SMBs Attacked 15x More Often

Small to Medium-sized Businesses (SMBs) are attacked fifteen times more often than smaller firms (fewer than 10 employees) and larger firms (more than 100 employees). In 2018 they accounted for 43% of all security incidents. This puts the engine of the world’s economy squarely in harm’s way.

SMBs are attacked more often because they have:

  • weaker technical protections;
  • items of value (money) to steal;
  • untrained employees;
  • less supervision and fewer controls around insiders; and
  • sometimes, access to other businesses that attackers want to reach.

Training employees on how to spot attacks is the best return on investment SMBs can make to reduce the likelihood of a successful attack. SMB employees have typically never received any cybersecurity education in school or from previous employers. Arm your employees with the knowledge and skills to fight back!

Our school system graduates high-school, post-secondary, and even doctoral program students with little to no cybersecurity training. This is why we have witnessed a dramatic rise in cyber-attacks over the last few years. For example, 60 Minutes ran a 12-minute story last week on 22 towns and government agencies breached by ransomware.

Hacker attacks come from many different groups of people today. Organized crime hacks to steal our money, while nation states hack to steal our intellectual property. Hacktivists target special-interest groups to make a point, while disgruntled employees may be out for money, revenge or both. All these groups are hanging around our business front doors, using the Internet both as their super-highway to you and as their invisibility shield to hide their attack tracks with impunity.

What makes them so dangerous and successful is the availability of advanced, sophisticated hacking software that is easily purchased on the dark web. These hacking tools can encrypt your files and hold you to ransom without the attacker writing a single line of code.

Protection Starts with Education

Start pulling your cybersecurity program together by educating employees on cybersecurity topics such as cyber-policies, training videos, and technical cybersecurity tools such as password managers. The more you know, the better you can fight back.

If you’ve been on the fence about addressing this risk in your business, now is the time to make a decision and give CyberHoot a free trial run for 30 days.  Start a CyberHoot free trial to jump-start your cyber-program protection today. In under an hour your employees can begin training, delivered by a fully-automated tool so simple there is no manual.

Give us a try, you’ll be glad you did.

Privacy Regulations May Cause Data Breaches in Addition to Protection


Privacy legislation has expanded significantly in the last two years with the publication and enforcement of the EU’s General Data Protection Regulation (GDPR). In Jan. 2020, the California Consumer Privacy Act (CCPA) will go into effect in CA, with similar requirements to GDPR. Other states including Texas, New York, Washington, and Massachusetts are following suit. EU and CA privacy legislation attempts to protect our private data by granting certain rights. These rights allow one to manage the data businesses keep on us through “Data Privacy Requests”. These requests can include, but are not limited to, the right to have businesses:

  • forget my private data;
  • correct my private data;
  • prohibit my private data from being sold; and importantly,
  • request a business provide me my private data.

Unfortunately, businesses have not prepared properly for these requests. Worldwide, businesses are scrambling to accommodate GDPR data privacy requests being made by EU residents. US businesses with private data on Californians are hurrying to build processes to accommodate data privacy requests from CA residents beginning January 1st, 2020.

Wouldn’t it be ironic if the next wave of privacy breaches stemmed from data privacy requests made by hackers under these legislative acts? This is the very problem CyberHoot sees with these acts.  Businesses have not yet built robust, multi-factor “Data privacy request” processes that verify the identity of each requester!

A Horse named “Black Irony” has Left the Stable

Surprise, surprise: a British researcher named James Pavur reported in this Black Hat briefing in Aug. 2019 that, after he made 150 “data privacy requests” for his wife’s private data, businesses sent him her:

  • Social Security Number;
  • current and previous home addresses;
  • credit card numbers;
  • school grades;
  • hotel logs; and
  • whether she used certain dating websites or not.

Importantly, Pavur did not forge any documents, signatures or email addresses. He used his own credentials, signature, and email account in every case to request these items. Businesses simply did not verify his identity. Now, imagine what a hacker who forges signatures and documents, and breaks into your email account, could do. CyberHoot has some predictions for you.

Privacy Regulation Predictions/Suggestions for Businesses:

  • Hackers will exploit privacy regulations through weak verification mechanisms to steal the very private data these acts are meant to protect.
  • While CCPA is aware of verification challenges and promises to publish clarification on what constitutes a verifiable request through CA’s Attorney General (AG), businesses cannot afford to wait. Businesses should create their own verification measures, possibly following measures adopted by banking (see below), to prepare in time for January 1st, 2020.
  • Banks have the verification process figured out. When CyberHoot calls its bank, the IVR asks for our 16-digit card number just to speak to an agent. The bank agent then sends a 4- to 6-digit code to CyberHoot’s mobile device to require a second factor to verify our identity (something we know and something we have).
    • Businesses would be wise to adopt similar two-factor authentication measures for all privacy data requests.
  • Some businesses CyberHoot consults with don’t collect the requisite data (account numbers, email addresses, and/or mobile phone numbers) to properly verify an individual’s identity. Hopefully the CA AG will exempt these companies from complying with data privacy requests rather than force them to collect more of our private data just to comply with these data privacy requests.
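The bank-style flow above, as an added example that is not CyberHoot’s code: a privacy request is only fulfilled after the requester supplies identifiers that match the record on file (something they know) and then confirms a short-lived one-time code sent to the mobile number already registered, never one the requester supplies (something they have). The customer record and the SMS gateway are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample record; a real system would look this up in its CRM.
CUSTOMERS = {
    "4111222233334444": {"email": "alice@example.com", "mobile": "+15555550100"},
}
CODE_TTL_SECONDS = 300   # code expires after five minutes
MAX_ATTEMPTS = 3         # then the request is locked and must be restarted


@dataclass
class PendingRequest:
    account: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


def send_sms(mobile: str, code: str) -> None:
    # Assumption: stand-in for an SMS gateway; real code would call a provider.
    pass


def start_request(account: str, email: str, now: float) -> Optional[PendingRequest]:
    """Factor 1: the identifiers supplied must match our record exactly.
    Only then is a 6-digit code sent to the *registered* mobile number."""
    rec = CUSTOMERS.get(account)
    if rec is None or not hmac.compare_digest(rec["email"], email):
        return None  # no hint about which identifier was wrong
    code = f"{secrets.randbelow(10**6):06d}"
    send_sms(rec["mobile"], code)
    return PendingRequest(account, code, now)


def confirm_request(pending: PendingRequest, submitted: str, now: float) -> bool:
    """Factor 2: the code must be unused, unexpired and within the attempt
    budget. Comparison is constant-time; every check consumes an attempt."""
    if pending.used or pending.attempts >= MAX_ATTEMPTS:
        return False
    if now - pending.issued_at > CODE_TTL_SECONDS:
        return False
    pending.attempts += 1
    ok = hmac.compare_digest(pending.code, submitted)
    pending.used = ok  # a code that succeeded cannot be replayed
    return ok
```

Only a `True` from `confirm_request` should unlock the export, correction or deletion of the requester's data.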

What might Private Citizens do to Protect themselves?

CyberHoot is not suggesting Google and Facebook will be easily fooled into giving your private data away. However, other companies who have your data are not yet prepared to handle these requests.  CyberHoot challenges businesses to build secure verification processes before hackers exploit you in this novel and horribly ironic way.

Author, Craig, Co-Founder – CyberHoot

Cyber “Hoot” Wednesday: QR Code Scams


The latest way hackers are breaching your private information is by using malicious Quick Response codes, more commonly referred to as QR codes. QR codes were first created back in 1994 by the Japanese automotive industry to track inventory more effectively, but have since been adopted by multiple industries to capture and share information with consumers. Today you will find them on billboards, web pages, magazines and even clothing. While most of us are familiar with how to scan these codes with our smartphone to retrieve a vendor’s information or register a warranty, some folks aren’t aware of the cybersecurity and privacy risks relating to their use and abuse.

How Do Hackers Co-opt a QR Code?

One of the most prevalent and easiest ways hackers steal our information is through phishing attacks. Dive deeply into this topic by reading our previous blog article on Avoiding Phishing Attacks but in summary for this QR Code article, phishing attacks typically use an email or web page to lure you into giving out personal information. Hackers create web pages that look identical to a legitimate business web page whose real purpose is to steal your login credentials and private information.

In one of these QR Code attacks, you receive an email from your bank outlining an amazing Credit Card deal which asks you to “scan the embedded QR Code” to apply. Once you scan the “bank’s” QR code, you’re taken to what appears to be your “bank’s” credit card application web page. But here you must be careful as you might not be on your bank’s actual web page.  The domain name may be slightly off (bestbankofall.com was replaced with bestbank0fall.com) behind the QR Code [notice the zero (0) in place of an O (oh)].

As you complete the credit card application form, even if you don’t submit the form for processing, hackers have secretly captured your data and will use it to open credit cards in your name, steal your identity, or steal your bank login credentials if you provided them.  Beyond these data theft attacks, other QR Code attacks try to convince users to download viruses onto their mobile devices, tablets, and computers.

How Can I Protect myself?

Here are some essential basic tips to avoid QR Code scams:

  • If you receive an email from a bank, business, or anyone that asks you to scan a QR code, review a document, or apply for a credit card, double-check that the domain name is exactly correct, watching for look-alike letters, missing letters, or combination letters (e.g. r+n = m, as in rn).
  • If you receive an email from a business or person you don’t recognize, simply do not scan the QR code, as it is likely a scam.
  • If you must check out a QR Code offer, manually type in the domain name and visit the business’s website manually to reach the QR code offer.
  • QR Codes are beginning to be used for payments.  At this time, there are enough alternatives for immediate payments that we would not recommend issuing payment through a QR code methodology.  Simply ask for alternatives.
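The look-alike domain check from the tips above, as an added example that is not CyberHoot’s code: once a QR code has been decoded to a URL, the host is reduced to a “skeleton” in which confusable characters (0 for o, 1 for l, rn for m) are replaced by the letters they imitate. A host that is not trusted but whose skeleton matches a trusted domain is flagged as a look-alike, which is exactly the bestbank0fall.com trick described earlier. The trusted-domain list is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed sample of domains the user or organisation actually trusts.
TRUSTED_DOMAINS = {"bestbankofall.com"}

# Look-alike sequences mapped to the character they imitate. Longer keys
# (rn -> m, vv -> w) must be tried before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}
_ORDERED = sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0]))


def skeleton(host: str) -> str:
    """Normalise a host name so that bestbank0fall.com, bestbankofa11.com and
    bestbankofall.com all collapse to the same string."""
    host = host.lower().rstrip(".")
    out, i = [], 0
    while i < len(host):
        for seq, repl in _ORDERED:
            if host.startswith(seq, i):
                out.append(repl)
                i += len(seq)
                break
        else:
            out.append(host[i])
            i += 1
    return "".join(out)


def classify_qr_url(url: str) -> str:
    """Classify the URL a QR code decodes to as 'trusted', 'lookalike' or
    'unknown'. 'lookalike' means the host is not trusted as written but
    becomes a trusted domain after confusables are normalised: the strongest
    phishing signal, because it was chosen to fool a human eye."""
    host = urlsplit(url).hostname or ""
    if host in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(host) in {skeleton(d) for d in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"
```

An 'unknown' result is not a clean bill of health; it only means the host does not imitate one of the listed domains, so the advice to type the real address manually still applies.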

Summary

QR codes are a convenient way for businesses, consumers, and marketers to exchange information with us. However, hackers are stealing our private data because people aren’t aware of the risks or how to validate sites properly. It is important to be on the lookout for these scams. Do not allow the convenience of a QR code to lull you into a false sense of security. Be vigilant and use your newfound knowledge to protect yourself.

Author, Ty Mezquita, Blogger/Social Media – Cyberhoot

Editor, Craig, Co-Founder – CyberHoot

Update:  Naked Security – one of CyberHoot’s required reading blogs wrote more on this topic here:  QR Codes Need a Cybersecurity Revamp

Cyber “Hoot” Wednesday: Three Tips for the Digital Age

CyberHoot received notice today that our Café Press account had been breached along with 23 million other accounts. Fortunately, no password data was reported stolen. However, phone numbers, home addresses, email addresses, and full names were breached. This comes on the heels of Capital One’s 100 Million breached financial records announced last week. The FBI claims there are ONLY two types of companies. First, there are companies that know they’ve been breached while second, there are companies that don’t know they’ve been breached. Every company, not just Capital One and Café Press, should assume it has been, or will be, breached. What are you to make of these breaches?

Breached personal data is part of the new normal in the digital age. It’s a fact that our personal data will be compromised; it will be available in online hacker forums for bad actors to try and take advantage of us with. Recognizing that fact, CyberHoot and all our employees have been preparing for this for many years. We practice the three tips below for the digital age; will you practice them?

CyberHoot believes there are two kinds of people. First, there are people who know their personal data has been breached and do something to minimize the impact. Second, there are those people that know their personal data has been breached but do nothing about it. You’re reading this article to learn how to minimize the impact of breached personal data, right? If so, then take the following three steps.

CyberHoot’s Top Three Tips in the Digital Age to Protect Yourself Personally and Professionally:

  1.  Freeze your Credit. If you haven’t frozen your Credit yet, well, what are you waiting for? Here’s the Freeze your Credit article from CyberHoot.
  2.  Learn a Password Manager: given all our data will be breached, you need to learn this skill. Here’s CyberHoot’s article on Password Managers.
  3.  Enroll in a Cybersecurity Awareness Program: do this for yourself personally and make sure your company does it for all its employees.

It’s too dangerous out there not to provide awareness training to your staff. You can be sure no-one else is. If you don’t, who will?

Come to CyberHoot.com for a free 30-day trial for Cybersecurity awareness training. Our training is quick, easy, and effective! All it takes is the will to act… we’ll handle everything else.

Craig, Co-Founder – CyberHoot