Are Backup Files the Missing Link in Your Cyber Security?
in online safety, online security / by Robert Siciliano
Do you have backup files for your critical business data and software? Where are they stored? How often are they updated?
During Cyber Security Awareness Month, you should be asking these three critical questions. Too often, business leaders and employees see cyber security as an ongoing battle against phishing, business email compromise and other direct scams. While these are core concerns in cyber security, data safety is also essential. You can train your people to stop pretexting attacks, but that training is of no value when a hacker encrypts or steals all of your business data, shutting down your operations. Even the most experienced IT professionals can have a blind spot when it comes to data backups.
Cloud Backup Files Are Not Enough
The default choice for many businesses is cloud backup, which is simple to implement and easy to access. The convenience of cloud backup files can obscure a significant risk: Cloud services can be hacked. If your only backups exist on a server, and that server is compromised, your backup data are gone. You may have done enough to qualify for a cyber liability insurance or business interruption insurance claim, but you still lack the data you need to run your business.
Cloud backup files should be part of your cyber security protocols, but they should not be your only path to data recovery. Backups on a solid-state device, such as a USB drive or an external hard drive, are also necessary for the following reasons:
- Your cloud backups can be compromised. Hackers may encrypt or steal your data from your cloud backup provider, or compromise your cloud provider’s operations, preventing you from accessing data.
- Backup files may contain malware. Cyber criminals are more patient than most people realize. It is rare for them to gain access and immediately deploy malware or ransomware. Instead, they will lurk for weeks, sometimes months, waiting to deploy an attack. If criminals launch a ransomware attack that encrypts all your files and you attempt to restore a recent backup, there is a good chance it will fail to solve the problem.
- Cloud backup files may be incomplete. Creating a daily cloud backup is a good practice, but daily backups typically get purged after a few weeks to make room for newer backups. If you need data that is more than a month old, it may not be available. Your cloud backups may also be limited in scope; they may save daily data, but not the software you need to access that data.
Best Practices for Backup Files
Backup files are a crucial part of your overall cyber resilience. In the event of a ransomware attack, backup files may allow you to restore systems and avoid paying a ransom. In the event of data loss or exfiltration, backups may allow you to determine exactly what data were stolen, which can help you comply with new SEC Disclosure Requirements. Backups may also help cyber security professionals identify the timeline and methods used in a cyber attack.
Here are five things every organization should do to incorporate backup files in a cyber resilience plan:
- Employ cloud backups wherever they are offered. Even with their limitations, cloud backups offer the simplest option for daily data and system protection. Set up daily backups for your website, business data and cloud-based services that you use. Be sure that data are encrypted and take note of what is and is not backed up; for example, a website backup may include the core elements of the site and exclude add-ons, plugins and custom code. Cloud services may back up your business data but not any customizations you have made to your cloud environment. When in doubt, ask your service provider for a full list of what is and is not backed up. Ask how long data are retained as well, and make a note of that timeline. If you have to pay a little extra for daily backups or longer data storage, it may be a worthwhile investment.
- Create solid-state backups of business data. At least once a week, essential business data should be downloaded to spreadsheets and stored on a USB device or external drive. Once the storage device is full, label it with a date and keep it in a secure area in your office under lock and key. Restrict access to these backups to IT staff and senior leadership, and allow access only if critical systems are compromised and data become unrecoverable. Note that backups containing personal information may need to be erased or destroyed to maintain compliance with the FTC Safeguards Rule.
- Maintain a physical file of critical business data. This should include information that you need to keep your business running, including client names, phone numbers, addresses and order or delivery information. To determine what to include, imagine a situation where your business is without power for several weeks, or where you lack access to your office due to a fire or disaster. What would you need to continue to service your clients, and what functions can you track and complete offline? The physical file can be created in a spreadsheet and printed weekly, or as you add new clients. Like data backups on external drives, the information in these files is subject to the FTC Safeguards Rule, so you will need to store the physical files in a secure place, limit access to them and destroy old copies periodically.
- Create a System Recovery Image or Recovery Drive. A macOS Recovery Drive will allow you to repair a failing Mac or reinstall your macOS software. A Windows System Recovery Image is a complete snapshot of your current Windows installation, settings and applications. These recovery images should be created quarterly and stored on a USB or external drive. Use a separate drive for each backup to reduce the risk of malware. These backup files have a practical purpose beyond cyber security: In the event that your primary computer is lost or damaged, you can use them to rebuild your systems on a new device. They can also help you restore systems if your hard drive fails.
- Maintain access to your passwords. If you rely on your browser to fill in stored passwords, you could find yourself locked out of critical systems. A cloud-based password manager can provide access, as long as you have a copy of the keys and passwords needed to access it. Consider keeping critical passwords on a written list or in a text file on a USB drive that you store in a secure place, such as a safe or locked drawer. Never store sensitive passwords in emails or files on your hard drive, as cyber criminals will look for these if they gain access to your systems.
Backup files, printouts and drives should be treated with the same care as digital data. They must be kept in a secure place and should be used only when necessary. These additional security measures should not deter you from creating backups. In the event of a ransomware attack, natural disaster or catastrophic damage to a computer, backup files can get you up and running in less than two hours, or provide the information you need to run your business offline until online problems can be addressed.
Large organizations should have protocols in place to create and maintain backups as part of an overall cyber resilience plan. Small businesses and sole proprietors will need to manage backups by themselves, but it is not a complex or overly time-consuming process. If you need guidance on creating system recovery files, or help creating and protecting backup files, please contact us online or call us at 1-800-658-8311.
Social Engineering Eyed in High-Profile Casino Attacks
in online safety, online security / by Robert Siciliano
Social engineering may be behind two high-profile attacks on casino operators Caesars and MGM. In an 8-K filing with the Securities and Exchange Commission, Caesars Entertainment reported “a social engineering attack on an outsourced IT support vendor used by the Company.” Hackers were able to steal data from the Caesars loyalty database around September 7, exposing an unknown number of driver’s license and Social Security numbers. The Wall Street Journal reported that Caesars paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In their SEC filing, Caesars noted that there is no guarantee the criminals will delete the data.
Elsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Caesars attack.
Anatomy of a Social Engineering Attack
In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Caesars hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor’s help desk to gain access to that person’s account.
Social engineering attacks are targeted. The criminal is typically armed with some information about an individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual’s voice using just a few seconds of online audio. They will then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try and gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and third-party vendors that serve these companies are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.
Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.
Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.
Preventing Social Engineering Attacks
As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:
- Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
- Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
- Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
- Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
- Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual’s phone number on your devices.
Sophisticated social engineering attacks work because employees trust and want to do a good job. Training must emphasize that security is equally if not more important than customer service. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.
If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.
When and How to Report a Cyber Attack Attempt
in cyber crime, cyber-invasion, cybersecurity, online safety, online security / by Robert Siciliano
Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.
There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little or nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.
When Should I Report a Cyber Attack Attempt?
You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.
What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.
Where Should I Report an Attempted Cyber Attack?
The size of your business will determine how you should report the attack.
For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.
If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning, which makes it more likely that a criminal will target multiple individuals within an organization.
For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:
- If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
- If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.
Reporting Attempted Attacks to Law Enforcement
Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.
Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.
Where Else Should Attempted Cyber Attacks Be Reported?
If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.
If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.
Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.
Business Email Compromise (BEC) Attack Steals $6 Million from Public School System
in online safety, online security / by Robert Siciliano
The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.
ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.
- Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
- Using that email access, the hackers monitored communications for several weeks, identifying vendors.
- Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.
Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.
This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.
As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear recognizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.
Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks
The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.
More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:
- Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them, or how frequently you change them. The only reliable way to keep criminals out of your email is to use two-factor authentication that requires you to complete an extra step via a personal device, such as a smartphone, before you can log in. Google now requires 2FA for some of its services. This should be a mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
- Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may be able to cover their tracks or spoof a location, but there will still be an unusual increase in access for individual accounts. Systems should be set up to alert both the account user and the IT staff whenever a new device attempts to connect to a network or log in to an email or online service.
- Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Organizations should put processes in place that mandate internal review of any changes in payment destinations, delivery schedules or delivery locations. Pay very close attention to the Sender of any email requesting a change, as criminals will create phony emails that look legitimate to try and trick their targets.
- Mandate voice approval for any changes. When a request to use a new bank account comes up, or a client sends an email asking for a delivery to be rerouted, organizational procedures should require a phone call to that client’s point person. Do not call any number given in a suspect email. Call the number on file for the client or vendor, and ask them if they requested the change. Consider implementing a password that only you and the vendor would know as a means of authorizing any changes.
- Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.
Cyber security employee training should be provided to every worker in your organization. The more access and responsibility the employee has, the more critical this training becomes. Protect Now offers CE-eligible training for real estate professionals, as well as online and in-person training for all small- and mid-sized businesses. Contact us online or call us at 1-800-658-8311 to learn more.
The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business
in online safety, online security, Personal Security / by Robert Siciliano
The new Securities and Exchange Commission (SEC) disclosure rule for cyber incidents represents the most sweeping attempt to date to mandate cyber security by the United States government. If you own or work at a publicly traded company, if you handle data provided by a publicly traded company or if you simply supply a publicly traded company, this new rule will impact your business.
What Is the New SEC Disclosure Rule?
As reported by the Federal Bureau of Investigation, the new SEC Disclosure Rule goes into effect on September 5, 2023. In broad terms, it requires the following:
- Every publicly traded company in the United States must file Form 8-K to the EDGAR database within 4 days of the discovery or awareness of any cybersecurity incident that has a “material impact” on their business.
- The United States Attorney General may allow a reporting delay of up to 30 days, with a possible renewal for an additional 30 days, if the cybersecurity incident presents a danger to public safety or national security.
- The United States Attorney General may allow an additional 60-day delay in reporting only if there is a significant risk to national security.
Publicly traded businesses have the ability to determine whether or not a cybersecurity incident has a material impact on their operations or valuation. In the event that it does, they must report the nature, scope and timing of the incident, as well as its impact or potential impact.
How Does the SEC Rule Apply to Me If I Do Not Own a Publicly Traded Business?
This rule will be enforced by the SEC, which has extensive investigative capabilities and the ability to determine the penalties that violators will face. Unlike the FTC Safeguards Rule, which has defined penalties and regulations, the SEC disclosure rule is open, both in terms of what defines a “material impact” and in terms of how the agency will follow up. In the worst-case scenario, Federal investigators could arrive at your door to seize documents and devices, if they believe you are responsible for a cybersecurity incident that impacted a publicly traded company, or if the company identifies your business as the source of the data breach.
Here are a few examples of ways a company could inadvertently be swept up in an SEC investigation:
- A franchisee of a national company suffers a data breach that exposes the personal financial information of its clients.
- A shipping company receives a fraudulent order through a pretexting attack that diverts money or materials of significant value to criminal actors.
- A conference planner suffers a data breach, exposing the email addresses, usernames and login credentials of all conference attendees.
- A marketing agency’s servers are breached, revealing the embargoed technical specifications of a client’s new product.
- A law firm’s email is breached, revealing details of a client’s patent filings or lawsuits.
- A doctor’s office wireless network is compromised, allowing hackers to steal the personal health information of corporate executives.
- A mortgage broker’s file transfer system is compromised, exposing the property valuations of individuals referred by a client.
- A company website is hacked, revealing administrative usernames and credentials.
These examples fall into three broad categories:
- Data breaches that expose data belonging to a client’s customers.
- Hacking attacks that uncover a client’s future business plans, internal information or intellectual property.
- Credential theft or protected personal data theft that compromises a client’s leadership or employees.
Something as simple as a phishing attack that exposes your email contacts could be material, if hackers then use that information to launch a targeted attack on your client or sell the information to others. Pretexting attacks that divert payments, materials or finished goods that a client needs to operate could be material if they have a significant impact on a client’s sales. Ransomware attacks that lock your clients out of needed services, disrupting their operations, could also qualify as a material impact.
What Do I Need to Do to Comply?
Only publicly traded businesses are required to report cyber incidents under the disclosure rule, but their ability to report depends on support from their vendors, franchisees, service providers and partners. Remember that if your business is the source of a cyber incident that compromises a client’s business, you may be investigated, and your cyber security policies will be scrutinized. The publicly traded company will face SEC penalties. You will lose the client, and your reputation will take a significant hit.
No business wants to deal with the SEC. Investigations can be lengthy, disruptive and expensive. It is very likely that publicly traded companies will demand some accountability from vendors and partners, as well as assurances, possibly legally binding assurances, that cybersecurity incidents will be reported. For companies that are not publicly traded, compliance requests will likely include the following:
- Documentation of current cyber security standards, including incident monitoring and security updates.
- Documentation of cyber security employee training practices.
- Written plans to report cyber security incidents to impacted clients as soon as these incidents are known.
- Written plans to respond to and stop cyber attacks, along with an evaluation of data loss or potential third-party compromises.
Do not be surprised if clients ask for this documentation. Clients may also want to execute additional nondisclosure agreements (NDAs) that include specific language around cyber incidents, or ask for these protections to be outlined in service contracts or contract amendments.
How Will the SEC Enforce the Cyber Incident Disclosure Rule?
It is impossible to know exactly what enforcement will look like, as the SEC tends to treat violations on a case-by-case basis. Based on its past behavior around new regulations, the SEC is likely to issue warnings for a period of time for first-time offenders or minor breaches. If a significant breach occurs, or if a publicly traded company repeatedly violates the rule, an extensive investigation with significant penalties will likely follow. That would trigger a rush for compliance services that leaves providers struggling to keep up with demand and companies scrambling to find providers who can help them. It is better to take this matter seriously now, evaluate your needs and get professional cyber security support if you need it.
Note that the new disclosure rule does not require an experienced or certified professional to oversee or report cyber security incidents. Most small businesses should be able to manage compliance on their own, or with the help of a virtual CISO (vCISO).
Why Did the SEC Add This Reporting Rule?
The SEC outlined two needs that drove the new disclosure rule. First, the SEC believed, as do many law-enforcement organizations, that cyber crime is underreported. By bringing its authority to this area, the SEC seeks to compel a greater level of reporting compliance, eliminating the tendency of some businesses to quietly pay ransoms or overlook seemingly minor cyber intrusions.
Second, the SEC felt that current reporting, which lumps cyber security incidents in with other business challenges, did not provide enough information to shareholders. The standard report will allow shareholders to see how often a business suffers cybersecurity incidents and how severe they are, providing another data point investors can use to evaluate opportunities.
As a final, broader and unstated goal, the disclosure rule puts anyone who works with a publicly traded company on notice that their interactions with those clients are under federal scrutiny. This is likely meant to compel greater adoption of cyber security best practices across all U.S. businesses, which will make it harder for criminals to carry out attacks. In that regard, it is the most significant effort to date by the U.S. government to establish and require cyber security as a basic element of business operations.
If you have questions about the SEC disclosure rule, how it could impact you, how you can comply or how you can improve your cyber security employee training, please contact us online or call us at 1-800-658-8311.
Inactive Account Policy: Don’t Let New Google Rules Lock You Out of Your Site
/in online safety, online security /by Robert SicilianoGoogle has announced a new Inactive Account Policy that every business owner needs to understand. From their update:
Starting later this year, if a Google Account has not been used or signed into for at least 2 years, we may delete the account and its contents – including content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos.
The policy only applies to personal Google Accounts, and will not affect accounts for organizations like schools or businesses.
The new inactive account policy is a good idea, but it may come with some significant hidden risks for your website, domain, security certificates and online presence.
How could the Inactive Account Policy harm my business?
As nearly anyone who has worked at an IT firm, digital agency or cyber security business can tell you, some businesses lose their security certificates, hosting or websites because they do not respond to renewal emails. The problem typically begins with a business owner setting up a website using a personal email address as the account contact, buying services for several years, then forgetting that those services need to be renewed. This happens more frequently than most business owners realize, and it can be devastating if a site host wipes out a business website, or if a business loses access to its domain.
Think about every piece of collateral with your website on it: business cards, letterhead, advertising, online links. Now imagine that all of it is lost because you failed to renew your web address on time. While many online service providers have built recovery options into their renewal processes, those processes may not work if you do not have access to the email used to register the service. At a minimum, you can expect to spend a lot of time on the phone with the provider attempting to resolve the problem. If you lose your web domain, your business email will stop working. These are not problems to take lightly.
How can I stop a lost email address from shutting down my business?
The first step in protecting your online assets is to know which paid services keep your site online. The list will always include the following:
- Domain Name: This is the name in your business's web address, such as protectnowllc.com in https://protectnowllc.com. Domains are not owned outright; businesses register them for a set period from a domain name registrar, such as GoDaddy or Google Domains. Registrations commonly run for one to three years, though many registrars allow up to ten.
  - Losing access to your domain is the worst-case scenario for any business: your website and your email will both stop working, and once the domain drops, anyone can register it.
- Site Hosting: Unless you run your own server, someone provides a service to keep your website online. This could be an all-in-one site builder and hosting provider, such as Squarespace; a company that specializes in a particular site platform, such as WP Engine; or a company like SiteGround or HostGator that provides server space and lets you build your site any way you like.
  - Most hosting providers have a grace period for renewal. After it, your site goes offline, and your email may stop working if your host provides it as well as your website. Contacting customer service and renewing your agreement will typically get your site back online quickly. In the worst case, your data and site content are deleted.
- Security Certificates: Your site should serve HTTPS using a TLS certificate (often still called an SSL certificate). Browsers mark sites without one as "Not secure", search engines prefer HTTPS pages, and an expired or invalid certificate produces a full-page warning that most visitors will not click through.
  - Publicly trusted certificates are limited to about 13 months (398 days), and free certificates such as those from Let's Encrypt last 90 days and are usually renewed automatically; if automatic renewal is misconfigured, the certificate expires silently. Your website will become very hard to reach when that happens, but your email will usually keep working unless the mail server uses the same certificate.
- Third-Party Services: Many things fall into this category, such as image hosts, data feed providers and some website widgets or modules.
  - Only the specific functions or parts of your website that depend on such a service stop working if it is interrupted.
Make a list of the services you use and the companies that provide them. At a minimum, the list should include your domain name registrar, your email provider, your web host and your certificate provider. If you have trouble identifying any of these providers, look through old emails or review old bank statements for annual or multi-year charges from companies that may provide these services. For the domain itself, a WHOIS or RDAP lookup will show the registrar of record and the expiry date. Keep the list of services and providers in a spreadsheet. Do not include passwords in this spreadsheet, as that creates a security risk; keep them in a password manager instead.
Once you have services and providers listed, log in to each provider and note the date when your service must be renewed. As you attempt to do this, you may discover that a service was registered with a personal email you can no longer access. This is the time to contact the company directly and update your account information. Do not wait until services go down and you are potentially losing business.
Make sure that the email used for each service is active; it can be a personal email, as long as you use that personal email account at least a few times a month. Preferably, it should be a business email associated with a business owner or a company’s IT department. Remember that the new Google Inactive Account Policy will only apply to personal accounts, not Google Workspace or business accounts.
Add the email used to register each service to your spreadsheet. Check the spreadsheet on a regular basis; if you see a renewal date coming up, be sure to check the email associated with that service, including spam folders. Service providers commonly send renewal notices 60 days, 30 days and 14 days before a service is suspended for nonrenewal.
Following these steps greatly reduces the chance of a service interruption. In larger organizations, it is a good idea to task someone with service monitoring and renewal so that notices do not slip through the cracks or get overlooked in spam folders. If you contract IT services or have an in-house IT department, make sure that your service providers are allow-listed in your mail filters so that renewal notices get through. While you are logged in to each provider, turn on auto-renewal where it is offered, enable the registrar lock on your domain, and protect every one of these accounts with multi-factor authentication: the registrar and hosting accounts control your entire online presence.
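The inventory check above can be scripted so that it runs on a schedule instead of depending on someone remembering to open the spreadsheet. The following is an added example, not code from the original post: it reads a constructed inventory in the layout the post recommends (service, provider, registered email, renewal date; no passwords), flags renewals inside the 60-day notice window and services registered to a personal mailbox, and computes days remaining on a certificate from the `notAfter` string that Python's `ssl` module returns. The service names, domains, dates and addresses are made up for illustration; the optional live certificate lookup needs network access and is not used by the sample run.

```python
"""Renewal watchlist for the online services a business depends on.

Added example (not Protect Now's code).  Inventory rows, dates and
addresses below are constructed for illustration.
"""
import csv
import io
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory in the spreadsheet layout the post describes.
SAMPLE_INVENTORY = """\
service,provider,registered_email,renews_on
domain,example-registrar.test,owner@gmail.com,2024-03-15
hosting,example-host.test,it@example.com,2024-04-20
certificate,example-ca.test,webmaster@example.com,2024-02-28
email,example-mail.test,it@example.com,2025-01-10
"""

# Mailbox domains that an inactive-account policy (personal accounts only)
# or a departing employee could silently take away from the business.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com",
                         "hotmail.com", "outlook.com", "icloud.com"}

# Notice windows the post mentions: 60, 30 and 14 days before renewal.
NOTICE_DAYS = (60, 30, 14)

# Fixed "today" so the sample run is reproducible (assumed date).
SAMPLE_TODAY = datetime(2024, 2, 1, tzinfo=timezone.utc)


def load_inventory(text: str) -> list[dict]:
    """Parse the CSV inventory, turning renews_on into a date object."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["renews_on"] = datetime.strptime(row["renews_on"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def findings(rows: list[dict], today) -> list[str]:
    """Return warnings, soonest renewal first."""
    out = []
    for row in sorted(rows, key=lambda r: r["renews_on"]):
        days_left = (row["renews_on"] - today).days
        label = f'{row["service"]} at {row["provider"]}'
        if days_left < 0:
            out.append(f"EXPIRED {-days_left}d ago: {label}")
        elif days_left <= max(NOTICE_DAYS):
            out.append(f"DUE in {days_left}d: {label} "
                       f"(watch {row['registered_email']}, including spam)")
        mail_domain = row["registered_email"].rsplit("@", 1)[-1].lower()
        if mail_domain in PERSONAL_MAIL_DOMAINS:
            out.append(f"PERSONAL MAILBOX: {label} is registered to "
                       f"{row['registered_email']}")
    return out


def parse_not_after(not_after: str) -> datetime:
    """Parse the notAfter string from ssl.getpeercert(), e.g. 'Feb 28 12:00:00 2024 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_until_cert_expiry(not_after: str, now: datetime) -> int:
    return (parse_not_after(not_after) - now).days


def live_cert_not_after(host: str, port: int = 443) -> str:
    """Fetch the served certificate's notAfter from a live host (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def sample_report() -> list[str]:
    """Run the check over the constructed inventory as of SAMPLE_TODAY."""
    return findings(load_inventory(SAMPLE_INVENTORY), SAMPLE_TODAY.date())


def sample_cert_days() -> int:
    """Days left on a constructed certificate expiring 28 Feb 2024, as of SAMPLE_TODAY."""
    return days_until_cert_expiry("Feb 28 12:00:00 2024 GMT", SAMPLE_TODAY)


if __name__ == "__main__":
    for line in sample_report():
        print(line)
    print("Days left on sample certificate:", sample_cert_days())
```

Run from cron or a scheduled task and mail the output to whoever owns renewals. Replace `SAMPLE_INVENTORY` with the real spreadsheet exported as CSV, and swap the constructed certificate string for `live_cert_not_after("your-domain.example")` to catch an expiring certificate before the browser warning does.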
Why is Google changing its Inactive Account Policy?
Unused email accounts can be taken over and used by cyber criminals to carry out attacks, including spam and malicious advertising campaigns that direct users to malware sites. Cyber criminals may also mine abandoned accounts for personal contacts to use in phishing attacks, which is why it is a good idea to be wary of unexpected messages from people you have not heard from in a long time. An abandoned account may have been compromised, and you could be talking to a criminal.
By deleting these unused accounts, whose passwords may already be for sale on the Dark Web, Google eliminates an avenue for cyber crime. This is a welcome step for everyone who is concerned with cyber security. Take inventory of your services and the accounts used to access them, and the change will have no impact on your business.
Protect Now offers CSI Protection Certification, cyber security employee training that creates meaningful changes in employee attitudes toward individual and business security. We also help businesses manage their overall cyber security with Virtual CISO services. Contact us online or call us at 1-800-658-8311 for a free consultation.
ChatGPT Breach: What You Need to Know
/in online safety /by Robert SicilianoIt took less than 5 months for a significant ChatGPT breach. This is not surprising, given the incredible pace of the software’s adoption. On February 1, Reuters reported that ChatGPT had reached 100 million active monthly users in the two months since its launch, citing data from UBS.
Any platform as new as ChatGPT with a userbase the size of ChatGPT’s will be a target for cyber criminals hoping to find new vulnerabilities to exploit. Businesses and individuals who use ChatGPT need to understand the risks, and to recognize that the unprecedented growth of ChatGPT may make the platform uniquely vulnerable in the short term as its developers rush to keep up with demand.
What Happened in the ChatGPT Breach?
Around March 20, payment information for some ChatGPT Plus subscribers was exposed, including names, emails, billing addresses, card expiration dates and the last four digits of the card used to subscribe to the service; some users also briefly saw the titles of other users' chat histories. OpenAI, the creators of ChatGPT, contacted the affected users, estimated at 1.2% of subscribers who were active during the affected window. OpenAI attributed the exposure to a bug in an open-source library used by the service rather than to an intrusion, took ChatGPT offline while it investigated, and patched the bug.
There is no reason to stop using ChatGPT, and unless you were notified of the breach, there is no immediate cause for concern. Those who were impacted by the ChatGPT breach may want to consider canceling and replacing affected credit cards, as the exposed digits and expiration date could be combined with other data on the Dark Web to commit identity fraud.
Is ChatGPT Safe to Use?
If you use ChatGPT as a standalone application and do not paste sensitive data into it, it should not present a significant risk to your overall cyber security. If you attempt to integrate ChatGPT with other systems, do so with caution.
Security researchers identified a vulnerability in a ChatGPT plugin that allows the software to collect information by connecting directly to third-party systems. In that case, the threat came not from ChatGPT itself but from outdated code used to facilitate communications between systems. ChatGPT integrations with existing business systems or databases should only be undertaken by a developer with considerable experience in cross-platform vulnerabilities and up-to-date awareness of cyber threats. Cyber criminals love software integrations, because they widen the attack surface, introduce complex interactions between components, and often rely on libraries or communication methods with known exploits. Remember that data must be protected at every stage of its use: storage, processing and communication between systems.
ChatGPT as a Phishing Lure
The greater danger of ChatGPT to most organizations may be its use in phishing scams. We have seen this previously with every popular platform and service online: Users receive an email claiming to be from a service provider, asking them to click a link to solve a phony problem. Examples include:
- Your (Gmail, Yahoo, Microsoft) account has been suspended. Please click this link to restore access.
- We were unable to deliver your package. Please click this link to reschedule delivery.
- Your (PayPal) payment has been rejected. Please click this link to update your payment method.
- Please log in to update your password.
Popular services inevitably find themselves targeted in these spoofing attacks, where criminals send official-looking emails, often with company branding and some legitimate links, in an attempt to steal usernames and passwords. As one of the fastest-growing services in history, ChatGPT will inevitably be targeted as well.
Fortunately, there is a simple way to avoid these phishing attacks: never act on a link in an unexpected email. If you get an email indicating a problem with an online account or service, go directly to the provider's web page, or use the provider's app, and log in to your account there. Do not click on any such link that you receive via email, even if it looks legitimate.
Protect Now offers cyber security employee training that changes attitudes toward cyber security by making it personal for every employee. With in-person, virtual and eLearning options, our employee training programs offer an effective and affordable solution for every business and organization. Contact us online to learn more, or call us at 1-800-658-8311 to learn more.
The Software Patch is a Nuisance and a Necessity
/in online safety, security /by Robert SicilianoValentine’s Day kicked off a big week for software patch fans, as Apple sent out a patch for its operating systems and Microsoft pushed a flurry of patches for Windows.
If you are not a software patch fan, you should be. The seconds you spend patching work and personal devices can save thousands of dollars and dozens of hours cleaning up from cyber criminals who exploit vulnerabilities. Yes, patches are a nuisance and more common than most would like them to be, but they are also a necessity if you care about cyber security.
Why Do I receive so many software update requests?
Responsible software makers continually evaluate threats to their systems and issue software patches to fix them. Apple was tipped off to a flaw in its operating systems that could allow hackers to execute code on an unpatched device. This patch fixed what is known as a zero-day flaw: a vulnerability that attackers discover, and often begin exploiting, before the vendor knows about it, so the vendor has had "zero days" to prepare a fix. Hackers carefully review every new piece of software to find vulnerabilities in its security, as do researchers familiar with vulnerabilities. Apple issued its software patch in response to findings by a researcher who recognized the risk.
Microsoft, as usual, is furiously patching its supported Windows releases, this time closing 75 security gaps, including some that would allow a hacker to bypass Windows' built-in malware protections or gain elevated access to system functions.
Patching Protects Against Phishing
Everyone who uses Windows or Apple's operating systems should apply these software patches immediately. Doing so, on personal devices as well as work-issued devices, delivers two real benefits. First, it closes a hole that is known to, and already in use by, criminal hackers. Second, it blunts some phishing attacks: a link that leads to an exploit for the patched bug no longer delivers its payload.
The exploits patched by Apple and Microsoft may require users to visit a compromised website or download software that can exploit the known vulnerability. A software patch removes the vulnerability, so even if an employee clicks on a compromised link, the hacking attempt fails.
Every business should make software patches mandatory for all personal and work devices, particularly personal smart phones and laptops, which may access business WiFi or networks when employees come to the office. Software patches are usually sent out by software manufacturers automatically, but users may find them a nuisance and ignore them. Businesses can assist with updates by emailing staff when security patches are sent out. Ask employees to update their devices and provide links to download sites and additional information from manufacturers.
Patches may arrive at inconvenient times and employees may consider them a bother, but they are an essential piece of overall cyber security. Be aware that failure to patch can violate the terms of a cyber liability policy or expose a business to regulatory fines if an unpatched vulnerability leads to a data breach.
Installing software patches is good cyber hygiene and part of employee cyber security awareness. Protect Now has developed an employee training program that changes culture by changing the way employees consider cyber security. We go beyond concepts and hypotheticals to help employees understand their attitudes about cyber security and the need to apply the same standards they use in their personal lives to data protection in the workplace. Contact us online to learn more, or call us at 1-800-658-8311.
Why Do I Need Dark Web Monitoring?
/in online safety, online scams, online security, passwords /by Robert SicilianoDark Web monitoring fills an important security gap for individuals and businesses. It has applications in cyber security, reputation management and brand management. By monitoring Dark Web activity, individuals and organizations may be alerted to cyber attacks or data breaches.
Admit it: You search your name on Google to see what’s there. Most businesses pay attention to their online reviews. Some monitor social media to see what customers are saying. Dark Web monitoring completes the picture of your and your organization’s online reputation. It can also tip you off to data breaches or potential cyber attacks.
What Is the Dark Web?
In its broadest definition, the Dark Web is a portion of the Deep Web, which itself is the collection of websites and databases that are not indexed by the major search engines (Google, Bing, Yahoo!, DuckDuckGo, etc.). In 2018, CNBC estimated that the Deep Web was 400 to 500 times the size of the Internet that most people use.
The Deep Web itself is benign. It consists of password-protected content, encrypted databases and data, including millions of articles, books, recipes and public records. Some of these can be accessed through specialized search engines, such as a university’s library catalog of digital media or LexisNexis.
Amid those terabytes of data lurks a smaller set of sites that can only be reached through anonymity networks such as Tor, short for The Onion Router. Tor routes a user's traffic through a chain of volunteer-run relays so that no single relay knows both who the user is and which site they are visiting; the Tor Browser is the usual way to reach the ".onion" sites hosted inside the network. Tor has legitimate uses, but its promise of anonymity and cover from law enforcement has also made the Dark Web a haven for illegal activity. It is where many cyber crimes originate, and where you will find cyber criminals offering their services and software for sale alongside the fruits of their labors: credit cards, login credentials and personal information.
Why Are Businesses Monitoring the Dark Web?
Because a great deal of cyber crime originates on the Dark Web, monitoring it can reveal attacks while they are still being planned. In some cases, it is the first warning of a data breach.
Dark Web monitoring begins with a deep dive on selected data points. For businesses, this is most commonly the business name and the names of senior executives and managers. This creates a baseline of information that is known to be compromised, as well as intelligence on any discussions about the business or its leaders among cyber criminals. This information is provided to the business with notes on any areas of concern.
Once the baseline is established, the Dark Web is searched on a regular basis for new information. This may include
- Mentions of the business or its leaders by cyber criminals, which can signal a pending attack
- Solicitations to buy or sell information on the business or its leaders
- Newly posted data, which may include compromised logins for systems, user accounts or personal accounts of the company’s leaders
- Customer data, such as credit card numbers, exfiltrated from a company’s database
When new information is found, the business receives an immediate alert that can be used to prepare for or stop a cyber attack. In some cases, this is the first evidence of a data breach that compromises customer information.
Dark Web monitoring may also reveal what people are saying about a business and its employees, providing opportunities to repair reputational damage. It can also be used to prevent disgruntled former employees from selling stolen data online after their separation from a company.
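The baseline-then-alert workflow described above comes down to matching collected records against a watchlist and reporting only what is new. The following is an added example and not Protect Now's monitoring software: collecting the records (crawling Tor hidden services, paste sites and criminal forums) is the expensive part and is out of scope here, so the block works over a constructed feed of leaked-looking lines. It matches each line against a watchlist (the company's domain, the names of its leaders, and credential "combo list" entries for the company's email domain), stores a hashed baseline on the first run so the raw leaked data need not be kept, and on later runs alerts only on matching records that were not in the baseline. The company name, people and feed lines are all made up.

```python
"""Watchlist matching with a stored baseline: the logic behind Dark Web alerts.

Added example (not Protect Now's product).  Collecting the feed is out of
scope; the records below are constructed and the company is fictional.
"""
import hashlib
import re
from dataclasses import dataclass, field

# What the business asks to be monitored (constructed).
WATCHLIST = {
    "domains": {"example-corp.test"},
    "people": {"jane doe", "john roe"},
}

# Credential dumps are usually "email:password" or "email;password" lines.
COMBO_RE = re.compile(r"([\w.+-]+@([\w-]+(?:\.[\w-]+)+))[:;]\S+")

# Constructed feed: what a collector might return on two successive runs.
FEED_RUN_1 = [
    "combo list: jdoe@example-corp.test:Summer2023!",
    "selling access to acme-widgets.test vpn, cheap",
    "doxx: Jane Doe, ceo @ example-corp.test, home address + phone inside",
]
FEED_RUN_2 = FEED_RUN_1 + [
    "anyone want John Roe (example-corp.test CFO) inbox? pm me",
    "fresh combos: bob@unrelated.test:hunter2",
]


@dataclass
class Monitor:
    baseline: set[str] = field(default_factory=set)   # fingerprints already reported

    @staticmethod
    def fingerprint(record: str) -> str:
        """Hash the record so the baseline can be kept without storing leaked data."""
        return hashlib.sha256(record.strip().lower().encode()).hexdigest()

    @staticmethod
    def hits(record: str) -> list[str]:
        """Return sorted watchlist matches for one record (empty if none)."""
        text = record.lower()
        found = set()
        for m in COMBO_RE.finditer(text):          # leaked credential for our domain
            if m.group(2) in WATCHLIST["domains"]:
                found.add(f"credential:{m.group(1)}")
        for d in WATCHLIST["domains"]:              # any mention of the company domain
            if d in text:
                found.add(f"domain:{d}")
        for p in WATCHLIST["people"]:               # executives and managers by name
            if p in text:
                found.add(f"person:{p}")
        return sorted(found)

    def run(self, feed: list[str]) -> list[dict]:
        """Alert on matching records not seen before, then fold them into the baseline."""
        alerts = []
        for record in feed:
            matches = self.hits(record)
            if not matches:
                continue
            fp = self.fingerprint(record)
            if fp not in self.baseline:
                alerts.append({"record": record, "matches": matches})
                self.baseline.add(fp)
        return alerts


def demo() -> tuple[int, int]:
    """First run builds the baseline; second run reports only the new finding."""
    monitor = Monitor()
    first = monitor.run(FEED_RUN_1)
    second = monitor.run(FEED_RUN_2)
    return len(first), len(second)


if __name__ == "__main__":
    monitor = Monitor()
    for run_name, feed in (("baseline", FEED_RUN_1), ("update", FEED_RUN_2)):
        for alert in monitor.run(feed):
            print(f"[{run_name}] {alert['matches']} <- {alert['record']}")
```

A credential hit is the one to act on first: reset that account's password, check its recent sign-ins, and confirm multi-factor authentication is on. Persist `monitor.baseline` between runs (a file or database of hashes is enough) so that the same leak is not reported every day.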
How Can I Monitor the Dark Web?
Dark Web monitoring requires specialized software that can access and index the hundreds of thousands of hidden sites that criminals use to communicate. There is currently no comprehensive free solution, and until recently, monitoring was an expensive service available only to large companies.
Protect Now is pleased to offer affordable small-business Dark Web monitoring that includes a full baseline examination of data about your business and employees, as well as regular updates on any new information that appears online. If someone adds to that information, attempts to buy or sell it or discusses using it, you will be notified immediately so that you can take action.