4 Fundamentals to Stay Cyber Secure
The FBI has designated October as Cybersecurity month. Here we are about to start October of 2020. We have had enough to worry about in 2020, so let’s really enjoy Cybersecurity month and celebrate! Well, maybe not, but let’s at least pay some attention and give it thought.
The point of cybersecurity month is to be aware of what is going on around us. Raising awareness should raise action, and raising action keeps us secure. With all of the cybersecurity talk, you would think we all would be very aware by now, but that is not the case. Breaches are on the rise. In fact, according to the National Association of Insurance Commissioners (NAIC), in 2019, 6.2% of those insured for cybersecurity reported claims. This is roughly a 30% increase in the number of claims over 2018. And this is just for those insured, which may be greatly skewed by the fact that most businesses don’t carry cyber insurance.
In addition to an increase in the number of claims, the payout on claims has also seen a sharp increase. According to Coalition, a cybersecurity insurance company, the dollar amount of claims for their customers is up by approximately 65%. This huge increase is likely driven by larger payment demands in ransomware attacks. If you are not familiar, ransomware is a malicious program usually let in by someone clicking on something in an email. It locks all your folders and files, and then requires that you pay the hacker, most often in untraceable Bitcoin. The average payment demanded by a strain of malware has gotten quite large: Maze – $420,000, Ryuk – $282,590, Netwalker – $176,190, Zeppelin – $132,573, just to name a few.
Interestingly, the types of attacks are much the same as last year. Ransomware is still the number one risk, followed by funds transfer fraud, and finally, email compromise (typically when the hacker gains access to your email account to impersonate you). What is frustrating, though, is that even though the methods of the hacker are similar, it appears we are falling prey to them at an even greater rate.
Coalition also gives us some insight into which attack techniques cause the most claims. The number one attack technique is email at 54%. Ransomware almost always enters a business network this way: someone clicks on an email attachment or link that lets it in. The other hacking technique that falls in the email category is phishing, an attack that most often directs you to a false login screen in hopes of gaining your credentials for email or finance. The second highest attack technique is remote access at 29%. This involves taking advantage of remote access portals that are somehow insecure and then gaining further access to the network. This is not surprising given how often we see companies bending the security rules to make it easier to get into a network remotely. The final attack technique that earns mention is social engineering at 6%. Yes, fraud attempts like impersonating an executive and requesting that you send all the W2 information for review are still out there. In fact, they are gaining sophistication.
Have you seen a trend in the information here? The attacks have not changed that much. They have grown in sophistication and expense, but they are really the same techniques that have been used for years. This highlights the fact that many organizations still have not taken the fundamental steps to be secure.
Here are 4 fundamentals for security:
1. Educate and Test – We often pay great attention to the network firewall, but not enough attention to the human firewall. The network firewall is similar to a home alarm system. The alarm system keeps us safe from the criminal element outside, and the firewall keeps us safe from dangerous things on the Internet. Just like someone in your family opening the back door and allowing someone into the house, thus bypassing the alarm, so our team members inside our company can allow something in and bypass the firewall. What is the solution? Education and testing, or using the more formal term, Security Awareness Training as a Service. Under a plan like this, your team receives video-based training and then test phishing emails to see how they do. This type of training improves the human firewall by simply creating awareness!
2. Password Policy and Security – We all know what needs to happen — passwords that are cryptic, 10 characters or more, regular changes, no using the same password for multiple systems, and no re-using old passwords. But too many companies are still avoiding the policy, because the perception is that it is too hard. If you have Windows Servers, a policy like this can be set up, and the system will require all of your team members to abide by it. If you are overwhelmed by all of the passwords, you can use a password manager program to vault your passwords. With a secure vault, you are more likely to use different and more complex passwords, because it stores them easily and even generates them for you.
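As an added example (not from the original post), here is how the policy described above is applied on a Windows Server Active Directory domain with the ActiveDirectory PowerShell module from RSAT. It reads the policy in force, applies the fundamentals from the post, re-reads the policy to confirm it took, and lists accounts exempt from rotation. The domain name `corp.example.com` and the 90-day maximum age are assumptions; the post only says "regular changes".

```powershell
# Added example, not from the original post. Run as a Domain Admin on a machine
# with RSAT installed. corp.example.com is a placeholder; use your own domain.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # assumption: placeholder domain name

# 1. Show what is in force today before changing anything.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge

# 2. Apply the fundamentals from the post: 10+ characters, complexity on
#    (cryptic), regular changes (90 days is an assumed value), and no re-use
#    of the last 24 passwords. MinPasswordAge stops a user cycling through 24
#    passwords in one sitting to get back to the old one.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1)

# 3. Re-read and check the result rather than trusting that the command ran.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if ($policy.MinPasswordLength -lt 10 -or -not $policy.ComplexityEnabled) {
    Write-Warning 'Password policy did not apply as expected'
} else {
    Write-Output "Policy in force: min length $($policy.MinPasswordLength), history $($policy.PasswordHistoryCount), max age $($policy.MaxPasswordAge.Days) days"
}

# 4. Enabled accounts flagged "password never expires" bypass the rotation
#    rule entirely; review each one (service accounts are the usual reason).
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
           -Properties PasswordNeverExpires |
    Select-Object SamAccountName, DistinguishedName
```

The default domain policy applies to every account in the domain; if you need a stricter rule for administrators only, the same settings can be placed in a Fine-Grained Password Policy (`New-ADFineGrainedPasswordPolicy`) and targeted at a group, leaving the domain default for everyone else.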
3. Secure Remote Access – Remote access has always been a big target for hackers. The hacker figures that if there is a way in, maybe he can take advantage. What creates the issue here is the often-opposing factors of ease of use and security. Often companies weaken security to make connecting remotely easier. Unfortunately, hackers are searching for any exposed opening, and they often find it. There are two technologies to consider as you look at remote access. First, are you using a VPN or similar technology that encrypts your traffic so it cannot be read? Is that technology up to date? You should no longer be using the old PPTP technology, but something newer such as an SSL VPN. Also, consider an MFA (Multi-Factor Authentication) solution. This is where you get a code sent to you via text or app that you must type in to get in remotely. It makes it so that even if someone has your login and password, they will not get in.
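To make concrete why a stolen password alone does not get an attacker through MFA, here is an added example (not from the original post) of how the code shown by an authenticator app is generated and checked: time-based one-time passwords per RFC 6238, an HMAC-SHA1 over a 30-second counter derived from a shared secret that never leaves the app and the server. The secret used is the published RFC 4226/6238 test secret (the ASCII string `12345678901234567890`, which is `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` in the Base32 form apps scan from a QR code), so the expected values are the RFC's own test vectors; nothing here is a real account's secret.

```powershell
# Added example, not from the original post. Pure PowerShell/.NET, no network.

function ConvertFrom-Base32 {
    # Authenticator apps exchange the shared secret as Base32 (RFC 4648).
    param([string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in $Base32.ToUpper().TrimEnd('=').ToCharArray()) {
        $bits += [Convert]::ToString($alphabet.IndexOf($c), 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $bytes.ToArray()
}

function Get-TotpCode {
    # RFC 6238: code = truncate(HMAC-SHA1(secret, floor(unixTime / step))).
    param([byte[]]$Secret, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # counter is big-endian on the wire
    $hmac = New-Object -TypeName System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    $offset = $hash[19] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)
    $code = [int]($binary % [math]::Pow(10, $Digits))
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Server-side check. Accept the current 30-second step and one step either
    # side so a slightly drifted phone clock does not lock the user out; a code
    # is never valid beyond that window, and a replayed code expires with it.
    param([byte[]]$Secret, [string]$Submitted, [long]$UnixTime, [int]$Window = 1)
    for ($i = -$Window; $i -le $Window; $i++) {
        if ((Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + 30 * $i)) -eq $Submitted) {
            return $true
        }
    }
    return $false
}

# RFC 6238 test secret in both forms; both decode to the same 20 bytes.
$secret = ConvertFrom-Base32 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
$same   = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
if (-not [Linq.Enumerable]::SequenceEqual($secret, $same)) { throw 'Base32 decode mismatch' }

# RFC 6238 Appendix B vectors (SHA1, last 6 of the 8-digit value):
Get-TotpCode -Secret $secret -UnixTime 59           # 287082
Get-TotpCode -Secret $secret -UnixTime 1111111109   # 081804
Get-TotpCode -Secret $secret -UnixTime 1234567890   # 005924

# A correct code inside the window passes; the same code 5 minutes later does not.
Test-TotpCode -Secret $secret -Submitted '287082' -UnixTime 70     # True
Test-TotpCode -Secret $secret -Submitted '287082' -UnixTime 359    # False

# Verify against the live clock the way a VPN or portal would:
# Test-TotpCode -Secret $secret -Submitted $typedCode -UnixTime ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())
```

The thing to take from this is that the server needs the shared secret and the correct time, not the user's password, to validate the code, and the code changes every 30 seconds. Codes delivered by text message work the same way from the user's side but depend on the phone network for delivery, which is why app-based codes are the stronger of the two options the post mentions.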
4. Secure your email – So many attacks start with email. A team member falls for that email that looks just fine, only to find they have opened the network to ransomware. Or perhaps this time the attachment is a phishing link that, once followed, asks for a login and password and looks so official that we fall for it. To increase your security, you may want to make sure your mail DNS settings use SPF records and that they are set up properly. Also, consider MFA for your email. Microsoft 365 email has this feature built-in, and it just requires some setup. Once configured, it requires an MFA code for web-based or unusual logins, but remembers an app password for things like Outlook and your phone. Finally, consider adjusting spam protection settings or adding a spam package that will examine web links. Most phishing occurs via a web link, so if your spam protection software checks out that link and hides it when it is malicious, you get rid of a lot of bad stuff.
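"Set up properly" is where SPF records most often go wrong, so here is an added example (not from the original post) that checks a record for the common mistakes: no `all` mechanism, a `+all` that authorises every host on the Internet, a `?all` that gives receivers nothing to act on, the deprecated `ptr` mechanism, and more than the ten DNS lookups RFC 7208 allows (beyond which receivers return a permanent error and the record protects nothing). `Test-SpfRecord` works on a record string so it runs offline; `Get-SpfRecord` fetches the live TXT record with `Resolve-DnsName`. The sample records are constructed; `example.com` and `mailer.example.net` are placeholders, while `include:spf.protection.outlook.com` is the include Microsoft 365 tenants publish.

```powershell
# Added example, not from the original post.

function Test-SpfRecord {
    # Returns a list of findings; an empty list means nothing obviously wrong.
    param([string]$Record)
    $findings = @()
    if (-not $Record.Trim().StartsWith('v=spf1', [StringComparison]::OrdinalIgnoreCase)) {
        return @('not an SPF record (must begin with v=spf1)')
    }
    $terms = @($Record.Trim() -split '\s+' | Select-Object -Skip 1)

    # The "all" mechanism decides what happens to senders the record does not list.
    $all = @($terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1)
    if ($all.Count -eq 0) {
        $findings += 'no "all" mechanism: unlisted senders are treated as neutral'
    } elseif ($all[0] -match '^\+?all$') {
        $findings += '"+all" lets any host on the Internet send as this domain'
    } elseif ($all[0] -eq '?all') {
        $findings += '"?all" gives receivers no signal; use "~all" or "-all"'
    }

    # RFC 7208 section 4.6.4: at most 10 terms that cause DNS lookups.
    $lookupTerms = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)' })
    if ($lookupTerms.Count -gt 10) {
        $findings += "exceeds 10 DNS lookups ($($lookupTerms.Count)): receivers return permerror"
    }
    if (@($terms -match '^[+\-~?]?ptr').Count -gt 0) {
        $findings += '"ptr" mechanism is deprecated; replace it with ip4/ip6 or include'
    }
    return $findings
}

function Get-SpfRecord {
    # Live lookup; a domain must publish exactly one SPF record.
    param([string]$Domain)
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
             Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    if ($txt.Count -gt 1) {
        Write-Warning "$Domain publishes $($txt.Count) SPF records; receivers treat that as permerror"
    }
    if ($txt.Count -eq 0) { return '' }
    return ($txt[0].Strings -join '')
}

# Constructed sample records (not data from any real domain):
$good = 'v=spf1 include:spf.protection.outlook.com -all'
$weak = 'v=spf1 a mx ptr include:mailer.example.net +all'
$none = 'v=spf1 ip4:203.0.113.0/24'

Test-SpfRecord $good   # (no findings)
Test-SpfRecord $weak   # "+all" finding and "ptr" finding
Test-SpfRecord $none   # no "all" mechanism finding

# Live check of your own domain (needs DNS):
# Test-SpfRecord (Get-SpfRecord 'example.com')
```

A record that passes this check only says which servers may send mail as your domain; it does not stop a phishing message arriving from a look-alike domain, which is why the spam filtering and link inspection in the same item still matter.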
Happy Cybersecurity month! Let us know if you would like to discuss turning up your security. We would be glad to help!
Scott Hirschfeld is the President of CTaccess, an Elm Grove IT support company that has been helping small businesses stop focusing on IT and getting back to doing business since 1990. Under his leadership CTaccess provides the business minded approach of larger IT companies with the personalized touch of the smaller ones. Connect with Scott on LinkedIn.