You’re Still Not too Small

by

A Ransomware attack on your small business might not cause oil and gas shortages over a wide swath of the country, but rest assured cyber criminals want to exploit the files and data you have worked so hard to develop and maintain for their own profit.

In fact, reported Homeland Security Secretary Alejandro Mayorkas on May 13, small businesses now account for 50 percent to 75 percent of Ransomware attacks.

Ransomware attacks increased 300 percent in the past year as Ransomware gangs extorted and blackmailed $350 million from businesses through encryption of their data and then stealing that data and threatening to expose it to the public.

The plague has become particularly acute in industries that rely on their data to operate and are considered to be “one-stop shopping” for most if not all of the data hackers need to commit a wide variety of crimes ranging from financial to medical fraud.

Think data-intensive companies like accountants, law firms, and healthcare practices. If you run a small business in those industries, you should:

  • Layer multiple defenses on your network including anti-virus, firewalls, third-party threat hunters
  • Provide Cyber Security Awareness Training to you and your employees
  • Obtain cyber insurance to cover potential damages.

Understand that criminals don’t need to be computer geniuses or even know how to write a virus to commit their crimes. Dark Side, the group believed behind the Colonial Pipeline attack, sells Ransomware as a Service to make the job easier for other criminals. That makes for a lot of potential criminals and a lot of potential victims.

If you need help fortifying defenses or Cyber Security Awareness Training for you and your employees, call 302-537-4198 or email me personally at ericm@flexitechs.com.

Cyber Security Tips for Protecting Law Firms

by

We’ve just produced another eBooklet, this one designed specifically for law firms but with a couple tidbits that also apply to other types of businesses that handle sensitive data.

This one, “Five Strategies for Lawyers to Mitigate Cyber Security Risks”, highlights the following five tips that you may not have thought about to prevent cyber criminals from profiting off of your hard work:

  1. Securing Your Mobile Devices
  2. Always Being on Guard
  3. Exercising Care with Autocomplete
  4. Insufficient Network Protection for the types of sensitive data lawyers handle
  5. Making Hackers’ Jobs Harder

To secure your FREE copy of this booklet, click the link below:

https://lp.constantcontactpages.com/su/DPjZTx9

For more information about Threatucation’s Cyber Security Awareness Training services, give us a call at 302-537-4198 or email us at info@threatucation.com or fill out the Contact form on this page.

Security Awareness not Just for Employees

by

An article I read this morning on one of my security web sites reminded me of the need for small business executives to understand that when it comes to cyber security awareness, they are also employees — but with a twist — they hold the keys to the kingdom.

While a higher percentage of CEOs and business owners now recognize the threats small organizations face from hackers than they used to, it is likewise true that cyber criminals have recognized the value of attacking them directly because they have access to the most sensitive information a company handles.

The article I read pointed to a discovery by researchers at the security software developer Trend Micro that found that 45 percent of the phishing attacks they studied directly targeted the CEO’s email address rather than everyone in the organization (anecdotally, I have seen an increase in direct attacks on CEOs, as well).

Also known as “whaling” because the CEO is considered the big fish in a company, that’s almost as many attacks against the CEO as everyone else in those organizations combined. Managing Directors and Chief Financial Officers are also frequently targeted at 9.7% and 4.8%, respectively.

What makes this important is that I encounter executives who at times consider themselves to be almost immune to the attacks their employees face.

From the article, quoting Ryan Flores of Trend Micro, CEOs and other top executives sometimes view email security mechanisms or policies as “an inconvenience to them” and because of that, they behave like they are “an exception to the rule.”

I offer this blog less as an admonishment of SMB executives as a reminder that they, too, are as susceptible to Social Engineering attacks like phishing and whaling emails as their employees. Executives need to be even more vigilant, though, as these attacks increasingly focus on them specifically and the sensitive nature of what they know and have access to.

To create a culture of Cyber Security that starts from the top down in the hierarchy of your organization, contact me personally at ericm@threatucation.com or 302-537-4198 to discuss a Cyber Security Awareness Training program tailored to you and your employees.

Cautionary Tales for SMBs from Hacked Water System

by

As you probably read or heard last week, the small city of Oldsmar, Florida, population 13,500, narrowly escaped a disaster from a cyber attack.

A hacker manipulated the Lye ratio in the water system of the city near Tampa using the remote access tools the city’s water department deploys to remotely manage the chemicals that make the city’s water safe to drink.

The story doesn’t tell us as much about the vulnerability of our nation’s critical utilities, however, as it does about what can happen when municipalities and businesses cut corners on the technology they use.

Oldsmar turned out to be fortunate in this case.

First, the hacker chose to access the system during working hours in full view of on-site staff, who immediately alerted their superiors to the attempts to drastically change the lye content in the water. Had the hacker attempted to do this after hours, the problem might not have been caught until the next morning.

Second, the water plant still remotely accesses the system with Windows 7 32-bit computers a year after Microsoft retired that operating system and declared it unsafe, but that was the least of the plant’s security transgressions.

The computers used to access the plant’s treatment control system shared the same password for remote access. In addition, all appeared to be directly connected to the Internet without a firewall.

Budget concerns justifiably come into play with cyber security measures at small municipalities, just as they do for small businesses.

But using different passwords, changing them from time to time, installing a firewall, and implementing multi-factor authentication offer low-cost protection that any organization can afford.

Another cost-effective measure would be cyber security awareness training for employees and management.

For information on what a security awareness training program can do for your business, visit https://threatucation.com, call me at 302-537-4198, or email me at ericm@threatucation.com.

Five Tips to Strengthen Security in Your Law Firm

by

No profession depends more on the confidentiality, integrity and availability of its data than law firms.

The information they collect forms the basis of all of their cases. Without it, they can’t represent their clients.

Because of the nature of that data, which includes PII, PHI, confidential and proprietary information, not to mention potentially embarrassing revelations, attorneys will be in the crosshairs of cyber criminals for the foreseeable future.

In fact, an analysis of public records by Law360 found that nearly 50 law firms reported data breaches in 2020 and that most were small and boutique firms. And that’s not all …

“There are probably many more attacks than what you’ve listed here. They just have not been documented in any official way,” said Claudia Rast, co-chair of the American Bar Association’s cyber security legal task force, to Law360.

The overwhelming majority of the 50 breaches (80%) was caused by human error or insider incidents.

To strengthen your firm’s security, consider the following five tips:

  • Secure Your Mobile Devices with Passcodes, Biometric fingerprint access, and Encryption
  • Create a culture of cyber security in your firm with policy-based Security Awareness Training
  • Watch Autocomplete in Emails to avoid inadvertently sending an email to the wrong person
  • Ensure remote devices and computers get the same protection at home and on the road as in the office
  • Consider multi-factor authentication on critical entry points to your network, such as computer logins, to prevent criminals from accessing it with a stolen user name and password caught up in a data breach that had nothing to do with your firm

Test Your Backups Regularly

by

Most businesses back up their data frequently. Some even back up to multiple locations in the event of a fire, hard drive failure, natural disaster, or theft.

But few realize the cyber security implications of TESTING your backups to ensure they work if you need to recover critical files or data after a Ransomware attack.

Backups fail anywhere between 5% to 25% of the time depending on the backup service used according to the research firm Gartner. Backups fail either in the backup process or in the recovery process.

If you have a Managed IT Services Provider, your backups should not only be monitored for failures but also tested regularly to ensure that files restore successfully when needed. The last thing you want is to end up in negotiations with the hackers after learning your backups won’t restore your files.

If testing your backups was not discussed when you signed up for an automated backup plan, or you simply don’t know if they are tested, ask your backup provider or backup software company if they are and if not, how to do this.

Backups should be tested on a regular schedule like this:

  • At least once a month, pick a random backup version date and restore a handful of files to see if they restore successfully (be careful not to restore over the current version of those files)
  • At least once a quarter, perform a deeper restore operation of numerous files from different backup dates, again being careful not to overwrite the current versions of your files
  • At least once a quarter, check all files in the most recent backup to be sure that you are backing up all files that you would need to restore
  • On a daily basis monitor your backups for failures. Any good backup software will let you know whether the backup succeeded or failed with an email or within the software itself
  • If you see errors at any stage of the backup or restore processes, resolve those issues or have your IT or backup service resolve them for you.

Keep in mind that if your data is critical to the operation of your business, you should perform the steps above more frequently to minimize the risk of partial or complete data loss when you need to restore from your backups.

For help implementing a backup testing program or an automated backup program if you don’t have one, call 302-537-4198 or email me personally at ericm@flexitechs.com.

Auto-Forwarded Emails Costly to Small Organizations

by

One of the least publicized but most dangerous cyber attacks against small businesses involves auto-forwarding emails to cyber criminals.

Hackers use Social Engineering tactics like phishing emails to con email login credentials out of unsuspecting users. The hackers then use those credentials to set up the compromised accounts to automatically forward the victims’ emails to themselves.

From there, the hackers can collect the victims’ forwarded emails to perform all sorts of frauds including Business Email Compromise attacks, Payroll Diversions, blackmail, extortion, malware infections, and the resale of Personally Identifiable Information or proprietary files.

The FBI considers it enough of a threat to warn businesses about such attacks after seeing losses from BEC’s in the U.S. of more than $10 billion from 69,384 victims from 2013 to 2019.

We have seen this attack ourselves at a client that lost more than 8,000 emails to the attackers before the scheme was discovered four months after an auto-forwarding rule was installed in an email account.

The lost emails included the PII of the client’s customers. The client had to notify each customer and offer free credit checks for a year. Had there been more than 500 PII records stolen, the client would have suffered the embarrassment of notifying the media.

In a typical BEC attack, a hacker pilfers the email user name and password of the victim with a phishing email that warns that their email account has been compromised and they need to log into their account and change their password.

Of course, the link in the phishing email takes the victim to a fake web page that sends the user’s original password to the hacker while the victim mistakenly believes they have protected their account by changing their original password.

The hacker then watches the victim’s account for emails with, say, suppliers and, mimicking a legitimate contact from one of those emails, sends a fake invoice that looks authentic enough that it is paid by the victim’s company.

The hacker might also jump into an email chain between the victim and a supplier about an order and submit their own quote or proposal to the victim in a malware-laced attachment.

To protect yourself against a forwarded email attack, consider these options:

  1. If you use Office 365 in your business, your system administrator can set an alert to notify you if email forwarding has been set up to automatically forward an employee’s emails. That forwarding rule can then be deleted.
  2. If you use another email program or service, routinely check your account for any auto-forwarding rules that you did not set.
  3. If your email service allows it, prohibit automatic email forwarding to external email addresses.
  4. Be wary of quotes, proposals and other emails seeking payments that do not match the tone of the contact you routinely work with or have spelling or grammatical errors. In those cases, call the contact if something seems amiss.

The FBI provides more information on BEC attacks here.

For help with disabling auto-forwarding emails, you can call us at 302-537-4198 or use our Contact Form to email us.

New E-Book! SMB Resolutions for 2021

by

New Year Resolutions for SMBs

Small business owners and CEOs face a number of continuing challenges, and even though COVID-19 continues to hamper growth, increasing productivity and efficiency while holding off cyber attacks will continue to be the main issues they must deal with.

For that reason, our sister company, FlexITechs IT Services, has produced a new e-Book, “New Year Resolutions for Businesses”, that addresses the primary areas small businesses should focus on to improve security and securely increase productivity. Included are important measures all SMBs can take in 2021 to enhance their cyber security posture.

For your FREE copy, click this link and submit the form and you’ll also be enrolled in our monthly e-letter that provides advice and tips on a variety of small business IT topics.

SMBs Not too Small to Hack

by

A colossal data breach like the one of Solarwinds should serve as a reminder that small business owners, too, need to keep an eye on their cyber security measures.

While data breaches at small businesses don’t generate those kinds of headlines, they do cause pain in the affected SMBs including not only financial losses but also operational disruption and loss of time and reputation.

In the past year, 35 percent of small businesses who experienced a data breach either closed their doors or filed for bankruptcy,  according to a survey of 1,006 small business owners by the National Cyber Security Alliance.

Additionally, in a 2019 Ponemon Institute study, 66 percent of SMBs said they suffered a cyber attack in the previous year, 69 percent said an attack eluded their intrusion detection system, and 57 percent reported succumbing to Social Engineering attacks like phishing emails.

The fact is, you’re not too small to hack.

Cybercriminals continually tune the efficiency of their mass attacks on small organizations because they handle the same types of sensitive information as large enterprises but don’t have the sophisticated security measures that big companies deploy.

They have also learned to target specific small businesses because of the unique value of their data or because of their relationships with larger companies.

So, the need for SMBs to pay attention to their data’s security has never been greater.

But, just how do you protect your data without breaking your bank account?

In its Q1 2020 Wave Security Awareness and Training Solutions document, titled “Behavior and Culture Reign Supreme over Awareness and Punishment”, Forrester Research determined that the best security awareness training vendors aim to change negative employee behaviors by fostering a culture of cyber security within organizations.

Threatucation’s motto has always been “Creating a Culture of Cyber Security in Small Organizations”. We have long championed this approach over phishing email simulations designed to punish an employee with a bad score for succumbing to a phishing test.

While phishing simulations are part of Threatucation’s Cyber Security Awareness Training program, we really create a culture of Cyber Security with our unique policy-based approach that helps employees understand the reasoning behind the policies, the ramifications of violating them to the company, co-workers, customers and board members, and how to recognize and properly react to cyber attacks.

The whole process takes just 3 steps, starting with a Cyber Security Risk Assessment to ensure the security measures you ultimately choose to protect your business actually match your data security requirements.

For a free, no-obligation Cyber Security Risk Assessment for your business, contact us at info@threatucation.com or 302-537-4198.

Data Breaches pose grave threat to SMBs

by

One of the most frightening and controversial statistics used in cyber security and cyber insurance advertising regards the impact a data breach has on a small business.

As the narrative goes, 60% of small businesses file for bankruptcy within six months of a breach. That number is often attributed to the National Cyber Security Alliance.

That’s a frightening number for obvious reasons but controversial because the National Cyber Security Alliance says it never stated or reported that figure.

So perhaps in response to the controversy that has embroiled the organization for the past half-dozen years over that claim (google it to see how many times it appears in the search results), the Alliance commissioned a survey of 1,006 small business owners and CEOs to get a better handle on what the actual figure might be.

The results aren’t a whole lot more encouraging.

More than one-third of small businesses responded that they filed for bankruptcy or closed their doors after a successful cyber attack. That’s 25 percent who filed for bankruptcy and 10 percent who went out of business.

That’s certainly not in the 60 percent stratosphere but it should give small business leaders enough pause to ensure that their cyber security measures meet their data handling needs.

In addition, 63 percent of small businesses in a 2019 Ponemon Institute study conducted for Keeper Security said they had suffered a data breach in the previous 12 months. Keep in mind this is just the percentage of small businesses that suffered a data breach, not the actual number that were attacked, which is 100 percent as every SMB receives phishing emails on a regular basis.

I state this often but it bears repeating often — you cannot protect your business with guesses. You must know what risks your specific business faces to make the most cost-effective decisions regarding the cyber security measures you need. The only way to do that is with a Cyber Security Risk Assessment.

If you need help with that, call Threatucation at 302-537-4198. Mention this blog post and we’ll conduct a free, no-obligation Cyber Security Risk Assessment for you.