Okta has recently admitted to making a mistake by delaying the disclosure of a hack that occurred in January. Okta says that in January the company believed this was an unsuccessful account takeover by Lapsus$ data extortion group, targeting a Sitel engineer that required no further action. This “attempt” impacted 366, 2.5% of Okta’s customers. This was an issue of Incident Response gone bad. The cause was a hacker obtaining Remote Desktop Protocol access to a Sitel employee’s laptop.
Another similar incident is the Blackbaud hack in 2022, where the company identified a months-long ransomware attack, paid an undisclosed ransom, and the hacker had already compromised the data of over 120 organizations. The company faced criticism for downplaying the incident and waiting weeks to disclose information related to the attack.
Events like these highlight the importance of having strong Incident Response plans in place, including plans on communication in the event of an event, as well as testing and practicing these procedures before an incident occurs. Take this as a lesson and keep your company and your clients secure, by doing the necessary preparation, properly investigating if you notice anything suspicious, and having cyber insurance in place before an incident occurs.
CISA (The Cybersecurity and Infrastructure Security Agency) is warning organizations that Russia’s invasion of Ukraine could include malicious cyber activity against the U.S. and stated that “evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks”. CISA asks that organizations report any malicious cyber activity. Additionally, during this time, every organization should adopt a heightened cybersecurity posture to be prepared to respond in the event of a cyber incident.
CISA provides recommended actions and resources to reduce the likelihood of a cyber intrusion, quickly detect a potential intrusion and ensure the organization is prepared in the event of an incident. These actions include but are not limited to:
Require MFA for all remote, privileged, or administrative access to the organization’s network.
Disable all ports and protocols that are not essential to the business.
Confirm the organization is protected by antivirus/anti-malware software and update signatures in the tools.
Routinely test backup procedures and have an incident response plan in place.
Conduct employee awareness training to educate all personnel on how to prevent and spot a cyber-attack and improve your organization’s overall digital wellness.
Do not click any links that seems suspicious.
If you have been neglecting your digital hygiene, now is the time to get back on track, CISA advises organizations to plan for the worst-case scenario. Reference the recommended actions and materials provided by CISA and keep your organization educated and up to date on the potential risks and the importance of digital hygiene at this time.
The healthcare industry has been digitally transforming over the past few years, especially due to the global pandemic. With this increase in technology comes an increase in risk and greater difficulty protecting patient privacy. Healthcare providers already have many crucial components to manage such as patient privacy and care, as well as the numerous compliances and regulations. Now that cyber-attacks are on the rise, healthcare providers are also working to keep their data and systems secure, but cybercriminals are taking advantage of this busy time.
Cybersecurity is a bit different and more complicated when it comes to healthcare and medical data. There are more digital systems than we typically realize. Patients fill their prescriptions and schedule appointments online. Not to mention heating, ventilation, air conditioning, infusion pumps, and many other systems that can be compromised by cybercriminals. The impact of a ransomware attack on healthcare data will be a much larger than most other industries because the data is extremely sensitive, and lives depend on it.
According to Deloitte experts, the primary concerns for the healthcare industry are phishing, man-in-the-middle attacks, attacks on network vulnerabilities, and ransomware. To combat these types of attacks, clinics need to incorporate employee cybersecurity training, so that employees are educated on digital hygiene and know how to spot a threat. Clinics should also focus on data usage control, by monitoring, blocking, and logging any malicious activity, as well as implementing strict access rights (based on least privilege). Additionally, with mobile phones, apps, and other devices being more commonly used by administrative personnel, it is crucial to monitor any remote devices and disable any nonessential accounts. Businesses in any industry should be incorporating MFA, regular backups, and regularly updating software.
The healthcare industry is growing rapidly, and so are cyber threats. If clinics can execute these security measures and keep up with them, they will be in a much better place to withstand any threat that arises and keep their data and patients secure.
Social media platforms like LinkedIn, Twitter, and Facebook, as well as simple text messages have become a popular vector for phishing attacks. As phishers step up their scams, organizations need to keep their employees informed on how to spot them.
LinkedIn is widely considered a trusted domain. This means that any malicious emails that are leveraging LinkedIn most likely will not get blocked by your anti-spam and malware filters. The “redirect” feature for business on LinkedIn that allows you to track ad campaign performance can also unfortunately be used by hackers to redirect users to phishing scams. If you are unsure whether a message is legitimate or not, take a pause and do your own research on the site or service in question.
You may have heard of the July 15th Twitter hack that compromised high-profile, verified Twitter accounts. This phishing attack sent out fake tweets with links to a phishing site designed to steal cryptocurrency. Although people were scammed out of money, it could have been much worse, and information could have easily been stolen. If this type of scam can happen to celebrities, political leaders, and large corporations, it can happen to anyone.
Earlier this year, Facebook users were warned of phishing campaigns disguised as Messenger chats. When it comes to Facebook, if you are getting unprompted messages from friends or people you know, asking you to click a link or provide any information, just ignore it. If you think it may be legitimate or important, reach out to that person with another means of communication and ask them to be sure.
As if social media scams aren’t bad enough, mobile phishing scams are becoming more popular than ever. With all the buttons and ads that pop up on your phone, it can be easy to let your guard down when it comes to mobile phishing scams. Then there is SMS phishing, which can install malware on your device and significantly control your device functionality. If you receive a suspicious text message, do not open it, and absolutely do not click on any links.
All it takes is one click for a hacker to compromise your device. Mobile security should be a top priority for any organization. With more employees using mobile devices for work and having their social media apps such as LinkedIn on their phones, organizations need to step up their anti-phishing capabilities to keep users secure no matter what device they are working from. Organizations should be including regular security awareness training to help employees understand these threats and how they target individuals and businesses. Phishing can come from any source, and you need to be suspicious of any and every suspicious message or link you come across.
The Federal Trade Commission (FTC) released an alert, warning companies that they may face legal penalties if they aren’t taking the proper steps to mitigate Log4j vulnerabilities to protect consumer information. Earlier this month, FTC officials said there is a “severe risk” to consumer products, software, and applications caused by a vulnerability in the Java logging package. This vulnerability is being exploited by hackers and it is critical that vendors who rely on Log4j take the proper precautions to reduce their likelihood of an attack.
An example of this is the Equifax breach, which was caused by failing to patch a known vulnerability. Because of this vulnerability, the personal information of 147 million consumers was left exposed. Equifax paid $700 million to settle actions taken by the FTC. The FTC intends to pursue any companies that fail to take steps to protect consumer data from exposures caused by Log4j, or similar vulnerabilities that may occur in the future.
The FTC advises companies to keep your Log4j software package updated to the most recent version, and reference Log4j Vulnerability Guidance provided by CISA. This FTC alert is a wake-up call to many companies that cyber threats are evolving, and so are security requirements and legal actions that will be taken if they do not take the proper steps to protect consumer information.
A company’s employees can often be seen as a weakness in terms of cybersecurity. In fact, according to the Verizon Data Breach Investigations report, 3 out of the top 5 threat actions involve human risk. We all have biases in our thinking that can create risky behavior. Some even argue that there is a connection between employee personalities and security.
The traits with the highest correlation to information security behavior (positive or negative) are risk taking, openness, agreeableness, and conscientiousness. For example, employees who score high on conscientiousness are less likely to engage in risky behaviors and vice versa. Employees who are natural risk takers and tend to engage in sensation-seeking activities may take chances when it comes to security.
Personality tests like Meyers-Briggs and DISC, have been used by organizations for screening and training purposes for years. How should an organization use these tests for cybersecurity purposes? There are no definitive answers, but here are a couple of thoughts:
Build processes that create healthy behaviors. Well documented procedures for systems administration or development with a solid change management process, automated testing tools and peer review are an example of methods to ensure that proper behaviors are deployed consistently and minimize non-compliance. Pilots with decades of experience still use checklists to inspect planes, take-off, land and taxi; your IT team should as well.
Install tools that minimizes impact of non-compliance. Tools such as Multi-factor authentication, email and web filters and endpoint detection and response (EDR) can go a long way to mitigate non-compliant employee behavior.
Conduct role- and behavior-based security awareness training. Best practice security awareness training states that an organization should provide security awareness training particular to the role the individuals plays in the organization. Consider paying particular attention to training those with non-compliant tendencies.
Ensure that there are proper incident response procedures in place. Even with a fully “compliant” staff from a cybersecurity perspective, stuff happens. Make sure you have a solid incidence response plan and are testing it on at least an annual basis.
Finally, the most important area the organization should focus on is leadership and governance. Spend some time thinking about the personality of the organization’s culture and how it can positively or negatively impact risk behavior. Remember, people will tend to mimic the leadership’s style in everything they do, including cybersecurity behavior. Whether that’s a good thing or not, is up to you.
The holidays are a huge time for buying and giving to loved ones. Unfortunately, this increase in purchasing means there is an increase in phishing and other holiday scams. Phishing is typically targeted towards consumers aiming to collect credentials, credit card or financial information, although companies are also affected since many employees now use their personal devices for business reasons.
The most common forms of scams this time of year are non-delivery; where you pay for something online and never receive it, or non-payment; where the product is being shipped but the seller is never paid. Some tips to avoid this: do not click any suspicious links or emails in attachments or on other platforms/websites and be wary of any websites asking you to update account information.
While you’ve all heard of phishing, don’t forget about smishing this holiday season. SMS phishing is only the first step in these types of attacks. Once the system has been successfully compromised, scammers can then install malware on the targeted devices. This enables them to control device functionality and makes you vulnerable to other attacks. To avoid this, be diligent in your research of any websites you purchase from and be wary of emails or text messages relating to purchases.
Especially during this holiday season look out for any suspicious text messages or emails and employ email filtering. Companies can reduce these threats by patching, using multi-factor authentication whenever possible and incorporating security awareness training to better spot scams. Be extra diligent this time of year, as hackers are becoming more sophisticated and making their scams look more legitimate.
With increasing requests from clients regarding their cybersecurity controls, companies are looking to us to help in a number of areas, with questions about written security policies, vulnerability and penetration testing, risk assessments, and security awareness training. These questions and concerns, which were mainly targeted towards large companies are now also crucial for small and medium-sized businesses.
In addition to the previously mentioned topics, clients are looking to see that companies have certain security tools in place such as:
Multi-Factor Authentication (MFA): MFA is a keyway to provide an extra layer of security to prevent hackers from accessing your system. MFA is when an alternate means of identification, in addition to a password is necessary to log in.
Endpoint Detection and Response (EDR): EDR is a cyber security solution that continuously monitors, collects data, and responds to help mitigate cyber threats.
Backup: Companies should be sure to include multiple forms of backup with at least one stored off-site. Backups should also be regularly tested to ensure they can be restored as needed.
Patching: Patches are software and operating updates that help address any vulnerabilities and keep your system up to date.
If your company is getting overwhelmed by client requests about your security posture, you are not alone. If you think your current measures may not be up to par or do not have the time, Designed Privacy created a program that provides you with a guide to cybersecurity and the tools you need to keep your company and your clients protected and stay competitive.
This Fall, the personal health information of over 170,000 dental patients was exposed in a data breach associated with the Professional Dental Alliance, a network of dental practices affiliated with the North American Dental Group. According to the Professional Dental Alliance, patient information was exposed due to a successful phishing attack against one of their vendors, North American Dental Management. The phishing campaign gave attackers access to some of NADM’s emails, where the personal information of patients were apparently stored.
While the Professional Dental Alliance has said their electronic dental record system and dental images were not accessed, an investigation found that the protected health information of patients such as names, addresses, email addresses, phone numbers, insurance information, Social Security numbers, dental information, and/or financial information were accessed by the attackers.
These incidents reveal just how vulnerable professionals can be against cybersecurity attacks and data breaches. One of the reasons for this is because many professionals are small businesses who don’t have the time or expertise to deal with everything that goes into cybersecurity. So, many professionals rely on vendors and associations to ensure they are protected. The issue is, if those vendors and associations experience a breach, professionals are also at risk.
To keep their patient information safe, it’s vital that dental offices and all professional businesses pay attention to some of the human risks that can lead to cybersecurity incidents. The attack this week, for instance, was the result of a phishing attack that tricked an employee into handing over account credentials. Here are a few things all professionals can easily do on their own to stay secure:
Endpoint detection and prevention
Endpoint detection and response (EDR) is a type of security software that actively monitors endpoints like phones, laptops, and other devices to identify any activity that could be malicious or threatening. Once a potential threat is identified, EDR will automatically respond by getting rid of or containing the threat and notifying your security or IT team. EDR is vital today to stay on top of potential threats and put a stop to them before they can cause any damage.
Using multi-factor authentication (MFA) is a simple yet powerful tool for stopping the bad guys from using stolen credentials. For example, if an employee is successfully phished and the attack gets that employee’s login information, having MFA in place for that employee’s account can stop the attacker from accessing their account even if they have the right username and password. If possible all users accessing your system should have multi-factor authentication set up for all of their accounts. At minimum, however, it is extremely important that every user with administrative privileges use MFA, whether they are accessing your network remotely or on-premise.
Hackers are constantly looking for vulnerabilities in the software we rely on to run our businesses. All those software updates may be annoying to deal with, but they often contain important security features that “patch up” known vulnerabilities. At the end of the day, if you’re using out-of-date software, you’re at an increased risk for attack. It’s therefore important that your team stays on top of all software updates as soon as they become available.
Having a backup of your systems could allow you to quickly restore your systems and data in the event of an attack. This is especially important if you are hit by ransomware, in which the attackers remove your data from your networks. However, it’s essential to have an effective backup strategy to ensure the attackers don’t steal your backups along with everything else. At minimum, at least one backup should be stored offsite. You should also utilize different credentials for each copy of your backup. Finally, you should regularly test your back-ups to ensure you will be able to quickly and effectively get your systems online if an attack happens.
Security Awareness Training
As this latest data breach shows, phishing and social engineering attacks are common ways attackers gain access to your systems. Unfortunately, phishing attacks are not something you can fix with a piece of software. Instead, its essential employees are provided with the training they need to spot and report any phish they come across. Sometimes it only takes one wrong click for the bad guys to worm their way in.
A recent article in The Wall Street Journal highlights some of the big changes that businesses have made to their employee training programs since the start of the pandemic. Typically, these trainings are formal, multi-hour in-person meetings. According to Katy Tynan, research analyst at Forrester Research, “formal, classroom-delivered training was easy to plan and deliver, but organizations didn’t always see the intended results.” Once the pandemic came along, trainings moved online and offered fun, informal bitesize trainings that employees take overtime. These changes to classical training programs echo many of the behavior-design principles that we incorporate into our cybersecurity awareness training.
Let’s break down some of the key changes the Journal article discusses and how they related to behavior-design principles:
1. Keep it Simple
Instead of hours-long trainings, businesses are starting to break down their trainings into small pieces for employees. In behavior-design terms, this represents an important element towards creating change: making sure users can easily do what we are asking them to do. Simply put, you can’t throw a ton of information at someone and expect them to keep up with it all. What’s more, employees will be a lot more willing to go through with a training if they know it will only take 5 minutes instead of 5 hours. Keeping trainings short and easy to do are therefore important steps towards ensuring that your desired outcome aligns with your employees’ abilities.
2. Consistency is key
Most traditional training programs are a one-and-done deal. Once it’s over, you never have to worry about it again. However, this is exactly what we don’t want employees to take away from training. Instead, consistency is key for any changes. With short lessons, employees can go through the program in small, daily steps that are easy to manage while also keeping the training in their mind over an extended period of time.
3. Make it Interesting
The final piece of the behavioral puzzle is ensuring that employees actually want to do the trainings. Most traditional training programs may involve some small group discussions, but overall employees are shown videos and made to listen to someone talk at them for long periods of time. Employees are only taking in information passively. Instead, trainings should be fun, interesting, and engaging to keep users coming back for more.
The pandemic has brought about so many changes to our lives. While some of the changes have been for the worse, it’s also forced us to start thinking differently about how we do things and come up with creative solutions. The new trend in training programs is one such change. And what makes these changes so successful is the way it incorporates some of the basic behavior-design principles. This is an approach we’ve taken when we developed The PhishMarket™, our cyber awareness training program. By offering engaging and interactive 2-4 minute lessons given daily over an extended period of time, our program has shown success in reducing employee phish susceptibility 50% more than the industry standard.