10 Cyber Security Tips for Small Business

Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats, thefts, malware, ransomware and scams. ~ Federal Communications Commission (FCC)

The Internet allows small businesses to reach new and larger markets and provides opportunities to work more efficiently by using computer-based tools.

Whether a company is thinking of adopting cloud computing or just using email and maintaining a website, cybersecurity should be a priority and part of the plan.

Theft of digital information has become the most commonly reported fraud, surpassing physical theft.

Every business that uses the Internet is responsible for and must implement measures to create a culture of security that will enhance business and consumer confidence. This starts with creating a cyber plan.

In short, small businesses want to keep their cyber infrastructure running and their critical assets secure from cyber criminals. However, the chaos of rapidly changing technology and evolving cyber threats can create frustrating obstacles to your business—or introduce new growth opportunities!

Based on what your business wants to achieve in cyber security, there are best practices you should be doing to increase your chances of success. There are several security practices rank most effective, and which are making the making difference.

10 Cyber Security Tips for Small Business

Broadband and information technology are powerful factors in small businesses reaching new markets and increasing productivity and efficiency. However, businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats.

1. Train employees in security principles

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Protect information, computers, and networks from cyber attacks

Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.

3. Provide firewall security for your Internet connection

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

7. Secure your Wi-Fi networks

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router, so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

8. Employ best practices on payment cards

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, limit authority to install software

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication

Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

When it comes to cybersecurity, training and transparency are key. All users have a responsibility, and if they embraced their responsibility, security in the cyberspace would be easier to achieve.

If the non-technical managers and leaders understood the impact of good and poor cybersecurity, they would use the cyber assets they have more responsibly. The workforce would be more careful about the devices they introduce to the network.

For more information, please download the cybersecurity tip sheet.


References:

  1. https://www.fcc.gov/cyberplanner
  2. https://apps.fcc.gov/edocs_public/my attachmatch/DOC-306595A1.pdf
  3. https://www.fcc.gov/communications-business-opportunities/cybersecurity-small-businesses

Cyber Threats are Clear and Present

Cybersecurity threats, malware and ransomware are clear and present danger threats to American businesses and way of life.

This week, Americans wake-up to dire warnings from the federal government in Washington to growing cyber threats and malware from Russia. The federal government warns American citizens, organizations and businesses to enhance their cyber vigilance and security in preparation of cyber attacks originating from Russia targeting critical information and infrastructure.

The latest cybersecurity threats are taking advantage of pandemic induced work-from-home environments, remote access tools, and new cloud services. According to CISA, these evolving cybersecurity threats include:

  • Malware — malicious software variants—such as worms, viruses, Trojans, and spyware—that provide unauthorized access or cause damage to a computer. Malware attacks are increasingly “fileless” and designed to get around familiar detection methods, such as antivirus tools, that scan for malicious file attachments.
  • Ransomware — a type of malware that locks down files, data or systems, and threatens to erase or destroy the data – or make private or sensitive data to the public – unless a ransom is paid to the cybercriminals who launched the attack. Recent ransomware attacks have targeted state and local governments, which are easier to breach than organizations and under pressure to pay ransoms in order to restore applications and web sites on which citizens rely.
  • Phishing / social engineering — a form of social engineering that tricks users into providing their own sensitive information. In phishing scams, emails or text messages appear to be from a known individual or legitimate company asking for sensitive information, such as credit card data or login information. The FBI has noted about a surge in pandemic-related phishing, tied to the growth of remote work.
  • Insider threats — Current or former employees, business partners, contractors, or anyone who has had access to systems or networks in the past can be considered an insider threat if they abuse their access permissions. Insider threats can be invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats.
  • Distributed denial-of-service (DDoS) attacks — attempts to crash a server, website or network by overloading it with traffic, usually from multiple coordinated systems. DDoS attacks overwhelm enterprise networks via the simple network management protocol (SNMP), used for modems, printers, switches, routers, and servers.
  • Advanced persistent threats (APTs) — an intruder or group of intruders infiltrate a system and remain undetected for an extended period. The intruder leaves networks and systems intact so that the intruder can spy on business activity and steal sensitive data while avoiding the activation of defensive countermeasures. The recent Solar Winds breach of United States government systems is an example of an APT.
  • Man-in-the-middle attacks — an eavesdropping attack, where a cybercriminal intercepts and relays messages between two parties in order to steal data. For example, on an unsecure Wi-Fi network, an attacker can intercept data being passed between guest’s device and the network.

A majority of Americans have moved their financial and daily lives online, and thus are more susceptible than ever to of cyber crime, malware and ransomware attacks.

As you might image, today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse.

As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks and cybercrimes.

Every organization—large and small—must be prepared to respond to cybercrime and disruptive cyber incidents, explains the Cybersecurity and Infrastructure Security Agency (CISA). CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

CISA recommends all individuals and organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets, like a “zero trust strategy”.

A zero trust strategy assumes compromise and sets up controls to validate every user, device and connection into the business for authenticity and purpose. To be successful executing a zero trust strategy, organizations need a way to combine security information in order to generate the context (device security, location, etc.) that informs and enforces validation controls.


References:

  1. https://www.ibm.com/topics/cybersecurity
  2. https://www.cisa.gov/shields-up

Keep Yourself Cyber Safe

Every American can take simple steps to improve their cybersecurity and protect themselves while online.

As the nation’s cyber defense agency, Cybersecurity and Infrastructure Security Agency (CISA) stands ready to help individuals and organizations prepare for, respond to, and mitigate the impact of cyberattacks and cybercrime.

Currently, CISA recommends all individuals, organizations and businesses —regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical information and assets.

Every American can take several simple steps to improve their cybersecurity and protect themselves while online. In fact there are 5 things you can do to keep yourself cyber safe. CISA urges everyone to practice the following: 

  • Implement multi-factor authentication (MFA) on your accounts. A password isn’t enough to keep you safe online. By implementing a second layer of identification, like a confirmation text message or email, a code from an authentication app, a fingerprint or Face ID, or best yet, a FIDO key,  you’re giving your bank, email provider, or any other site you’re logging into the confidence that it really is you. Multi-factor authentication can make you 99% less likely to get hacked. So enable multi-factor authentication on your email, social media, online shopping, financial services accounts. And don’t forget your gaming and streaming entertainment services!   
  • Update your software. In fact, turn on automatic updates.   Bad actors will exploit flaws in the system. Update the operating system on your mobile phones, tablets, and laptops.  And update your applications – especially the web browsers – on all your devices too.   Leverage automatic updates for all devices, applications, and operating systems. 
  • Think before you click. More than 90% of successful cyber-attacks start with a phishing email.  A phishing scheme is when a link or webpage looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, social security number, credit card numbers, or other sensitive information. Once they have that information, they can use it on legitimate sites. And they may try to get you to run malicious software, also known as malware.  If it’s a link you don’t recognize, trust your instincts, and think before you click. 
  • Use strong passwords, and ideally a password manager to generate and store unique passwords.  Our world is increasingly digital and increasingly interconnected. So, while we must protect ourselves, it’s going to take all of us to really protect the systems we all rely on. 
  • Halt bad practices. Take immediate steps to: (1) replace end-of-life software products that no longer receive software updates; (2) replace any system or products that rely on known/default/unchangeable passwords; and (3) adopt MFA for remote or administrative access to important systems, resources, or databases.

Americans should prepared themselves to respond to cybercrime and to disruptive cyber activity. CISA encourages everyone to put their “Shields Up” and take proactive steps to protect against active and future cyber threats. 


References:

  1. https://www.cisa.gov/shields-up
  2. https://www.cisa.gov/free-cybersecurity-services-and-tools

Protect yourself from identity theft

Nearly 45 billion dollars were stolen from identity theft victims in 2020. LifeLock

Identity theft is one of the fastest growing financial crimes in America. Each year, millions of Americans discover that a criminal has fraudulently used their personal information to obtain goods and services and that they have become victims of identity theft.

A wide range of sensitive personal information can be used to commit identity theft, including a person’s name, address, date of birth, Social Security number (SSN), driver’s license number, credit card and bank account numbers, and phone numbers.

Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file a tax refund in your name and get your refund. In some extreme cases, a thief might even give your name to the police during an arrest.

The most common form of identity theft involves the fraudulent use of a victim’s personal information for financial gain. According to the Federal Trade Commission’s Guide for Assisting Identity Theft Victims, there are two main types of financial frauds:

Using the victim’s existing credit, bank, or other accounts

  • A victim of existing account misuse often can resolve problems directly with the financial institution, which will consider the victim’s prior relationship with the institution and the victim’s typical spending and payment patterns.

Opening new accounts in the victim’s name

  • A victim of new account identity theft usually has no preexisting relationship with the creditor to help prove she is not responsible for the debts.
  • The new account usually is reported to one or more credit reporting agencies (CRA), where it then appears on the victim’s credit report. Since the thief does not pay the bills, the account goes to collections and appears as a bad debt on the victim’s credit report. Often, the victim does not discover the existence of the account until it is in collection.
  • The victim must prove to the creditor that she is not responsible for the account and clear the bad debt information from her credit report.

The primary tool for preventing criminals from opening additional new accounts in your name are to implement a fraud alert and credit freeze. In most cases, you should place an initial fraud alert on your credit report as quickly as possible after discovering that you have become an identity theft victim, or you realize that your sensitive personal information has been stolen. Once you implemented a fraud alert, you will have some time to consider whether to place an extended fraud alert or a credit freeze on your credit report. You also will be able to obtain a free credit report and review the report to see if it shows that there has been additional fraud by the criminal.

https://twitter.com/ebrownl33/status/146436870204497510

To prevent identity theft, it is critical to keep your personal information safe:

  • Shred financial documents and paperwork with personal information before you discard them.
  • Protect your Social Security number. Don’t carry your Social Security card in your wallet or write your Social Security number on a check. Provide it only when absolutely necessary. You may always ask to use another identifier.
  • Don’t provide personal information over the phone, through the mail, or over the Internet unless the party is known and reputable.
  • Never click on links sent in unsolicited e-mail messages.
  • Use firewalls, anti-spyware, and anti-virus software to protect your personal computer. Keep the protections up-to-date. Visit OnGuardOnline.gov for more information.
  • Don’t use an obvious password like your birth date, your mother’s maiden name, the last four digits of your Social Security number, or your phone number.
  • Keep all personal information in a secure place at home, especially if you have roommates or employ outside help.

Monitor your financial information regularly and request a free copy of your credit report annually. Review various financial accounts and statements, checking for the following:

  • Purchases that were not made by you
  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

If identity theft is suspected, act quickly!

Identity theft victims have the right to block the reporting of information that resulted from identity theft. Credit reporting agencies (CRAs) are responsible for blocking fraudulent information from appearing in victims’ credit reports, but also to notify furnishers (creditors, debt collectors, and other companies that reported the information).

As the victim, you must provide the CRAs with the following information in writing:

  • a copy of an Identity Theft Report (filed with law enforcement). The Identity Theft Report is the primary tool for removing inaccurate identity theft-related information from your credit report.
  • a letter explaining what information is fraudulent as a result of identity theft
  • the letter should state that the information does not relate to any transaction that the consumer made or authorized
  • proof of identity, which may include the consumer’s Social Security number, name, address, and other personal information requested by the CRA

In summary, identity theft happens when someone steals your personal information to commit fraud. The criminals may use your information to apply for credit, file taxes, or get medical services. These acts can damage your credit status, and cost you time and money to restore your good name.

To Prevent Identity Theft

According to USA.gov, you should keep these tips in mind to protect yourself from identity theft:

  • Secure your Social Security number (SSN). Don’t carry your Social Security card in your wallet. Only give out your SSN when necessary.
  • Don’t share personal information (birthdate, Social Security number, or bank account number) because someone asks for it.
  • Collect mail every day. Place a hold on your mail when you are away from home for several days.
  • Pay attention to your billing cycles. If bills or financial statements are late, contact the sender.
  • Use the security features that can help protect the device and the information on it from threats and vulnerabilities on your mobile phone.
  • Update sharing and firewall settings that analyzes and blocks or allows information traveling between the internet and your computer based on a defined set of security rules.
  • Use a virtual private network (VPN) if you use a public wi-fi network A Virtual Private Network (VPN): a private network that connects your computer or mobile device to the internet and encrypts (codes) your information to protect your internet activity from monitoring or spying.
  • Review your credit card and bank account statements. Compare receipts with account statements. Watch for unauthorized transactions.
  • Shred receipts, credit offers, account statements, and expired credit cards. This can prevent “dumpster divers” from getting your personal information.
  • Store personal information in a safe and secure place.
  • Install firewalls and virus-detection software to prevent, detect, and remove malicious programs that have been placed on your computer to spy on you or to do damage to your computer.
  • Create complex passwords that identity thieves cannot guess. Change your passwords if a company that you do business with has a breach of its databases
  • Review your credit reports will show your bill payment history, current debt, and other financial information once a year. Be certain that they don’t include accounts that you have not opened. You can order it for free from Annualcreditreport.com.
  • Freeze your credit files with Equifax, Experian, Innovis, TransUnion, and the National Consumer Telecommunications and Utilities Exchange for free. Credit freezes prevent someone from applying for and getting approval for a credit account or utility services in your name.

You have limited liability for fraudulent debts caused by identity theft.

  • Under most state laws, you’re not responsible for any debt incurred on fraudulent new accounts opened in your name without your permission.
  • Under federal law, the amount you have to pay for unauthorized use of your credit card is limited to $50. If you report the loss to the credit card company before your credit card is used by a thief, you aren’t responsible for any unauthorized charges.
  • If your ATM or debit card is lost or stolen, you can limit your liability by reporting the loss immediately to your bank or credit union.
  • If someone makes unauthorized debits to your bank or credit union account using your debit card number (not your card), you aren’t responsible – if you report the problem within 60 days after they send your account statement showing the unauthorized debits.
  • Most state laws limit your liability for fraudulent checks issued on your bank or credit union account if you notify the bank or credit union promptly.

References:

  1. https://www.identitytheft.gov/#/
  2. https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf
  3. https://www.usa.gov/identity-theft

Preventing Scams and Cybercrime

Fraudsters and cybercriminals are getting sneakier – sometimes even claiming to be your bank or financial institution. Outsmart scammers with these tips.

With more than 2 billion people worldwide accessing the internet through smartphones, hackers have never had greater incentive to devise new scams. Getting scammed is an unpleasant experience, but you can be one step ahead.

For example, you look at your phone and you have a new text message saying it is from your bank or financial institution. The message tells you to click this link and download a new app to secure your identity or customer account. It’s strange because you’ve never received a text from your bank at this number before, and you already have your bank’s app downloaded, or at least you thought?

STOP! Don’t click that link. There are a number of red flags to watch out for to recognize a phishing attack. Although this trick is commonly employed over email, savvy thieves are now trying to install ransomware or steal your financial or personal information by impersonating a bank, credit card company or service provider by phone calls or even text messages. Phishing is when a fraudster tricks a consumer into providing their personal information through a fake app or website. The site may appear have a copy of your bank’s or another company’s logo and appears legit. So how do you tell it’s not?

  • With increasing number of cases related to cyber frauds or online scams, it’s recommended that you follow these tips to detect a scam by text and protect your identity:
    • Check the number and search for how your bank has texted you in the past. Are they different? Don’t click the link!
      Is this message irregular? If you have not recently conducted business, used your cards or logged into your bank via the app, mobile or desktop, it may feel out of context to be receiving this request. Don’t click it!
      Are they using the right terminology for you and your account? Does your bank refer to you as a member but this text message says “customer.” Don’t click it!

    REMEMBER: Do not download any software or click on unknown links sent to you by email or text! Banks will typically never ask you to download software in an email or while you are on the phone with us..

    Emails

    There are some easy ways to ensure the email is from bank. Bank emails typically include a Security Zone to help you distinguish a legitimate email from a fraudulent one. Here is what to look for to help identify authentic emails:

    • Always hover over the sender’s email address to verify who it is from. Banks will only send emails from an address that clearly indicates it is from your bank.
    • To be effective, you must verify the spelling of your first and last name and the accuracy of the last four digits of your USAA member number every time you receive an email from USAA.

    Phone Calls

    RING, RING, RING

    The caller ID says your bank across the top. It’s not a 1-800 or a 1-877 number, but when you answer, the caller says they are with your bank and now asks for your customer service identification number to verify you. The caller may offer to assist with installing software you need for your financial services … what do you do?

    STOP! Don’t share your personal information before verifying the caller. If your bank is calling you, they typically will never ask for your “customer” identification number, credit card number or other personal information.

    Follow these tips to detect a scam by a phone call and protect your identity:

    • Do not share security or personal data: Your bank will never call you and then ask you for your one-time verification code, PIN, password or other personal identification details.
    • Always realize that you can call your bank to determine if any request for information is valid. When you call us, know that we’ll use the multifactor identification code from your phone to verify you.

    “Grandpa, I need your help. My car won’t start. Please send me money using this app…” OR

    “Hi, how are you? I can’t deposit any money into my bank account because I am deployed. Can you send me some money for my phone card so we can continue talking? I really miss you.”

    STOP! Imposters have many tricks up their sleeves when they are trying to access your information or steal your assets. As discussed above, it could be by impersonating a company through a phone call, email or text, but now they are even trying to contact you on third-party social platforms, like Facebook or Twitter, or through dating apps and sites.

    Follow these tips to avoid a grandparent or romance scam:  

    • Never send money to someone you don’t know in real life, especially using a third-party app like Zelle, CashApp, etc.
    • If someone claims to be a family member, verify with that family member by calling them directly! If you think your grandson needs help, call him or call his parents before sending money unintentionally to a scammer.
    • Do your research. If you are getting to know someone online, make sure you look them up, validate they are who they say they are. Some also claim to not have access to common resources overseas because they are serving, which is often untrue.

    If any of these situations should happen to you, reach out for advice before giving out any personal information. And, if you get a suspicious email, text, instant message or phone call, you can report it to your bank or to the Federal Trade Commission at ftc.gov/complaint.

    If a scam does trip you up in real life, get help! The FBI has an Internet Crime Complaint Center at ic3.gov. You can also report identity theft to the Federal Trade Commission to 1-877-ID-THEFT (84338).

    There are also some easy ways to ensure a text message is from your bank.  Based on your request, many banks may send a one-time code as part of its multi-factor authentication process. If you suspect fraud, you should:

    •  REPORT! Even if you didn’t share personal information or click a questionable link, if you suspect fraud, let us know so we can help prevent it to protect you and other members in the future.
    • If you receive a suspicious call from someone claiming to be your bank and is requesting account information or security credential information, hang up immediately!
    • If you provided any personal identifiable information prior to hanging up, alert your bank.
    • If you did not provide any information, you should still send an email to your bank reporting the phone number or text message and message details. This helps them to actively work to shut down fraudulent callers, sites and emails.

    Imposters can come from the least expected places and they are constantly changing their tactics. That’s why it is so important to always be on alert. While financial institutions can use sophisticated detection processes, they are most effective in fighting fraud when they work together with their customers.

     

    Think Before You Click

    #ThinkB4UClick

    The global pandemic has tested the online security resilience and vigilance of people world-wide, while at the same time the pandemic is pushing more and more individuals to conduct their daily personal and work lives online.

    Unfortunately, cyber criminals have sought opportunities to create havoc and financial gain in the midst of the chaos caused by the pandemic.

    Since our lives have shifted into the digital dimension, educating the online user on cyber security has become more important than ever before.

    As a result, cyber security has become increasingly important domestically and globally. But we must all remember that cyber security begins with a few basic steps such as: being vigilant, changing your password often and most important… think before you click on or open a link.

    Tips for Securing Your Digital Accounts

    Like keeping our doors locked to keep our homes safe from burglars, keeping our online accounts secure is vital to help protect ourselves from cyber criminals – and passwords are the key.

    Here are some tips to help you keep your accounts safe online.

    1. Choose strong passwords

    The stronger your password is, the more difficult it is to hack your account.

    Create passwords that are at least 15 characters long and include a combination of upper and lower case letters, numbers and symbols if allowed.

    A good way to do this is to create a passphrase – use a sentence that includes unusual words, or words from different languages.

    In addition, always use unique passwords for all your online accounts.

    2. Use a password manager

    A password manager is a convenient way to take care of your passwords.

    Several very good password managers are free and easy to use. It will create strong passwords for you and keep them secure.

    If you’d prefer not to use a password manager, write your passwords into a notebook and keep it in a secure place away from your computer.

    3. Enable Multi-Factor Authentication (MFA)

    Multi-factor authentication (like 2FA) provides an extra layer of security to help protect your accounts.

    It is an electronic authentication method where you need to present two or more pieces of evidence (factors) to confirm your identity and access your account, for example a password and a code that is sent to your mobile phone. Your account cannot be accessed without entering this code.

    4. Do all of the above!

    For extra security, use a password manager that will create strong passwords for you and enable multi-factor authentication when available for your best chance to keep your accounts secure.


    References:

    1. https://cybersecuritymonth.eu/resources/top-tips-for-securing-your-accounts/

    Cyber Security Awareness: Ransomware

    “Organizations and consumers are frequently exposed to the clear and present danger of sophisticated phishing and ransomware cyber attacks.”

    Over the last several years, ransomware has remained a “clear and present” cyber security threat for organizations and individuals around the world. As companies have gone increasingly digital, cyber criminals have sought to maximize their profits by exploiting the vulnerabilities that come with a rapidly expanding cyber ecosystem.

    Global cyber threats include ransomware, common hacks such as phishing and malware, or complex state- sponsored spying efforts like with SolarWinds. And, the frequency of today’s cyber attacks is growing and compelling companies to secure their networks with the most modern threat detection technology.

    Ransomware is a malware that infects computers (and mobile devices) and restricts their access to files, often threatening permanent data destruction unless a ransom is paid. It has reached epidemic proportions globally. According to the Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

    These cyber attacks against U.S. companies and organizations result in shutdown of critical infrastructure, which can create shortages, increased cost of goods/services, financial loss due to shutdown of operations, and loss of money due to having to pay the ransom to the hackers, and worse.

    Ransomware costs include ransom payouts, damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.

    Source: Cybersecurity Ventures

    For example, the DarkSide hacker gang is an organized group of hackers set up along the “ransomware as a service” business model, meaning they develop and market ransomware hacking tools, and sell them to other cyber criminals who then carry out cyber attacks. Additionally, DarkSide steals private data and threaten to make it public unless the victim pays a large sum of money — typically in the range of $200,000 to $2 million, according to CNBC. The FBI has determined that DarkSide was behind the devastating Colonial Pipeline ransomware cyber attack which targeted the company’s billing system and internal business network. Subsequently, the company reportedly paid out $4.4 million dollars in bitcoin. Fortunately, US law enforcement was able to recover much of the $4.4 million ransom payment.

    Human element

    “Ransomware is expected to attack a business every 11 seconds by the end of 2021.” Steve Morgan, Editor-in-Chief, Cybersecurity Ventures

    Ransomware still uses social engineering as its main infection vector,” says KnowBe4’s Sjouwerman. “Some 91% of cyberattacks begin with a “spear phishing” email, according to research from security software firm Trend Micro.

    Spear phishing is an increasingly common form of phishing that makes use of information about a target to make attacks more specific,sophisticated and “personal”. These attacks may, for instance, refer to their targets by their specific name or job position, instead of using generic titles like in broader phishing campaigns.

    According to research firm Cybersecurity Ventures, ransomware damages will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.

    As cyber attacks and ransomware continues to grow in frequency and severity, it’s essential that individuals receive security awareness training that specializes in making sure they understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering and apply this knowledge in their day-to-day online activities.

    Additionally, it’s imperative that organizations employ an endpoint detection and response (EDR) tool which can provide the visibility and cyber protection that organizations need.


    References:

    1. https://www.cnbc.com/2021/05/27/cybereason-ceo-was-in-israel-bomb-shelter-telling-world-about-darkside.html
    2. https://blog.knowbe4.com/bid/252429/91-of-cyberattacks-begin-with-spear-phishing-email
    3. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
    4. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
    5. https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

    Avoid These 3 Cybersecurity Mistakes

    CISA warns of risky behaviours that leave networks exposed to cyberattacks

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure, warns that “”exceptionally risky” [cyber] behaviors that can put critical infrastructure at extra risk of falling victim to cyberattacks”.

    The three cyber security mistakes and behaviors to avoid are:

    1. Using unsupported software,
    2. Allowing the use of default usernames and passwords, and
    3. Using single-factor authentication for remote or administrative access to systems

    According to CISA, these are all dangerous behaviors when it comes to cybersecurity and should be avoided by all organizations.

    Using multi-factor authentication can help disrupt over 99% of cyberattacks. Microsoft

    Use of single-factor authentication – where users only need to enter a username and password – was recently added to the list of risky behaviors. CISA warned that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

    Change default passwords as soon as possible, and use a sufficiently strong and unique password. CISA

    CISA describes that using fixed or default passwords as “dangerous” and should be avoided at all cost. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords to compromise accounts.

    CISA also warns against the use of passwords that are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks.

    One in three breaches are caused by unpatched vulnerabilities. ZDNet

    Finally, CISA warns that the use of unsupported or end-of-life software in critical infrastructure. By using software or operating systems that no longer receive security patches or updates, there’s the risk that cyber criminals could exploit newly discovered security vulnerabilities that emerge because old software often doesn’t receive security patches.

    The 2017 WannaCry ransomware attack stands a shining example of what can go wrong when patches aren’t applied. While a patch for the vulnerability exploited by the ransomware had existed for several months, many organizations failed to install the it.

    Takeaway

    Reducing your organization’s cyber risks requires a holistic approach. CISA

    Avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect you and others from falling victim to cyberattacks.

    To reduce risks, here are three cyber security actions that organizations should do first:

    • Backup Data – Employ a backup solution that automatically and continuously backs up critical data and system configurations.
    • Multi-factor Authentication – Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative and remote access users.
    • Security Patch and Update Management – Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.

    References:

    1. https://www.zdnet.com/article/dont-want-to-get-hacked-then-avoid-these-three-exceptionally-dangerous-cybersecurity-mistakes/
    2. https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
    3. https://us-cert.cisa.gov/ncas/alerts/TA13-175A
    4. https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf

    Avoiding Investment Fraud

    Financially savvy and experienced investors, along with inexperienced investors, fall prey to investment fraud frequently.

    Researchers have found that investment fraudsters hit their targets with an array of persuasion social engineering techniques that are tailored to the victim’s psychological profile.

    Here are several “red flags” to look for:

    • If it sounds too good to be true, it is. Any investment opportunity that claims you’ll receive substantially more could be highly risky – and that means you might lose money. Be careful of claims that an investment will make “incredible gains,” is a “breakout stock pick” or has “huge upside and almost no risk!” Claims like these are hallmarks of extreme risk or outright fraud.
    • “Guaranteed returns” aren’t. Every investment carries some degree of risk, which is reflected in the rate of return you can expect to receive. If your money is perfectly safe, you’ll most likely get a low return. High returns entail high risks, possibly including a total loss on the investments. Most fraudsters spend a lot of time trying to convince investors that extremely high returns are “guaranteed” or “can’t miss.” They try to plant an image in your head of what your life will be like when you are rich. Don’t believe it.
    • Beware the “halo” effect. Investors can be blinded by a “halo” effect when a con artist comes across as likeable or trustworthy. Credibility can be faked. Check out actual qualifications.
    • “Everyone is buying it.” Watch out for pitches that stress how “everyone is investing in this, so you should, too.” Think about whether you are interested in the product. If a sales presentation focuses on how many others have bought the product, this could be a red flag.
    • Pressure to send money RIGHT NOW. Scam artists often tell their victims that this is a once-in-a-lifetime offer and it will be gone tomorrow. But resist the pressure to invest quickly and take the time you need to investigate before sending money.
    • Reciprocity. Fraudsters often try to lure investors through free investment seminars, figuring if they do a small favor for you, such as supplying a free lunch, you will do a big favor for them and invest in their product. There is never a reason to make a quick decision on an investment. If you attend a free lunch, take the material home and research both the investment and the individual selling it before you invest. Always make sure the product is right for you and that you understand what you are buying and all the associated fees.

    What You Can Do to Avoid Investment Fraud

    • Ask questions. Fraudsters are counting on you not to investigate before you invest. Fend them off by doing your own digging. It’s not enough to ask for more information or for references – fraudsters have no incentive to set you straight. Take the time to do your own independent research.
    • Research before you invest. Unsolicited emails, message board postings, and company news releases should never be used as the sole basis for your investment decisions. Understand a company’s business and its products or services before investing. Look for the company’s financial statements by searching SEC’s EDGAR filing system.
    • Know the salesperson. Spend some time checking out the person touting the investment before you invest – even if you already know the person socially. Always find out whether the securities salespeople who contact you are licensed to sell securities in your state and whether they or their firms have had run-ins with regulators or other investors. You can check out the disciplinary history of brokers and advisers for free using the SEC’s and FINRA’s online databases.
    • Be wary of unsolicited offers.Be especially careful if you receive an unsolicited pitch to invest in a company, or see it praised online, but can’t find current financial information about it from independent sources. It could be a “pump and dump” scheme. Be wary if someone recommends foreign or “off-shore” investments. If something goes wrong, it’s harder to find out what happened and to locate money sent abroad.
    • Protect yourself online. Online and social marketing sites offer a wealth of opportunity for fraudsters. For tips on how to protect yourself online see Protect Your Social Media Accounts.

    You should strive to become an educated investor and to know what to look for. Make yourself knowledgeable about different types of scams and red flags that may signal investment fraud.


    References:

    1. https://www.investor.gov/protect-your-investments/fraud/how-avoid-fraud/what-you-can-do-avoid-investment-fraud
    2. https://www.investor.gov/protect-your-investments/fraud/how-avoid-fraud/protect-your-social-media-accounts

    Ransomware Attacks and Cyber Scams Surge in 2020

    Ransomware attacks surged 300% in calendar year 2020, according to Chainalysis. And in 2020, $406.3 million was paid out in cryptocurrency ransoms, 337% more than the previous year. This calendar year’s ransom payments are on pace to pass seven figures.

    The attacks have crippled supply chains and critical infrastructure by holding digital information hostage.

    • Colonial Pipeline, one of the largest fuel pipelines in the US, was forced offline for six days in May.
    • An Iowa grain co-op was hit by a cyberattack, and hackers demanded $5.9 million to unlock the organization’s data.

    Ransomware is something that government agencies are extremely focused on these days. They’re viewing it on par with terrorist financing attacks. The victims of ransomware attacks are mostly big businesses, where more sophisticated attack appear to be sanctioned by foreign governments such as Russia, China, North Korea or Iran.

    However, big business are not the only victims of cybercriminals. Nearly 7,000 individual investors lost a collective $80 million to cryptocurrency scams from October 2020 to March 2021, according to the Federal Trade Commission.

    Currently, the biggest type of cybercriminal activity in terms of volume is scamming: your investment scam, your Ponzi scheme, or just a phishing attack. Retail investors are oftentimes more vulnerable to being taken advantage of by scammers. But these scams impact the government as well, because the SEC is chartered to make sure they’re protecting consumers.

    The bottomline is that “illicit activity on the blockchain is heating up, from minor scams to elaborate ransomware attacks”, explained Kimberly Grauer, director of research at Chainalysis.

    The majority of cryptocurrency activity is legal according to the U.S. Treasury Department. But, cryptocurrency can be exploited by cybercriminals and leveraged for ransomware attacks. Crypto’s decentralized nature can make it more difficult to track down hackers.

    The SEC’s Office of Investor Education and Advocacy issues periodic Investor Alerts to help investors identify signs that what is offered as an investment may actually be a scam or fraud. They urge investors to be on high alert in order to protect themselves and others from becoming victims of investment cyber fraud.

    The key to avoiding investment fraud and scams is to be an educated investor. Below are five tips from the SEC website investor.gov to help you avoid investment fraud:

    1. Be Wary of Unsolicited Offers to Invest – Cybercriminals look for victims on social media sites, chat rooms, and bulletin boards. If you see a new post on your wall, a tweet mentioning you, a direct message, an e-mail, or any other unsolicited – meaning you didn’t ask for it and don’t know the sender – communication regarding a so-called investment opportunity, you should exercise extreme caution.
    2. Look out for Common “Red Flags” – Wherever you come across a recommendation for an investment – be it on the Internet or from a personal friend (or both), “red flags” such as (a) It sounds too good to be true since any investment that sounds too good to be true probably is; (b) The promise of “guaranteed” returns since every investment entails some level of risk, which is reflected in the rate of return you can expect to receive; and (c) Pressure to buy RIGHT NOW because should not be pressured or rushed into buying an investment before you have a chance to research the “opportunity.”
    3. Look out for “Affinity Fraud” – Never make an investment based solely on the recommendation of a member of an organization or group to which you belong, especially if the pitch is made online. An investment pitch made through an online group of which you are a member, or on a chat room or bulletin board catered to an interest you have, may be an affinity fraud. Affinity fraud refers to investment scams that prey upon members of identifiable groups, such as religious or ethnic communities, the elderly, or professional groups. Even if you do know the person making the investment offer, be sure to check out everything – no matter how trustworthy the person seems who brings the investment opportunity to your attention (think Bernie Madoff). Be aware that the person telling you about the investment may have been fooled into believing that the investment is legitimate when it is not.
    4. Be Thoughtful About Privacy and Security Settings – Investors who use social media websites as a tool for investing should be mindful of the various features on these websites in order to protect their privacy and help avoid fraud. Understand that unless you guard personal information, it may become available for anyone with access to the Internet – including cybercriminals.
    5. Ask Questions and Check Out Everything – Be skeptical and research every aspect of an offer before making a decision. Investigate the investment thoroughly and check the truth of every statement you are told about the investment. Never rely on a testimonial or take a promoter’s word at face value. You can check out many investments using the SEC’s EDGAR filing system or your state’s securities regulator.

    Investors on the Internet and social media should always be on the lookout for cyber scams and fraud. If you have a question or concern about an investment, or you think you have encountered fraud, you should contact the SEC or FINRA,


    References:

    1. https://www.morningbrew.com/daily/stories/2021/08/23/blockchain-expert-fights-crypto-crime
    2. https://www.sec.gov/oiea/investor-alerts-bulletins/ia_5redflags.html
    3. https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/updated-11
    4. https://www.sec.gov/oiea/investor-alerts-and-bulletins/investment-scam-complaints-rise-investor-alert