The Software Patch is a Nuisance and a Necessity

Valentine’s Day kicked off a big week for software patch fans, as Apple sent out a patch for its operating systems and Microsoft pushed a flurry of patches for Windows.

If you are not a software patch fan, you should be. The seconds you spend patching work and personal devices can save thousands of dollars and dozens of hours cleaning up from cyber criminals who exploit vulnerabilities. Yes, patches are a nuisance and more common than most would like them to be, but they are also a necessity if you care about cyber security.

Why Do I Receive So Many Software Update Requests?

Responsible software makers continually evaluate threats to their systems and issue software patches to fix them. Apple was tipped off to a flaw in its operating systems that could allow hackers to install and execute code on an unpatched device. This patch fixed what is known as a Zero-Day Flaw or Zero-Day Exploit, which is a flaw that exists in software when it ships. Hackers carefully review every new piece of software to find vulnerabilities in security, as do researchers familiar with vulnerabilities. Apple issued its software patch in response to findings by a researcher who recognized the potential risk.

Microsoft, as usual, is furiously patching its most recent Windows release to close 75 security gaps, including some that would allow a hacker to bypass Windows malware filters or access system functions.

Patching Protects Against Phishing

Everyone who uses Windows or iOS should apply these software patches immediately. Doing so, on personal devices as well as work-issued devices, delivers two real benefits. First, it blocks a potential risk to cyber security that is known to and in use by criminal hackers. Second, it nullifies some phishing attacks by making it impossible for hackers to deliver malicious software.

The exploits patched by Apple and Microsoft may require users to visit a compromised website or download software that can exploit the known vulnerability. A software patch removes the vulnerability, so even if an employee clicks on a compromised link, the hacking attempt fails.

Every business should make software patches mandatory for all personal and work devices, particularly personal smart phones and laptops, which may access business WiFi or networks when employees come to the office. Software patches are usually sent out by software manufacturers automatically, but users may find them a nuisance and ignore them. Businesses can assist with updates by emailing staff when security patches are sent out. Ask employees to update their devices and provide links to download sites and additional information from manufacturers.

Patches may arrive at inconvenient times and employees may consider them a bother, but they are an essential piece of overall cyber security. Be aware that failure to patch can violate a cyber liability policy or expose a business to government fines if an unpatched exploit leads to a data breach.

Installing software patches is good cyber hygiene and part of employee cyber security awareness. Protect Now has developed an employee training program that changes culture by changing the way employees consider cyber security. We go beyond concepts and hypotheticals to help employees understand their attitudes about cyber security and the need to apply the same standards they use in their personal lives to data protection in the workplace. Contact us online to learn more, or call us at 1-800-658-8311.

Tax Season Is Cyber Crime Season

As tax season begins, cyber crime targeting W-2 forms is on the rise. Criminals want W-2 forms so they can file fraudulent tax returns and cash the refund checks. Victims find out about these scams when they attempt to file their legitimate returns, only to be told that a return has already been filed.

The U.S. Justice Department, citing Internal Revenue Service data from 2013, reported that 5 million tax returns were filed fraudulently, seeking $30 billion in refunds. Cases of this fraud are believed to be much higher today, leaving victims to wait out a lengthy process of reconciliation before they can get the tax refunds they deserve.

Anyone who issues or distributes W-2 forms needs to take exceptional care with them. Because they contain Social Security numbers and personally identifying information, they are considered protected personal information under state laws.

How to Protect and Safely Distribute W-2 Forms

Criminals attempt to steal W-2 forms in two ways: online and in person. In-person theft simply involves stealing W-2 forms from someone’s mailbox. Criminals know when to look, but they may not know what they are looking for.

You can prevent mailbox theft by distributing W-2 forms online, or by handing them to employees in the office. If you must mail W-2 forms, it is best to do so in a plain envelope with a handwritten return address that looks like a personal letter. Avoid envelopes that look corporate, and absolutely avoid windowed envelopes that show the form or that have printed messages stating that a W-2 is inside.

If you distribute W-2 forms electronically or provide self service for your employees, follow these tips:

  1. Give employees a link instead of emailing a W-2 form. Most payroll providers include password-protected individual employee accounts as part of their service. Take advantage of these so that employees have to download their forms, rather than sending them via email.
  2. If you must email, be sure the email is encrypted. This prevents thieves from capturing the documents in transit. Send W-2 forms only to employee email accounts that you manage, not third-party accounts or free email services that are more easily compromised.
  3. Encourage employees to file early. Early filing is the best defense against a fraudulent claim, and criminals tend to file very early in the season.
  4. Beware of phishing and social engineering scams. Criminals may attempt to harvest W-2 forms by pretending to be accountants, representatives of online filing services such as TurboTax or state or Federal tax agents. Remember that no one will ever contact you by phone, email or text with a legitimate request for someone’s tax documents.
  5. Warn employees of tax season scams. Send a reminder email that no one from the company and no legitimate government agent will ever contact them to ask for a copy of a W-2, and advise them to be careful responding to requests from trusted contacts, such as their own lawyers and accountants. Follow one simple rule whenever you receive a request for personal information: Call to verify.

Many employees and a large number of business professionals are unaware of the growing number of scams targeting tax documents. These forms contain one of the most valuable pieces of personal information: an individual’s Social Security number. If an attempt to steal employee tax forms from an organization succeeds, it must be treated as a data breach and reported to law enforcement. Employees will need to inform the Social Security Administration of the compromise as well.

W-2 theft is another aspect of phishing and social engineering that businesses can fight with cyber security awareness training. Our CSI Protection Certification succeeds where other programs fail by tapping into the personal desire employees have to keep their own data safe and showing them how those instincts apply in workplace situations. Contact us online to learn more or call us at 1-800-658-8311.

Cyber Insurance Companies Go to Court to Block Claims

Cyber insurance may not offer the protection you expect. In a case that has far-reaching implications for all policyholders, leading cyber insurance providers challenged a New Jersey court ruling ordering them to pay damages for the 2017 “NotPetya” attack that led to $1.4 billion in losses for pharmaceutical company Merck & Co, The Wall Street Journal reports.

Insurers claim that the attack is not covered because it was an act of war committed by a foreign adversary. U.S. government officials attributed NotPetya, a Windows ransomware attack that encrypts operating systems and data, to the Russian government. Insurance companies believe this triggers the “war exclusion” common to many types of insurance policies that blocks claims resulting from military action. Though written to cover damage from bullets and bombs, cyber insurance underwriters now seek to apply that exclusion to damage from state-sponsored cyber attacks.

Should insurers prevail, businesses of all sizes could find themselves without protection for any cyber attack attributed to a foreign government.

Read the Fine Print on Your Cyber Insurance Policy

Few insurance buyers take the time to fully read their policies, and fewer inquire about the extra coverage, which comes at a higher cost, that protects against uncommon risks. This can leave businesses vulnerable if they file a claim in the wake of a cyber attack.

Foreign adversaries may be the least of your cyber worries, but you should understand that a cyber policy is not guaranteed protection, but a relationship between your business and your insurer that demands certain actions on your part to keep the policy in effect. These inevitably include the following:

  1. You will take reasonable steps to secure your cyber infrastructure. This includes setting up secure systems, maintaining security certificates and updating software regularly to apply security patches. A recent attack that brought down servers worldwide took place because some users did not apply a security patch issued in February 2021. Those who failed to apply the patch could have their insurance claims denied.
  2. You will limit access to your systems to essential personnel. This includes password security as well as role-based authorizations. As a rule, employees should only have access to the systems and data they need to do their jobs. Shared passwords, poor password security or unchecked access to data could leave you paying out of pocket if you suffer a data breach.
  3. You will take steps to protect customer data. This includes how you collect data, how you transmit it online, how you store it and how long you retain it. Best practices vary depending on the type of data collected, with the strongest protections required for sensitive personal data such as credit card numbers and financial information.
  4. You will verify security with all third-party providers. This requires you to understand the security practices of your vendors and, in some cases, to get regular statements from them attesting to their cyber security. Vendors include your phone company, your Internet service provider, web hosts and software vendors. Expect a request for cyber security documentation from all vendors if you ever need to file a claim.
  5. You will train your employees in cyber security awareness and phishing protection. This requires annual or semiannual in-depth training on recognizing and stopping social engineering and phishing attacks. Your policy may mandate training within a certain period of time for all new employees, as well as regular refresher courses.

Know What Your Insurer Expects of You

If sitting down to untangle the language in your cyber policy is too daunting, speak to your insurance agent and ask for a full list of your responsibilities and the agent’s recommendations. Recognize that things like training and software updates are in your control, while natural disasters and acts of war are not. Insurance policies protect against everyday risks, not exceptional ones, but that protection is only available if you do your part to comply with your policy’s requirements.

A hack or data breach is stressful enough without worrying over whether your insurance policy covers the damage.

Protect Now provides Cyber, Social and Individual (CSI) Protection Certification, a cyber awareness training program that changes employee attitudes toward security by making data protection personal. This affordable program was built to serve businesses that have significant public interactions and need to protect their clients’ personal data. Learn more by calling us at 1-800-658-8311 or contacting us online.

Feds Take Down Ransomware Gang, Aid Victims

In a sign of its aggressive new posture against cyber criminals, the United States government infiltrated and compromised the Hive ransomware gang, blocking hundreds of millions in ransomware payments and seizing control of the gang’s website. No arrests were announced, but authorities in Germany and The Netherlands were able to seize the ransomware gang’s servers.

Hacking the Ransomware Hackers

Ransomware attacks are among the most costly for businesses and organizations. These attacks typically begin with criminals using stolen passwords found on the Dark Web or acquired through phishing attacks. Once ransomware hackers have access to online systems, they encrypt all of an organization’s data and lock it behind a password. They then demand a ransom in cybercurrency, such as Bitcoin, in exchange for a key that will unlock the encrypted data.

To shut down Hive, U.S. investigators infiltrated the gang’s network. They learned about planned attacks, including a Texas school district and a Louisiana hospital, then stole the ransomware decryption keys and gave them to the targets. When the ransomware attacks began, organizations were able to immediately restore their systems with the encryption keys, saving millions in ransomware payments.

The operation represents a significant shift in how Federal authorities approach cyber gangs. In the past, U.S. authorities attempted to recover ransoms after payment, with limited success. The move against Hive ransomware represents a significant escalation in response, known to be part of the Biden Administration’s draft cyber security plan, that sees law enforcement partner with victims ahead of an attack to prevent damage and financial loss.

Ransomware Risks Remain

While Hive was one of the better-known ransomware gangs, there are many more carrying out these attacks who will not be deterred by a single U.S. government success. A Verizon report on cyber crime in 2022 found that ransomware attacks rose by 13%, a larger increase than the past 5 years combined. Criminals can now buy ransomware online; in late 2022 a Microsoft study found criminals using it to steal data and wipe systems clean, removing all traces of their activity, without making a ransom demand.

Regardless of the nature of the attack, ransomware victims tend to have a few things in common:

  • They operate critical infrastructure used by the public.
  • They appear to have budgets that support multimillion-dollar ransom requests.
  • Their cyber defenses have vulnerabilities ripe for exploitation.

Verizon reported that 20% of data breaches resulted from social engineering. Public-facing organizations face greater risks for intrusions and compromise due to the nature of their work, which makes cyber security awareness training essential.

Aggressive action from the Federal Government against cyber criminals is a positive development, but businesses and organizations cannot rely on it to ensure security. Employee training, strong cyber defenses and advance warnings from Dark Web monitoring still provide the best protection against intrusions and fraud. Protect Now provides support for small- and medium-sized businesses that work extensively with the public. Contact us online or call us at 1-800-658-8311 to improve your cyber security.