Corporate Cyber Security Leadership Is Lacking, Survey Finds

With Cyber Security Awareness month set to kick off on October 1, a new survey finds that the boards of U.S. companies should pay attention. The Wall Street Journal reports that an analysis by software provider Diligent found 88% of companies listed on the S&P 500 have no directors who are cyber security experts.

The survey defined “experts” as those who had served as a Chief Information Security Officer (CISO) or who had technology experience, including those who had previously held senior roles in technology. The survey also found that 52% of companies had at least one member of the Board of Directors with technology experience “adjacent to cyber security.” NightDragon CEO Dave DeWalt, who commissioned the survey with Diligent, said, “This lack of momentum in the boardroom continues to startle me.”

Without Leadership, Cyber Security Will Continue to Fall Short

If 100% of companies listed on the S&P 500 use technology, 100% should have some cyber security expertise on their boards of directors. These boards exist to set company priorities and guide business growth. Without directors who understand the ever-evolving strategies and techniques used by cyber criminals, it is difficult to take their security measures seriously.

New Securities and Exchange Commission cyber attack reporting rules that went into effect on September 5, 2023, may push some companies to pay closer attention to online security. The rules are a step in the right direction, but they fall short in one regard: A provision that would have required companies to detail cyber security experience on their boards was dropped from the final regulations. The SEC dropped this provision amid complaints that a specific level of expertise was not defined in the rules, that an insufficient number of cyber security experts were available to hold director positions and that the requirement might limit diversity on company boards.

In other words, the Federal government backed off a sensible requirement because businesses said they could not find the right people. The gap in leadership starts with Federal regulators, then trickles down to the companies that face cyber threats.

Shareholders Must Take Notice

One benefit of the new SEC reporting rules is a requirement that publicly traded companies report cyber attacks and their impact on business activities. Shareholders should use this information to probe expertise and cyber awareness of the companies whose stock they hold. Effective immediately, a search of a company’s filings in the EDGAR Database will reveal the number and severity of recent cyber attacks for any publicly traded company. Companies that suffer repeated attacks, or that suffer easily preventable attacks, should be held to account on their security practices and training.

Shareholders have the right to question company leadership and to demand change if they feel threats are not adequately addressed. The SEC disclosure rule puts the needed information in shareholders’ hands, but it is only valuable if shareholders use it to demand accountability.

Not every company needs a CISO on its Board of Directors, but every company should strive to have at least one director with significant cyber experience who can evaluate threats and risks. When that expertise is not available, companies must outsource experienced support.

All too often, companies fail to take action until after a cyber attack occurs. Criminals know this and see U.S. businesses as ripe targets for data theft and ransomware extortion. Solving this problem requires every U.S. business to see security as more than occasional employee training and software updates. The larger the company, and the more it relies on technology, the more critical the need for a comprehensive cyber strategy.

Small businesses have a role to play as well, as they are part of the overall “threat surface” for their clients and partners. Many companies have received letters from partners in recent weeks asking about their security practices and protocols as publicly-traded companies ramp up their compliance. If you need help responding to these requests, please contact us online or call us at 1-800-658-8311.

Social Engineering Eyed in High-Profile Casino Attacks

Social engineering may be behind two high-profile attacks on casino operators Caesars and MGM. In an 8-K filing with the Securities and Exchange Commission, Caesars Entertainment reported “a social engineering attack on an outsourced IT support vendor used by the Company.” Hackers were able to steal data from the Caesars loyalty database around September 7, exposing an unknown number of driver’s license and Social Security numbers. The Wall Street Journal reported that Caesars paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In its SEC filing, Caesars noted that there is no guarantee the criminals will delete the data.

Elsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Caesars attack.

Anatomy of a Social Engineering Attack

In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Caesars hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor’s help desk to gain access to that person’s account.

Social engineering attacks are targeted. The criminal is typically armed with some information about the individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual’s voice using just a few seconds of online audio. They then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try to gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and the third-party vendors that serve these companies, are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.

Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.

Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.

Preventing Social Engineering Attacks

As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:

  1. Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
  2. Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
  3. Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
  4. Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
  5. Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual’s phone number on your devices.
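The access-review protocol in item 5 can be written down as a small decision procedure, which makes it easier to audit and to train against. The following is an added example, not code from the original article or from the company that wrote it; the directory entries, reviewer list, account names and phone numbers are constructed placeholders. It encodes the rules above: a request that asks for a two-factor code is refused outright, a caller-supplied callback number that differs from the number on file is treated as a spoofing indicator, every remote request needs a trained second reviewer who is not the requester, and approval is only possible after the reviewer has reached the account holder on the number already on file.

```python
"""Model of a help-desk access-request review protocol (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Channel(Enum):
    PHONE = "phone"
    TEXT = "text"
    EMAIL = "email"


class Decision(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    PENDING_REVIEW = "pending_review"


# Constructed sample directory (not real data): account name -> phone number on file.
DIRECTORY = {
    "j.doe": "+1-555-0100",
    "a.smith": "+1-555-0101",
    "m.lee": "+1-555-0102",
}

# Constructed list of staff trained to review social engineering and phishing attempts.
REVIEWERS = {"m.lee"}


@dataclass
class AccessRequest:
    account: str                              # account the requester wants access to
    channel: Channel                          # how the request arrived (all are remote)
    callback_number: Optional[str] = None     # number the requester asked us to call back on
    asks_for_mfa_code: bool = False           # requester wants a two-factor code read out
    reviewer: Optional[str] = None            # second set of eyes assigned to the request
    callback_to_number_on_file: bool = False  # reviewer reached the holder on the number on file


def evaluate(req: AccessRequest) -> Tuple[Decision, str]:
    """Apply the review protocol and return (decision, reason for the audit log)."""
    # Rule 1: two-factor codes are never read out, whatever the story.
    if req.asks_for_mfa_code:
        return Decision.DENIED, "two-factor codes are never shared over phone, text or email"

    # Rule 2: the account must exist in our own records; we never trust the caller's claim.
    on_file = DIRECTORY.get(req.account)
    if on_file is None:
        return Decision.DENIED, f"no account on file for {req.account!r}"

    # Rule 3: a callback number that differs from the one on file is a spoofing indicator.
    if req.callback_number is not None and req.callback_number != on_file:
        return Decision.DENIED, "requester supplied a callback number that does not match the number on file"

    # Rule 4: every remote request needs a trained reviewer who is not the requester.
    if req.reviewer is None:
        return Decision.PENDING_REVIEW, f"{req.channel.value} requests require a second reviewer"
    if req.reviewer not in REVIEWERS:
        return Decision.PENDING_REVIEW, f"{req.reviewer!r} is not a trained reviewer"
    if req.reviewer == req.account:
        return Decision.DENIED, "a requester cannot review their own request"

    # Rule 5: the final step is always a fresh call to the number on file, never redial.
    if not req.callback_to_number_on_file:
        return Decision.PENDING_REVIEW, f"reviewer must call the holder on the number on file ({on_file}) before approving"

    return Decision.APPROVED, "holder confirmed via callback to the number on file"


if __name__ == "__main__":
    # Constructed scenarios illustrating each branch of the protocol.
    scenarios = [
        AccessRequest("j.doe", Channel.PHONE, asks_for_mfa_code=True),
        AccessRequest("j.doe", Channel.PHONE, callback_number="+1-555-0199"),
        AccessRequest("j.doe", Channel.EMAIL),
        AccessRequest("j.doe", Channel.PHONE, reviewer="a.smith"),
        AccessRequest("j.doe", Channel.PHONE, reviewer="m.lee"),
        AccessRequest("j.doe", Channel.PHONE, reviewer="m.lee", callback_to_number_on_file=True),
    ]
    for s in scenarios:
        decision, reason = evaluate(s)
        print(f"{s.account:8} {s.channel.value:6} -> {decision.value:15} {reason}")
```

The point of keeping the rules in one function is that the help desk script, the training material and the audit log all follow the same order of checks, and a request that fails an early rule never reaches the reviewer queue. Wiring this into a real ticketing system is outside the scope of the example.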

Sophisticated social engineering attacks work because employees trust and want to do a good job. Training must emphasize that security is equally if not more important than customer service. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.

If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.

When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little or nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning, which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employee of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.


Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

Lessons Every Worker Can Take from Realtor Safety Month

September 2023 marks the 20th anniversary of the National Association of Realtors’ (NAR) REALTOR® Safety Month. With more than 1.5 million members, the NAR is the largest trade association in the United States, and it has extensive experience working with real estate professionals, law enforcement and government officials to improve on-the-job safety.

It should surprise no one that real estate brokers, appraisers, salespeople and property managers are victims of violent crime, with 23% reporting that they feared for their safety, or the safety of their personal information, in the 2022 NAR Member Safety Residential Report. That is nearly 1 in 4 individuals who felt threatened on the job.

Safety Month exists to raise awareness of the common dangers faced by these professionals, who often meet with people alone, in remote locations and in empty buildings. Those situations are not unique to the real estate industry. Safety Month guidelines from the NAR are valuable for any worker who interacts with the public, particularly those who visit clients at home or in remote locations, including delivery drivers, rideshare drivers, plumbers, electricians and salespeople.

Understanding and Assessing Risk at Work

Safety Month was created to encourage workers to think about the risks they face on the job and the best ways to manage them. In assessing risk, it can be helpful to think about what motivates criminals and how they choose their victims.

Most criminals seek financial gain and use manipulation, harassment, threats or, if all else fails, violence to get what they want from you. There are some cases where an individual seeks to inflict some kind of personal harm on someone else, but these cases are far rarer than robberies or muggings. You are most likely to be a victim of monetary or property theft on the job.

Criminals prefer easy targets in situations that they can control, away from others. How you present yourself, both in person and online, and how you protect yourself on the job contribute to a criminal’s assessment of your vulnerability. Making yourself a difficult target and limiting the chances for a dangerous encounter will protect you from the majority of criminals.

Here are some practical steps you can take to make criminals think twice about targeting you.

  1. Be mindful of what you share online. Your online profile does more than advertise you to potential clients. It also lets criminals know how vulnerable you are. It is increasingly common for criminals to research their targets online and plan a robbery ahead of time. If you follow good practices for cyber security, which include limiting what you share, regularly changing passwords and enabling two-factor authentication, criminals may move on from you to someone who appears to be an easier target. Personal phone numbers, personal emails and daily schedules should never be shared online.
  2. Always meet new clients in your office or a public place. This will not work for service professionals, such as plumbers and electricians, but it is recommended for all other workers. If you are conducting an assessment or inspection in a remote area, ask to meet in a public place nearby and travel to the location from there. This will give you a chance to assess any possible risk.
  3. Travel in pairs. Many service professionals do this with new clients. Bringing someone else reduces risk but does not eliminate it. If you feel that you will be outnumbered by a group of criminals, leave the area.
  4. Ask for a preliminary video conference. Service professionals can ask a potential customer to show them the problem. Real estate professionals and appraisers can ask for a quick video tour of the property. Criminals will not agree to this, either because there is no real problem or because they do not have access to the property.
  5. Keep a second phone exclusively for business use. Carry it along with a personal phone wherever you go. Be sure to check coverage maps when selecting a second phone, so that you can maintain signal wherever you go. In the worst-case scenario, you can throw your business phone at an attacker and run while keeping your personal phone to call for help.
  6. Be mindful of urgency. Criminals often use the pretext of immediate need, or the threat of a lost opportunity, to lure victims into situations they would otherwise avoid. They may contact you late in the day, over the weekend or on a holiday and tell you that you must immediately come to a location to win their business. If you attempt to slow the process down, either by scheduling an appointment the next day or asking for a video tour, criminals will either give up on you or demand that you come anyway. Never let the promise of business overcome your personal safety rules.
  7. Be aware of individuals who lurk. Keep a close eye on people who arrive late to an open house, insist on a showing very late in the day or who shadow you while you do your job. Some curiosity on the part of customers is normal; someone who follows you closely is a potential danger. In this situation, ask for some space so you can do your work or inform the customer that you need to check something outside.
  8. Take a self-defense class. The NAR reports that 40% of Realtors® have completed a self-defense class. Good classes teach the ability to spot dangerous situations as well as how to react to them. It is always better to avoid the confrontation entirely than to know how to handle it.
  9. Carry a self-defense tool. Service professionals will have a truck or van full of things that can be useful in an attack, but salespeople, appraisers and real estate professionals may have little more than a pen and a computer. The best self-defense measures are nonlethal and have an area of effect, such as pepper spray. You will be more likely to use them in a dangerous situation, and they can incapacitate several attackers at once. Be sure to check your state’s rules for licensing and training, as you could face criminal charges if you discharge pepper spray or bear spray, even in self-defense.
  10. Report any threatening messages you receive. The 2022 NAR Member Safety Residential Report revealed that 30% of Realtors® who were targeted by criminals received a threatening voice mail, email or text message before the attack. Threatening messages should be taken very seriously by all professionals, and you should take extra precautions after receiving them. The individual who threatens ahead of time is more likely to be motivated by anger or revenge and is simply looking for a chance to attack. This individual wants to harm you, unlike the opportunist criminal who simply wants to steal your phone or money.

Safety Month Exists to Challenge Your Routine

All workers fall into rhythms and routines on the job. Even those who practice good personal and cyber security may get comfortable over time and relax their safety practices in pursuit of efficiency or out of a sense of confidence.

People like to think that they are aware of the risks they face. Some believe they have an instinct that lets them anticipate danger. These mental gaps can put you in threatening situations. Remember that criminals have one job: To find victims and steal from them. They spend all of their time looking for new tactics and honing strategies that succeed.

Safety Month provides an opportunity to think about the risks you face and to retrain yourself in practices that limit risk. This is a good time to review personal protocols, company protocols and cyber security practices. Should you need help with cyber security, or guidance on establishing safe working practices for your business, please contact us online or call us at 1-800-658-8311.