mitigate risk

Threats to business cybersecurity and a strategy for resiliency

October 4, 2018 by securewebsite

Imagine going into work, settling into your routine, and realizing you can’t access your email. You try refreshing your browser, logging out and then back in again, only to realize something malicious has happened. You start to panic. You can’t work, don’t understand how this could have happened, and wonder what the cost to your business will be.

Email is arguably the most vital tool used in modern business. It helps us communicate with our customers, collaborate internally, and keeps the information we need to move forward flowing like the blood in our veins. Without it, the livelihood of our business is at stake.

What has become the lifeblood of today’s businesses, Cybercriminals are using to become just as successful. According to the report The State of Email Security 2018 by Mimecast, email is the main way hackers initiate attacks to defraud businesses such as phishing scams, malware delivery (such as ransomware), and impersonation. As a matter of fact, the report shows a whopping 90 percent of global organizations studied in the 2018 report described consistency or rise in the number of phishing attacks experienced in the previous year.

BEC and EAC Threats
The 2017 Internet Crime Report issued by the United States Federal Bureau of Investigation’s Internet Crime Complain Center confirms email is a major target of bad actors. The report shows business email compromise (BEC) is a huge trend. This sophisticated scam targets organizations that frequently work with foreign suppliers and/or businesses and perform wire transfers on a regular basis. A variation of the threat, known as email account compromise (EAC) specifically targets individuals who regularly make wire transfers.

The FBI warns that though some businesses report using checks rather than wire transfers, cybercriminals will very casually employ the method that your business typically uses to steal your funds so as not to draw attention to themselves. They do this by compromising your “legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Hacking and Spoofing
In 2013, the FBI’s report shows victims indicated the email accounts of Chief Executive Officers (CEOs) and Chief Financial Officers (CFO’s) were often spoofed or hacked.

When an email is hacked, criminals can intercept important messages and data. One example is Climategate. This occurred when email archives from the Climatic Research Unit at the University of East Anglia were copied by the thousands. The breach occurred just before the Copenhagen Summit on climate change. Skeptics used information from the stolen emails as grounds to argue that global warming was a scientific conspiracy.

Email spoofing, or impersonation, is the forgery of an email header so a message appears to have originated with someone other than the actual source. This is a common tactic used by cybercriminals in phishing campaigns and spam emails because employees with access to data and/or funds are likely to respond to emails from supervisors or clients. A bad actor may spoof the email header of a CEO and send an email to someone that often handles wire transfers within the company, demanding an immediate wire transfer to avoid an emergency situation. In addition, spoofing can also be used by bad actors to fraudulently invoice business customers for goods or services with the funds going directly to accounts they have set up in order to steal money from the pockets of your unsuspecting clients.

Attackers are becoming ever more clever in the way they deceive victims. With social engineering, cybercriminals are learning to target specific individuals in a company by impersonating them online. In the last year, nearly 40 percent of organizations have seen impersonations of “finance/accounts” personnel and 28 percent report C-suite executives as targets of impersonations. Another 25 percent of organizations reported impersonations of human resources staff. In total, 20 percent of respondents studied in the Mimecast report suffered a direct financial loss as the result of an impersonation attack.

Phishing by Numbers
Phishing is another form of email threat. Phishing occurs when someone sends an unsolicited email, text message, or telephone call that is purportedly from a legitimate company. Such phishing messages may request personal or financial information or even login credentials. An online article by TripWire reported that three-quarters of organizations experienced phishing attacks in 2017. This number held steady from the previous year.

A study by Dr. Zinaida Benenson, a professor at the University of Erlangen-Nuremberg who leads the “Human Factors in Security and Privacy” research group, demonstrated that 45 percent of people will click on a malicious link if it includes their name. In a second study where the recipient name was not used, 20 percent of people still clicked on the link. She suggested companies employ a “reporting” feature to flag suspicious emails or that utilize digital signatures to stop them before employees have a chance to get click happy.

Ransomware
Ransomware is a form of malware. It targets weaknesses by both security technology and human users. This malicious type of malware is typically delivered through vectors such as remote desktop protocols which allow computers to connect to one another across networks. Additionally, ransomware can also be sent through phishing emails that are sent to an end user resulting in the rapid encryption of sensitive data or files in a network.

Cybercriminals seize control of a business’s data in these ways and then hold it for ransom, often demanding large sums of money to restore access. Some cybercriminals even threaten to release proprietary information or data if a ransom is not paid within a given timeframe. Aside from that, the Mimecast report shows an average downtime three days after a ransomware attack which can cost your business even more money.

WannaCry, also known as WannaCrypt, was one of the major ransomware attacks in the history of IT. It affected several hundred thousand machines around the world bringing businesses from banks to law enforcement agencies as well as infrastructure companies to their knees.

Internal Threats
The Mimecast report also demonstrates that internal threats are also on the rise. Of the organizations studied, 88 percent reported internal threats caused by careless employees over the course of the last 12 months. To make matters worse, another 80 percent reported accounts had been compromised and 7- percent identified malicious insiders as a cause of internal issues during the same period.

Insiders have a distinct opportunity to wield emails. They can steal information and send it to outsiders or publish it for their own gain. This is where using the practice of least privilege can help protect your business.

Prevention is the Best Medicine
It’s been said that the best defense is strong offense. That is particularly true when it comes to cybersecurity. Just as you inoculate a child against disease with vaccinations, businesses should employ preventative measures to reduce the odds of an attacker getting in through their email.

Oddly enough, businesses have taken a more reactionary approach to cybersecurity and it’s costing them big time. Changes in data storage technology such as migrating email to platforms such as the Cloud or Microsoft Office 365 is leading businesses to oversimplify their security strategy. Business leaders believe they can save money and minimize the complexity of managing their cybersecurity by employing a defense-only model. This way of thinking falls short of providing the forethought and prevention the best security has to offer.

“Attackers are leveraging these same changes and are working in real-time to exploit gaps in your security program,” warns the Mimecast report, which predicts that 50 percent of organizations will suffer a negative business impact from an email-borne attack this year.

Education is Key
While email is unequivocally a major business tool, it can also be a major security threat. Of the organizations studied for the Mimecast report, “61 percent were hit by an attacker where malicious activity was spread from one infected user to other employees via email.” That is why cybersecurity awareness training is so imperative to a solid business security strategy, especially for business leaders.

According to Mimecast, nearly 40 percent of organizations see the CEO of their organization as a “weak link” in the cyber security chain. In fact, the study showed 31 percent of C-level employees have unintentionally sent sensitive information to the wrong person in the last year compared to 22 percent of other employees. This is due in part to corporate level employees having access to more sensitive business data than the average employee. Over the last 12 months, the report also showed 20 percent of organizations had C-level employees send proprietary data via email in response to a phishing email.

All employees should receive regular cyber security awareness training to prevent breaches before they can happen. While every employee needs regular training to keep up on the latest threats, this is especially true for C-level employees and those with access to sensitive data. You want to ensure there is security expertise at the leadership level of your business and the right training can get you there.

Cyber Resilience is Everyone’s Job
Implementing a solid cyber resilience plan is the responsibility of every employee. It doesn’t just fall to one person or department. Of businesses that have employed a cyber resilience plan, 80 percent feel prepared to fight ransomware and are confident that their sensitive data and files are properly backed up and encrypted, according to the report by Mimecast.

There are several steps to implementing a cyber resilience plan for any business based on the four dimensions of cyber resilience: Threat protection, adaptability, durability, and recoverability. Those steps include ensuring:

• The right security services are in place before an attack happens.
• A durability plan to keep email and business operations running during an attack or security breach.
• The ability to recover data and other corporate IP after a cyber incident or breach occurs.

Extra Tips
Here are a few more tips from the State of Email Security report to help close the security gaps at your business:

• Place cybersecurity into the function that manages overall risk mitigation for your business.
• Understand upper management sets the tone for company culture including security.
• Benchmark your security controls and risk management programs against similar businesses on a regular basis.
• Engage your security team on a regular basis to discuss your security program and requirements as well as the need for changes.
• Leverage internal marketing to communicate that security is everyone’s responsibility.

For more information on implementing a winning cyber resilience strategy for your small business, contact Oram now at (617) 933-5060.

Cybersecurity Awareness Training: How proper training can turn employees into your best security asset

August 10, 2018 by securewebsite

Cybersecurity has become a major focus for business leaders today and rightly so with the number of major data breaches on the rise. Just look at the number of breaches in the first six months of 2018 from an infiltration of U.S. power companies by Russian hackers to 150 million users of Under Armour’s MyFitnessPal app having their personal data stolen. The threat to today’s businesses is very real but employees can be a business’s best security resource if properly trained.

The report, Magic Quadrant for Security Awareness Computer-Based Training, by Garner, a leading computer trends analyst, reported, “People impact security outcomes much more than any technology, policy, or process. People play an undeniable role in an organization’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: People’s ability to learn and their capacity for error.”

The Human Factor
Human error leads to breaches all the time. Whether an unsuspecting employee in your business clicks on a phishing link that exposes your entire network to a malicious virus or someone misplaces a phone, tablet, or laptop with unsecured access to proprietary data, human error can lead to big security problems.

Study after study shows the largest threat to any business, by far, is the people who work there. The 2018 Data Breach Investigations Report by Verizon shows malicious employees were responsible for 28 percent of attacks. In addition, the same report revealed human error was responsible for another 17 percent (or nearly one in five) breaches studied in the report.

Though these types of statistics show the desperate need for ongoing, repetitive, and engaging cybersecurity awareness training, many business leaders fail to see its importance and value.

Terrible Training Stats
Employees should be the first layer of security for every business but the fact of the matter is they have become the largest threat to business security today in major part due to a lack of proper cybersecurity awareness training. A report by SolarWinds MSP, Cybersecurity: Can Overconfidence Lead to an Extinction Event?, demonstrates that despite how important cybersecurity awareness training is, only 16 percent of respondents in the study considered it a priority.

An incredible 71 percent of companies studied in the SolarWinds investigation admitted to including such training only as part of the onboarding process or as a one-off annual event. Another 13 percent of organizations studied said that they offered no cybersecurity training to employees at all.

Why Training is Imperative
As mentioned earlier, breaches among businesses of all sizes are on the rise and the costs to remediate such attacks are also increasing. The FBI reported a 2,370 percent increase in exposed losses between January 2015 and December 2016. Additionally, a total of more than $5 billion was stolen from businesses in cyber theft between October 2013 and December 2016. That meant there was an average loss of $100,000 per incident and losses are projected to top $9 billion this year alone.

With this in mind, the primary goal of cyber security awareness training is to change the behavior of your employees so they are less susceptible to social engineering: Being manipulated, influenced, or deceived by someone to take action that isn’t in the best interest of your business. Some of the most common examples of social engineering attacks include phishing or spear-phishing by phone, email, postal service, or direct contact in order to trick people into doing something that will harm your company. You have the power to stop this by incorporating cybersecurity awareness training into your business before it’s too late.

When to Train?
The most-effective cybersecurity awareness training programs are ongoing. The first training for every employee should occur during the onboarding process. Thereafter, there should be frequent training opportunities and reminders, even if they are brief such as a once-a-month, computer-based training that only takes a few minutes.

Every employee should be offered a deeper training annually to update them on the latest threats to businesses in their industry and remind them of what they can do to help prevent attacks. There should also be additional trainings whenever a potential threat is identified or a cyber incident has occurred within the company so there are no repeat events.

What Should Be Covered?
One of the best ways companies can mitigate their cybersecurity risk is through proper training. The wrong way to approach training is as a once-a-year or semi-annual exercise where everyone is gathered for a training involving a long, boring PowerPoint presentation. This can feel more like a punishment for your busy employees rather than a valuable learning opportunity.

Not only should training be consistent with frequent, easy-to-follow training sessions, it should vary by topic and address the particular access to valuable data each employee has due to their individual role. Not everyone learns in the same way and not everyone needs to learn the same material.

Offer trainings aimed at specific roles taking into consideration how much access each has to valuable data and how they are most likely to be targeted by hackers. By offering interactive, role-based training in small, digestible portions with greater frequency, your employees will see it as valuable and easier to implement.

There should also be an emphasis on defeating social engineering attacks such as phishing emails that could lead to network-wide disaster. The aforementioned Verizon report determined that while 78 percent of people don’t click on a single phishing campaign all year, an average 4 percent of targets in any given phishing campaign will click it. Even more astonishing, it was found that the more phishing emails someone has clicked, the more likely they are to do so again.

Assess for Success
Cybersecurity training should also be assessed with frequent, short quizzes through training and reinforced through pen testing. This ensures employees absorb the valuable lessons being taught so they can act as the business’s first line of cyber defense.

How to Train
One of the most effective and more commonly used methods of cybersecurity awareness training being utilized by businesses today is interactive, computer-based training. It wields modern technology such as laptops, tablets, smartphones, and Internet of Things (IoT) devices to engage your employees in learning about the invaluable role they play in protecting your business.

“Showing a trainee how to recognize that out of nearly 20 types of files an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt can be a security game changer,” according to the whitepaper How to Fortify Your Organization’s Last Layer of Security- Your Employees. “Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements and can increase their trust in the impact the course is having and motivate them to complete it, thanks to congratulatory messages after each quiz.”

At the end of the day, human beings can become your best means of defense only when the proper security awareness training is employed. It can show them how they may be susceptible to social engineering, which is considered to be the single greatest security risk in the years to come, and that they can defeat it. Such training also demonstrates that you are willing to invest in them as much as you are in the technology they utilize each and every day. With such insight and education, your employees will feel empowered to protect the business you all are working so hard for.

If you need assistance with developing and implementing an effective cybersecurity awareness training program, contact Oram today at (617) 933-5060.