Awareness Vital in Fight Against New Cyber Threats
By Matt Searfoss, Director of Support Services, CDI Managed Services
At some point, your business could be impacted by data breaches, malware, spam, phishing scams, or ransomware, but you cannot afford to suffer from declining stock valuations, job losses, damaged business reputations, and lost revenue. Update your IT security awareness campaigns and training programs to sharpen staff awareness about potentially crippling new threats.
It’s that special season again, and I’m not just talking about the weather. While many of you have certainly noticed a drop in temperatures, especially early in the morning, did you know that October is National Cyber Security Awareness Month? And November is National Critical Infrastructure Security and Resilience Month.
As you reflect on the IT security best practices at your organization, I’d like to help you understand some of the latest threats. It’s important to assess your preventive capabilities, threat response readiness, disaster recovery, and backup plans as part of a thorough risk analysis and follow-up plan. Now is a good time to reach out to us here at CDI to take action. Our experienced professionals can guide you through a complete spectrum of proactive, preventive, corrective, and restorative activities, products, and services.
Data Security Breaches in Healthcare IT
I want to start with Healthcare IT because it’s a field we’re all familiar with. We don’t want our private health information to be shared.
Under the set of safeguards and legislation known collectively as HIPAA, large patient health data breaches are investigated and can result in a fine of over one million dollars annually for a business in violation. Any unsecured protected health information affecting 500 or more individuals that is leaked, lost, or stolen is reported and investigated by regulators.
According to the Department of Health and Human Services, 127 cases from 2016 are still under active investigation and 235 new cases are underway through 2017 YTD.
What I want you to take away from these numbers is how important it is for leadership to adopt a formal risk management strategy. Perform a solid and comprehensive audit and then develop a strategic plan to mitigate the identified risks. I’m sharing the actual published list of reported breach categories because they apply to other industries. How many of these risks do you recognize at your office?
- Theft of devices including laptop computers
- Theft of film, paper, or other originals
- Unauthorized access/disclosure of electronic medical records
- Hacking/IT incidents involving network servers, desktop computers, laptops, mobile devices, or email
- Improper disposal and other forms of loss
Importance of IT Security Staff, Funds and Programs
It’s also important for C-level executives and senior management to budget for IT security and see it as critical to the bottom line. As you review your 2018-2019 fiscal budgets, I encourage you to invest in your own corporate security infrastructure based on awareness of the big picture that includes a panoramic view of all global markets.
You have to persuade those with budget authority to understand this fundamental point: our financial institutions, transportation systems, agriculture, schools, hospitals, communications, commerce, the electric power grid, and any other essential systems that enable us to live and breathe, all require internet connectivity and depend on healthy IT systems.
The cybersecurity policies in place at your organization impact the entire global infrastructure; and critical infrastructure at the national level influences the types of risks you’ll face locally. Yes, the water is running today, and the traffic lights are operating as expected, but you should be planning now for the system redundancy, disaster recovery, and agile resiliency you’ll need tomorrow.
While many of the risks I discuss in my blogs are immediate, such as malware, data breaches, or disasters, some risks might appear on a more distant horizon. For example, a Center for Cyber Safety and Education study forecasts a shortage of 1.8 million IT security professionals over the next five years.
You Can’t Afford to Make the Same Mistakes
Declining stock valuations, job losses, and damaged business reputations are just some of the resulting fallout from the recent Equifax security blunder that allowed hackers to access social security numbers, driver’s license information, birth dates, and personal addresses for 146 million Americans (yes, nearly half the adult population).
In fairness, the company is now offering free enrollment in their premier credit monitoring service and has posted a breach impact assessment tool for consumers on their website. As reported by the NY Times, Equifax also plans to introduce a free credit lock feature in early 2018 that customers can control through a mobile app. Some lawmakers are pushing for credit reporting companies to offer complimentary credit freezes.
Again, the lesson we can all take away from this incident is important. IT security is critical to your business and you cannot afford to make the same mistakes. Let’s break down what happened. Does any of this sound familiar at your company?
March 2017: The Department of Homeland Security issues a notice to companies (including Equifax) about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes.
April 2017: Equifax sends an internal email request for technical staff to patch the software. According to testimony, “an individual did not ensure communication got to the right person to manually patch the application,” and the scanning software used to detect vulnerabilities failed to find the unpatched code.
May 2017: Unauthorized access by cyber criminals occurs from mid-May 2017 through July 2017.
September 7, 2017: Equifax announces the breach in a public press release.
October 2017: After conducting hearings, lawmakers propose more government regulation of the credit reporting industry including updated security standards, timely written notification of breaches, and free access to consumer credit protection services.
Malware, Spam, Phishing Scams and Ransomware
This is one area where I think automated filters are getting better, and business users in general are also getting better at spotting and deleting suspicious content without allowing it to infect their PCs or the network. However, the quantity, volume, and pace of malicious content continue.
Malware: According to Symantec, malware sent by email increased in August to 1 in 347 emails. They reported that the email malware rate has increased steadily for the last six months. Today, on average, 1 in every 312 emails is malicious, and at firms with 251-500 employees, the rate jumps to 1 in 202.
Spam: Their report also suggests that the global spam rate is growing with over 55 percent of all messages attributed to unwanted spam. Over 700 million email addresses were found on a single spambot which was distributing variants of a trojan virus aimed at stealing information from infected recipients.
Phishing: While phishing rates declined over the summer, the IRS issued an alert about a new scam targeted at stealing personal data about clients from tax professionals. Approximately 1 in 2,500 email messages is a phishing scam. On average, a typical user might get 10-15 phishing emails per day. Your email server can filter many of them out.
Ransomware: Every 90 days, about 500 million email messages are carrying (known or unknown to the sender) a downloader for ransomware. Most are detected and blocked, but 20 percent (1 in 5) do execute some type of infection, lock, or full-blown attack with file encryption and ransom instructions. As a reminder, ransomware can affect enterprise or home networks, and victims could be specific targets or random users. Ransomware can also encrypt files on servers and mapped drives, and can spread using network drives or by exploiting system vulnerabilities.
Educate Your Users
Implement an awareness and training program. End users, employees, contractors, visitors, and other individuals should be aware of all threats and should be equipped with the tools, knowledge, and proper best practices for deterring their delivery.
To protect your organization, follow these tips:
- Don’t open unexpected email attachments or click mysterious links.
- Make regular backups of your files and verify their integrity. Also, take steps to secure them. Backups that are connected to computers and networks are vulnerable.
- Apply the latest application versions, device firmware patches, and operating system updates. They often include bug fixes and security vulnerability fixes.
- Keep your anti-virus software subscription and definitions up-to-date. Schedule quick scans daily and full scans once a week or month, depending on how active you are as a user. Windows 10 includes Windows Defender and a scan tool that finds and removes malware.
- To prevent email spoofing, US-CERT recommends authenticating inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM). [Source: https://www.us-cert.gov/ncas/alerts/TA17-132A]
- Scan all incoming and outgoing email to detect threats and filter executable, infected, or unwanted files from reaching end users.
- Enable strong spam filters to prevent phishing emails from reaching users.
- Configure firewalls to block access to known malicious IP addresses.
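To make the inbound email authentication tip concrete, here is an added example (not from the original article or from CDI) of how a downstream filter can act on the SPF, DKIM, and DMARC results that a mail gateway records in the Authentication-Results header. The gateway name mx.example.org, the sample messages, and the deliver/quarantine/reject policy are assumptions for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: your gateway's authserv-id

def auth_results(raw):
    """Collect spf/dkim/dmarc results, trusting only headers our gateway stamped."""
    results = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue  # a sender can add this header too; ignore foreign ones
        for method, res in re.findall(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", rest, re.I):
            if results.get(method.lower()) != "pass":  # any pass for a method counts
                results[method.lower()] = res.lower()
    return results

def verdict(raw):
    """Example policy (an assumption, tune to your own): DMARC decides first."""
    r = auth_results(raw)
    if not r:
        return "quarantine"          # nothing trustworthy to go on
    if r.get("dmarc") == "pass":
        return "deliver"
    if r.get("dmarc") == "fail":
        return "reject"
    if "pass" in (r.get("spf"), r.get("dkim")):
        return "deliver"             # domain publishes no DMARC policy
    return "quarantine"

# Constructed sample messages, not real traffic.
LEGIT = ("Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com;\n"
         " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
         "From: Billing <billing@example.com>\nSubject: Invoice\n\nSee attached.\n")
SPOOFED = ("Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net;\n"
           " dkim=none; dmarc=fail header.from=example.com\n"
           "From: Billing <billing@example.com>\nSubject: Urgent\n\nPay now.\n")
FORGED_HEADER = ("Authentication-Results: mail.sender.example; spf=pass; dkim=pass;\n"
                 " dmarc=pass header.from=example.com\n"
                 "From: Billing <billing@example.com>\nSubject: Urgent\n\nPay now.\n")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED), ("forged", FORGED_HEADER)]:
        print(name, auth_results(raw), verdict(raw))
```

The third sample shows why the filter checks who stamped the header: a message carrying only a self-declared "pass" from an unknown server is treated as unauthenticated.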
If you have any questions or concerns, please do not hesitate to contact your Service Delivery Manager or the CDI Service Desk.