Technology Advisor Blog

Key Takeaways:  Verizon Data Breach Investigations Report

Posted by Ann Westerheim on 7/29/19 5:07 PM

Each year Verizon publishes the much-anticipated Data Breach Investigations Report (DBIR). The report is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide. We'll cover some of the key takeaways in this post, and if you're interested in more information, we recommend checking out the full report.

One of the key takeaways is that small businesses are a prime target, with 43% of breaches affecting SMBs. Too many small businesses believe they're under the radar, and this isn't the case. Large, well-known businesses make the headlines when a breach occurs, but SMBs aren't safe. Ransomware as a service has become a big money maker. Any business that stores financial or other protected information is a target, and in the case of ransomware, what really matters is how important the data is to you. Can your business run without access to your data for days or weeks while you try to recover from a ransomware attack?

Another significant data point is that email is still the top threat vector for hackers to deliver malware to targets. After reviewing millions of malware detonations, Verizon found that the median company received over 94% of its detected malware through email. We have a mantra: "Think before you click!" Fake invoices and fake resumes fill the inboxes of busy professionals. We strongly recommend email security scanning AND employee training based on actual phishing test cases.

One of the biggest concerns from the report is that while attackers are quick to extract stolen data, defenders are distressingly slow to detect that a compromise even occurred. On average, 56% of the breaches identified in this report "took months or longer" to discover. The time it takes hackers to gain a foothold and then actually compromise the asset can be measured in minutes. Many businesses don't realize they are breached until the stolen info becomes public. We strongly recommend detection tools and Dark Web monitoring to help make sure threats are detected early for the fastest response.

Data breaches continue to make headlines, and this is the world we now live in. It seems no matter what defensive measures security professionals put in place, attackers are able to circumvent them. No organization is too large or too small to fall victim to a data breach, and no industry vertical is immune to attack. It's a scary situation, but there's actually a lot you can do at an affordable price to stay protected.

Having a sound understanding of the threats you and your peer organizations face, how they have evolved over time, and which tactics are most likely to be utilized can prepare you to manage these risks more effectively and efficiently. We strongly advise all businesses to work through a disaster recovery plan to make sure you have the right safeguards in place, appropriate to the size of your business, and to maximize your chances of a speedy response to a threat. The great news for SMBs is that many tools that were previously only available to enterprise-class businesses are now available at an affordable SMB price. The foundational security from years past (firewall, antivirus, and security patches) is NOT enough to provide an adequate protection level against today's threats.

Call us for a security assessment and we'll help make recommendations to stay protected.


Tags: cybersecurity, ransomware

2019 State of Cybersecurity - Lunch and Learn Presentation

Posted by Ann Westerheim on 7/26/19 9:18 AM

This past month Ekaru hosted a lunch and learn with over 50 local business leaders. Education and "the human firewall" are key components of any cybersecurity plan, and we're on a mission to educate our community. Here's a recap of the event.

The average cost of a cyber attack for a small business is $53,970. Big businesses make the headlines, but half of attacks are hitting smaller businesses. Cyber crime is now bigger than all other forms of organized crime combined!

To set the stage, we opened with a short video from Jimmy Kimmel Live. If you haven't seen this yet, it's worth watching!

It's very important for business owners to understand that threat actors can leverage the bad habits of well-meaning employees. Are you using the same password for many online applications? Are you sharing passwords? Are they easy to guess? Who in your organization will click on the bad link in an email and unknowingly help launch an attack?

In 2018, the Internet Crime Complaint Center (IC3) received over 350,000 complaints representing over $2.7 billion in losses. One of the major categories is BEC (Business Email Compromise), whereby a threat actor impersonates a known person to steal money, most commonly by wire transfer. Other types of threats include fake tech support scams, credit card scams, non-payment or non-delivery scams, and the list goes on. With the availability of cryptocurrency, criminals can hide their identity, and they're motivated to invent new attack methods.

Research by Barracuda Networks shows a "startling rise" in the number of account takeover attacks on Office 365, suggesting that hackers impacted 29% of organizations in March of this year alone.

One of the factors driving the rise in cyber crime is the convenience we all expect from our technology: being able to work from anywhere on any device. In years past, a business would keep all computers in an office protected by a firewall. Now the laptops, tablets, and smartphones travel all over, and they're harder to protect.

Some of the cybersecurity myths commonly held by small businesses include:

  • SMB owners don't believe their information is valuable to hackers (in a ransomware attack, the only thing that matters is how important your data is to YOU).
  • SMB owners think that cyber crime won't happen to them and that it only happens to big companies. Actually, half of attacks hit smaller organizations, but they don't make the headlines.
  • SMB owners think their IT team has everything covered. The reality is that the foundational security that's typically delivered (firewall protection, antivirus, security patch updates) just isn't enough anymore!

Some of the many different types of attacks were discussed in more detail. The bottom line is that there's a lot of money in cybercrime these days, and the threat actors are very clever in finding new ways to attack.

We recommend a framework for thinking about the roles of the data owner (the business owner), Information Technology (implementing and maintaining data systems), and Information Security (risk insights and mitigation strategies). We recommend starting with a Security Risk Assessment to understand what critical data needs to be protected, where it is located, and how it is protected. Then the gaps in protection become clearer. Each business owner needs to make an informed decision about the acceptable level of risk and security.

One of the analogies we encourage business owners to consider is how you protect your home. The first step is to identify what you're protecting (family members, pets, documents, valuables, etc.). Then you can consider the various ways to protect your home (locks, doors, windows, yard signs, etc.). For detection, there are many options: alarm systems, motion sensors, cameras, etc. The next two areas are Response and Recovery.

NIST - Home Security Analogy

Consider how you would change your home security if you learned about a major crime wave in your neighborhood. Effectively, this is what's happening in cyberspace right now.

The biggest threats we're currently seeing for SMBs involve ransomware. In a ransomware attack, the business data is encrypted and held hostage for a ransom. There's no guarantee that you'll get your data back from the criminals if you pay the ransom, and you'll be targeted for more attacks. Cyber insurance typically won't cover all the damages. We covered a few examples in the presentation of an innocuous-looking email arriving at the company, such as a resume, and hard-working employees accidentally opening the email and inadvertently assisting in the launch of an attack. In other types of emails, passwords can be compromised and then wind up on the Dark Web.

Education is a key first step to understanding the threats. It's important for businesses to make sure all employees know about the risks and what to look out for. In fact, the Massachusetts Data Security Law (and various other industry regulations such as HIPAA) REQUIRE ongoing employee training.

Next on the list is a complete assessment to understand the current state of security and identify the gaps. There's no such thing as 100% security, but there are many affordable options for small businesses to increase security and decrease risk.

Call us for an assessment or for training for your employees. We're here to help!


Professional Tax Preparers: Do you have a Written Data Security Plan?

Posted by Ann Westerheim on 7/25/19 9:01 AM

The IRS has issued a reminder to all practitioners that all "Professional Tax Preparers" must create a written data security plan to protect clients.

The IRS and Security Summit partners are reminding tax preparers to take time this summer to make sure the plan is in place. It's required by federal law!

"Protecting taxpayer data is not only a good business practice, it's the law for professional tax preparers," said IRS Commissioner Chuck Rettig. "Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business."

The FTC-required information security plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. This is very similar to the Massachusetts Data Protection Law requirements that went into effect in 2010.

According to the FTC, each company, as part of its plan, must:

  • designate one or more employees to coordinate its information security program;
  • identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

It's important to note that the plan is to be designed around the company's size and complexity. The security coverage doesn't need to be expensive, but it needs to be comprehensive. There are many affordable options available to smaller organizations, so don't put this off and risk your clients and your reputation.

Summer is a great time to step up security! Ekaru has a lot of training materials and affordable security options for small businesses, so if you have any questions about your existing security and risk level, give us a call!

For more information, you can access the full IRS post here.

Tags: MA Data Security Law, cybersecurity, ransomware
