Securing Remote Employees is the Top 2021 Cybersecurity Challenge for Organizations

Security vendor CheckPoint provides insight into organizational cybersecurity priorities for the next two years, and into where cybersecurity is going to be most challenging.

It’s no secret; cybersecurity has become much harder this year. The pandemic has taken a toll on every organization’s cybersecurity posture, making it increasingly more difficult as more users want to work from home and cybercriminals step up their game to take advantage of this “new normal.”

New survey data from CheckPoint highlights where the problems are and what organizations are planning on doing about it:

  • 58% of organizations feel they are facing an increase in cyberattacks since the pandemic
  • 95% say they changed security strategies mid-year
  • The two biggest security challenges are remote workers (47% of orgs) and protecting against phishing and social engineering attacks (42%)
  • Securing remote working is the top priority for the next two years (cited by 61% of orgs)
  • Half of orgs say their new security approach is here to stay, even after the pandemic subsides.

With a remote workforce, it’s imperative that organizations improve their security posture, including for users working on a home network and a personal device. Security Awareness Training is the one part of your security strategy that can be applied easily regardless of where the user works, what device they are on, and so on.

Organizations look to be getting serious about how they will maintain the same levels of security they’ve enjoyed for years within the corporate network now that a material portion of their workforce works remotely. Ensuring the user plays a part in that strategy is going to be the critical element that determines whether the org is truly secure moving forward.


Beware of Puppy Scams

Researchers at Anomali have discovered eighteen scam websites offering pets for sale. Most of the websites purport to be selling dogs, although some offer cats and birds as well. The sites are all operated by the same group of scammers, who use similar social engineering tactics to lure people in.

“The websites all share similar and sometimes identical text in their reviews/testimonials pages,” the researchers write. “There are also numerous typos in the testimonials with one post discussing how a German Shepherd had ‘hatched’ and was available, which is a clear copy-and-paste error from the actors’ bird fraud websites.”

While the scammers’ writing skills won’t win any awards, the photos of puppies may be enough to get people to lower their defenses. If a user clicks the “Buy me!” button, they’ll be taken to a contact form where they can get in touch with the scammers.

The researchers explain that the scammers are exploiting the holiday season as well as the increased demand for pets amid the pandemic.

“The COVID-19 pandemic has increased pet purchases as stay-at-home policies and remote work makes people seek companionship from their animal friends, a condition that may amplify the bad actors’ ability to run a more successful scam,” the researchers write. “Furthermore, these scams focus on purebred dogs, which again are increasingly difficult to find.”

Anomali offers the following tips for users to avoid falling for scams:

  • “Be extremely cautious if the price is too good to be true.
  • “Be extremely cautious if the site does not provide you with the owner’s names, address, and social pages.
  • “Pay attention to elaborate testimonials that are too good to be true. They are often copied too, so you may google a part of it to see if it is unique.
  • “Pay attention to typos and phrases like “Labrador baby had hatched”; scammers are often sloppy in their templates and have bad English.
  • “If they give you a phone number, try Googling it. Often the fraudsters use the same phone number for different schemes, and it might be already listed on some scam lists.
  • “Be extremely careful if you are advised to pay for your future pet with Bitcoins or gift cards, which is even more suspicious.”

And besides, people who can’t keep the puppies and the hatchlings apart in their own minds can hardly be reliable pet sellers. And, as always, new-school security awareness training can teach your employees to follow security best practices.

Anomali has


Cybercriminals Attempt to Exploit Australian Fears on COVID-19

The bad guys are attempting to take advantage of Australian fears of COVID-19 in 2021. ID Care, the national identity and cyber support service of Australia and New Zealand, recently warned of COVID-19 phishing attacks using deepfakes that are set to launch in 2021.

ID Care analysts stated that the cybercriminals will likely use the COVID-19 vaccine as a lure through the first half of 2021. “This is likely to lead to an increase in phishing scams, with the intent of scaring people into clicking on harmful links,” stated the service provider.

The bad guys could also take advantage of check-ins with QR codes. “And when you think of the information stored on there – your name, address and phone number – this information could be a honeypot for cyber criminals,” the service stated. It’s important to also be vigilant about deepfakes – a realistic, computer-generated video or audio recording of someone well-known. “And don’t believe every video clip you see of a famous person, whether it be a celebrity endorsing cryptocurrency or a President giving a “speech” via YouTube,” ID Care said.

Fortunately, vaccine providers Pfizer and Moderna are already working in tandem with the U.S. Department of Homeland Security to prepare for incoming vaccine scams. It’s important not to open links in unfamiliar emails or reply to texts you don’t recognize. ID Care expects the scammers to pose as health officials or government agencies, so do not release any personal information whatsoever.

With the new year already facing potential attacks, it’s important to continually educate your users about the latest threats. New-school security awareness training can teach your users how to analyze and report suspicious activity in their day-to-day job functions.


Private Online Shopping Risks Affect Businesses, Too

Consumers aren’t the only ones who can be victimized by social engineering attacks while shopping online, according to Arab News. Employees who use work devices for personal shopping are at risk of falling for scams and potentially letting attackers into the company’s network. Arab News quotes Werno Gevers, regional manager at Mimecast Middle East, discussing the findings of Mimecast’s recent report on how employees use company-issued devices.

“The research showed that 81 percent of participants had received specific work-from-home cybersecurity training, yet 61 percent still admitted to opening emails they thought were suspicious,” Gevers said. “This shows that while there is a lot of awareness training offered, the content and frequency is completely ineffective at winning the hearts and minds of employees to reduce today’s cybersecurity risks. Training needs to be regular and memorable if organizations are to protect workers and company systems from compromise.”

Cybersecurity expert Abdullah Al-Jaber told Arab News that employees should avoid using company devices for personal matters.

“Don’t use a work laptop for personal use, such as emails and surfing the Internet,” he said. “Make sure to enable two-factor authentication whenever available on any platform and use complex passwords that cannot be guessed easily. And, of course, report any suspicious emails or calls.”

In addition to attacks that affect an organization directly, phishing campaigns that impersonate a company’s brand can impact the company’s reputation.

“As part of its regular security research, Mimecast monitored 20 leading global retail brands and found almost 14,000 suspicious, recently registered website domains using names related to those brands,” Arab News says.

While these attacks aren’t the fault of the impersonated organization, Gevers explained that they can still have an impact on the organization’s reputation.

“The damage to a company’s reputation following a successful online brand exploit can take a long time to repair, so it’s in the best interest of the organization and its customers to take preventative measures,” Gevers said.
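The brand-domain monitoring Mimecast describes above can be approximated with a small triage script. The following is an added example, not code from Mimecast, Arab News or the original post: it scores a feed of newly registered domain names against the brands you defend and flags embedded brand names, homoglyph substitutions (0 for o, rn for m), near-miss spellings and same-name registrations on an unexpected TLD. The brand names, the known-good domain list and the registration feed are all constructed placeholders.

```python
"""Triage newly registered domains for brand impersonation (added example)."""

# Constructed brand names to defend and their known-good domains (placeholders).
BRANDS = ["acmestore", "globalmart"]
KNOWN_GOOD = {"acmestore.com", "globalmart.com"}

# Character substitutions commonly seen in lookalike domains.  This is a heuristic:
# a legitimate label containing "rn" is also normalised to "m", so treat hits as
# candidates for review, not verdicts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_label(domain):
    """Second-level label of a domain.  Assumes a single-part public suffix
    (.com, .net); multi-part suffixes such as .co.uk would need a suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo homoglyph tricks and separators so 'acme-st0re' compares as 'acmestore'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "").replace("_", "")


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brands=BRANDS, known_good=KNOWN_GOOD):
    """Return (reason, brand) if the domain looks like an impersonation, else None."""
    domain = domain.lower().rstrip(".")
    if domain in known_good:
        return None
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if label == brand:
            return ("tld-swap", brand)          # exact brand name on an unexpected TLD
        if norm == brand:
            return ("lookalike", brand)         # differs only by homoglyphs/separators
        if brand in norm:
            return ("brand-embedded", brand)    # e.g. acmestore-support
        # Allow two edits for longer brand names, one for short ones.
        if levenshtein(norm, brand) <= (2 if len(brand) >= 8 else 1):
            return ("typosquat", brand)
    return None


def triage(feed, **kwargs):
    """Map each flagged domain in a registration feed to its (reason, brand)."""
    hits = {}
    for domain in feed:
        result = classify(domain, **kwargs)
        if result:
            hits[domain] = result
    return hits


# Constructed sample of "recently registered" domains; these are not real registrations.
SAMPLE_FEED = [
    "acmestore.com",            # the brand's own domain
    "acmest0re.com",            # zero in place of 'o'
    "acmestore-support.net",    # brand embedded in a longer label
    "acmestroe.com",            # transposed letters
    "globalmart.shop",          # same label, different TLD
    "example.org",              # unrelated
]

if __name__ == "__main__":
    for domain, (reason, brand) in triage(SAMPLE_FEED).items():
        print(f"{domain:28} {reason:16} impersonates {brand}")
```

Feed a daily newly-registered-domain list into `triage` and route the hits to whoever handles takedown requests; the thresholds are deliberately loose, because a missed lookalike costs more than a few false positives that an analyst can dismiss in seconds.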

New-school security awareness training can enable your employees to follow security best practices and avoid falling for social engineering attacks.


Wedbush Analyst: “Cybersecurity spending will increase 20% in 2021 Due To SolarWinds.”

Wedbush senior tech analyst Dan Ives says cybersecurity spending will increase by 20% in 2021 as more companies ramp up protection following the SolarWinds hack that compromised state agencies and corporations including Microsoft.

Ives said he’s very bullish on cybersecurity stocks given a “perfect storm of demand” in the field. He raised price targets for several cybersecurity stocks in a Sunday note. Names specifically in advanced threat detection, zero trust architecture, data security, and identity security will see a near-term surge of budget allocation based on the nature of the SolarWinds hack, said Ives. Story at Business Insider:

https://markets.businessinsider.com/news/stocks/cybersecurity-stock-outlook-impact-of-solarwinds-attack-further-acceleration-wedbush-2020-12-1029912129


Eye-Opening Password Predictions: Remote Work Will Increase Risk for Data Breaches

Ponemon’s State of Password and Authentication Security Behaviors Report analyzes password and security behaviors over time, and similar trends recur from year to year. We wanted to take a deep dive into the reports of years past and offer some predictions as we move closer to 2021.

We’ll start with 2019 – according to the report, extremely poor password management habits by those in IT were making a hacker’s job much easier. One of the most surprising stats from that report was that 51% of IT admins reuse the same password across an average of five business and/or personal accounts.

Now onto 2020 – the updated report had several findings, including that two-thirds of IT organizations (67%) still follow older practices such as requiring periodic password changes, a recommendation Microsoft has officially retired. It also revealed that 20% of users don’t take any steps to secure passwords.

What similarities can we find year over year? For starters, re-use of the same passwords across multiple accounts is still happening a lot. Password policies are also not being updated, with organizations still sticking to the old-school approach. This lack of best practices has also shown an increase in data breach attacks year over year.

The only wrench in the 2020 report was the COVID-19 pandemic, which caused millions of companies to move to a remote workforce. With 2021 still moving in that direction, there is some cause for concern about what next year’s report will look like. We have some predictions:

  • Increase in attacks on multiple accounts – according to a recent report from Security Magazine, 53% of people admit to reusing the same password for multiple accounts. Now that users are working remotely, there is a larger attack surface for the bad guys to go after.
  • Password re-use will continue – without strict password policies, users will continue down the spiral of reusing the same passwords on multiple accounts.

As we continue to work in a remote environment, user education is of high importance. New-school security awareness training can keep your users informed about good password hygiene and avoid potential data breaches.


Beware! The Holidays Bring the Worst Out in Cyber Scammers

With emotions running high, time running out to get that last needed gift, and a returned focus on family and what’s truly important, scammers are taking advantage at every turn.

Every year – and this year in particular as people are looking to the holiday season to bring back some resemblance of normalcy – cybercriminals find a myriad of ways to use holiday-themed scams and use social engineering to fool victims out of credit card information and even hard-earned money. And with COVID putting a damper on in-person shopping, the massive reliance on online shopping makes the bad guy’s job even easier.

Some of the common scams to be mindful of include:

  • Social Media Deals – that convenient ad on your favorite social media site can take you to what appears to be a legitimate website (that you’ve never heard of) offering the perfect gift for someone you care about at an unheard-of price. And once they have your credit card details, they can be used or sold within minutes. Remember, even criminals can pay to have ads posted…
  • Charity Scams – A simple pulling of the heart strings with an email, social media post, etc. about how you can help is designed to take advantage of your giving spirit. Be sure any charity asking for your money is legitimate before giving.
  • Fake Shipping Notifications – sent via email or text, the simple message that delivery is being delayed and may not make it by Christmas is all that’s needed to get the potential victim invested enough to need to find out more, click links, provide credentials, etc. Any legitimate shipping notification will provide some details you already know (e.g., the company shipping the item, your address, etc.).

There are many more – free gift cards, payment declines, look-alike websites, etc. What’s needed is to be mindful that not everything one reads, is sent via email, is received via text, etc. is real; a modicum of suspicion and scrutiny is needed, even while staying in the holiday spirit.


Over Half of Users Admit to Reusing the Same Password on Multiple Accounts

New data reported earlier this year by Security Magazine, drawn from a Secure OAuth report, shows that 53% of users reuse the same passwords on multiple accounts. Among those, 44% admit to using their personal passwords at work.

Additional findings include that management has the worst password hygiene. Only 38% of those in leadership positions say their work passwords are unique, and 34% of those at Director level admit to using one of the most common passwords.

In 2018, OpenVPN reported that the number of employees reusing common passwords on their accounts was only 25%. This year, the percent has nearly doubled.

Password sharing also runs rampant in the office, with text message being the common way people share a password. As most users continue to work in a remote environment, it’s important to teach your users how to have healthy password hygiene to avoid any potential data breach or malicious attack.

One way to stop users from reusing passwords is to invest in a password management system, which stores complex, unique passwords so users don’t have to remember a laundry list of them. You can also implement effective password policies, such as setting how often users should update their passwords, or consequences if a common password is used.
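The policy points above (rejecting common passwords and stopping reuse) can be enforced at the point where a password is set. The following is an added example, not part of the original post and not any vendor’s product: a Python acceptance check that rejects short passwords, passwords on a common-password list (including the “Welcome2021!” style of padding a common word with digits and punctuation), and any password that matches the user’s own history, which is kept only as salted PBKDF2 hashes. The common-password set and the sample passwords are constructed; a real deployment would load a full breach-derived list.

```python
"""Password-acceptance policy check (added example)."""
import hashlib
import hmac
import os

# Constructed sample of common passwords; a real deployment loads a full
# breach-derived list (millions of entries), lowercased.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein", "summer2020"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-entry random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the password matches any (salt, digest) pair in the user's history.
    Constant-time comparison avoids leaking which entry matched."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def evaluate_password(candidate, history=(), common=COMMON_PASSWORDS):
    """Return a rejection reason, or None if the candidate is acceptable."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    lowered = candidate.lower()
    # Catch "Welcome2021!" style padding: strip trailing digits and punctuation
    # before checking the common-password list.
    core = lowered.rstrip("0123456789!@#$%^&*.?")
    if lowered in common or core in common:
        return "common password"
    if in_history(candidate, history):
        return "reused password"
    return None


class PasswordHistory:
    """Per-user password history kept as salted hashes only, never plaintext."""

    def __init__(self, keep=10):
        self.keep = keep
        self.entries = []

    def set_password(self, candidate):
        """Apply the policy; on success record the new password and trim history."""
        reason = evaluate_password(candidate, self.entries)
        if reason is None:
            self.entries.append(hash_password(candidate))
            self.entries = self.entries[-self.keep:]
        return reason


if __name__ == "__main__":
    user = PasswordHistory()
    attempts = ["Welcome2021!", "CorrectHorseBattery9",
                "CorrectHorseBattery9", "CorrectHorseBattery9-v2"]
    for attempt in attempts:
        print(f"{attempt!r:28} -> {user.set_password(attempt) or 'accepted'}")
```

The check has no periodic-rotation clock on purpose: as noted above, two-thirds of organizations still require periodic changes even though Microsoft has retired that recommendation, and forced rotation is what pushes users toward the predictable suffix tricks the `core` check is there to catch.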

Consistent education is essential in ensuring your users are prepared with the tools to apply these best practices to their day-to-day work functions. New-school security awareness training can teach your users tips and tricks for keeping the bad guys from infiltrating their accounts.


Data Breaches Are Expected to Decline While Ransomware and BEC Gain Steam

A new report from the Identity Theft Research Center discusses which cybersecurity attacks will be most impactful next year as part of the ITRC’s 2021 predictions.

It’s a pivotal moment when an organization primarily focused on helping individuals with identity theft takes the trouble to say that cybercriminals are less focused on making the consumer a victim and more interested in attacking organizations. When they say it, you should be listening.

And that’s exactly what was reported in this year’s ITRC 2021 predictions. According to the ITRC, cybercriminals are generating more revenue through ransomware attacks and business email compromise (BEC) via phishing schemes than they are via individual consumer scams or consumer behavior.

According to the report:

“Cybercriminals are focusing on cyberattacks that require logins and passwords to get access to corporate networks for ransomware or Business Email Compromise (BEC) scams. These attacks require less effort, are largely automated, the risk of getting caught is less, and the payouts are much higher than taking over an individual’s account. The average ransomware payouts for all businesses have grown from less than $10,000 in Q3 2018 to more than $178,000 per event by the end of Q2 2020. Large enterprises are making average ransomware payments of over $1 million. BEC scams cost businesses more than $1.8 billion in 2019.”

And because a consumer-focused organization is saying this, it’s even more imperative that you take note and do something about it. The use of phishing is a constant in both BEC and ransomware scams. Teaching users not to engage with such malicious content via Security Awareness Training is a critical part of a strong security defense that stops attacks before they gain a foothold within your organization.


Zoom Phishing is Still Rampant

Cybercriminals are still using Zoom and other conferencing platforms as phishbait, according to Zlati Meyer at Fast Company. This phishing theme isn’t likely to let up any time soon, so employees need to know how to recognize these scams.

“The bait is decorated with the Zoom logo and sent via text, email, or social media message to say that your account has been suspended (but can be reactivated by clicking on the attached link), that you missed a meeting (but can click on the link to find out the details and schedule), or that Zoom is welcoming you (but you need to click on the link to activate your account), according to the Better Business Bureau,” Meyer writes. “Of course, the link does none of those things and instead downloads malware to your computer or mobile device or takes you to a login page where you need to enter your login and password, which lets the thieves gain access to other accounts with similar combinations.”

Edgar Dworsky, founder of Consumer World, told Fast Company that this trend isn’t surprising, since scammers always capitalize on what’s popular at the moment.

“For people who are in this business of doing phishing schemes, it becomes the scam du jour,” Dworsky said. “What’s popular now? How can I capitalize on something that’s in people’s minds, that they use? The timeliness and popularity is something they look for.”

Dworsky added that scammers exploit the fact that Zoom notifications are something employees have to pay attention to for their jobs.

“They create a sense of urgency, because they know you have some upcoming meeting and need to fix this,” Dworsky said. “With any one of these phishing scams, you have to look before you click. The relevance lends credence to the fact that that’s legit.”

New-school security awareness training with realistic, up-to-date phishing simulations can help your employees recognize social engineering tactics.
