Majority of Cyber Attacks Launched by Company Insiders

Business, technology, internet and networking concept. Young businessman working on his laptop in the office, select the icon cyber security on the virtual display.

According to figures released by IBM, nearly 60 per cent of all cyber attacks in 2015 were launched by “company insiders,” based upon data gathered from 8,000 of their clients’ devices. Though industry experts have warned for years that a company’s employees may inadvertently make systems vulnerable, IBM found that 44.5 per cent of attacks were, in fact, malicious.

It’s important to note that IBM defined an “insider” as anyone who had either physical or remote access to a company’s assets. While this would certainly include employees, it would also include business partners, contractors and vendors.

While insider threats can be difficult to detect, businesses can still work to prevent them. Above all, it’s important to have a cyber security plan in place—one that manages passwords in a mindful way and protects shared documents.

© Zywave, Inc. All rights reserved

4 Questions to Ask When Choosing a Cloud Computing Provider

cloud computingMoving an aspect of your business—like email, payment processing, data storage, etc.—to the cloud can help you save money and streamline processes. As an added bonus, cloud service vendors can handle administrative tasks like security, maintenance, backup and support, allowing you to focus on the day-to-day operations.

However, with so many cloud computing solutions and vendors to choose from, it’s hard to know what to look for.

To ensure the process goes smoothly and that you choose the right provider, it’s important to ask yourself the following questions:

  1. What’s the vendor’s track record? Before landing on a cloud solution, it’s important to consider the vendor’s reputation. In general, it’s best to find a company that has been in business for a fair amount of time and has a good history of service.
  2. What are the vendor’s capabilities? After understanding what you are looking for in a cloud computing solution, it’s critical that your vendor can meet your needs. Your provider should be able to implement your desired solution on day one and have the expertise to continually offer new ways to adapt to changing markets.
  3. What’s their pricing? A vendor may have everything you need, but could end up being out of budget. Determine a realistic amount you’re willing to pay for cloud services and compare that number to your options. It’s also important to only pay for what you use. Don’t be afraid to renegotiate if a company wants you to pay for extra bells and whistles you don’t need.
  4. Is my data safe? In an age where cyber crime is common and proprietary data can be lost with the click of the mouse, security is key. When researching vendors, ensure that you know the location of their data centres and what precautionary measures they have in place to prevent a hack. If possible, consult an expert to see if a prospective vendor is compliant with all applicable industry security standards.

Keeping in mind the above tips will ensure that, when the time is right to migrate your company’s data or processes to the cloud, you are prepared to choose a vendor that will help achieve your goals.

© Zywave, Inc. All rights reserved.

Global Spending on the Internet of Things May Reach $1.29 Trillion by 2020

Connect Planet Earth (Daylight)Today, there are more digitally connected devices than there are people on the planet. These immense networks are capable of supporting an array of applications—from the mundane to the sophisticated—and can help propel economic opportunities. This vast interconnected system of devices, vehicles and even buildings are all part of the Internet of Things (IoT)—and more and more businesses are investing in it.

According to the International Data Corporation (IDC), worldwide spending on the IoT will experience a growth rate of nearly 16 per cent, reaching $1.29 trillion by 2020.

According to the Worldwide Semiannual Internet of Things Spending Guide, spending is expected to be highest in the following three industries:

  1. Manufacturing ($178 billion)
  2. Transportation ($78 billion)
  3. Utilities ($69 billion)

The IDC reports that hardware, services and software will make up the majority of the investments. In general, modules and sensors that connect endpoints to networks will represent the bulk of hardware purchases. Things like telemetrics, health monitoring, smart home investments, and smart grids for oil and gas utilities are also major spending drivers.

While the IoT continues to change the way companies do business, each new device connected represents another potential point of access for criminals. In addition to the sheer number of connections available to hackers, the interconnectedness of IoT devices poses a new kind of threat. Accessing a single device could, in theory, give a criminal access to a person’s home, car, phone, work and many other smart systems.

To protect themselves, organizations must be proactive regarding their cyber security measures. And while cyber coverage is still in its infancy, the IoT will undoubtedly force the market to consider these new exposures as they develop.

© Zywave, Inc. All rights reserved.

Canada Ranks Poorly in Lost Revenue and Continuity After Ransomware Attacks

Skull and crossbones on binary code with message of infection. Eps10. RGB. Global colorsRansomware is a type of malicious software that is specifically designed to block systems or files until a victim—typically a company or high-ranking professional—has paid a sum of money to regain access. These types of attacks can be costly, sometimes averaging up to $50,000.

According to the recent report, the State of Ransomware, by malware remediation company Malwarebytes, Canadian businesses were among those most likely to pay ransomware demands. Additionally, the report, which examined 5,400 IT staff across Canada, the United States, the United Kingdom and Germany, showed that Canadian businesses ranked among the highest for lost revenue and business interruption following an attack.

In total, around 75 per cent of Canadian businesses admitted that they would pay an attacker to regain access to key systems and functionality. Other interesting findings from the report included the following:

  • Ransomware can impact more than the original infected system or file. In the report, Canada ranked the highest for ransomware penetration, as close to half of attacks affected 26 per cent or more of a company’s extended network.
  • Executives and senior-level staff are typically the targets of ransomware schemes.
  • On average, ransomware attacks in Canada were twice as expensive as those in the United States.
  • Business applications were found to be the most common vulnerability to ransomware in Canada. While email attacks are common in other countries, Canada’s strict anti-spam laws could be contributing to the lower number of email attacks.
  • Despite Canada ranking poorly in terms of business interruption and overall cost as it relates to the impact of ransomware attacks, 51 per cent of surveyed businesses claimed they were confident in their ability to stop an attack.
  • Health care and financial services were found to be the most common industry targets for ransomware attacks.

Ransomware attacks are a serious concern—one that continues to impact Canadian businesses. In the past year alone, more than one-third of security attacks in Canada were ransomware-related. To protect themselves from this ongoing threat, organizations should consider having a risk assessment done to determine and remediate potentially vulnerabilities.

© Zywave, Inc. All rights reserved

4 Things Companies Should Document to Improve IT Security and Disaster Response

IT Security word cloud conceptAn IT manager has the difficult task of overseeing people, processes and technology. And, if there isn’t a departmental emphasis on documenting pertinent information, overseeing a successful IT security program can be a difficult, sometimes impossible, task.

The following are a few items IT professionals should keep a record of in order to maintain efficient IT workflows:

  1. Incident response plans. An incident response plan not only helps companies prepare for potentially crippling IT disasters, but it can also give clients, partners and customers reassurance that an organization is committed to IT security.
  2. Key stakeholders. In the event of an emergency, it can sometimes be difficult to identify who is responsible for what. This can make responding to incidents difficult and confusing. To help ensure a quick response to incidents, identify who would be the decision-makers following a variety of scenarios.
  3. Common risks. Documenting IT information and processes not only ensures business continuity in the event of an incident, but it can help IT professionals prevent threats altogether. Experts recommend that IT departments rank their top five greatest threats and detail possible actions that the department can take if and when a threat emerges.
  4. Third-party providers. More and more IT departments are working with third-party providers, especially as data continues to move to the cloud. In the event of an incident, it is important that a company is equipped with a list of contacts if there is an issue with an off-site system.

As an added bonus to documenting key IT information and processes, other departments will be able to see how data security is handled at a high level. This not only reinforces the importance of IT infrastructure, but it can help promote company-wide buy-in as it relates to ongoing training and future security initiatives.

© Zywave, Inc. All rights reserved

Preventing Social Engineering Attacks

Social EngineeringReliable security systems can prevent losses for your business. While many businesses invest large sums of money into building sound physical structures and robust IT systems or even hiring on-site security guards, they often overlook the biggest security vulnerability—people.

No matter how dependable security systems might be, people with authorized access to those systems will always be a vulnerability. That’s why criminals have begun employing a series of tactics called “social engineering” to convince people to give them access—something that costs companies billions each year, and is completely preventable.

What is social engineering?

Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. In order to do so, social engineering relies upon a set of tactics that exploit psychological weaknesses and blind spots in order to convince victims to give social engineers what they want.

That’s what can be so dangerous about social engineering—criminals can use psychological blind spots to have employees willingly give unauthorized parties access, information or property. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor, or even an on-site visit from a “fire inspector” who demands access to the company’s server room.

Psychological Weaknesses

There are a number of different types of attacks, but social engineers almost always prey upon the following psychological weaknesses in order to get what they want:

  • Fear of conflict. People dislike conflict and confrontation and will use almost any excuse to avoid them. Social engineers exploit this by exuding confidence when they ask for information or physical access that they have no right to. When social engineers display confidence, most people prefer to comply with requests rather than challenge them.
  • Getting a deal. Confidence artists have always relied upon the greed of their victims; social engineers exploit a similar principle. These criminals have often been known to use gifts and giveaways to get victims to let down their guard. Sometimes, the giveaway itself will be used to masquerade a piece of malicious code that the unsuspecting victim then uploads to his or her computer.
  • Sympathy. Sometimes, social engineers employ a softer tactic, using charisma and humor to gain sympathy or to ingratiate themselves to an individual or group. By establishing rapport and breeding positive feelings, victims are too distracted to realize that they’re being scammed.
  • Need for closure. The need for closure is a well-documented psychological need, and one which social engineers exploit. In the event that they are ever questioned or confronted, social engineers who’ve done their homework will have an answer to any challenge or question likely to come their way. In most cases, any answer—even if it’s undocumented, unsubstantiated or blatantly untrue—offers people psychological closure, giving them the sense that they’ve done their due diligence.

Preventing Social Engineering Attacks

Educating your employees is essential to minimizing the risk of social engineering. Even the best security system will fail if employees willingly allow unauthorized use of their workstations or email their system credentials to a criminal. In order to make your educational efforts stick, consider employing the following strategies:

  • Encourage your employees to “Stop. Think. Connect.” The “Stop. Think. Connect.” campaign is a global initiative that encourages people to be smarter about online privacy and security. The motto is an easy-to-remember way to approach divulging sensitive information, both in person and online.
  • Make a personal connection. The same principles that make your company vulnerable can make your employees vulnerable in their personal lives. Show employees how the same practices for security at work will make them more secure in their personal lives as well.
  • Use “social proof” to your advantage. Social engineers will often deploy social proof—evidence of a large number of people or select important people engaging in a behaviour as proof of its validity—in order to gain compliance. Use that to your organization’s advantage by making sure executives and managers make security a top priority as an example for the rest of the company.
  • Train. Getting the information out there is important, but most adult learners retain more information when they receive interactive training. Consider specific social engineering training that encourages questions and incorporates interactive examples that relate directly to your employees’ work activities.
  • Test. Make sure your educational and training efforts work by conducting regular tests. Despite growing awareness of social engineering tactics like phishing, large numbers of people still open emails and click on links that they shouldn’t. Consider conducting an in-house phishing audit to find out just how many employees have taken their security training to heart.

Remain Vigilant

Your employees will always represent a possible vector of attack for criminals, which is why you should always remember the human factor when considering security. Just as your company upgrades systems and installs software patches, so too should you periodically remind your employees of best practices and determine what new tactics social engineers are using to exploit people.

©  Zywave, Inc. All rights reserved.

4 Takeaways from a Cyber Study

Cyber lock with chainsThe Scalar Security Study is an annual report that examines how prepared Canadian businesses are for cyber threats. Specifically, the study surveyed 654 IT and IT security practitioners to determine the average cost of a cyber attack, whether organizations feel prepared for cyber threats and what tactics they find most effective when it comes to protecting themselves. The following are some of the major findings from the study:

  1. The number of cyber attacks is increasing. Survey responders reported experiencing an average of 40 cyber attacks per year. This number represents a 17 per cent increase compared to last year’s report. It’s important to note that many of these cyber attacks related to the loss of sensitive information.
  2. Organizations are less confident in their ability to protect themselves. Cyber attacks are increasing in frequency and sophistication. What’s more, insufficient personnel or lack of in-house expertise were found to be the major reasons for why organizations felt unprepared for the increasing threat. In fact, only about 37 per cent of organizations felt they are winning the war against cyber criminals.
  3. Organizations are concerned about security threats from mobile devices. Mobile devices and applications were two of the major security concerns for organizations. These risks require both technological and internal governance to help mitigate the risk.
  4. Intellectual property is a major and expensive target of cyber criminals. The loss of intellectual property and other proprietary information due to cyber attacks impacted 33 per cent of the businesses surveyed, with the average cost of the loss coming in just under $6 million.

In addition to the above, the report found that cyber security threats will increase in severity. Businesses will need to adapt to the changing landscape if they are to protect themselves from the devastating losses associated with cyber crime.

©  Zywave, Inc. All rights reserved.

The Risks of Allowing Employees to Use Tablets

iStock_cell & tablet-000022454376SmallTablets and other such devices have become increasingly common in the average workplace. And, while these devices can be important for your employee’s daily work, they also represent a cyber risk if they are not properly managed.

The following are just a few of the major risks associated with having tablets in the workplace:

  • Mobile malware. Tablets are typically infected by malware via malicious apps and phishing scams. When this happens, a cyber criminal can gain unauthorized access to the device and associated network systems. In general, iOS tablets like iPads are safer from malware than Android tablets. However, mitigating the risk of malware typically comes down to the user. Workers should avoid downloading unfamiliar apps.
  • Loss of data. Following a security breach, data loss is inevitable. For tablets, this could mean that users are locked out of their devices altogether. To protect your business, employees should always back up their data, and ensure that no sensitive or proprietary information is stored on it.
  • Unsecured networks. Unsecured networks are a particular concern for tablets because they are easy to take on the go into areas with free and public Wi-Fi connections, like cafés and airports. These connections are not always secure and can be easily hacked by cyber criminals. To prevent this, employees should be reminded that no public Wi-Fi is safe. For further protection, offer a virtual private network (VPN) that your employees can utilize to safely use the internet off-site.
  • Theft. In addition to virtual threats from hacking and phishing scams, cyber criminals could just as easily steal the tablet itself. This could give them unlimited access to proprietary or personal information. To combat this, employees should never leave their devices unattended. Using a secure password can also help prevent theft of information.

Above all, employers should have a personal device policy in place that accounts for security threats. Employees should know what they can and cannot do with their devices and how to protect the sensitive information contained within. These policies should be extended to other personal devices with internet access, such as smartphones.

©  Zywave, Inc. All rights reserved.

The Fake President Cyber Fraud

CThe “fake president fraud” is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account. It may be hard to imagine that any of your employees would authorize a wire transfer to an unknown account, but law enforcement officials have seen a marked rise in the occurrence of this scam over the past several years.

What’s especially dangerous about this particular type of fraud is that many companies—even those with both crime and cyber policies—might not be covered unless they have a social engineering fraud endorsement on their crime policy. Read on to better understand how the scam works and what you and your employees can do to mitigate the risks.

Understanding Social Engineering

The scam’s success relies on criminals using something called “social engineering.” Social engineering refers to tactics that exploit common psychological weaknesses and preconceived notions about authority and social relationships to make people engage in certain behaviours. Often, that means exploiting patterns of behaviour that are automatic and subconscious, so that victims might not even realize what they’ve done until after the fact.

Because social engineering relies on exploiting your employees’ assumptions and subconscious thought patterns, it can be hard to recognize unless someone points it out. That’s why the best way to defend your organization is to learn how a scam works and educate your employees about it.

How Does the Fake President Fraud Work?

The fake president fraud may vary in some of its details, but it always contains four major elements.

  1. The “president” makes contact. Someone posing as a high-level executive in the company—often the president, CEO or CFO—will reach out to the target employee. This contact often occurs via email, either from a domain that is deceptively similar to the company’s actual domain, or via a “personal account.”
  2. The “president” asks for a wire transfer. The “president” asks the employee to wire a large sum of money to a foreign bank account. The employee might be told that the money is for a host of seemingly legitimate purposes (recent acquisitions, paying off debts, paying vendors, etc.).
  3. The “president” pressures compliance. At this point, many employees may question the unusual request or the break in typical company protocol. That’s when the “president” deploys psychological pressure on the employee to accept the scenario as genuine and comply with the request. Those pressures can rely on a number of different factors, including the following:
    • Authority: The criminal will emphasize his or her rank to convince the employee. This offers the criminal many options, such as using that authority to intimidate the employee or preying upon the employee’s desires to impress a superior.
    • Time pressure: Criminals will often claim that the transfer is an urgent matter, forcing the employee to ignore typical protocol and eliminate the chance that he or she might disclose the transfer to another party or verify the information before making the transfer.
    • Secrecy: Often deployed in conjunction with time pressure, the “president” may emphasize that this deal must remain secret for strategic or legal reasons. Having the employee “in” on the secret can make him or her feel special and thereby increase the chance that the transfer will go through.
  4. The employee makes the transfer. The employee contacts the bank, and the bank then makes the transfer. Even if it is unusual, the bank will transfer the funds to the account if the employee making the request is authorized to do so.

Why This Scam is NOT Covered by a Cyber Policy

This scam bears similarities to certain cyber scams, like spear phishing. Insofar as both kinds of scams involve sending emails targeted to specific employees, the tactics are similar. However, there are some crucial differences.

Spear phishing targets an employee in order to convince him or her to open an email or click a link, which downloads malicious code onto the employee’s computer and allows the criminal to access the company’s network. With phishing scams, the crime is an unauthorized data breach, and, as such, the exposure would be addressed by a cyber policy.

By contrast, in the fake president fraud, the employee willingly authorizes a wire transfer to the criminal’s bank account. Even though the crime was initiated via email, the fundamental criminal act is fraud, not data breach, and will not be covered by a cyber policy.

Mitigating Risks

There are a number of things companies can do to reduce the risk of falling victim to such a scam. These include the following.

  • Educate Employees. It’s essential that all employees—especially those who are authorized to make wire transfers—are aware of the scam and how it works. Ultimately, this scam works by preying on a number of psychological blind spots, including ignorance. Combat that by making your employees aware of the risk and diligent about company procedure.
  • Demand Adherence to Protocols. Your company should have protocols for authorizing the transfer of funds. Reinforce the importance of adhering to these protocols.
  • Verify Identities. This can be especially important if employees have infrequent contact with C-suite executives or if requests are frequently made remotely. Establish guidelines for independent means of verification if requests fall outside of established protocols or if timelines must be accelerated.

Make Sure You’re Covered

Insurance solutions for the fake president fraud are available, but they often come in the form of a specific endorsement on a crime policy.

© Zywave, Inc. All rights reserved.

Spear Phishing: Targeted Cyber Crime

The word password hooked by fishing hook“Phishing,” a type of cyber attack in which a hacker disguises him- or herself as a trusted source online in order to acquire sensitive information, is a common scam that can put employees and businesses at risk. However, more resourceful criminals are resorting to a modified and more sophisticated technique called “spear phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. And, when attacks contain personal information, they are much more difficult to identify as malicious.

For businesses, the potential risk of spear phishing is monumental. The 2015 Internet Security Threat Report released by Symantec Corporation, a company that specializes in security software, states that, globally, 5 out of every 6 large employers were targeted in spear phishing attacks in 2014, and that there was an average of 73 spear phishing email attacks per day.

How to Protect Your Business

Though it is difficult to completely avoid the risk that spear phishing attacks pose, there are ways to prevent further damage to your business. For example:

  • Be cautious when you are asked to divulge personal information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone. When in a Web browser, you can ensure a website is secure when you see a lock icon in the URL bar, or when an “s” is present in the “https” of a URL. The “s” stands for “secure” at the end of the normal “http”.
  • Some spear phishing schemes use telephone numbers, so be sure to never share information over the phone unless you initiate the call to a trusted number.
  • Never click on links or open attachments from unknown sources. Even opening a file that seems familiar can give a spear phishing attacker access to personal information stored on your device.
  • Ensure that your company’s security software is up to date. Firewalls and anti-virus software can help protect against spear phishing attacks.
  • Encourage employees to think twice about what they post online. Spear phishing hackers often attain personal information through social media sites. Make sure that employees know how to keep this information private to protect their own security as well as that of your business.

Regularly check all online accounts and bank statements to ensure that no one has accessed them without authorization.

 

© Zywave, Inc. All rights reserved.