As cyber security experts, we are constantly researching the latest developments in the cyber-threat world. On a positive note, many enterprises are beginning to understand that they need to take a more proactive approach to protecting their businesses.
In a best-case scenario, companies are implementing a multi-layered cybersecurity model. Part of this cyber stack may also include cyber security insurance.
But, let’s say the hackers still find a way into your IT infrastructure and they hold your data hostage. They’re demanding a ransom payment of $250,000 – the average demand for SMBs in 2021. You contact your insurance agent, who, after a lengthy review, declines the claim because you “failed to patch vulnerabilities in a timely manner.”
Before we get into the topic of what you should do next, let’s delve a little more into the risks of relying on cyber insurance to save your business.
In excerpts from an article by TechTarget, they wrote, “With increasing demand and dangerous third-party risks, cyber insurance carriers are taking a much harder look at enterprises’ security postures — to the point where they’re limiting or denying coverage based on the presence of certain technologies.
Cyber insurance premiums and payouts have risen significantly over the past three years as attack surfaces and adversary techniques have expanded. Insurance carriers struggling to keep pace with the rapid evolution of cybersecurity risks have required customers to comply with a growing list of requirements. But the costs of cyber attacks have climbed so sharply that cyber insurance companies are going a step further.
While work to improve security postures continues from both sides, there are specific technologies and software that can affect coverage for enterprises. Payal Chakravarty, head of product at the cyber insurance provider Coalition, said rates are based on the root causes that lead to claims. Examples include a remote desktop protocol (RDP), which continues to be a problem for SMBs, as well as supply chain issues and third-party partner risks.
While rates have increased, she said enterprises can control the costs by being more intelligent about risk selection regarding the products and technologies in their environment. Coalition rates are based on certain technologies, which means it’s not a flat rate increase for every renewal. Renewal rates are determined by a technology-based rating and user behavior, including how they responded to alerts and whether they fixed the issues.”
In other words, insurance companies are for-profit businesses and they’ll do anything they can to deny your claim.
So, now it’s up to you. Is your business worth $250,000? If the answer is yes, how do you know – without a shadow of a doubt – whether you’ll actually get your data back? Hackers are criminals after all. It’s not like you can trust them.
This begs the question… Should you pay?
According to excerpts from an article by SpiceWorks, they wrote, “When it comes to paying a ransom, cybersecurity experts recommend following the FBI’s and Homeland Security’s advice, which is NOT to pay the ransom.
According to Danny Allan, CTO at Veeam, a “modern data protection strategy” should be in place as a clear indication of the organization’s commitment to never pay the ransom. “Educate employees and ensure they practice impeccable digital hygiene; regularly conduct rigorous tests of your data protection solutions and protocols, and create detailed business continuity plans that prepare key stakeholders for worst-case scenarios.”
So, insurance companies aren’t paying and business owners aren’t paying. What’s a hacker have to do to earn an indecent living nowadays?
Oh, I don’t know… how about threatening your partner or clients? Or maybe even taking out critical infrastructure facilities, such as power grids and water-treatment plants.
Yeah, it’s gotten that bad.
In an article by CityNews, they wrote, “The federal cybersecurity centre says criminals who hold data for ransom are expected to use new techniques — such as threatening a target’s partners or clients — to increase their chances of receiving payment.
In its threat forecast for 2023-24, the Canadian Centre for Cyber Security says cybercrime continues to be the online activity most likely to affect Canadians and their organizations.
The report released Friday says ransomware attacks, in which digital files are held hostage or encrypted until a fee is paid, are almost certainly the most disruptive form of cybercrime facing Canadians.
The centre says by threatening the business partners or clients of a victim, cyber criminals very likely anticipate that these organizations will increase pressure on the victim to pay the ransom.
The centre notes one cybercriminal group, which has targeted victims in Canada, is known to conduct denial-of-service attacks during payment negotiations, increasing the pressure.
The report also says the state-sponsored programs of China, Russia, Iran, and North Korea pose the greatest strategic cyber threats to Canada.
“State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage, and even Canadian individuals and organizations for financial gain.”
Critical infrastructure facilities, such as power grids and water-treatment plants, are increasingly at risk from cyber threat activity, the centre says.
“Cybercriminals exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve,” the report says.
“State-sponsored actors target critical infrastructure to collect information through espionage, to preposition in case of future hostilities, and as a form of power projection and intimidation.”
However, the cyber centre believes those carrying out state-sponsored cyber threats will likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct conflict.
The centre, part of the Communications Security Establishment, Canada’s cyberspy agency, has seen cyberthreat actors’ use of misinformation, disinformation, and malinformation, which is based on reality but presented in a misleading way, evolve over the last two years.
“Machine-learning enabled technologies are making fake content easier to manufacture and harder to detect.”
So, what else should you know about the current cyber threats and future cyber predictions? Check out the info below…
Common Hacking Techniques in 2022 and Predictions for 2023
In an article by Mitnick Security, they wrote, “Hacking techniques are ever-evolving, and it’s important to keep up with new threats. Threat actors are usually after two things from your business: data or money. Usually, they’re motivated by both, as uncovering a wealth of data can help them to cash in at the detriment of your business.
In addition to financial costs, a well-executed cyberattack could damage your reputation and put you out of business. Prosper in 2022 and 2023 by educating your employees (and yourself!) with security awareness training. Here are the top hacking techniques to look out for…
1. Social Engineering & Phishing
Social engineering is an attempt to get a potential victim — often someone who works for a targeted organization — to share personal information, usually by impersonating a trusted source.
Social engineering bait frequently comes in the form of phishing emails, where a threat actor sends a message that looks like it’s from someone you know. This message asks you to do something — like to click and download an infected attachment — under the guise of being helpful. If an infected file is downloaded, your computer can be compromised, giving the threat actor access to your computer, and sometimes, your entire network.
EarthWeb reported that “over 3.4 billion emails are sent daily as part of phishing attacks 2022.” With this number, it’s no surprise social engineering tactics, like phishing, are some of the biggest threats to look out for this year.
What you can do: Warn your employees to never give out private business information over email, to think before opening any attachments, and educate them on how to avoid email scams.
2. Malware-Injecting Devices
Cybercriminals can use hardware to sneak malware onto your computer. For example, compromised USB sticks can give hackers remote access to your device as soon as they’re plugged into your computer.
All it takes is for one person to give you a malware-ridden USB stick, and your whole organization could be at risk. Plus, clever hackers are now using cords — like USB cables and mouse cords — to inject malware.
What you can do: Educate your employees on physical malware injection methods and caution them to stop and think before plugging in an unknown drive or cable.
3. Missing Security Patches
Security tools can become outdated as the hacking landscape advances. They require frequent updates to protect against new threats. However, some users ignore update notifications or security patches, leaving them vulnerable.
It’s not just antivirus software that needs patching. According to EdgeScan’s Vulnerability Statistics report, “Eighteen percent of all network-level vulnerabilities are caused by unpatched applications – Apache, Cisco, Microsoft, WordPress, BSD, PHP, etc.” Your applications need constant attention as well to keep bad actors from exploiting holes in your security, especially considering the additional security threats evolving in 2022.
In January 2022, the Cybersecurity & Infrastructure Security Agency (CISA) warned the country about cyber threats sponsored by Russia. CISA went as far as listing the following recommendation first under the Vulnerability and Configuration Management section of the official document: “Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner.”
What you can do: Ensure that all of your antivirus and applications are routinely updated as security patches become available. Consider vulnerability assessments to ensure that the most prominent vulnerabilities are identified and addressed first.
4. Cracking Passwords
Hackers can obtain your credentials through a number of means, such as keylogging, in which undetected software — accidentally downloaded by the victim of a social engineering attack — can record keystrokes for the threat actor to use at their will. This includes saving usernames and passwords as they are entered on the infected computer.
Additionally, password cracking programs can run through letter and character combinations at blinding speeds to guess passwords. In fact, the latest graphics processing technology allows for even more complex passwords to be brute forced and hacked in significantly less time than ever before.
What you can do: Use a password management tool, which securely houses your company credentials. These tools can often auto-generate lengthy, diverse character passwords that are difficult for hackers to brute force guess — and autofill for your employees for easy access to their tools. Consider also looking into encryption and multi-factor authentication methods to shield your data from hacking techniques that go undetected by automated scans.
5. Distributed Denial-of-Service (DDoS)
This hacking technique is aimed at taking down a website so that a user cannot access it or deliver their service. Denial-of-Service (DoS) attacks work by hitting the target’s server with large influxes of traffic. The amount is so frequent and high that it overloads the server by giving it more requests than it can handle. Ultimately, your server crashes and your website goes down with it.
Larger businesses can get hit by a Distributed Denial of Service (DDoS) attack, which is a synchronized attack on more than one server or website, using multiple computers to attack at once, potentially taking down numerous online assets.
What you can do: Use a cloud protection service or DDoS mitigation services to protect your business from a site takedown. Consider external network penetration testing and product claims testing to verify that your chosen protection methods are effective.
2023 Cyber Security Threats and Predictions
The landscape of potential cybersecurity threats has quickly become a minefield for 2023. We believe that knowledge is power. Here is what to look out for, and what we think will happen next year:
1. COVID-19 Induced Remote Vulnerabilities
Social engineering has grown even more rampant, with the coronavirus pandemic giving cyber criminals the perfect pretense for manipulations. Social engineers have played off of America’s urgency for financial support and medical care services after losing their jobs and watching loved ones take ill. They pose as the government offering stimulus checks or imploring other clever phishing schemes to capitalize on the fearful pandemic.
Remote Vulnerabilities
With the 2020 COVID-19 pandemic, many organizations have switched to either full or partial remote operations, allowing employees to work from home. The problem remains, many companies shifted to home offices in desperation to avoid closure and do not have proper security measures in place to protect themselves against a slew of hacking techniques targeting the remote landscape.
For example, threat actors are capitalizing on users working on open WiFi networks, creating malicious networks posed as trusted businesses like Starbucks to hack targets. A special series by the International Monetary Fund (IMF) warns that unsupported remote access facilities “increase potential security risk.”
What you can do: In 2023, be on the lookout for phishers promising coronavirus relief or resources. If you receive an email asking you to register online to be first in line for a COVID vaccine, or a text message from a number you don’t recognize, asking you to confirm your mailing address to receive coronavirus support information, think before you click.
Follow any remote connection protocols set forth by your organization. If you are an organization leader, ensure that remote workers are aware of potential threats and enforce a secured connection policy.
2. Previously Unexplored Tech Hacks
We all know our computers can be exploited, but cybersecurity experts are predicting that bad actors will go after much larger fish for 2023. Smartphones and smart home devices, for instance, were responsible for 70% of fraudulent transactions in 2018, with bad actors taking control of device microphones or cameras to listen in or watch users, in hopes of recovering private data to use against them.
Beyond the home or office, cybercriminals are experimenting with remote hacks to cars with electronic operating systems, like the Brokenwire technique which involves sending malicious signals to interrupt the charging session of electric vehicles. In years to come, larger systems responsible for transport like train railways and airplanes may be targets for malicious compromise, as well as hospitals and schools.
What you can do: Keep an eye on the tech news to see how cybersecurity experts are working to find solutions.
3. AI (Artificial Intelligence)
According to Forbes, “AI is a tool that can also be exploited by bad actors.” From realistic-sounding voices to rendering images, there are several new tools in a threat actor’s toolbox for 2023.
What you can do: Relying on automated scans and tools can give threat actors the opportunity to utilize AI in social engineering attacks to steal company data. Provide cyber security awareness training to keep your employees informed about new techniques employed by threat actors.
4. Geo-Targeted Phishing Threats
Phishing has been a huge threat for years. However, threat actors are now targeting victims who live in specific locations with seemingly relevant, innocent clickbait. For example, a sophisticated spear phishing email in 2023 may offer an employee discount at a water park in their city — they just have to put in their employee ID. A threat actor could then use this information to access your internal network and launch their ransomware or other attacks with ease.
What you can do: A social engineering pentest can evaluate the current level of security awareness among your employees. From there, you can work to mitigate the risks by providing continuous education and live hacking demonstrations.
Top 10 Cybersecurity Tips for SMBs
In excerpts from an article by Fortinet, they wrote, “As individuals and businesses become more conscious of the need to protect their devices and data and take measures to secure what they can, cyber criminals have stepped up their game significantly. Cyber threats have escalated in number, complexity, and sophistication.
Cyber threats may or may not happen, and the fear of the unknown continues to pervade most organizations. However, taking precautions after a breach has occurred may be a little too late. PayPal CEO Dan Schulman is quoted as saying that in the cyber community, there are two types of companies: those who have been hacked and those who do not know they have been hacked.
Cyber criminals are well aware that small businesses might not have the resources to spend on security staff and software as would a much larger enterprise. This is what makes them a prime target, as hackers see small businesses as particularly vulnerable, especially those without basic security measures.
Cyber criminals are also aware that many small businesses work with large companies, so access to a small business’s network might mean access to that of a larger corporation. Further, small businesses, including restaurants and franchises, store vast amounts of bank account and credit card information, so a hack into a small business could prove valuable for those with malicious intent.
But, small businesses have several opportunities to strengthen their defenses against a cyberattack. Below are a few that can be incorporated with little to no additional expense.
1. Regular Software and Patch Updates
Most people never consider that software or systems need to be manually updated because they are used to automatic updates on their PCs and laptops, especially from Windows or Windows-based programs.
However, some software, such as the Wi-Fi router’s firmware, needs to be manually updated. Software updates include security patches, which are necessary in the fight against cyber threats. Without these new patches, a router—and the devices connected to it—remain vulnerable. As such, businesses should update their wireless routers’ firmware, in addition to all of the devices in the workplace—printers, scanners, and the like.
2. Train Employees
According to a study cited by a CNBC report, employee negligence is the main cause of data breaches. Nearly half, 47%, of businesses pointed to human error, such as accidental loss of a device by an employee, as the reason behind a data breach at their organization. Therefore, it is imperative that businesses take the time to train employees on cybersecurity measures.
3. Passwords and Authentication
Strong passwords that are hard to figure out—20 characters in length, including numbers, letters, and symbols—are a must in the fight against cyber threats. The more difficult to crack a password, the less likely a brute-force attack will be successful. As an additional measure, small businesses should incorporate multi-factor authentication (MFA) into their employees’ devices and apps.
There are password keepers, apps for storing and managing passwords, that not only keep track of passwords but also set reminders when they are due for an update.
4. Timely Risk Assessments
Risk assessments might sound like something only large enterprises have time and money to carry out. Yet, small businesses should consider incorporating them into their cybersecurity processes.
Businesses should brainstorm “what if” scenarios for cybersecurity, especially as they relate to data storage. Data is most likely stored in the cloud. As such, businesses can lean on their cloud storage provider to help them perform a risk assessment to determine what threats, if any, exist and what measures can be taken to strengthen data security.
5. Use Virtual Private Networks (VPNs)
A VPN allows employees to securely access a company’s network when working from home or traveling. This is necessary because employees often use the internet for access, which is not as secure as the company’s network.
VPNs mitigate the effects of a cyberattack because VPNs also encrypt data. As such, they can serve as an extra measure of security when employees are using their home wireless network, a network at another worksite or a café or restaurant, or a public internet access point.
6. Regular File Backups
Backing up files might seem like a rather 1990s way to protect data, but even in the modern world of cloud storage and backup, it is relevant. According to the National Cybersecurity Alliance, small businesses continue to evaluate the decision to trust their data to AWS, Microsoft Azure, or Google, expecting these companies to provide backups. However, storing copies of data offline is not a bad idea and can even provide cost savings in the long run.
***And make sure the backups are working
7. Deploy Antivirus
The number of viruses has multiplied exponentially over the years, so businesses should ensure that antivirus software is installed properly. Antivirus software should be installed not only on corporate-owned devices but also on devices owned by employees that are used for work-related purposes.
The antivirus software also needs to be updated regularly. Updates could be automatic or may need to be performed manually.
8. Secure Your Wi-Fi Networks
Businesses must secure their wireless networks in as many ways as they can. Two easy things they can do are to change the router’s default name and password. It is important to change the router’s name to a name that does not automatically give the name of the business away.
Next, encrypt the wireless network to the strongest protocol available, which is currently Wi-Fi Protected Access 3 (WPA3), as advised by the Wi-Fi Alliance. Yet another way to ensure that the Wi-Fi network remains secure is to constantly check that all of the devices connected to the network are also secure—using strong passwords and data encryption.
9. Employ Best Practices on Payment Cards
Small businesses rely on their banks and card processors to make sure that all anti-fraud measures are in place. In addition to physically handling customers’ cards with extra care, the security protocol of the business’s wireless network—again—needs to be set to the strongest, WPA3.
The PCI Security Standards Council prohibits retailers from processing credit card data using the older Wired Equivalent Privacy (WEP) protocol, which was abandoned in 2003.
10. Limit Physical Access to Computers
As with access to a building or physical assets, unauthorized individuals should be prevented from potentially gaining access to laptops, PCs, scanners, and other devices the business owns. This may include physically securing the device or adding a physical tracker to recover the device in case of loss or theft.
For devices that are used by multiple employees, businesses should consider creating separate user accounts and profiles for additional protection.”
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca