valuable and easier to implement.

There should also be an emphasis on defeating social engineering attacks such as phishing emails that could lead to network-wide disaster. The aforementioned Verizon report determined that while 78 percent of people don’t click on a single phishing campaign all year, an average 4 percent of targets in any given phishing campaign will click it. Even more astonishing, it was found that the more phishing emails someone has clicked, the more likely they are to do so again.

Assess for Success
Cybersecurity training should also be assessed with frequent, short quizzes through training and reinforced through pen testing. This ensures employees absorb the valuable lessons being taught so they can act as the business’s first line of cyber defense.

How to Train
One of the most effective and more commonly used methods of cybersecurity awareness training being utilized by businesses today is interactive, computer-based training. It wields modern technology such as laptops, tablets, smartphones, and Internet of Things (IoT) devices to engage your employees in learning about the invaluable role they play in protecting your business.

“Showing a trainee how to recognize that out of nearly 20 types of files an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt can be a security game changer,” according to the whitepaper How to Fortify Your Organization’s Last Layer of Security- Your Employees. “Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements and can increase their trust in the impact the course is having and motivate them to complete it, thanks to congratulatory messages after each quiz.”

At the end of the day, human beings can become your best means of defense only when the proper security awareness training is employed. It can show them how they may be susceptible to social engineering, which is considered to be the single greatest security risk in the years to come, and that they can defeat it. Such training also demonstrates that you are willing to invest in them as much as you are in the technology they utilize each and every day. With such insight and education, your employees will feel empowered to protect the business you all are working so hard for.

If you need assistance with developing and implementing an effective cybersecurity awareness training program, contact Oram today at (617) 933-5060.

Multi-factor authentication: A necessity for today’s businesses

July 9, 2018 by securewebsite

Just recently I had a client contact me here at Oram about a serious security issue. Another business they work with was hacked and it nearly ended up costing my client big money. The worst part about the whole situation is that with the right technology in place, it could have been easily prevented.

The Problem Hack

The client called in to say he had wired his travel agent about €1.4 million (or roughly $1.63 million U.S.) for an extended European family vacation. Well, lo and behold, the travel agency’s email was hacked. Turns out a hacker, not the travel agent, had been communicating with my client for the entire month. My client thought he was planning this event with the travel agent when, in fact, he was communicating with a cybercriminal. Everything culminated when the hacker, posing as the agent, sent my client the wiring instructions for the funds.

The way that this hack presented itself was that a person in Germany deployed a phishing scheme to compromise the travel agent’s email. The hacker had been monitoring the agent’s email for a number of weeks and was just waiting for some event like my client’s to occur so they could then interrupt the communications.

The reason the travel agent was none the wiser is that the hacker also set up rules in the mailbox so that any time a communication came in from my client, it would go straight into the deleted items. This made it so the travel agent had no idea that someone else was communicating by email with my client.

Luckily, this scenario ended on a positive note. My client was able to get all of his money back. The FBI is now involved with the situation to try and catch this criminal. Without Oram, the travel agency would never have been alerted to the hack and may have seen more of its customers defrauded of their funds.

Passwords Aren’t Enough

The reality is that the majority of data breaches occurring today are the result of compromised authentication. Though having a strong password is a great start for implementing security, just having this one step in place can leave your network incredibly vulnerable. That’s why multi-factor authentication (MFA) is so important, particularly for securing your business’s most valuable data.

According to the 2017 Cost of Data Breach Study by the Ponemon Institute, data breaches cost businesses millions of dollars each year in the U.S. alone. The study also shows the likelihood of a business experiencing a recurring material data breach within the next two years after an initial hack is nearly 28 percent. Data breaches are the most expensive to deal with in the United States and Canada, costing $225 million and $190 million respectively. The average total organizational cost of breaches in the United States found in the 2017 study was a whopping $7.35 million.

Why Your Email Is Key

The reason hackers want into your email is that it can lead to a huge payday. With access to your email, a cybercriminal can log into any account you have by simply clicking on “forgot my password.” This allows them to create a new password using your email.

Access to your email allows criminals to create new, fraudulent accounts in your name. They can use your identity and email address to open new accounts and create their own passwords. From there, the possibilities are limitless from ordering goods online to withdrawing your entire life savings.

In addition to your business being negatively impacted, the friends and connections in your email network can also be put at risk for infection. Or, in the case of my client, hackers can steal access to your clients and could possibly ruin solid business relationships. Many criminals even sell access to hacked email accounts on the black market. The amount of damage that can be done in less than an hour is astounding.

How It Works

Multi-factor authentication is a security system that requires more than one method of authentication to verify a user’s identity. This can range from requiring passwords that must periodically be changed by legitimate users to requiring a one-time PIN provided via smartphone for access.

Without having all of the required pieces of information, a user would not be able to log in successfully. This means better protection for you and your business. Multi-factor authentication can help secure everything on your business network from logging into your server to shared resources and employees who bring their own devices to work. Some larger organizations that use MFA that you are probably familiar with include Google and PayPal. Most financial and medical institutions also employ MFA as well.

Our Recommendation

The moral of the story is that whether you are using personal email or corporate email, you need MFA. Had my client’s travel agent employed MFA, this hack would likely have never occurred. The would-be criminal would have likely hit a brick wall of security and moved on to a less secure target.

While Oram already recommends multifactor authentication, going forward, we are requiring our clients to utilize MFA for everything possible from email and icloud accounts to banking and financial sites. The reasoning behind this is that MFA significantly reduces the risk that a cybercriminal could access your most important systems. Additionally, it adds extra layers of security that will make your network and other proprietary systems that much more difficult to breach.

If you would like to learn more about multi-factor authentication or other ways to better secure your business, we are happy to assist you. Call Oram today at (617) 933-5060 or visit us online.