What Keeps You Up At Night – Part II

This week let’s take a look at data feedback so here we go! Over 350 organizations globally participated in this year’s report. The top industry verticals high to low are as follows: Finance, Technology, Healthcare, Government, Professional Services, Non-profit, Manufacturing, Energy & Utilities, Education, Transportation, Insurance, Consumer, Materials, Real Estate, Construction.

The respondents represent organizations of every size and a wide range of IT titles, from IT admin all the way up to the C-suite.

The key findings concern areas of security that organizations don’t quite have a handle on yet. While a portion of organizations had many of these issues under control, on average 81% of organizations were concerned to some degree about a security issue.

The Up At Night issues

  • Users are the primary concern for 92% of organizations. Negligent users who become phishing attack victims top the “up at night” list.
  • Ensuring security is in place that meets GDPR requirements is still a challenge for 64% of organizations, despite the regulation details having been out for quite some time.
  • Security awareness training along with phishing testing topped the list of security initiatives that 80% of organizations need to implement.
  • Data breaches remain a rampant problem worldwide. With executives concerned about breach repercussions, this one has 95% of organizations worried.
  • Attackers’ use of compromised credentials is such a common tactic that 93% of organizations are aware of the problem, but they still have lots of work to do to stop it.
  • Nearly every part of the success of a security strategy relies on having an adequate budget, a material concern for 75% of organizations.

In my next post we will look at “What single issue around your organization’s security stands out as the greatest concern that either figuratively or literally keeps you up at night?”

Till then… Think Before You Click!

Tina Louise ~ https://www.cloudplusservices.com ~ 888.871.6584

What Keeps You Up At Night

Maintaining organizational security against cyber threats last year was a unique challenge. Cybercriminals turned up their execution a notch, targeting specific industry verticals, organizations, and even individuals. Increases in the frequency of ransomware, phishing and cryptojacking attacks were experienced by businesses of nearly every size, vertical, and locale. Many criminal organizations now leverage the same types of machine learning and AI to better understand how to improve their attacks.

2018 was also a year of some of the most sensational and successful attacks. Marriott’s 500 million stolen customer records represented the largest data breach in history, reminding organizations that no company is completely safe. Over 184 million ransomware attacks occurred, with damages estimated at over $8 billion. And phishing attacks are now being used to commit fraud that has left some businesses out millions of dollars. In the midst of all this cyber-turmoil, IT organizations have been tasked with establishing and maintaining a layered security defense that protects the organization and its users, despite the ever-changing threat landscape. The constant barrage of threats, attacks, malware, and news stories must have some IT organizations deeply worried.

So, let’s look at the possible concerns that may be keeping you “up at night”; that is, which aspects of security, from prevention to attack, detection and response, you are most concerned about. Over the next six posts, we’re going to take a deep dive into the stuff of nightmares: security concerns that have organizations worried. The six areas of focus will be:

  • Attack Types
  • Security Initiatives
  • Compliance Security
  • User-Related Issues
  • Resource Issues
  • Executive-Level Concerns

We’ll dig into each area, providing insight into which parts of security have organizations lying awake in their beds, and which ones allow them to sleep soundly.

The above content comes from my partnership with KnowBe4 ~ Till next time… Think Before You Click!

Tina Louise ~ https://www.cloudplusservices.com ~ 888.871.6584

There’s A Hunter In The Wild

I was speaking to a business today and they were perplexed: the emails their employees are receiving seem fishy. I said, “As in phishing?” She said, “What do you mean?” and I said, “There’s a hunter in your midst; don’t respond to or click on anything.”

I received one of those UPS emails right after my post last week. Funny, I didn’t order anything, so I filed it under “T” for trash. Here are more “Common Attacks In The Wild”!

  • Apple: You recently requested a password reset for your Apple ID
  • Employee Satisfaction Survey
  • Sharepoint: You Have Received 2 New Fax Messages
  • Your Support Ticket is Closing
  • Docusign: You’ve received a Document for Signature
  • ZipRecruiter: ZipRecruiter Account Suspended
  • IT System Support
  • Amazon: Your Order Summary
  • Office 365: Suspicious Activity Report
  • Squarespace: Account billing failure

KEY TAKEAWAY

The desire to receive communications intended for the individual is strong. The potential of something being wrong and/or at risk also plays into the human psyche, leaving the individual to think that he/she must act immediately to resolve the issue. These types of attacks are effective because they cause a person to react before thinking logically about the legitimacy of the email.

Till Next Time ~ Think Before You Click!

Tina Louise ~ http://www.cloudplusservices.com ~ 888.871.6584

Top-Clicked Phishing Test!

Top 10 general email subjects

  1. Password Check Required Immediately – 34%
  2. You Have A New Voicemail – 13%
  3. Your order is on the way – 11%
  4. Change of Password Required Immediately – 9%
  5. De-activation of [[email]] in Process – 8%
  6. UPS Label Delivery 1ZBE312TNY00015011 – 6%
  7. Revised Vacation & Sick Time Policy – 6%
  8. You’ve received a Document for Signature – 5%
  9. [ACTION REQUIRED] – Potential Acceptable Use Violation – 5%
  10. Spam Notification: 1 New Messages – 4%

Even if you have not received the above subject lines (and there are many more), it is up to you to stop and think, “Why am I receiving this email?” In the workplace and in our personal lives, be diligent in protecting your network and data.

Tips and tricks: hover your mouse over the sender address; if it looks odd, it is, so block that address. I have even received a so-called email from UPS with a tracking number; copy the tracking number, go to the legitimate UPS site and paste it in, and that will tell you the story. Become the detective: get on the phone and make a call if needed, scrutinize the email, and do not click on any links or attachments.
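As an added example (not from the original post or from KnowBe4), here is a small Python check that applies the two tips above automatically, the way a mail filter might: it verifies that a brand named in the sender’s display name or subject matches the sender’s real domain, and that a link whose visible text is a URL actually points at that same site. The brand-to-domain table, the `ups-tracking.example` sender and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, illustrative table of brands named in the lures above and the
# domains that legitimately send for them (an assumption, not an authoritative list).
BRAND_DOMAINS = {"ups": {"ups.com"}, "apple": {"apple.com"},
                 "docusign": {"docusign.com", "docusign.net"}, "amazon": {"amazon.com"}}
# Simplified anchor matcher: good enough for the sample bodies here, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def base_domain(host):
    """Crude registrable domain: the last two labels (enough for these examples)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def host_of(url):
    """Host part of an absolute URL, or '' if the string is not one."""
    m = re.match(r"^[a-z]+://([^/?#:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def analyze(raw):
    """Return warnings for a single-part message given as an RFC 822 string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = base_domain(addr.rsplit("@", 1)[-1])
    # Tip 1: a brand in the display name or subject should match the sender's domain.
    claims = (name + " " + msg.get("Subject", "")).lower()
    warnings = [f"claims to be {b} but sender domain is {from_dom}"
                for b, doms in BRAND_DOMAINS.items() if b in claims and from_dom not in doms]
    # Tip 2: a link whose visible text is a URL should point at that same site.
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR.findall(body):
        shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
        if shown and real and base_domain(shown) != base_domain(real):
            warnings.append(f"link text shows {shown} but points to {real}")
    return warnings

# Constructed sample modeled on the UPS lure in the list above (not a real message).
SPOOFED = """From: "UPS Delivery" <notice@ups-tracking.example>
Subject: UPS Label Delivery 1ZBE312TNY00015011

<p>Track here: <a href="http://ups-track.example/t">https://www.ups.com/track</a></p>
"""

if __name__ == "__main__":
    for w in analyze(SPOOFED):
        print("WARNING:", w)
```

Both warnings fire on the constructed sample, while a message whose sender and link targets really are on ups.com produces none.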

Key Takeaways – Hackers play on employees’ desires, both at work and in our personal lives, so we must remain security minded. There’s also an element of mystery that often makes people curious enough to click (i.e., a new voicemail, an order on the way). Password management is a popular way to get people to click on a link.

Next time ~ COMMON “IN THE WILD” ATTACKS ~ Think Before You Click!

Tina Louise ~ http://www.cloudplusservices.com ~ 888.871.6584

CEO Fraud – Action Step Four And Wrap It Up!

Isolate security policy violations
For such an incident to have happened, violations of existing policy are likely to be in evidence. Conduct an internal investigation to cover such violations as well as to eliminate any possibility of collusion with the criminals.
Take the appropriate disciplinary action.

Draw up a plan to remedy security deficiencies
When the immediate consequences of the attack have been addressed and full data has been gathered about the attack, draw up a plan that encompasses adding technology and staff training to prevent the same kind of incident from repeating. Be sure to beef up staff awareness training as a vital part of this.


Wrap It Up!
There is no substitute for preparation when it comes to dealing with cybercriminals and the many flavors of CEO fraud. The CEO Fraud Prevention Checklist given here will guide you through the steps to take to proof the organization up against this type of incident.


While those steps will greatly reduce the likelihood of an incursion, all it takes is one gullible or inattentive user to let the bad guys inside. In those cases where CEO fraud is being perpetrated.


In the case of both checklists, security awareness training plays an essential role in creating a human firewall around your organization. Only when users are fully aware of the many facets of phishing will they be capable of withstanding even the most sophisticated attempts at CEO fraud.

Contact my office for the CEO Fraud Response Checklist.

Thank you for following this important series on CEO Fraud… Till next time… Think Before You Click!

Tina Louise – http://www.cloudplusservices.com – 888.871.6584

CEO Fraud – Action Step Three!

Action is the key to all business growth! As with security awareness training, being proactive instead of reactive determines the safety of your data.

Contact your insurance company
FBI data shows that less than 4% of CEO fraud funds are recovered. Therefore, it is necessary to contact your insurance company to find out if you are covered for the attack. While many organizations have taken out cyber-insurance, not all are covered in the event of CEO fraud.

This is a grey area in insurance, and many insurers refuse to pay up. Many that have reported CEO fraud to their insurer find that this type of incident is not covered. Despite the presence of a specific cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead. Insurance companies draw a distinction between financial instruments and email fraud. Financial instruments can be defined as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (shares), or a contractual right to receive or deliver cash (bonds). Many companies are covered in the event of a fraudulent financial instrument.

However, CEO fraud is often categorized differently. It is regarded by some insurance firms as being purely an email fraud and not a financial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a financial instrument matter. That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber-attack.

Next time… Action Step Four… till then, “Think Before You Click”!

Tina Louise ~ http://www.Cloudplusservices.com ~ 888.871.6584

CEO Fraud – Action Step Two!

Action is the key to all business growth! As with security awareness training, being proactive instead of reactive determines the safety of your data.

Brief the board and senior management
Call an emergency meeting to brief the board and senior management on the incident, steps taken and further actions to be carried out.

Conduct IT forensics
Have IT investigate the breach to find the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account, such as changing the password. But don’t stop there: the likelihood is that the organization has been further infiltrated and other accounts have been compromised. Have IT run the gamut of detection technologies to find any and all malware that may be lurking to strike again.

Bring in outside security specialists
If the organization was breached, it highlights deficiencies in existing technology safeguards. These will prove harder for IT to spot, so bring in outside help to detect any area of intrusion that IT may have missed. The goal is to eliminate any and all malware that may be buried in existing systems. The bad guys are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.

Next time… Action Step Three… till then, Think Before You Click!

Tina Louise ~ http://www.cloudplusservices.com ~ 888.871.6584