Cybercriminals are Targeting US Businesses with Malicious USB Drives

The FBI released a warning for US businesses about a cybercriminal group from Eastern Europe that is trying to hack into the networks of US companies by mailing them USB drives with malicious code on them.

This cybercriminal group, known as FIN7, is based in Eastern Europe, and US officials believe that they are responsible for billions of dollars in business and consumer losses, both in the US and abroad. The Justice Department has blamed FIN7 for stealing millions of credit card numbers in 47 states, and the FBI has been on the group’s tail for years.

This highly organized and sophisticated group attempts to infiltrate corporate networks by employing a seemingly old-fashioned, yet remarkably effective, tactic: mailing physical USB drives containing malicious code directly to businesses.

One of the most dangerous threats is a “BadUSB” attack. Plugging in a random USB drive, whether found on the ground or received as a freebie at a conference, poses significant cybersecurity risks. This seemingly innocuous act can lead to severe consequences for your computer and personal or corporate data.

These aren’t just regular storage devices; their firmware has been reprogrammed to act as other devices, most commonly a keyboard. When plugged in, the BadUSB instantly mimics typing commands, often at superhuman speed, which can then download malware, install ransomware, steal data, or even grant remote control to attackers. It bypasses typical antivirus scans because it’s not a “file” being scanned; it’s a device behaving maliciously.

These attacks have been going on for decades, primarily targeting companies in the defense, transportation, finance and insurance sectors. The mailed USB drives are often disguised as legitimate deliveries, arriving via services like the U.S. Postal Service and UPS. Some packages pretend to be from the Department of Health and Human Services (HHS), while others mimic Amazon deliveries, complete with fake “thank you” letters and counterfeit gift cards.

When an unsuspecting employee plugs one of these malicious USB drives into a computer, the device immediately registers itself as a Human Interface Device (HID) keyboard, rather than a storage device. This clever trick allows it to bypass many traditional security measures that block removable storage. Once recognized as a keyboard, the USB drive automatically injects a series of preconfigured keystrokes. These commands then download and install additional malware onto the compromised system, granting the cybercriminals remote access.
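A defender can look for both behaviours described above: a device outside the approved list that enumerates as a keyboard, and a keystroke burst right after plug-in that is faster than hand typing. The Python below is an added example, not code from the FBI warning or from this article; the event records, device IDs, allowlist and thresholds are constructed assumptions, while the USB class and protocol codes are the standard ones.

```python
"""Added example: flag USB devices that behave like the keystroke-injecting
drives described in the article. All device IDs and events are constructed."""
from dataclasses import dataclass
from statistics import median

USB_CLASS_HID = 0x03           # standard USB class code: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # standard USB class code: Mass Storage
HID_PROTOCOL_KEYBOARD = 0x01   # bInterfaceProtocol value for a keyboard
KEYBOARD_IF = (USB_CLASS_HID, HID_PROTOCOL_KEYBOARD)
STORAGE_IF = (USB_CLASS_MASS_STORAGE, 0x50)  # 0x50 = bulk-only transport

# Assumed policy values; tune them per environment (not from the article).
APPROVED_KEYBOARDS = {("1111", "0001")}  # (vendor id, product id) issued by IT
MIN_HUMAN_GAP_MS = 30.0    # a median gap below this is not hand typing
BURST_WINDOW_MS = 5000.0   # only judge keys typed this soon after attach
MIN_KEYS = 10              # need at least this many keys to judge timing

REASON_UNAPPROVED = "unapproved device exposes a HID keyboard interface"
REASON_TOO_FAST = "keystroke burst right after attach is faster than hand typing"


@dataclass(frozen=True)
class Attach:
    """A device was plugged into `port` and reported these interfaces."""
    t_ms: float
    port: str
    vid: str
    pid: str
    interfaces: tuple  # one (class, protocol) pair per USB interface


@dataclass(frozen=True)
class Key:
    """One key press delivered by the device on `port`."""
    t_ms: float
    port: str


def is_keyboard(dev):
    """True if any interface of the device is a HID keyboard."""
    return KEYBOARD_IF in dev.interfaces


def assess(events):
    """Return {port: [reasons]} for every attached device that looks suspicious."""
    attached, keys = {}, {}
    for ev in sorted(events, key=lambda e: e.t_ms):
        if isinstance(ev, Attach):
            attached[ev.port] = ev   # a re-plug on the same port starts over
            keys[ev.port] = []
        elif ev.port in attached and ev.t_ms - attached[ev.port].t_ms <= BURST_WINDOW_MS:
            keys[ev.port].append(ev.t_ms)

    findings = {}
    for port, dev in attached.items():
        reasons = []
        # Check 1: the device type. Storage-only policies miss this entirely,
        # because the drive never presents itself as storage.
        if is_keyboard(dev) and (dev.vid, dev.pid) not in APPROVED_KEYBOARDS:
            reasons.append(REASON_UNAPPROVED)
        # Check 2: the behaviour. Vendor and product IDs can be copied from an
        # approved keyboard, so timing is judged independently of the allowlist.
        stamps = keys[port]
        if len(stamps) >= MIN_KEYS:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if median(gaps) < MIN_HUMAN_GAP_MS:
                reasons.append(REASON_TOO_FAST)
        if reasons:
            findings[port] = reasons
    return findings


# Constructed sample input: an approved keyboard typed on by a person, an
# ordinary flash drive, and a mailed "drive" that enumerates as a keyboard
# and sends 40 keys, 4 ms apart, starting 0.8 s after it is plugged in.
SAMPLE_EVENTS = (
    [Attach(0, "1-1", "1111", "0001", (KEYBOARD_IF,))]
    + [Key(1_000 + 150 * i, "1-1") for i in range(20)]
    + [Attach(60_000, "1-3", "2222", "0002", (STORAGE_IF,))]
    + [Attach(90_000, "1-2", "3333", "0003", (KEYBOARD_IF,))]
    + [Key(90_800 + 4 * i, "1-2") for i in range(40)]
)

if __name__ == "__main__":
    for port, reasons in assess(SAMPLE_EVENTS).items():
        print(port, "->", "; ".join(reasons))
```

In practice the attach and key events would come from endpoint telemetry; the record shapes here are only a stand-in for whatever that source provides.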

FIN7’s ultimate goal is to gain a foothold within the victim’s network, escalate privileges, and then deploy ransomware by gaining back door access to achieve their objectives. The success of this method hinges on human curiosity and the deceptive nature of the packages, making it particularly dangerous in environments where employees might not be rigorously trained on physical media security.

The FBI emphasizes that even a non-administrative account compromise can lead to significant breaches, as the attackers can then conduct reconnaissance and move laterally within the network to gain access to more critical systems. This resurgence of physical media attacks highlights the evolving tactics of cybercriminals and the need for businesses to educate their employees on the dangers of plugging in any unsolicited external devices.

Steps To Protect Yourself and Your Company Data

Thankfully, there are a number of steps that you can take in order to protect yourself and company data. Here are some tips:

  • Don’t put any “free” or unknown USB drive into your computer, no matter what. If you find a USB drive, or you are given one from a stranger, you should give it to your IT department or other security personnel. Don’t even put it near your computer – even if you think you can see the owner of the drive.
  • You also want to take full advantage of any security features you have access to including strong passwords and encryption on your own USB drives. You also want to make sure that you are backing up any data on those drives in case they are lost.
  • Keep your business and personal USB drives in separate places. You shouldn’t use your personal USB drive in your work computer, and vice versa.
  • Don’t use Autorun on your computer. This feature causes some types of media, such as DVDs, CDs, and USB drives, to automatically open when they are put into a drive. When you disable this feature, if you insert a USB drive that is infected into your PC, it won’t open, and you can prevent the code from being put on your device.
  • Use security software and make sure it is updated. Use antivirus software, a firewall, and anti-spyware programs to make your computer as safe as possible. Also, make sure you update your computer with any updates or patches that come through automatically.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

PREDICTION: The Rise of Cybercrime in 2025: A Growing Threat

The cybercrime landscape is rapidly evolving, driven by technological advancements, increasing digital dependency, and the potential for substantial financial gain. As we move into 2025, several factors suggest that the cyber criminal job market will continue to expand, attracting both new recruits and experienced cybercriminals.

Factors Driving the Growth of Cybercrime in 2025:

  • Increased Digital Reliance:
  • Advancements in Cybercrime Tools and Techniques:
  • Lucrative Financial Rewards:
  • Globalized Nature of Cybercrime:

The Evolving Role of the Cybercriminal:

As the cybercrime landscape evolves, so too does the role of the cybercriminal. Here are some key trends to watch:

  • Specialization: Cybercriminals are increasingly specializing in specific areas, such as hacking, phishing, or malware development. This specialization allows them to hone their skills and become more effective at their craft.
  • Outsourcing and Collaboration: Cybercriminal organizations are outsourcing specific tasks to freelancers or other criminal groups, creating a more efficient and scalable model.
  • Automation: The use of automation tools and AI is enabling cybercriminals to launch attacks at scale, increasing the frequency and impact of cyberattacks.
  • Recruitment and Training: Cybercriminal organizations are actively recruiting new members and providing them with training to enhance their skills. This pipeline of talent ensures a steady supply of cybercriminals.

To combat the growing threat of cybercrime, organizations must invest in robust cybersecurity measures, stay informed about the latest threats, and train their employees to recognize and respond to cyberattacks. Additionally, international cooperation is essential to disrupt cybercriminal networks and bring perpetrators to justice.

Robust Cybersecurity Measures: A Comprehensive Guide

As cyber threats continue to evolve, it’s imperative for organizations to implement robust cybersecurity measures to protect their sensitive data and systems. Here are some key strategies:

Essential Cybersecurity Measures:

  • Strong Password Policies:
  • Multi-Factor Authentication (MFA):
  • Network Security:
  • Endpoint Security:
  • Data Encryption:
  • Regular Security Audits and Penetration Testing:
  • Employee Training and Awareness:

Staying Informed About the Latest Threats:

  • Subscribe to Cybersecurity News Sources:
  • Join Cybersecurity Communities:
  • Attend Cybersecurity Conferences and Webinars:

Training Employees to Recognize and Respond to Cyberattacks:

  • Phishing Awareness Training:
  • Social Engineering Awareness:
  • Incident Response Training:

By implementing these robust cybersecurity measures, staying informed about the latest threats, and training employees to recognize and respond to cyberattacks, organizations can significantly reduce their risk of falling victim to cybercrime.

Are You a Hard Target for Cyber Criminals? You Must Be

Cyber criminals hate a hard target. In the language of security, a “hard target” is someone difficult to hack, while a “soft target” is someone who is especially vulnerable.

Put yourself in a criminal’s shoes: Which home would you attempt to rob: the one with the back door open or the one with the spotlights and a burglar alarm? Those home security deterrents may not stop a determined criminal, but they send a clear message: This home takes security seriously, and you put yourself at risk if you try to break in.

Cyber criminals think in the same terms. They look for signs that you take security seriously. Some criminal gangs keep databases of known soft targets; you may know someone who is often hacked. All cyber criminals know what signs to look for to see if you pay attention to cyber security. They also know the difference between real cyber security and half-hearted attempts, just as experienced burglars know how to spot fake cameras and alarms.

It is not expensive or difficult to be a hard target. All you need is a little time and a commitment to consider how you approach online interactions. Here are five things you can do right now that will make you a hard target and convince criminals to look for easier victims.

Update your software.

A recent article in The Wall Street Journal certainly caught the eye of cyber criminals. It discussed users who cling to old operating systems and old software because they like certain features or because they do not want to learn a new interface. Some businesses still rely on old operating systems and outdated devices that power critical business functions because they want to avoid the learning curve with new software or because they find upgrading too expensive.

These users and business owners are the ultimate soft target. Criminals have databases of known exploits in old apps, programs and operating systems. They search online to find outdated software that is still in use, then launch attacks to steal passwords, gain access to networks, install ransomware or hijack customer data. Updates should be automatically applied and must be manually applied when auto-updating is not an option. Business owners should note that failure to update systems will void cyber liability insurance policies and trigger violations of the FTC Safeguards Rule. Publicly traded companies and businesses that serve publicly traded clients could face additional penalties under the SEC Disclosure Rule if hackers attack out-of-date systems and software.

If you absolutely must maintain old software or devices, the only safe way to do so is to keep them fully isolated from the Internet. That means no wired or wireless connections that could allow a hacker to access the device.

Change your passwords.

Password and credential theft occur daily. Most people accept it as a fact of life. What most people do not realize is that criminal gangs keep databases of usernames, passwords and other login credentials. These databases are bought and sold on the Dark Web, tested using a variety of methods, then repackaged into verified lists of working credentials. If you change passwords several times a year, you will be seen as a hard target and criminals may stop selling your personal information. Criminals will note that old passwords do not work, and those who act as information brokers may take note of how frequently you change your credentials.

Do not trust. Verify.

If you have ever taken a self-defense or defensive-driving course, you know that one of the first lessons is to question the way you trust. Most people trust unconditionally. They see a yellow line on the road and assume other drivers will respect it. They receive a text that appears to be from a coworker and they respond.

A hard target is vigilant and skeptical. They question everything and develop the ability to sense unusual situations. Instead of assuming that an email, text or phone call is legitimate, they investigate. These skills, which can be developed through cyber security awareness training, make the hard target nearly invulnerable to business email compromise and pretexting attacks.

Anyone can begin to develop these skills by questioning how easily they trust, and why. Criminals prey on trust to steal credentials and cash and to reroute valuable deliveries. Businesses can develop protocols to limit these attacks, but it ultimately falls on individuals to recognize unusual behavior and have the confidence to investigate it. When in doubt about a text or email request, do not respond to it. Reach out to the source at a known phone number and verify the request.

Use multi-factor authentication.

You should be familiar with two-factor authentication, which sends a code to your phone or a verified email address to allow you to log in to services. You may be less familiar with multi-factor authentication, such as biometric logins on devices or apps that check for the presence of your phone before authorizing a financial transaction.

Whenever, and however, multi-factor authentication is offered, take advantage of it. This makes you a very hard target to hack, and shows criminals that you take cyber security seriously. When criminals discover that you have multi-factor authentication enabled, they may stop attempting to hack your accounts and stop sharing your credentials online.

Report successful hacks and data breaches to law enforcement.

Here are two things you must understand about cyber criminals: They want to avoid exposure and they talk to each other. When criminals successfully claim a ransom from a business, steal data, steal money or gain access to networks and systems, they share that information with other criminals in online forums. You may believe that failing to report a cyber crime keeps the knowledge of that crime between you and the hackers, but it does not. Hackers tell other hackers what they did, who you are and how you failed to alert anyone. That invites more hackers to attack you. To be a hard target, you must communicate as loudly as possible. Tell law enforcement. Tell professional associations. Tell colleagues at other organizations. Tell the press. Share everything you know about how you were hacked and how you responded. Cyber criminals do not want the publicity, and they do not want their methods compromised. In the best-case scenario, law enforcement may make an arrest, thwart a future attack or help you regain lost money. In most cases, you will simply be contributing to a shared knowledge base that makes it harder for criminals to operate.

A Hard Target Still Faces Two Types of Cyber Attacks

Making yourself a hard target will deter cyber criminals and reduce the amount of fraud you encounter. There are two additional categories of cyber attacks that you may face, depending on who you are and what you do.

  1. Spam attacks. Inexperienced and unskilled criminals still send mass emails claiming that you have inherited millions from a deceased prince, that your package cannot be delivered or that your account has been deactivated. You will also encounter browser takeovers online from time to time. As a hard target, you will know that these are very unsophisticated, broad-based attacks designed to catch the unwary. They are not targeted and they are not personal. If you have developed a healthy level of skepticism, you will find it easy to ignore them.
  2. Spear phishing and AI-powered attacks. Depending on what you do, where you work or whom you work with, you could be a high-value target for cyber criminals. You likely know if you fall into this category, and you should have received additional cyber security and anti-phishing training. The main question you need to ask is whether you are as vigilant in your personal cyber security as you are on the job, and whether you take steps to help your loved ones maintain good cyber habits. High-value targets are closely watched by cyber criminals, who may use sophisticated methods to attack your personal devices, or people you know, as a means of getting to you.

If you have a few minutes to work toward becoming a hard target, take our free E-Mail Safety Crash Course. Adapted from our comprehensive Cyber, Social, Identity Protection Certification program, this video module offers immediate steps you can take to thwart cyber attacks on any email platform, as well as advice on how to identify suspicious emails.

When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little to nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning, which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.

 

Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

New National Cybersecurity Policy Is a Step, Not a Solution

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. Both the Gramm-Leach-Bliley Act, which mandates protection of consumer financial data, and the California Consumer Privacy Act, which gives individuals the right to delete their data, as well as the European Union’s General Data Protection Act led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it. Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from “lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to their survey of 1,310 employees in mid 2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said they would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.

Cyber Insurance Companies Go to Court to Block Claims

Cyber insurance may not offer the protection you expect. In a case that has far-reaching implications for all policyholders, leading cyber insurance providers challenged a New Jersey court ruling ordering them to pay damages for the 2017 “NotPetya” attack that led to $1.4 billion in losses for pharmaceutical company Merck & Co, The Wall Street Journal reports.

Insurers claim that the attack is not covered because it was an act of war committed by a foreign adversary. U.S. government officials attributed NotPetya, a Windows ransomware attack that encrypts operating systems and data, to the Russian government. Insurance companies believe this triggers the “war exclusion” common to many types of insurance policies that blocks claims resulting from military action. Though written to cover damage from bullets and bombs, cyber insurance underwriters now seek to apply that exclusion to damage from state-sponsored cyber attacks.

Should insurers prevail, businesses of all sizes could find themselves without protection for any cyber attack attributed to a foreign government.

Read the Fine Print on Your Cyber Insurance Policy

Few insurance buyers take the time to fully read their policies, and fewer inquire about the extra coverage, which comes at a higher cost, that protects against uncommon risks. This can leave businesses vulnerable if they file a claim in the wake of a cyber attack.

Foreign adversaries may be the least of your cyber worries, but you should understand that a cyber policy is not guaranteed protection, but a relationship between your business and your insurer that demands certain actions on your part to keep the policy in effect. These inevitably include the following:

  1. You will take reasonable steps to secure your cyber infrastructure. This includes setting up secure systems, maintaining security certificates and updating software regularly to apply security patches. A recent attack that brought down servers worldwide took place because some users did not apply a security patch issued in February 2021. Those who failed to apply the patch could have their insurance claims denied.
  2. You will limit access to your systems to essential personnel. This includes password security as well as role-based authorizations. As a rule, employees should only have access to the systems and data they need to do their jobs. Shared passwords, poor password security or unchecked access to data could leave you paying out of pocket if you suffer a data breach.
  3. You will take steps to protect customer data. This includes how you collect data, how you transmit it online, how you store it and how long you retain it. Best practices vary depending on the type of data collected, with the strongest protections required for sensitive personal data such as credit card numbers and financial information.
  4. You will verify security with all third-party providers. This requires you to understand the security practices of your vendors and, in some cases, to get regular statements from them attesting to their cyber security. Vendors include your phone company, your Internet service provider, web hosts and software vendors. Expect a request for cyber security documentation from all vendors if you ever need to file a claim.
  5. You will train your employees in cyber security awareness and phishing protection. This requires annual or semiannual in-depth training on recognizing and stopping social engineering and phishing attacks. Your policy may mandate training within a certain period of time for all new employees, as well as regular refresher courses.

Know What Your Insurer Expects of You

If sitting down to untangle the language in your cyber policy is too daunting, speak to your insurance agent and ask for a full list of your responsibilities and the agent’s recommendations. Recognize that things like training and software updates are in your control, while natural disasters and acts of war are not. Insurance policies protect against everyday risks, not exceptional ones, but that protection is only available if you do your part to comply with your policy’s requirements.

A hack or data breach is stressful enough without worrying over whether your insurance policy covers the damage.

Protect Now provides Cyber, Social and Individual (CSI) Protection Certification, a cyber awareness training program that changes employee attitudes toward security by making data protection personal. This affordable program was built to serve businesses that have significant public interactions and need to protect their clients’ personal data. Learn more by calling us at 1-800-658-8311 or contacting us online.

Your New Year’s Resolutions for Cyber Security

The More You Make and Keep, the Stronger Your Cyber Security in 2023

Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?

These cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.

I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013, when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.

I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The strongest method sends a text message to your phone (already secured with a lock screen) with a link to click. Without access to your phone, criminals cannot use stolen passwords to log in. Links are better than plain-text codes, which may be visible on Android devices even while the screen is locked.

I will update my passwords every 3 months. The start of each new business quarter should bring new passwords. Google can be configured to require this on a schedule that you set. This is a best practice for email and all business systems. The advantage is obvious: Stolen passwords become useless once you change them. The more often you change them, the greater your cyber security. If keeping track of business and personal passwords is a challenge, consider using a password manager that centralizes all of your credentials. Good password managers require your main login to be updated regularly.

I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you must write passwords down to remember them, the safe way to store them is in a password-protected Excel spreadsheet. You will need to change that password a few times a year, and avoid writing it down anywhere.

I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.

I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.

I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions; any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.
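One way a bookkeeper could automate the statement review described above, as an added example that is not part of the original article. The transactions, vendors, employees, the 10-day reversal window and the $2.00 "small" limit are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    day: date
    counterparty: str
    amount: Decimal  # negative = debit, positive = credit


def reversed_debits(txns, window_days=10):
    """Pair each debit with a later credit of the same amount from the same counterparty."""
    ordered = sorted(txns, key=lambda t: (t.day, t.amount))  # debits first on a shared day
    pairs, used = [], set()
    for i, debit in enumerate(ordered):
        if debit.amount >= 0:
            continue
        for j in range(i + 1, len(ordered)):
            credit = ordered[j]
            if credit.day - debit.day > timedelta(days=window_days):
                break  # list is date-sorted, nothing later can fall inside the window
            if (j not in used and credit.amount == -debit.amount
                    and credit.counterparty.casefold() == debit.counterparty.casefold()):
                pairs.append((debit, credit))
                used.add(j)  # one credit can only cancel one debit
                break
    return pairs


def small_transactions(txns, limit=Decimal("2.00")):
    """Any movement at or below the limit, in either direction, goes on the review list."""
    return [t for t in txns if abs(t.amount) <= limit]


# Normalise contact details so cosmetic differences do not hide a match.
NORMALISERS = {
    "email": lambda s: s.strip().casefold(),
    "phone": lambda s: re.sub(r"\D", "", s)[-10:],          # last 10 digits, drops "+1"
    "address": lambda s: re.sub(r"[^a-z0-9]", "", s.casefold()),
}


def vendors_sharing_contact(vendors, employees):
    """Return (vendor, employee, [shared fields]) for vendors that share contact details with staff."""
    hits = []
    for v in vendors:
        for e in employees:
            shared = []
            for field, norm in NORMALISERS.items():
                value = norm(v.get(field, ""))
                if value and value == norm(e.get(field, "")):  # skip blank fields
                    shared.append(field)
            if shared:
                hits.append((v["name"], e["name"], shared))
    return hits


# Constructed sample data, not real accounts or people.
TXNS = [
    Txn(date(2023, 1, 3), "QuickPay Verify", Decimal("-1.00")),
    Txn(date(2023, 1, 4), "QuickPay Verify", Decimal("1.00")),
    Txn(date(2023, 1, 5), "Office Supply Co", Decimal("-412.80")),
    Txn(date(2023, 1, 9), "Office Supply Co", Decimal("412.80")),
    Txn(date(2023, 1, 12), "Metro Water", Decimal("-86.15")),
    Txn(date(2023, 1, 20), "Cloud Fonts", Decimal("-0.99")),
]
EMPLOYEES = [
    {"name": "J. Rivera", "email": "jrivera@example.com",
     "phone": "(555) 010-0142", "address": "12 Elm St., Apt 4"},
    {"name": "A. Chen", "email": "achen@example.com",
     "phone": "555-010-0177", "address": "90 Oak Ave"},
]
VENDORS = [
    {"name": "Brightline Consulting", "email": "billing@brightline.example",
     "phone": "+1 555 010 0142", "address": "PO Box 88"},
    {"name": "Metro Water", "email": "ar@metrowater.example",
     "phone": "555-010-0100", "address": "1 Utility Plaza"},
    {"name": "Elm Street Design", "email": "hello@elmdesign.example",
     "phone": "", "address": "12 elm st apt 4"},
]

if __name__ == "__main__":
    for debit, credit in reversed_debits(TXNS):
        print("debit later credited:", debit.counterparty, debit.amount, debit.day, "->", credit.day)
    for t in small_transactions(TXNS):
        print("small transaction:", t.counterparty, t.amount, t.day)
    for vendor, employee, fields in vendors_sharing_contact(VENDORS, EMPLOYEES):
        print("vendor shares", ", ".join(fields), "with employee:", vendor, "/", employee)
```

A flagged item is a prompt for a person to look at it, since legitimate account verifications and refunds produce the same pattern.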

I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data at risk; it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.

I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguard Rule in 2023, professional support is almost mandatory.

You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.

Good luck with all your New Year’s resolutions.

‘Tis the Season to Be Mindful

Don’t Wind Up on a Cyber Criminal’s Nice List

Amid the December maelstrom of planning, parties, shopping and activities lie more opportunities for cyber criminals than any other time of the year. The Grinches running scams like the holidays a lot because they know you have an above-average number of emails and online purchases flying around, because your schedule is packed and because there’s a greater level of personal activity around your workplace and your home. These are ripe conditions for your vigilance to slip, giving cyber criminals the opportunity they need to steal your money, your identity or business data.

Celebrate and savor the season, but keep these tips for cyber security in mind while you do.

Thwarting Cyber Criminals at Home

  • Never Click on Email Links.  Bogus links in spoofed emails are a favorite tactic for cyber criminals at the holidays. Chances are you are ordering more things online. You may be expecting statements or shipping details. You get an email in the evening, claiming to be from Amazon or UPS, and click on the link without thinking. At best, you get scammed for a few hundred dollars. At worst, you compromise your identity or allow a cyber criminal to install malware on your device. Always go to a website via a browser, not an email link, to verify order and shipping details. If you get a tracking number via email, copy it, go to the shipper’s website, and paste it into their package tracker. That will identify any attempts to trick you with phony shipping. You should also read up on a new scam targeting Pay Later users.
  • Leave your devices home for the holidays. If you plan to travel, or your holiday involves overnights at a hotel, a motel or a friend or family member’s home, leave every device with sensitive information at your home. You should never connect your devices to a public network at a hotel or someone else’s home. You have no way of knowing who else is connected, or if the connection is encrypted and secured.
  • Don’t let guests connect to your home network. This one is tough if you have friends or relatives staying with you, but you simply cannot allow guests in your home to access your Wi-Fi or wired home network. Familiar fraud is one consequence of too much generosity with your home password. You also run the risk of malware from a guest’s device infecting your network, either when they first log in or while they surf the web. If your guests must have access to email or the daily crossword, provide a device for them in a busy part of your home. Make sure that device has a password-protected login, and be sure to turn it off at night and when a majority of people are out.
  • Scan those tech gifts before you connect them. New phones, laptops, tablets and all USB devices should get an offline antivirus scan before they go online with your network. Be very wary of any USB memory stick or card given as a gift or brought by a well-meaning friend or relative, as malware infections on these devices are increasingly common.
  • Turn off Bluetooth and Wi-Fi discovery on your phone. Big holiday crowds at malls, airports and transit hubs attract cyber criminals, who blend quietly into the crowd looking for data to steal. Open Bluetooth connections and devices seeking Wi-Fi can wind up connecting to criminals with significant consequences. Bluetooth should always be off unless you have a specific need for it. Wi-Fi should be off in general unless you are on a trusted network at home or a secured connection at work.

Protect Against Cyber Criminals at Work

  • Never bring devices to the holiday party. Hats and coats aren’t the only things that disappear when the staff gathers to toast the year. Laptops loaded with customer data have disappeared from cabs and cloakrooms, leading to potential data breaches, expensive customer notification and monitoring campaigns and cyber security headaches.
  • Log off devices ahead of office parties. It can be tempting to hop up and run to say hello to a visiting co-worker or client, or to work right up to the start of a conference-room celebration, but that open device is an invitation to criminal activity. Always log out of devices before leaving your work area and power them off if you can. Threats to data and passwords can come from criminals who sneak into buildings, from visiting clients or from fellow employees.
  • Don’t hold the door for strangers. “Tailgating” is a tactic used by criminals to gain entrance to a secure area. These thieves will ask someone to hold the door, or try to slip in behind an employee before a door closes. During the holidays, tailgaters may pose as delivery people to access secure areas. Whenever you encounter someone you do not know at a door, bring them to the reception area.
  • Give your work devices a holiday break. Avoid traveling with work devices. If you must, leave them turned off and packed in a carry-on bag, never with luggage that will be checked. The best practice is to keep work devices at work during a vacation. The chances of device theft, information theft or malware attacks rise when you are away from the secure environment of your office.
  • Avoid shopping on work devices. It can be convenient to shop from and ship to the office, particularly if you’re trying to keep a gift a surprise or if your neighborhood is prone to porch piracy. Remember that cyber criminals use fake invoices, fake shipping notices and fake order updates, along with the usual assortment of fake gift card offers, to try and steal your personal information and login credentials. It can be challenging enough to spot the scams in your personal email account without adding that burden to your work emails. If your company allows it, shipping to your office is a good holiday option, but always order using your personal email.

Wherever the holidays find you, remember that cyber criminals are also hoping to find you. Trust your instincts. If something seems off to you, like a long-lost “friend” who starts sending holiday greetings via social media, or an email stating you missed a package delivery, find ways to verify without directly interacting with those emails, private messages or texts.

Personal security and device security are critical components of cyber security. Protect Now helps businesses and organizations manage cyber threats by making security personal to every individual. Contact us online to learn more about our services, including Virtual CISO, Dark Web Monitoring and cyber awareness training, or call us at 1-800-658-8311.

Cyber Warfare Is Here: Are You Prepared?

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try and take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korean or Russian agents coming for your small business.

It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Cyber warfare is far more sophisticated. It uses techniques and custom software designed to avoid detection and to prevent common methods of restoring system access. In less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that can give an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sow chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many businesses and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. The antivirus program will not stop a nation-state attacker, who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.