Cyberattacks continue to increase in frequency, sophistication, and impact, especially since the onset of the COVID-19 pandemic when many workers were suddenly forced to work remotely. Remote workers are often working in environments that are much less secure than the corporate environments they fled. For example, personal devices may intermingle with work devices and personal equipment is likely not “hardened” against attack, providing hackers an entry point for their nefarious deeds.
Former IBM CEO Ginni Rometty called cybercrime “the greatest threat to every profession, every industry, every company in the world.”
Dave Hatter
Disturbing recent cybercrime statistics and news headlines clearly back this up:
The University of Maryland reported that an attack happens every 39 seconds on average, affecting one in three Americans every year.
Cyberinsurance company Coalition reported that ransoms have jumped from less than $10,000 to over $100,000 in 2019 with the introduction of newer, nastier ransomware. Ransom demands have topped $10,000,000.
Ransomware accounted for 41% of all cyberinsurance claims in the first half 2020.
The FBI reported Business Email Compromise (BEC) was a $26 billion dollar enterprise over a 5-year period. The FBI has also said reports of cybercrime spiked 400% in the early days of the pandemic. Even more concerning is that the FBI has said they believe only 10% to 12% of cybercrimes are reported.
89% of breaches had a financial or espionage motive according to a recent Verizon Data Breach Investigations Report.
The Service Core of Retired Executives (SCORE) reported that 43% of cyberattacks are on small and medium businesses (SMBs), who typically have less resources to devote to cybersecurity.
Homeland Security graphic
A recent report from Cybersecurity Ventures predicted that cybercrime costs could top $10 trillion dollars by 2025!
The COVID-19 pandemic has been a powerful catalyst for digital transformation, and we are becoming increasingly reliant on technology in our personal and professional lives. As our physical and virtual worlds merge, the attack surface expands and cyberattacks can now impact our physical world. Noted cybersecurity expert Bruce Schenier said it best: “We no longer have things with computers embedded in them. We have computers with things attached to them.” Your Ring doorbell, Nest thermostat, “smart” TV, Internet of Things (IoT) coffee maker or even that new app your kids just installed could be the weak link in your environment. Once attackers breach your home network, it’s possible they could find sensitive information and could even find a hole that allows them to gain access to your corporate network. Unfortunately, the increasing availability of low-cost or free hacking tools and the increasing technical prowess of attackers means it’s never been easier to compromise the ill-informed or the unprepared.
With many if not most employees accessing sensitive information remotely from less secure environments, it’s never been more important to ensure that your organization understands the growing threats and takes a risk-based approach to defend against them. And while some employees will go back to the office full-time, many will not ever return to the office full-time and many if not most will work in a hybrid model with “hot desking” for mobile employees. You should expect to see many organizations take this approach because it saves money and provides employee flexibility.
Sadly, EVERY organization and every individual is now a target, and working remotely increases the risk. Stephane Nappo said “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” The good news is that there are many steps you can take to “harden” your systems and improve your cybersecurity hygiene, and many cost nothing but a little time and effort. With attacks on the rise and increasingly devastating consequences the result, it’s never been more important to take proactive steps to protect yourself, your family, your clients and your employees. Concrete steps you can take today include:
• Install updates, aka patches, regularly on ALL your devices including computers, tablets, phones, printers, routers and other “smart” (IoT) devices.
• Update to the latest applicable version of any software you use. Old software that is not updated is a significant risk that grows over time.
• Use endpoint protection aka anti-virus or anti-malware software and update it regularly. Ensure devices are scanned regularly. Windows 10 ships with Microsoft Defender their free endpoint protection software.
• Use a firewall. Windows 10 has an embedded firewall.
• Change the default password on your systems and “smart” devices. Hackers can easily access these passwords from the manufacturer.
• Enable Multi-factor Authentication (MFA) aka Two-Factor Authentication or Two-Step verification everywhere you can. Microsoft and Google have both stated that MFA can block up to 99% of automated attacks. Learn more here.
From dhs.gov
• Use a strong, unique password on each account and never share credentials (username and password) between work and personal accounts or other individuals. Even better, use a phase that no one would guess but is easy to remember, for example, “IL0v3Pr0j3tM@n@g3m3nt”. Per howsecureismypassword.com, it would take 3 sextillion years to crack that passphrase.
• Use a secure password manager (vault) like LastPass to create and manage strong passwords for each account. A zero-knowledge vault like LastPass will make it easy for you create extremely strong passwords and easily use them across all your devices. I am a big LastPass fan, but there are other excellent low-cost or free password managers.
• Use a Virtual Private Network (VPN) for encryption of data transmitted over the Internet. Use Bitlocker to encrypt data on your Windows devices.
• Get a quality WiFi router and use WPA2 or higher encryption for your wireless network.
Backup your data regularly and regularly test the backups. There are many low-cost, secure, cloud-based backups available, iDrive for example.
• Don’t allow family members to use work related equipment.
• Only install carefully vetted apps to ensure they are safe. Sites like ZDNet, CNET and PCmag have editors and experts that evaluate and recommend products and services.
Explore Cyberinsurance. General liability insurance will not cover cyberattacks in many if not most cases.
• Evaluate your vendor’s cybersecurity maturity level. Target was breached as the result of 3rd-party HVAC contractor and a supply chain attack is behind the Solar Winds hack, which is shaping up to best the worst known attack to date.
• Find a cybersecurity partner you can trust to help improve your cybersecurity hygiene.
Explore cybersecurity frameworks like the NIST Cybersecurity Framework (CSF), NIST 800-171 or the Center for Internet Security Controls.
• Be skeptical and stay informed. There are vast quantities of quality free education available.
Before you act, STOP, THINK, PROTECT. Be a human firewall.
The good news is that there have never been more ways to work remotely and collaborate digitally. But bad actors increasingly target those systems and tools, and human error is a leading cause of sensitive data leaks. For example, someone emails a spreadsheet containing Personally Identifiable Information (PII) to a colleague at an external organization. The use of insecure products can be devastating, more than 300 companies have had information breached through the Accellion hack, learn more here.
Fortunately, there are secure platforms for communication and collaboration, for example Microsoft 365. You easily send and receive encrypted email and collaborate securely with Teams and SharePoint. In fact, with proper licensing, M 365 /Azure complies with virtual every security and privacy standard in the world, learn more here.
Former National Security Director Richard Clarke said “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked” and I agree. Hope and denial are NOT a strategy. You are a target, and if you do nothing, it’s a matter of when not if you are hacked. But you can take proactive steps to mitigate the risks, get started improving your cybersecurity posture today.
Dave Hatter is a Cybersecurity Consultant at Intrust IT, a Cincinnati-based MSP. Dave has nearly 30 years of software development, cybersecurity and project management experience and had been an adjunct instructor at Cincinnati State for more than 15 years. He has earned numerous industry certifications including CISSP, CCSP, CSSLP, Security+, Network+, MS Azure Fundamentals, PMP, PMI-ACP, PMI-PBA, PSM 1, PSD 1, and ITIL Foundation V3, and has a BS in Information Systems from NKU. He is a regular on-air contributor on WXIX (FOX19) and Local 12 (WKRC-TV) and he can be heard every Friday morning at 6:30 AM on 55KRC’s “Tech Friday” segment with host Brian Thomas. He appears as an expert on many other outlets including Bloomberg Financial, WCPO, WLWT, 700 WLW, WVXU, WNKU and Spectrum News 1. You can view nearly 250 TV interviews here: https://www.youtube.com/davehatter. Reach him at davehatterit@gmail.com
