Corporate Cyber Security Leadership Is Lacking, Survey Finds

/in /by

With Cyber Security Awareness month set to kick off on October 1, a new survey finds that the boards of U.S. companies should pay attention. The Wall Street Journal reports that an analysis by software provider Diligent found 88% of companies listed on the S&P 500 have no directors who are cyber security experts.

The survey defined “experts” as those who had served as a Chief Information Security Officer (CISO) or who had technology experience, including those who had previously held senior roles in technology. The survey also found that 52% of companies had at least one member of the Board of Directors with technology experience “adjacent to cyber security.” NightDragon CEO Dave DeWalt, who commissioned the survey with Diligent, said, “This lack of momentum in the boardroom continues to startle me.”

Without Leadership, Cyber Security Will Continue to Fall Short

If 100% of companies listed on the S&P 500 use technology, 100% should have some cyber security expertise on their boards of directors. These boards exist to set company priorities and guide business growth. Without directors who understand the ever-evolving strategies and techniques used by cyber criminals, it is difficult to take their security measures seriously.

New Securities and Exchange Commission cyber attack reporting rules that went into effect on September 5, 2023, may push some companies to pay closer attention to online security. The rules are a step in the right direction, but they fall short in one regard: A provision that would have required companies to detail cyber security experience on their boards was dropped from the final regulations. The SEC dropped this provision amid complaints that a specific level of expertise was not defined in the rules, that an insufficient number of cyber security experts were available to hold director positions and that the requirement might limit diversity on company boards.

In other words, the Federal government backed off a sensible requirement because businesses said they could not find the right people. The gap in leadership starts with Federal regulators, then trickles down to the companies that face cyber threats.

Shareholders Must Take Notice

One benefit of the new SEC reporting rules is a requirement that publicly traded companies report cyber attacks and their impact on business activities. Shareholders should use this information to probe expertise and cyber awareness of the companies whose stock they hold. Effective immediately, a search of a company’s filings in the EDGAR Database will reveal the number and severity of recent cyber attacks for any publicly traded company. Companies that suffer repeated attacks, or that suffer easily preventable attacks, should be held to account on their security practices and training.

Shareholders have the right to question company leadership and to demand change if they feel threats are not adequately addressed. The SEC disclosure rule puts the needed information in shareholders’ hands, but it is only valuable if shareholders use it to demand accountability.

Not every company needs a CISO on its Board of Directors, but every company should strive to have at least one director with significant cyber experience who can evaluate threats and risks. When that expertise is not available, companies must outsource experienced support.

All too often, companies fail to take action until after a cyber attack occurs. Criminals know this and see U.S. businesses as ripe targets for data theft and ransomware extortion. Solving this problem requires every U.S. business to see security as more than occasional employee training and software updates. The larger the company, and the more it relies on technology, the more critical the need for a comprehensive cyber strategy.

Small businesses have a role to play as well, as they are part of the overall “threat surface” for their clients and partners. Many companies have received letters from partners in recent weeks asking about their security practices and protocols as publicly-traded companies ramp up their compliance. If you need help responding to these requests, please contact us online or call us at 1-800-658-8311.

When and How to Report a Cyber Attack Attempt

/in , , , , /by

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little no nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning. which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.

 

Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

Protect Now Clears First Step for Online Cyber Security Employee Training CE Accreditation

/in /by

Online cyber security employee training courses from Protect Now have been certified by the International Distance Education Certification Center (IDECC). This certification represents a critical step toward offering continuing education (CE) credits for licensed real estate professionals who take Protect Now’s Cyber Social Identity (CSI) Protection Certification courses online.

IDECC is an internationally recognized standards and certification body for online and distance education. More than 40 U.S. and Canadian jurisdictions require or endorse IDECC certification as a prerequisite for state and provincial CE accreditation.

“This is both a validation of the quality of our online training courses and an important step toward getting licensed professionals the cyber security training that they need,” said Robert Siciliano, co-founder and head of training for Protect Now.  “Our in-depth employee training enables licensed professionals to protect themselves, their clients and their businesses. As we gain CE eligibility, it becomes a professional benefit as well.”

In-person training and live virtual training seminars from Protect Now are already CE-eligible in 18 states, including Florida, New York and Texas, with the company adding additional accreditations on a regular basis as it works to provide a CE-eligible program throughout the United States. Protect Now’s eLearning classes cover the same material as their in-person sessions, using a series of self-directed videos that allow students to learn at their own pace.  In addition to convenience, the eLearning provides an affordable option for individuals and small businesses.

Once a student enrolls, they have lifetime access to the video library and its updates for future reference. Protect Now regularly reviews and updates its course content in response to shifting trends in cyber crime, while teaching students to recognize and apply the value they place on personal data protection in business settings.

“A few years ago, training focused on dangerous links sent in emails and texts, as well as phishing attacks,” Siciliano explained. “Now our students face far more sophisticated attacks involving fake websites and criminals who will call on the phone and directly engage to try and steal credentials or money. We constantly monitor the threats aimed at small and midsized businesses to ensure that we provide our students the skills they need to avoid cyber crime.”

With IDECC certification in hand, Protect Now is on its way for state-level CE accreditation for its online cyber security employee training in all 50 states. Announcements of eligibility will be made in the coming months.

About Protect Now

Led by noted cyber security speaker and expert Robert Siciliano, Protect Now provides in-person, virtual and online cyber security employee training that changes attitudes toward cyber security by making it personal. The company’s in-person CSI Protection Certification is CE eligible for real estate professionals in more than 18 states, with CE eligibility pending for its eLearning modules. To learn more or try a free online employee training class, visit protectnowllc.com.

New National Cybersecurity Policy Is a Step, Not a Solution

/0 Comments/in , /by

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. Both the Gramm-Leach-Billey Act, which mandates protection of consumer financial data, and the California Consumer Privacy Act, which gives individuals the right to delete their data, as well as the European Union’s General Data Protection Act led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it.  Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

/0 Comments/in , /by

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from :lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to their survey of 1,310 employees in mid 2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said the would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.

Feds Move Toward Mandatory Cybersecurity

/0 Comments/in /by

Mandatory cybersecurity is coming, according to details published by Slate of the Biden Administration’s National Cybersecurity Strategy now circulating in Washington. The document, which is expected to be approved in the coming weeks, details significant, meaningful changes in the way the United States approaches cybersecurity that every business owner needs to understand.

Mandatory Cybersecurity Is Coming to Some Sectors

Over the last few decades, as business owners know, cybersecurity has been voluntary. Business owners faced costly liability for failing to secure customer data, including the costs of credit monitoring and lawsuits, but there were no cybersecurity regulations or mandates. Government relied on conscience and customer pressure to convince business owners to do the right thing.

In recent years, the failure of the voluntary cybersecurity model has been plain. Cyber attacks have reached record highs each year. The most brazen attacks have gone after municipal government systems and what the Federal Government defines as “critical infrastructure”: pipelines, water supplies and electrical systems. The new guidelines present a direct response to the failure of voluntary compliance, and while their initial reach is limited, they point to a future of growing government oversight and regulation.

There are two main components to the Biden Administration plan:

  1. The United States Government will take direct action against cyber criminals. For the first time, offensive cyberattacks, conducted under the supervision of the FBI’s National Cyber Investigations Joint Task Force. Organizations that conduct repeated attacks against U.S. targets, or that attempt to infiltrate critical infrastructure will now face retaliation designed to degrade and destroy their capabilities. This is, essentially, a declaration of cyber war on hackers.
  2. Mandatory cybersecurity requirements will apply to organizations with critical infrastructure, including banking, utilities, telecommunications and emergency management. In areas where the Biden Administration lacks the authority to impose mandatory cybersecurity via an executive order, it is expected to seek Congressional authorization to do so.

Every U.S. Business Will Be Affected

The new U.S. government approach to cybersecurity reveals frustration at the current state of cybersecurity defenses. Although it will target critical infrastructure initially, these regulations will eventually impact any organization that conducts business online or uses the Internet for communications.

Directly and in the short term, any business that works with or supplies an organization subject to these rules will be required to follow them as well. Expect compliance with to be part of any service or sales contract for businesses that support, supply or collaborate with critical-infrastructure organizations. Law firms and managed service providers will be among those facing new regulations before the end of 2023.

Over the long term, the standards developed to protect critical infrastructure will be handed down to all businesses and likely enforced at the Federal level. Those standards are not currently known, but based on FTC Safeguards Rule compliance, they are likely to include end-to-end encryption of all data, regular employee training and penetration testing and restrictions on how and where data can be stored. Some level of certification or accreditation for cybersecurity oversight is also likely. Business owners in some sectors, including banking, mortgages and real estate appraisals, already must file compliance paperwork, along with third-party vendors who support these businesses. Those requirements will eventually extend to all businesses and will present particular problems for those who develop their own software, apps or websites.

Businesses must begin to prepare now for tighter cybersecurity regulations, which will fall into three categories:

  1. Hardened Infrastructure. All systems will need to be secured and all data will need to be encrypted. Passwords will need to be strong, and two-factor authentication is likely to become mandatory.
  2. Employee Training: Cyber security awareness and anti-phishing training will be required on an annual basis. Employee response testing may be a requirement as well.
  3. Breach Monitoring and Response: Businesses will be required to monitor for data loss and intrusions, and to have written policies to respond to cyber attacks, which will include notification requirements both for law enforcement and customers.

By taking a comprehensive approach to cybersecurity now, businesses will find it easy to pivot to any new mandatory cybersecurity requirements. Businesses that already have some level of security in place may find it helpful to employ a Virtual CISO to review threat readiness and compliance, if only to establish a relationship with a cybersecurity professional in the event that new regulations require one.

Protect Now provides complete cybersecurity training and compliance support for small- and mid-sized businesses, specializing in the real estate, legal, managed hosting and municipal sectors. Our services can be customized to meet your specific needs and to work with legacy systems and decentralized operating environments. Contact us online or call us at 1-800-658-8311 to speak to a cybersecurity professional.

Let’s Be Honest About SMB Cybersecurity Risks

/0 Comments/in /by

There is a disconnect between the reality of small- and mid-sized business (SMB) cybersecurity risks, the way SMBs think about them and the services that cyber security companies offer. This disconnect is most obvious for law firms and real estate agencies that may have office WiFi, or even a cloud-based server, but that lack central IT and cybersecurity support.

Everyone at the firm or agency has their own laptop. They likely use their own devices for work at home. They use their own phones at all hours of the day to conduct business. If this describes your SMB, then this cybersecurity guidance is for you.

Let’s start by dispelling the biggest SMB cybersecurity myth:

SMBs Face Lower Cybersecurity Risks

You run a small firm or agency. You have no custom code or central client database loaded with credit cards or passwords for criminals to steal. No one would bother to target you.

This is at once true and untrue, and this is the largest source of the disconnect between SMBs and cybersecurity firms. The attacks that make headlines involve the theft of tens of thousands of customer records, or disrupt operations that impact thousands of customers. It is true that the cyber criminals and state-sponsored attackers who commit these crimes are very unlikely to target a single-office law firm or a Main Street real estate agency.

But those crimes are just the tip of the iceberg. The most recent report from the Anti-Phishing Working Group (APWG) documented 1,270,883 phishing attacks in the third quarter of 2022, the third quarter in a row to see a record number of these attacks. The report also revealed that U.S. businesses are the most frequently targeted by ransomware attacks and are nearly five times more likely to report one, accounting for 39% of all attacks reported. England and France tied for the second-most targeted, with 5% of ransomware attacks each.

Legal services accounted for 5% of ransomware attacks in the third quarter of 2022. These attacks happen because the majority of criminals are simply trolling for easy targets. If you have a website, if you have a Linkedin presence, if you have a social media profile that identifies what you do, you are a target.

IT Providers Protect Online Systems

A firewall is not sufficient cyber security, and even the best protection can fall to a basic phishing attack. Law firms, real estate appraisers, small insurance agencies and real estate professionals are uniquely vulnerable to phishing because employees deal directly with a large number of clients on an irregular schedule. Opening attachments, handling sensitive information and responding to emails are all part of the job. Amid a flood of emails, it is easy to click the wrong link or respond to the wrong address. Criminals know this, and low-level cyber criminals target small firms and agencies looking for vulnerabilities.

Your IT provider may do a good job of keeping your systems running, protected and patched, but they likely do not provide ongoing anti-phishing training and simulated attacks that improve awareness. Without regular training and reinforcement, you are vulnerable to an attack.

Cyber security also does little to prevent Business Email Compromise (BEC) attacks, where criminals impersonate your employees or clients in an attempt to steal money. Vigilance is the only way to thwart these criminals.

Law Enforcement/Our Insurance Company Will Protect Us

Anyone who has been a victim of a low-level cyber attack will tell you that there is little to nothing that law enforcement can do. Local police, even state police and the FBI have little authority to prosecute extrajudicial crimes launched from overseas. In most cases, they lack the ability or resources to properly investigate low-level cyber crimes. You will be told to pay the ransom or write off the monetary loss. They will collect details on the crime, and some day years from now you may get a tiny fraction of restitution. None of that will get your systems running again or repair the reputational damage a cyber attack can cause.

Insurance may cover your losses, but only if you are in full compliance with the terms of your cyber liability insurance policy. You may be required to have a CISO overseeing your systems, or to provide regular cyber security training to file a claim.

SMBs Have Limited Liability for Cyber Attacks

This situation is changing. Between the expansion of the FTC Safeguards Rule, which mandates SMB cybersecurity for any business defined as a “financial institution” by the Federal government, to the suspension of a municipal IT director to government sanctions against the CEO of Drizly. regulators are placing a far greater burden for strong cyber security on employees and business owners. This situation is similar to the fallout from the Enron scandal, which led Federal regulators to require executives and CPAs to sign off on all financial reports under the penalty of fines or prison time if they knowingly misrepresented results.

A similar trend is taking shape around cyber security. Faced with growing complaints from cyber crime victims, the U.S. government is placing the burden of developing and following best practices on the shoulders of business owners, with no exception for SMBs.

Existing Cyber Security Solutions Are Unaffordable

This is the last major disconnect in SMB cybersecurity. The online conversation is driven by big firms that serve big clients, leaving a gap for SMBs that lack full-time CISOs or centralized systems. In some cases, the services offered are incompatible with the way small firms operate. You may not have the ability or employee support to restrict the use of devices, manage all communications through a central source or send the staff off for a week of training.

A cursory search of the options available can be disheartening, especially for SMBs that know they need help but have no idea where to begin. Protect Now exists to fill this gap. We built our business around the cyber security needs of real estate agencies and financial services providers, helping small and mid-sized firms get the training and support they need to conduct business efficiently and safely. We welcome all SMB cybersecurity enquiries and can tailor a program to meet the specific needs of your business. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.

Your New Year’s Resolutions for Cyber Security

/0 Comments/in , /by

The More You Make and Keep, the Stronger Your Cyber Security in 2023

Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?

Your New Year’s Resolutions for Cyber SecurityThese cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.

I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013,when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.

I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The strongest method sends a text message to your phone (already secured with a lock screen) link to click. Without access to your phone, criminals cannot use stolen passwords to log in. Links are better than plain-text codes, which may be visible on Android devices even while the screen is locked.

I will update my passwords every 3 months. The start of each new business quarter should bring new passwords. Google can be configured to require this on a schedule that you set. This is a best practice for email and all business systems. The advantage is obvious: Stolen passwords become useless once you change them. The more often you change them, the greater your cyber security. If keeping track of business and personal passwords is a challenge, consider using a password manager that centralizes all of your credentials. Good password managers require your main login to be updated regularly.

I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you must write passwords down to remember them, the safe way to store them is in a password-protected Excel spreadsheet. You will need to change that password a few times a year, and avoid writing it down anywhere.

I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.

I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.

I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions; any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.

I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data at risk, it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.

I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguard Rule in 2023, professional support is almost mandatory.

You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.

Good luck with all your New Year’s resolutions.

‘Tis the Season to Be Mindful

/0 Comments/in , , /by

Don’t Wind Up on a Cyber Criminal’s Nice List

Amid the December maelstrom of planning, parties, shopping and activities lie more opportunities for cyber criminals than any other time of the year. The Grinches running scams like the holidays a lot because they know you have an above-average number of emails and online purchases flying around, because your schedule is packed and because there’s a greater level of personal activity around your workplace and your home. These are ripe conditions for your vigilance to slip, giving cyber criminals the opportunity they need to steal your money, your identity or business data.

Celebrate and savor the season, but keep these tips for cyber security in mind while you do.

Thwarting Cyber Criminals at Home

  • Never Click on Email Links.  Bogus links in spoofed emails are a favorite tactic for cyber criminals at the holidays. Chances are you are ordering more things online. You may be expecting statements or shipping details. You get an email in the evening, claiming to be from Amazon or UPS, and click on the link without thinking. At best, you get scammed for a few hundred dollars. At worst, you compromise your identity or allow a cyber criminal to install malware on your device. Always go to a website via a browser, not an email link, to verify order and shipping details. If you get a tracking number via email, copy it, go to the shipper’s website, and paste it into their package tracker. That will identify any attempts to trick you with phony shipping. You should also read up on a new scam targeting Pay Later users.
  • Leave your devices home for the holidays. If you plan to travel, or your holiday involves overnights at a hotel, a motel or a friend or family member’s home, leave every device with sensitive information at your home. You should never connect your devices to a public network at a hotel or someone else’s home. You have no way of knowing who else is connected, or if the connection is encrypted and secured
  • Don’t let guests connect to your home network. This one is tough if you have friends or relatives staying with you, but you simply cannot allow guests in your home to access your Wi-Fi or wired home network. Familiar fraud is one consequence of too much generosity with your home password. You also run the risk of malware from a guest’s device infecting your network, either when they first log in or while they surf the web. If your guests must have access to email or the daily crossword, provide a device for them in a busy part of your home. Make sure that device has a password-protected login, and be sure to turn it off at night and when a majority of people are out.
  • Scan those tech gifts before you connect them. New phones, laptops, tablets and all USB devices should get an offline antivirus scan before they go online with your network. Be very wary of any USB memory stick or card given as a gift or brought by a well-meaning friend or relative, as malware infections on these devices are increasingly common.
  • Turn off Bluetooth and Wi-Fi discovery on your phone. Big holiday crowds at malls, airports and transit hubs attract cyber criminals, who blend quietly into the crowd looking for data to steal. Open Bluetooth connections and devices seeking Wi-Fi can wind up connecting to criminals with significant consequences. Bluetooth should always be off unless you have a specific need for it. Wi-Fi should be off in general unless you are on a trusted network at home or a secured connection at work.

Protect Against Cyber Criminals at Work

  • Never bring devices to the holiday party. Hats and coats aren’t the only things that disappear when the staff gathers to toast the year. Laptops loaded with customer data have disappeared from cabs and cloakrooms, leading to potential data breaches, expensive customer notification and monitoring campaigns and cyber security headaches.
  • Log off devices ahead of office parties. It can be tempting to hop up and run to say hello to a visiting co-worker or client, or to work right up to the start of a conference-room celebration, but that open device is an invitation to criminal activity. Always log out of devices before leaving your work area and power them off if you can. Threats to data and passwords can come from criminals who sneak into buildings, from visiting clients or from fellow employees.
  • Don’t hold the door for strangers. “Tailgating” is a tactic used by criminals to gain entrance to a secure area. These thieves will ask someone to hold the door, or try to slip in behind an employee before a door closes. During the holidays, tailgaters may pose as delivery people to access secure areas. Whenever you encounter someone you do not know at a door, bring them to the reception area.
  • Give your work devices a holiday break. Avoid traveling with work devices. If you must, leave them turned off and packed in a carry-on bag, never with luggage that will be checked. The best practice is to keep work devices at work during a vacation. The chances of device theft, information theft or malware attacks rise when you are away from the secure environment of your office.
  • Avoid shopping on work devices. It can be convenient to shop from and ship to the office, particularly if you’re trying to keep a gift a surprise or if your neighborhood is prone to porch piracy. Remember that cyber criminals use fake invoices, fake shipping notices and fake order updates, along with the usual assortment of fake gift card offers, to try and steal your personal information and login credentials. It can be challenging enough to spot the scams in your personal email account without adding that burden to your work emails. If your company allows it, shipping to your office is a good holiday option, but always order using your personal email.

Wherever the holidays find you, remember that cyber criminals are also hoping to find you. Trust your instincts. If something seems off to you, like a long-lost “friend” who starts sending holiday greetings via social media, or an email stating you missed a package delivery, find ways to verify without directly interacting with those emails, private messages or texts.

Personal security and device security are critical components of cyber security. Protect Now helps businesses and organizations manage cyber threats by making security personal to every individual. Contact us online to learn more about our services, including Virtual CISO, Dark Web Monitoring and cyber awareness training, or call us at 1-800-658-8311.

Cyber Warfare Is Here: Are You Prepared?

/0 Comments/in , /by

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try and take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korea or Russian agents coming for your small business.

Cyber Warfare Is Here: Are You Prepared?It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Cyber warfare is far more sophisticated. It uses techniques and custom-designed software designed to avoid detection, and to prevent common methods of restoring system access. In less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that can give an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sew chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many business and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. The antivirus program will not stop a nation-state attacker, who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.