If I go into your house and take all of the things important to you, lock them away in a safe and I am the only one with the key and I tell you that you will have to pay me to get the stuff back, that’s ransomware.
Cybersecurity experts are warning that by 2021, businesses will fall victim to ransomware every 11 seconds. That’s down from every 14 seconds in 2019.
Can you imagine being one of those businesses?
Having to make the decision—do I pay the ransom, knowing that I will be fueling more attacks on businesses potentially in my community—or risk not being able to recover because I’ve never personally tested or seen that my backups are good enough or even secure enough for my organization to withstand an attack?
The cost of ransomware in 2021 is estimated to hit 20 billion dollars annually. Global estimates of the cost of cybercrime are now nearing 6 trillion dollars—yes, that’s trillion with a ‘T’.
As big money continues to pour into cybercriminals’ hands, one thing seems obvious: there is no stopping the flood of talented people into cybercrime. They are going where the money is, and it is not in protecting your businesses.
Over half of attacks today begin with phishing—primarily targeting very specific people in your organization. While preparing your team for phishing attacks and teaching them to identify the unique characteristics of those attacks is important, one of the best ways security experts still advise to protect your data is to make sure your patches and critical system updates have been successfully applied.
Every year, hundreds of thousands of security vulnerabilities are announced, but in most of those instances, our organizations do nothing because we are not made aware of what is going on or because there are just too many to handle and visibly control.
In nearly every cybersecurity insurance case last year, network vulnerabilities were partially to blame for the devastation left by a ransomware attack.
One major problem with updating computer systems across the network? Experts typically find that between 35 and 50% of an organization’s systems have not had all available patches applied. That means that within your organization, you might have half of your team walking around susceptible to a hacking event. Does it make you feel good that your remaining line of defense is phishing training?
Here are some additional ways to protect your network:
Remind your employees about updates—explain to them with stories why updates are important. Get them engaged in making sure their computers are patched—to protect their personal and their clients’ information. Make sure to put faces to stories to really highlight the importance of security.
Share examples of threats—share examples of threats with your entire team. Even if they aren’t related to emails, it’s good for your team to understand how criminals are getting onto networks so that they can see where they fit in across the board.
Give them ways to speak up—create ways for your team members to bring up issues or questions they have about security. Whether it’s for their personal data or at work, the more security-minded and involved your team is in bringing up problems, the better off they will be in keeping your organization secure.
Unfortunately, no one is immune to an attack or breach. But if you keep your team up to speed and they embrace security, you will be better off.
Mobile phishing campaigns could be targeting your bank. In fact, phishing attackers are targeting bank accounts more in 2020 than ever before. Criminals have found that the easiest way to get in is through your mobile phone. Some of the recent targets? Capital One and Chase are two of the dozens of phished banks that have been identified recently.
Hackers are using automated SMS tools to blast bogus security text messages to you and have successfully snatched accounts from thousands so far—that’s out of the millions receiving these texts.
Mobile campaigns will become the new normal in 2020
We predict that mobile-based attacks will grow more prevalent in 2020 than ever before. As people become more cautious of email phishing attacks (though even those are easy to forget about), criminals have started exploiting mobile-based texting attacks more and more.
These SMS-based messages can include a link to a phishing page (mirroring a legitimate bank page).
These phishing pages are built to look like legitimate mobile-friendly web pages. They have login pages mirroring the mobile site at your bank. They completely mimic the layout of the bank’s applications and sizing, along with its links—including its privacy and security policies or account management pages.
Hackers want you to never catch on to their scheme.
By mimicking the experience you get on the bank’s legitimate mobile site, they are hoping you will be none the wiser by the end of your login and experience with their fake mobile portal.
By doing this, they are making sure that you will not get alarmed, change your credentials or alert your bank to the scam.
They are playing the long game. At some point when you least expect it—they will start siphoning money out of your account. They will take as much information as possible—your purchase history and behaviors—to be able to impersonate you in your digital life.
Why Text Messages?
Since mobile users are less likely to scrutinize SMS messaging AND since mobile providers have not kept up with spam technologies implemented in email systems, you are less likely to even tell the difference between a legitimate and malicious text.
On top of that, mobile browsers do not display entire URLs, making it harder for you to even determine whether the site that text is linking you to is legitimate.
Lots of banks have been impacted, several of them in the US.
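The point about truncated mobile address bars is easy to see in code. This is an added example, not part of the original post: it pulls every link out of a few constructed sample texts, extracts the full hostname, and compares the registered domain against a placeholder bank domain (examplebank.com is an assumption, not a real bank), so you can see what a narrow address bar hides.

```python
import re
from urllib.parse import urlparse

# Placeholder for the bank's real domain (assumption for this example, not a real bank).
LEGITIMATE_BANK_DOMAINS = {"examplebank.com"}

# Constructed sample SMS messages; none of these are real campaigns.
SAMPLE_TEXTS = [
    "Security alert: unusual login. Verify at https://m.examplebank.com/login",
    "Your account is locked. Restore access: https://examplebank.com.verify-account-login.example/m",
    "Reminder: your statement is ready at https://examplebank.com/statements",
]

URL_RE = re.compile(r"https?://\S+")


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels of the hostname.

    A production check would use the public suffix list; this is enough to show
    that the *end* of the hostname decides ownership, not the start.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def truncated_display(url: str, width: int = 26) -> str:
    """Mimic a narrow mobile address bar that shows only the first `width` characters."""
    return url if len(url) <= width else url[:width] + "..."


def check_sms(text: str) -> list[dict]:
    """Return one verdict per link found in an SMS body."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        domain = registered_domain(host)
        results.append({
            "url": url,
            "displayed_on_phone": truncated_display(url),
            "full_host": host,
            "registered_domain": domain,
            "legitimate": domain in LEGITIMATE_BANK_DOMAINS,
        })
    return results


if __name__ == "__main__":
    for text in SAMPLE_TEXTS:
        for verdict in check_sms(text):
            print(verdict)
```

The second sample shows the problem: the address bar renders as "https://examplebank.com.ve..." while the registered domain is actually "verify-account-login.example".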
What if you click on the link in a malicious text?
If hooked, you will be prompted for information. You probably will be prompted to divulge answers to security questions like date of birth, credit card expiration date, account number, along with standards like username and password.
Before logging in, the criminal wants to gather as much information as possible so they can log in from an unrecognized device. And if two-factor authentication is set up on that account, they want as much information about you as they can get, so they can verify “who they are” over the phone if they are not able to bypass your bank’s security.
The bottom line: there is always a way in; some ways just take longer and are more tedious. In many difficult cases, a criminal will likely opt to move on to the next victim (cybercrime is very much a numbers game).
You may have already grown accustomed to texts from your bank
With increased use of multi-factor authentication for banking, you are probably already used to text messaging in banking. This added security has likely made your trust in bank texts a little higher than it should be.
Criminals are realizing that text messaging may be a good way of getting your attention and that it’s been an effective way of getting people to comply with their demands.
What to do the next time you get a text?
Treat texting like email. Revisit your phishing training in the context of texts. If someone is asking you to log in via text, reconsider clicking on that link. If someone you know is asking for information or money, call them at a number you trust. Just keep a skeptical eye on things that come into your inbox, whether email or texts.
Do you know where the holes in your network are? Are you concerned about them? Do you even know TO be concerned about them?
As I talk to business leaders it has become increasingly clear that network security—especially understanding where you fall in network security to secure your sensitive data—is non-existent within many organizations.
One of the easiest ways to see where your security holes are?
Experts recommend performing a gap analysis to evaluate where your information security program stands today and where it should be.
How can you ensure that you are properly addressing gaps and remediating security vulnerabilities within your organization?
Measure your progress.
One of the easiest ways to make sure you are reaching your goals when it comes to security is by measuring your progress, performance and outstanding risks. Performing a continual gap analysis will provide you with a way of tracking security within your organization and will help you devise metrics that create acute awareness as to whether you are filling in the security gap.
Practically speaking, think of every gap identified through gap analysis as a homework assignment for your IT team. One easy way to measure how your team is doing on its assignments is to assess progress against those assignments. This will involve several steps:
Define your desired outcomes—what does “good” security look like in one area of network security? For passwords, it might be having a policy that gets your team to actually change passwords at regular intervals and helps them understand how and why secure passwords are important.
Determine intermediate milestones—any long-term goal will likely need continual feedback. Think of bigger security initiatives within your organization as akin to bigger homework assignments. Instead of writing a 10-page paper and calling it done, your milestones might be to create a topic outline, write topic sentences for each paragraph, research any topics you are unsure about and then put together content paragraph by paragraph.
Similarly, for larger initiatives, make sure your team has broken down the bigger project into smaller milestone tasks that can be tracked (completed or not completed). Assign someone within your IT team responsible for those tasks and hold them accountable to their completion.
Devise ways to measure intermediate progress—as I mentioned above, understanding that progress is being made on a larger initiative is critical to its completion. Make sure that your team has broken down tasks into digestible week-by-week assignments and hold them accountable for getting those done. Consider holding a weekly meeting to determine what has been done and what has been missed. If you notice tasks getting missed, devise a plan to get your team back on track.
Set realistic timelines—if a lot is getting missed because your team has a ton on its plate, take a step back and redefine priorities or timelines. In order to be successful, it’s always best to set SMART goals (specific, measurable, attainable, relevant and time-bound).
Continually celebrate throughout the process—even for small wins or milestones, make sure to encourage your team to keep moving through your security gaps.
The measurables listed above were purely project management deliverables. In cybersecurity, you will definitely want clear metrics to show that your team is actually keeping you safe. Below are some areas where you might want to focus your awareness and tracking of issues:
Understand risks to your business—the list of vulnerabilities that might put your business at risk of a cyberattack is growing day by day and week by week. Understanding what is out there and being able to confidently say whether something is an actual risk to your organization is becoming a critical measurement for leadership.
Classifying risks as key or non-essential—having your team classify and point out critical risks to your network and infrastructure security should be a growing focus of leadership teams.
Prioritizing risks your organization faces—your team should be prioritizing your security risks in relation to the level of impact and damage a potential vulnerability could cause. In addition, make sure to consider the ease of addressing issues as part of prioritization (better to focus on low hanging fruit than spend countless weeks trying to fix complex issues).
Identify tolerances your business permits—by identifying tolerances and comparing your metrics against a tolerance or tolerance range, you can evaluate areas or gaps in your security that need higher attention. As your leadership sees those tolerances, they’ll be able to understand critical contingencies, such as budget or team members devoted to a specific issue.
Compute an aggregated risk score—as you tally up all of the vulnerabilities facing your business, you should consider getting some aggregate score to sum up your improvements and where you stand today versus yesterday.
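The five measurables above (understand, classify, prioritize, set tolerances, aggregate) fit in one small risk register. This is an added example, not the author’s tool: the impact and likelihood scales, the “key” threshold, the tolerance values and the sample findings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    impact: int          # 1 (negligible) .. 5 (business-ending); assumed scale
    likelihood: int      # 1 (unlikely) .. 5 (actively exploited in our sector); assumed scale
    effort_days: float   # estimated remediation effort
    is_open: bool = True


def risk_score(f: Finding) -> int:
    """Simple impact x likelihood score, 1..25."""
    return f.impact * f.likelihood


def classify(f: Finding, key_threshold: int = 12) -> str:
    """'key' risks get leadership attention; everything else is 'non-essential'."""
    return "key" if risk_score(f) >= key_threshold else "non-essential"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; among equal risk, the quickest fix first (low-hanging fruit)."""
    return sorted((f for f in findings if f.is_open),
                  key=lambda f: (-risk_score(f), f.effort_days))


def aggregate(findings: list[Finding]) -> float:
    """Share of total risk still open: 0.0 means everything fixed, 1.0 means nothing fixed."""
    total = sum(risk_score(f) for f in findings)
    still_open = sum(risk_score(f) for f in findings if f.is_open)
    return still_open / total if total else 0.0


def within_tolerance(findings: list[Finding], max_open_key: int, max_aggregate: float) -> dict:
    """Compare this week's numbers against the tolerances leadership agreed to."""
    open_key = [f for f in findings if f.is_open and classify(f) == "key"]
    agg = aggregate(findings)
    return {"open_key": len(open_key), "aggregate": round(agg, 2),
            "ok": len(open_key) <= max_open_key and agg <= max_aggregate}


# Constructed sample register; these are not real findings from any organization.
REGISTER = [
    Finding("Unpatched file server (vendor patch available)", 5, 5, 1.0),
    Finding("No MFA on remote access VPN", 5, 4, 3.0),
    Finding("Stale accounts in the directory", 3, 3, 0.5),
    Finding("SMS phishing training not delivered", 3, 4, 2.0, is_open=False),
    Finding("Legacy printer firmware", 2, 2, 10.0),
]

if __name__ == "__main__":
    for f in prioritize(REGISTER):
        print(f"{risk_score(f):>2} {classify(f):<13} {f.name}")
    print(within_tolerance(REGISTER, max_open_key=0, max_aggregate=0.25))
```

Rerunning the script each week after updating `is_open` is the "today versus yesterday" comparison the passage describes.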
What to do next?
Know that metrics are living and dynamic. What was reported last week is probably an inaccurate depiction of what your security looks like this week.
Your ongoing step is to continually track your weaknesses and adjust your security posture accordingly. The metrics you produce should guide you and allow you to intelligently course correct, rather than haphazardly making decisions and throwing money at this expensive cybersecurity problem. Gap analysis can serve you well as a driver of how to improve your security program and help your IT team seize opportunities to make you and your stance even safer.
Sometimes persistent ransomware attacks feel like the flu. As soon as security experts find a defense against one strain, a new and more deadly version appears, all of which makes it harder to defend against and certainly difficult to keep up with.
With cryptic names like WannaCry, Petya and SamSam, leaders have become all too familiar with the names of attacks, and many even know someone who has fallen victim to the latest strain.
While ransomware campaigns have targeted pretty much everyone, they are becoming more tailored to your industry, finding technical vulnerabilities to exploit your network and your software and customizing their attacks to target specific roles within your organization. Unlike flu epidemics, there is less of a cycle or timing of when catching a virus is more or less likely. For ransomware, infections are becoming more persistent day after day.
Ransomware attackers are targeting everyone. In 2018, for instance, attackers were breaching networks in technology, manufacturing, financial and healthcare industries at alarming rates. All industries showed an uptick in the sophistication of attacks targeting each industry.
Because insurance companies are finding that ransomware payments are cheaper than complete recoveries, many businesses have paid ransomware payments in hopes of easily recovering their systems (easy recovery using a decryption key is NOT always that easy).
Across organizations, ransomware now accounts for more than 70% of malicious software attacks. With price tags in the tens to hundreds of thousands of dollars (we’ve seen cases where IT Support companies were ransomed for over a million bucks), recovery might be a long road. In many instances recently, businesses have opted to close their doors because there was no light at the end of the recovery tunnel.
When a ransomware attack brings down your IT systems, it doesn’t just disrupt your business processes. It means no one is getting billed or paid for time worked. It threatens the livelihood of everyone who has put their trust in you to help feed their families.
Ransomware is by no means static.
In fact, new ransomware variants emerge weekly (if not sooner than that). It’s a constant cat-and-mouse game. We are constantly chasing new infections down.
We’re no longer in an era where one single person can humanly read everything that’s happening. Organizations like yours will likely need a security information management system that collects and summarizes data, identifies trends and provides recommendations as to how to best prioritize your security.
One of the latest ransomware viruses that has been targeting businesses, Zeppelin, first spotted in November, was carefully designed to target healthcare and other organizations in the U.S. It is delivered through phishing attacks aimed at specific roles within your organization.
One low cost way to stay updated on security?
One of the easiest ways to stay on top of your security is to stay updated on the areas that malicious software is attacking and to understand what you have in place to prevent malicious code from moving within your network.
Have one easy place that aggregates that information and gives you a scorecard on how your organization is doing at keeping up with the latest threats (both in technology and team training).
One of the easiest first steps?
A network assessment to show you where your gaps fall. Security experts tend to focus on technology, implementation of that technology and education and security training for your teams to ensure that your organization is prepared for the latest attacks.