If large global brands, like Target, struggle to protect themselves from cyber attackers, how can small businesses protect themselves? How can you manage IT in a way that helps you conduct business, while also protecting your assets and lowering risk?
During our recent panel on cybersecurity, Anthony Butler, author of Cracking the IT Code, described the state of the security market as a very difficult puzzle, with the nature of threats continually changing.
What exactly is changing?
The sophistication of attacks has gone from hacks carried out by college kids to organized crime spending millions to develop debilitating attacks. The increased frequency of attacks is even more alarming. We no longer see cyberattacks from a handful of isolated groups, but instead from hundreds of organizations. With the increased frequency and intensity of attacks, we have reviewed some recent cybersecurity trends to help you understand how they are impacting small and medium businesses.
Ransomware
The next generation of ransomware and malware produced today is more effective and harder to detect, exposing us to even greater risk, according to Nick Belov, CISO at CGS.
The cyberattackers building these malicious programs are changing their tactics as well. Attackers today will sometimes masquerade as security consultants who can “recover” encryption keys for companies that have been the victim of an attack. The hackers claim they can recover the victim's data, for a fee. Attackers have found it easier to convince companies to pay IT consultants a steep fee than to pay a ransom to cyberattackers.
Another new strategy is creating ransomware that is smart enough to hunt down and destroy backups or backup catalogs in addition to the original data. This has companies looking to air-gapped backups as one popular way to reduce risk.
The good news is ransomware attackers are also working against the clock. Flaws in malware implementation may weaken attacks so that companies can quickly recover their lost or damaged data. In some cases, if the affected company can afford to wait, simply holding out for a few weeks or a month may allow them to use a public solution to a widespread malware attack. This is, of course, a business decision, not a technology or information security decision, that each company has to make case by case.
More Sophisticated Attacks
The increased sophistication of attacks has been problematic for some time; however, we have seen a few dramatic jumps recently.
The recent dump of NSA tools has been hugely impactful. One of the most well-known attacks to result from the dump is the zero day that hackers developed, known as the WannaCry ransomware. Zero days are attacks on previously unknown software vulnerabilities for which a developer has not released a patch or fix. As we saw in the case of WannaCry, companies are not well prepared to manage zero days, and neither is the IT industry. This is incredibly surprising, as these attacks can be very damaging and are increasing in intensity and frequency.
There has also been an increase in carefully constructed social engineering email phishing attacks, such as CEO wire scams, W2 scams or phishing for credentials for services like Office 365 and Outlook Web Access.
In the past, these kinds of attacks were easily identified by poor English and a liberal dose of grammatical and linguistic mistakes. Cyberattackers today have tools that can accurately mimic the language and communication style of the supposed sender, be it the CEO or controller. The emails are almost perfect, down to the smallest details, so that the receiver might actually believe the supposed sender wrote the email.
On the Defensive
How do you defend your company and ensure a fast recovery when an attack hits?
One recent positive change in the marketplace is the availability of cyber insurance for SMBs. With more companies buying cyber insurance, providers have been able to deliver better coverage at more affordable prices for smaller businesses. One common hurdle for SMBs with insurance has been the perceived complexity of the qualification process. There are sometimes extensive inquiry forms and technical interviews a company must complete to prove that they’ve taken the proper, reasonable steps to protect their assets. This requires businesses to have a solid plan in place before applying for insurance. With a lack of awareness of how quickly SMBs have become prime targets, combined with the limited internal security expertise in many companies, many businesses skip these steps. Doing so, however, can be extremely costly, as it puts the survival of the company at great risk. According to Small Business Trends, 60 percent of small companies go out of business within six months of a cyberattack. Insurance is there to help businesses recover faster in the event of an attack; however, preventing the breach in the first place is still the top priority.
One easy step is to build adequate, frequently tested backups. Regardless of the format and how well it works, in an attack everything will reflect back on your preparation. It's one thing to replace a day's worth of work because the attack was caught in a few hours, and quite another to have to go back three months. In particular, if you have backups and they are not detached, malware and ransomware have become smart enough to reach these files and destroy them in an attack as well. Data governance and understanding where your data lives are a key part of your recovery preparation.
It is also critical that we challenge our implementations and configurations. We need to make use of tabletops with red teams, penetration tests, and similar tools to avoid unintentional mistakes and to fine-tune our defensive processes. Independent audits are available to help you discover where the risks lie and to ensure your bases are covered.
Conclusion
Building a program that makes sense for your business can protect your assets in a comprehensive way without overextending your team. There are no cookie-cutter solutions, so it can be a difficult challenge to undertake. To reach your security goals, the first steps are to choose the right partners with the right expertise and invest in cyber insurance.
Identify the most critical items, and then start with implementing a few countermeasures. IT professionals can help define your potential attack surface, and will know what to address first in an incident. With the right preparation, you will be able to reduce the risk of cyberattacks to a tolerable level with lower levels of exposure. This is really a puzzle that will be worth your time and effort to figure out and put together.