New National Cybersecurity Policy Is a Step, Not a Solution

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. Both the Gramm-Leach-Billey Act, which mandates protection of consumer financial data, and the California Consumer Privacy Act, which gives individuals the right to delete their data, as well as the European Union’s General Data Protection Act led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it.  Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from :lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to their survey of 1,310 employees in mid 2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said the would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.

Feds Move Toward Mandatory Cybersecurity

Mandatory cybersecurity is coming, according to details published by Slate of the Biden Administration’s National Cybersecurity Strategy now circulating in Washington. The document, which is expected to be approved in the coming weeks, details significant, meaningful changes in the way the United States approaches cybersecurity that every business owner needs to understand.

Mandatory Cybersecurity Is Coming to Some Sectors

Over the last few decades, as business owners know, cybersecurity has been voluntary. Business owners faced costly liability for failing to secure customer data, including the costs of credit monitoring and lawsuits, but there were no cybersecurity regulations or mandates. Government relied on conscience and customer pressure to convince business owners to do the right thing.

In recent years, the failure of the voluntary cybersecurity model has been plain. Cyber attacks have reached record highs each year. The most brazen attacks have gone after municipal government systems and what the Federal Government defines as “critical infrastructure”: pipelines, water supplies and electrical systems. The new guidelines present a direct response to the failure of voluntary compliance, and while their initial reach is limited, they point to a future of growing government oversight and regulation.

There are two main components to the Biden Administration plan:

  1. The United States Government will take direct action against cyber criminals. For the first time, offensive cyberattacks, conducted under the supervision of the FBI’s National Cyber Investigations Joint Task Force. Organizations that conduct repeated attacks against U.S. targets, or that attempt to infiltrate critical infrastructure will now face retaliation designed to degrade and destroy their capabilities. This is, essentially, a declaration of cyber war on hackers.
  2. Mandatory cybersecurity requirements will apply to organizations with critical infrastructure, including banking, utilities, telecommunications and emergency management. In areas where the Biden Administration lacks the authority to impose mandatory cybersecurity via an executive order, it is expected to seek Congressional authorization to do so.

Every U.S. Business Will Be Affected

The new U.S. government approach to cybersecurity reveals frustration at the current state of cybersecurity defenses. Although it will target critical infrastructure initially, these regulations will eventually impact any organization that conducts business online or uses the Internet for communications.

Directly and in the short term, any business that works with or supplies an organization subject to these rules will be required to follow them as well. Expect compliance with to be part of any service or sales contract for businesses that support, supply or collaborate with critical-infrastructure organizations. Law firms and managed service providers will be among those facing new regulations before the end of 2023.

Over the long term, the standards developed to protect critical infrastructure will be handed down to all businesses and likely enforced at the Federal level. Those standards are not currently known, but based on FTC Safeguards Rule compliance, they are likely to include end-to-end encryption of all data, regular employee training and penetration testing and restrictions on how and where data can be stored. Some level of certification or accreditation for cybersecurity oversight is also likely. Business owners in some sectors, including banking, mortgages and real estate appraisals, already must file compliance paperwork, along with third-party vendors who support these businesses. Those requirements will eventually extend to all businesses and will present particular problems for those who develop their own software, apps or websites.

Businesses must begin to prepare now for tighter cybersecurity regulations, which will fall into three categories:

  1. Hardened Infrastructure. All systems will need to be secured and all data will need to be encrypted. Passwords will need to be strong, and two-factor authentication is likely to become mandatory.
  2. Employee Training: Cyber security awareness and anti-phishing training will be required on an annual basis. Employee response testing may be a requirement as well.
  3. Breach Monitoring and Response: Businesses will be required to monitor for data loss and intrusions, and to have written policies to respond to cyber attacks, which will include notification requirements both for law enforcement and customers.

By taking a comprehensive approach to cybersecurity now, businesses will find it easy to pivot to any new mandatory cybersecurity requirements. Businesses that already have some level of security in place may find it helpful to employ a Virtual CISO to review threat readiness and compliance, if only to establish a relationship with a cybersecurity professional in the event that new regulations require one.

Protect Now provides complete cybersecurity training and compliance support for small- and mid-sized businesses, specializing in the real estate, legal, managed hosting and municipal sectors. Our services can be customized to meet your specific needs and to work with legacy systems and decentralized operating environments. Contact us online or call us at 1-800-658-8311 to speak to a cybersecurity professional.

Let’s Be Honest About SMB Cybersecurity Risks

There is a disconnect between the reality of small- and mid-sized business (SMB) cybersecurity risks, the way SMBs think about them and the services that cyber security companies offer. This disconnect is most obvious for law firms and real estate agencies that may have office WiFi, or even a cloud-based server, but that lack central IT and cybersecurity support.

Everyone at the firm or agency has their own laptop. They likely use their own devices for work at home. They use their own phones at all hours of the day to conduct business. If this describes your SMB, then this cybersecurity guidance is for you.

Let’s start by dispelling the biggest SMB cybersecurity myth:

SMBs Face Lower Cybersecurity Risks

You run a small firm or agency. You have no custom code or central client database loaded with credit cards or passwords for criminals to steal. No one would bother to target you.

This is at once true and untrue, and this is the largest source of the disconnect between SMBs and cybersecurity firms. The attacks that make headlines involve the theft of tens of thousands of customer records, or disrupt operations that impact thousands of customers. It is true that the cyber criminals and state-sponsored attackers who commit these crimes are very unlikely to target a single-office law firm or a Main Street real estate agency.

But those crimes are just the tip of the iceberg. The most recent report from the Anti-Phishing Working Group (APWG) documented 1,270,883 phishing attacks in the third quarter of 2022, the third quarter in a row to see a record number of these attacks. The report also revealed that U.S. businesses are the most frequently targeted by ransomware attacks and are nearly five times more likely to report one, accounting for 39% of all attacks reported. England and France tied for the second-most targeted, with 5% of ransomware attacks each.

Legal services accounted for 5% of ransomware attacks in the third quarter of 2022. These attacks happen because the majority of criminals are simply trolling for easy targets. If you have a website, if you have a Linkedin presence, if you have a social media profile that identifies what you do, you are a target.

IT Providers Protect Online Systems

A firewall is not sufficient cyber security, and even the best protection can fall to a basic phishing attack. Law firms, real estate appraisers, small insurance agencies and real estate professionals are uniquely vulnerable to phishing because employees deal directly with a large number of clients on an irregular schedule. Opening attachments, handling sensitive information and responding to emails are all part of the job. Amid a flood of emails, it is easy to click the wrong link or respond to the wrong address. Criminals know this, and low-level cyber criminals target small firms and agencies looking for vulnerabilities.

Your IT provider may do a good job of keeping your systems running, protected and patched, but they likely do not provide ongoing anti-phishing training and simulated attacks that improve awareness. Without regular training and reinforcement, you are vulnerable to an attack.

Cyber security also does little to prevent Business Email Compromise (BEC) attacks, where criminals impersonate your employees or clients in an attempt to steal money. Vigilance is the only way to thwart these criminals.

Law Enforcement/Our Insurance Company Will Protect Us

Anyone who has been a victim of a low-level cyber attack will tell you that there is little to nothing that law enforcement can do. Local police, even state police and the FBI have little authority to prosecute extrajudicial crimes launched from overseas. In most cases, they lack the ability or resources to properly investigate low-level cyber crimes. You will be told to pay the ransom or write off the monetary loss. They will collect details on the crime, and some day years from now you may get a tiny fraction of restitution. None of that will get your systems running again or repair the reputational damage a cyber attack can cause.

Insurance may cover your losses, but only if you are in full compliance with the terms of your cyber liability insurance policy. You may be required to have a CISO overseeing your systems, or to provide regular cyber security training to file a claim.

SMBs Have Limited Liability for Cyber Attacks

This situation is changing. Between the expansion of the FTC Safeguards Rule, which mandates SMB cybersecurity for any business defined as a “financial institution” by the Federal government, to the suspension of a municipal IT director to government sanctions against the CEO of Drizly. regulators are placing a far greater burden for strong cyber security on employees and business owners. This situation is similar to the fallout from the Enron scandal, which led Federal regulators to require executives and CPAs to sign off on all financial reports under the penalty of fines or prison time if they knowingly misrepresented results.

A similar trend is taking shape around cyber security. Faced with growing complaints from cyber crime victims, the U.S. government is placing the burden of developing and following best practices on the shoulders of business owners, with no exception for SMBs.

Existing Cyber Security Solutions Are Unaffordable

This is the last major disconnect in SMB cybersecurity. The online conversation is driven by big firms that serve big clients, leaving a gap for SMBs that lack full-time CISOs or centralized systems. In some cases, the services offered are incompatible with the way small firms operate. You may not have the ability or employee support to restrict the use of devices, manage all communications through a central source or send the staff off for a week of training.

A cursory search of the options available can be disheartening, especially for SMBs that know they need help but have no idea where to begin. Protect Now exists to fill this gap. We built our business around the cyber security needs of real estate agencies and financial services providers, helping small and mid-sized firms get the training and support they need to conduct business efficiently and safely. We welcome all SMB cybersecurity enquiries and can tailor a program to meet the specific needs of your business. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.

Your New Year’s Resolutions for Cyber Security

The More You Make and Keep, the Stronger Your Cyber Security in 2023

Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?

Your New Year’s Resolutions for Cyber SecurityThese cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.

I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013,when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.

I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The strongest method sends a text message to your phone (already secured with a lock screen) link to click. Without access to your phone, criminals cannot use stolen passwords to log in. Links are better than plain-text codes, which may be visible on Android devices even while the screen is locked.

I will update my passwords every 3 months. The start of each new business quarter should bring new passwords. Google can be configured to require this on a schedule that you set. This is a best practice for email and all business systems. The advantage is obvious: Stolen passwords become useless once you change them. The more often you change them, the greater your cyber security. If keeping track of business and personal passwords is a challenge, consider using a password manager that centralizes all of your credentials. Good password managers require your main login to be updated regularly.

I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you must write passwords down to remember them, the safe way to store them is in a password-protected Excel spreadsheet. You will need to change that password a few times a year, and avoid writing it down anywhere.

I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.

I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.

I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions; any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.

I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data at risk, it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.

I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguard Rule in 2023, professional support is almost mandatory.

You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.

Good luck with all your New Year’s resolutions.

‘Tis the Season to Be Mindful

Don’t Wind Up on a Cyber Criminal’s Nice List

Amid the December maelstrom of planning, parties, shopping and activities lie more opportunities for cyber criminals than any other time of the year. The Grinches running scams like the holidays a lot because they know you have an above-average number of emails and online purchases flying around, because your schedule is packed and because there’s a greater level of personal activity around your workplace and your home. These are ripe conditions for your vigilance to slip, giving cyber criminals the opportunity they need to steal your money, your identity or business data.

Celebrate and savor the season, but keep these tips for cyber security in mind while you do.

Thwarting Cyber Criminals at Home

  • Never Click on Email Links.  Bogus links in spoofed emails are a favorite tactic for cyber criminals at the holidays. Chances are you are ordering more things online. You may be expecting statements or shipping details. You get an email in the evening, claiming to be from Amazon or UPS, and click on the link without thinking. At best, you get scammed for a few hundred dollars. At worst, you compromise your identity or allow a cyber criminal to install malware on your device. Always go to a website via a browser, not an email link, to verify order and shipping details. If you get a tracking number via email, copy it, go to the shipper’s website, and paste it into their package tracker. That will identify any attempts to trick you with phony shipping. You should also read up on a new scam targeting Pay Later users.
  • Leave your devices home for the holidays. If you plan to travel, or your holiday involves overnights at a hotel, a motel or a friend or family member’s home, leave every device with sensitive information at your home. You should never connect your devices to a public network at a hotel or someone else’s home. You have no way of knowing who else is connected, or if the connection is encrypted and secured
  • Don’t let guests connect to your home network. This one is tough if you have friends or relatives staying with you, but you simply cannot allow guests in your home to access your Wi-Fi or wired home network. Familiar fraud is one consequence of too much generosity with your home password. You also run the risk of malware from a guest’s device infecting your network, either when they first log in or while they surf the web. If your guests must have access to email or the daily crossword, provide a device for them in a busy part of your home. Make sure that device has a password-protected login, and be sure to turn it off at night and when a majority of people are out.
  • Scan those tech gifts before you connect them. New phones, laptops, tablets and all USB devices should get an offline antivirus scan before they go online with your network. Be very wary of any USB memory stick or card given as a gift or brought by a well-meaning friend or relative, as malware infections on these devices are increasingly common.
  • Turn off Bluetooth and Wi-Fi discovery on your phone. Big holiday crowds at malls, airports and transit hubs attract cyber criminals, who blend quietly into the crowd looking for data to steal. Open Bluetooth connections and devices seeking Wi-Fi can wind up connecting to criminals with significant consequences. Bluetooth should always be off unless you have a specific need for it. Wi-Fi should be off in general unless you are on a trusted network at home or a secured connection at work.

Protect Against Cyber Criminals at Work

  • Never bring devices to the holiday party. Hats and coats aren’t the only things that disappear when the staff gathers to toast the year. Laptops loaded with customer data have disappeared from cabs and cloakrooms, leading to potential data breaches, expensive customer notification and monitoring campaigns and cyber security headaches.
  • Log off devices ahead of office parties. It can be tempting to hop up and run to say hello to a visiting co-worker or client, or to work right up to the start of a conference-room celebration, but that open device is an invitation to criminal activity. Always log out of devices before leaving your work area and power them off if you can. Threats to data and passwords can come from criminals who sneak into buildings, from visiting clients or from fellow employees.
  • Don’t hold the door for strangers. “Tailgating” is a tactic used by criminals to gain entrance to a secure area. These thieves will ask someone to hold the door, or try to slip in behind an employee before a door closes. During the holidays, tailgaters may pose as delivery people to access secure areas. Whenever you encounter someone you do not know at a door, bring them to the reception area.
  • Give your work devices a holiday break. Avoid traveling with work devices. If you must, leave them turned off and packed in a carry-on bag, never with luggage that will be checked. The best practice is to keep work devices at work during a vacation. The chances of device theft, information theft or malware attacks rise when you are away from the secure environment of your office.
  • Avoid shopping on work devices. It can be convenient to shop from and ship to the office, particularly if you’re trying to keep a gift a surprise or if your neighborhood is prone to porch piracy. Remember that cyber criminals use fake invoices, fake shipping notices and fake order updates, along with the usual assortment of fake gift card offers, to try and steal your personal information and login credentials. It can be challenging enough to spot the scams in your personal email account without adding that burden to your work emails. If your company allows it, shipping to your office is a good holiday option, but always order using your personal email.

Wherever the holidays find you, remember that cyber criminals are also hoping to find you. Trust your instincts. If something seems off to you, like a long-lost “friend” who starts sending holiday greetings via social media, or an email stating you missed a package delivery, find ways to verify without directly interacting with those emails, private messages or texts.

Personal security and device security are critical components of cyber security. Protect Now helps businesses and organizations manage cyber threats by making security personal to every individual. Contact us online to learn more about our services, including Virtual CISO, Dark Web Monitoring and cyber awareness training, or call us at 1-800-658-8311.

Cyber Warfare Is Here: Are You Prepared?

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try and take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korea or Russian agents coming for your small business.

Cyber Warfare Is Here: Are You Prepared?It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Cyber warfare is far more sophisticated. It uses techniques and custom-designed software designed to avoid detection, and to prevent common methods of restoring system access. In less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that can give an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sew chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many business and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. The antivirus program will not stop a nation-state attacker, who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.

The Tricks Behind the Clicks: Cyber Scams and Psychology

What is it that makes people fall for scams? Cybercrime is as hot as ever, with new and more creative scams popping up all the time. There is plenty of focus on spotting scams, but less so on what makes people miss the signs.

The Tricks Behind the Clicks: Cyber Scams and PsychologyMartina Dove, Ph.D., is a senior UX researcher at Tripwire and an expert in fraud psychology. Her research into the brain’s reaction to cyber scams and how the human mind operates when presented with a scam makes for an interesting read. On top of this, it also takes a look at fraud, and how susceptible we are to it, and it does this by using Dove’s own model.

Cybercrime from a Psychological Standpoint 

Discussions around cyber security often center on the technical aspects of security and data protection for businesses and people’s personal lives. New gadgets, devices, controls, and defenses are constantly circulating- which helps the fight to fortify our information and secure the confusing and tricky online environment.

Trust is a fundamental human trait. Humans trust by default. Scammers capitalize on this knowing that people look at life and scams and trust first, and scrutinize later. The hard part is how we can best keep ourselves, and our minds, safe against scams and where the holes might lie. The fundamental psychology behind the cybercrime mentality is underexplored, and so far, discussions often go no further than scratching the surface.

This is surprising, considering that it has such huge impact on what motivates people on either side of a scam. According to the latest Verizon Data Breach Investigations Report (DBIR)social engineering is the most common type of attack in regard to cybercrimes.

The psychological elements of how phishing emails are presented, the power of persuasion, and what makes people fall for scams are all important to really understand how things work and ultimately how to avoid becoming a victim.

Martina Dove’s Research into Fraud Psychology and Scams 

Few people have provided quite as much insight into this topic as Dove. Having specialized in fraud psychology, Dove became particularly interested in the concept of gullibility when pursuing her master’s degree and ultimately decided to carry it through into her Ph.D.

In an interview with Tim Erlin of Tripwire, Dove said that she had always been interested in the idea of gullibility, which is what makes a person gullible- and what it really means to be a gullible person. After reading an article published by two psychology researchers who were exploring the tricks and techniques used by scammers (particularly in phishing emails), Dove decided to drive her own studies down a similar route, diving deeper into the human psyche and scam vulnerability.

The main point of this research is a fraud susceptibility model that looks at the ins and outs of what puts a person at risk on a psychological level of falling victim to spam, scams, and phishing.

According to Dove, it was not her intention to create a model when she first started- the research naturally took her in that direction as she uncovered more fascinating theories about persuasive techniques, thought processing, and personalities that may influence how people react to these attacks.

Martina Dove’s Ph.D. research has also been turned into a book called The Psychology of Fraud, Persuasion, and Scam Techniques, which is available on Amazon.

The Fraud Susceptibility Model 

The research that ultimately led to the model in Dove’s book started as a questionnaire designed to build a “measurable scale of fraud vulnerability.” It was scorable, with the answers determining what areas of a person’s personality put them at risk.

After a series of tests and experimental studies, along with expert analysis and validation, the model just created itself. Dove explained that some factors that influence susceptibility could actually be mapped and used to predict a person’s natural reaction when faced with a fraudulent situation. The fraud psychology expert also went on to describe how the model is used to determine compliance and the reasons behind it, as well as how people strategize after they realize they have been victimized.

It looks into the characteristics that leave a person most susceptible at each stage of a scam.

1.   Precursors

How do personal circumstances- emotional, social, financial, etc. – influence how we react to fraud? Does our demographic play a role? Our family situations? Essentially, how great an impact do our social surroundings and everything that comes with them have on our ability to identify and avoid scams?

2.   Engagement with scammers

Once a person is on the hook, what techniques does the scammer use, and how do personal character traits change how we respond? What types of persuasion works best on different personalities, and how do scammers identify and exploit these vulnerabilities?

3.   Dealing with victimization

Dove’s model explores the conscious versus unconscious decision-making processes that occur when people deal with phishing emails and other fraudulent communications- and after they realize they have been fooled. How do people accept what happened, and how does it impact their behaviors?

Throughout her research, Dove shares examples of circumstances and characteristics that can make people more or less susceptible.

  • Group mentality: Someone who is highly concerned with being part of a group and uncomfortable going against the status quo may ignore signals of uncertainty and doubt if others disagree.
  • Compliance: Naturally compliant individuals are hardwired to follow instructions. Scams prey on this, hoping that the ‘no questions asked’ mentality is enough to make a person adhere to requests.
  • Impulse: Impulsive people are less likely to take time to assess a situation and take the necessary steps to confirm a source or authenticity. Those who tend to favor fast decision-making over meticulous processes are more likely to become fraud victims.
  • Belief in justice: It may sound strange, but people who believe criminals will get caught and that bad things don’t happen to good people are vulnerable. Because they don’t see these things as pressing threats, they may overlook obvious signs. The naivety that says, “this won’t happen to me- I am a good person,” is potentially dangerous.
  • Background knowledge and self-evaluation: How much a person knows- or thinks they know- about cyber security can be a hindrance. People assume that their understanding of how scams work and what to look out for will protect them from becoming victims. This is, to a point, true, but it can also make people complacent. Being an expert in a field doesn’t disqualify a person from falling victim to targeted fraudulent communication.
  • Reliance on authority and social confirmation: If someone is particularly concerned with what others think, they may be at more risk. Authority-driven individuals may make decisions based on the belief it is a request from a superior, and socially-driven people may go along with something because of influence from friends or family.
  • A general predisposition to scams: According to a study published via ScienceDirect, some people are just prone to fraud because of their engagement levels. Everything about them may suggest otherwise, but they have something in them that makes them more likely to go along with a scam.

Examples of Scams and Victim Profiles 

Here are two examples of scams and the types of psychological profiles they are likely to target. 

  • Business Email Compromise Scam: The basis of this type of scam is a boss or member of management emailing an employee asking for urgent funds. It preys on qualities such as compliance, obedience, respect for authority, and hierarchical values. People who have a strong belief in the pecking order are less likely to question a demand made by a superior and are therefore more likely to comply without hesitation.
  • Sexploitation Scams: These scams use fear as the driving force to get people to comply with demands. A scammer working in this field uses language to evoke a person’s most primal drives- hoping their influence takes over the more practical aspects of human thinking. Anyone can struggle to make intelligent decisions when they are especially scared or excited, but someone prone to fast emotions is more likely to be a prime target.

It is interesting to see how different these two examples are, which shows how much a person’s emotional makeup and core values can impact their likelihood to become a victim of fraud.

The Challenges Facing Scam Awareness 

As Tim Erlin rightfully pointed out during his interview with Martina Dove– a significant challenge that stalls the progress of beating cyber criminals is the underlying sense of shame and embarrassment many scam victims feel. He stated that people don’t want to admit they fell for it and may not even report that it ever happened. This, sadly, is true and only adds to the stigma of fraud victimization- making it harder to build a substantial defense against these crimes.

Furthermore, there is a dangerous habit out there of immediately labeling scam victims as stupid, making them feel guilty for being the target of what is, at the end of the day, a crime. Fraud is as real as robbery, yet the victims are treated very differently.

Increasing the awareness and understanding of why these things happen and changing the narrative of how victims are perceived could help bring a more accepting mainstream view.

How Can Martina Dove’s Research Help with Fraud Awareness Training? 

Modern businesses are acutely aware of the very real risk of cyber scams and take steps to protect and educate their staff, but is there enough focus on vulnerability rather than vigilance? The idea that anyone can fall for a scam needs to be more publicized, and people made aware of what exactly is it about a person’s personality and psychology that makes them vulnerable.

As cyber security professionals can confirm- the human aspect is and always has been the weak link in the defense chain because people can make mistakes, and the brain is open to mind games. If scammers are getting better at playing on the mind, then security experts need to get better at educating people on how this exploitation works.

Using Dove’s research to make anti-fraud training more human-focused and interactive could be the difference between a person falling victim and feeling ashamed and being aware of emotions used against them- and being able to stop an attack in its tracks.  

Practical Advice for People at Risk

As part of Dove’s research, she complied a checklist of actions to take towards proactively identifying potential scams and avoiding being drawn into the deception. Here is a brief summary of the key points for consideration. 

  • Question how it makes you feel: Scams play on emotion and aim to evoke a strong reaction, so how you feel when you read something could be an instant warning sign.
  • Look for further language clues: Is there any wording that seems overly strong or makes you feel bad in a way that seems unnatural?
  • Beware of links: A quick and convenient ‘click here to solve your problems’ may not be what it seems. Only access trusted links and log into any secure accounts via the official portals and never through an email.
  • Make space for rationality amongst emotion: Understand that what you feel in the moment could have been engineered through clever psychological tricks and attacks. Take a step back, wait to make a decision, and ask for opinions from family and friends if you are not sure about how to proceed.
  • Scrutinize the details: Look into correspondence for any sign of falsification or something that just doesn’t feel right. Emotional people may be quick to act, but they can also have strong senses of instinct.
  • Don’t rush to action, no matter the request: Sometimes, a pause is all it takes. Stopping and thinking is never bad practice in any walk of life or decision to be made.  

Final Thoughts 

Everyone was not created equally when it comes to emotions and how they drive our thoughts. Moderating how they impact decisions and how vulnerable they make us to gullibility is not easy, and greater awareness is needed.

The ties drawn between psychology and cybercrime are truly fascinating and open up an interesting and far overdue conversation about the correlations.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Protecting Your Accounts from Russian – or Any — Cyberattacks

No matter when you look at the news, there is probably a story about Russian hackers…and if there is not a story about hackers from Russia, there is likely a story about hackers from China or a place like Turkey. There is definitely a chance that any hacker or hacking group could launch an attack against the US, and the government has even briefed companies about what to do if they believe they are at risk.

hacker chest

Just because you are an individual, it doesn’t mean that you are not at risk of a cyberattack, just like a company is. You may be wondering how you can protect yourself, since this is the case. This is a great time to learn more about how to stay safe from cyberattacks – no matter where they come from.

Many cybersecurity threats are coming from what is known as a “Distributed Denial of Service” (DDOS) attack, which is often launched against a website or a financial network. Basically, the hackers push so much traffic to a network or site that it totally crashes, which disrupts business. At this point, the IT team has to focus on getting the network or site back up, which opens a window for a hacker to move in right under their noses.

These attacks can happen at any time, and they can be quite far reaching. Back in 2012, a group of Iranian activists attacked more than a dozen banks in the US, which disrupted all of their sites.

So, what can you do to make sure this doesn’t happen to you? Here are some tips:

In addition to below, check out our post: Russian Hackers: 14 Ways to Protect Yourself and Your Business

  • CASH, YES Cash: Try to keep a little cash available, especially if you are going out of town. This way, you will have money in case a banking network or ATM is not working due to a DDOS.
  • For every banking or financial account you have, make sure you have a strong and unique password. Don’t reuse any passwords, and do not use any social media password for any banking site.
  • Always watch your financial accounts for unusual activity. Check your bank account online or via phone at least once a week, and if you can, every day or two. If there is a problem, it is always best to find it as early as possible.
  • Russian hackers often try phishing scams on social media or via email in order to get access to corporate networks. Never, ever click a link in an email or on social media from someone you do not know. They also use text messages to try to get people to respond with information that will allow them into accounts. Even if it seems like it’s coming from a company you are familiar with or even do business with…confirm everything before you click or give information.
  • Sign up for email or text alerts for all of your financial accounts. This way, if there is a weird transaction, you will be notified immediately.
  • You should also consider signing up for multi-factor authentication for any financial account. When you do, and someone tried to sign into your account…even yourself…the bank or other company will send you a code to the email or phone number they have on file. Even if you put the correct username or password in, you cannot get into the account without that code.
  • Always update all of your apps and software on every device, including phones, tablets, and computers. To make it easy, set these updates to occur automatically, and then you don’t have to worry about it.
  • Don’t believe everything you see online. There are a lot of scams out there, and there is a lot of “news” out there that is not real nor correct. Use common sense before doing anything.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

8 Cyber Security Tips You Can Start Today to Keep Yourself Safe

These days, it seems like there is one data breach after another, and each time, they are being done by those who want to steal your identity. Thankfully, it is much easier than you probably think to keep your info safe. Here are some tips that you can start doing right now to put yourself in a position to fight this:
Cyber Security Tips
Take a Look at Your Accounts

Almost any account allows you to check the recent activity. Even Facebook, Google, and Twitter have this available. When you take a look at this, you can see every log in and authorization. If something looks strange, such as a log in from Nigeria, odds are good that you have been compromised. Most of these sites allow you to log out of every location, so you should definitely do that.

Take a Look at Your Computer

 You may not realize it, but at any time, there are a number of programs running on your computer. However, some of these might not be safe. So, it is always a smart idea to check to see what is running in the background. To do this, you can check Activity Monitor for Mac or Task Manager for Windows. If you don’t know what a program is, look on Google. It will tell you if it is good or bad. If it is not good, figure out how to uninstall or remove it.

Take a Look at Your Passwords

 Also, take a close look at your passwords. Do you think they are really safe? Every account should have its own password, and if you use the same passwords for more than one account, your chances of getting hacked rise exponentially. You also need to make sure you are changing your account passwords on a regular basis. You can use our FREE Email Checker and check your email address and passwords.

When you do this, you can check to see if your account has been compromised. If so, change your password immediately. You should also consider using a password manager.

Take a Look at Your Wi-Fi Connection

Are you paying attention to your Wi-Fi connection? Do you have a password protecting it? Do you have a WPA encryption? Do you have anyone piggybacking on your connection? You can install a program like Wireless Network Watcher. It is also very important that you are cautious when on public Wi-Fi. Only use a VPN, virtual private network, when connecting to public Wi-Fi.

Take a Look at Connected Apps

You also may not realize that you have given your social media accounts permission to connect to other apps. Though this isn’t extremely dangerous, they can result in account takeovers and data leaks. So, if you don’t use a specific app or service any longer, you should sever the connection.

Take a Look at Installed Apps

When you look at those connected apps, also take a look at what apps you have installed on your computer and your mobile device. You may have downloaded some type of malicious program that looks like a tool or game, but it could end up wrecking your system. If you have any weird apps, check Google to see if there were any vulnerabilities or flaws.

Update Everything

You also want to make sure you are updating your apps and OS regularly. These updates often contain security improvements in order to keep your devices safe. The newer the update, the safer your device. Also, don’t forget to check for updates on your browsers, routers, and even printers, as these can be manipulated, too.

Protect Your Identity

Finally, do everything you can to protect your identity. There are two ways to do this, especially when it comes to stopping someone from opening new lines of credit in your name. You should set up a credit freeze through every credit bureau. You should additionally set up an account that offers identity theft protection. This helps to watch your data, and it monitors your credit reports. If something goes wrong, when you have this type of protection, there are people standing by to fix things, and by doing this, you can minimize the damage that could occur.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.