Cyber News Roundup: Cyber tips for small businesses, employee cyber training, and ‘hacking back’ on the dark web
Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.
Own IT. Secure IT. Protect IT. That’s this year’s overarching message for National Cybersecurity Awareness Month (NCSAM), focusing on key areas including citizen privacy, consumer devices, and e-commerce security. The Department of Homeland Security in conjunction with the National Initiative for Cybersecurity Careers and Studies (NICCS) has extensive information for individuals, organizations, and businesses. Everything from social media tips, to keeping your work secure, to thefts and scams — available to all: https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019
We know that all businesses large and small are at risk for cyber-attack. As cybersecurity threats continue to escalate, 43% of cyber breaches claim small businesses, according to the Verizon 2019 Data Breach Investigations Report. It is time for small businesses to prioritize cybersecurity, according to Forbes author, Frank Sorrentino. In his article, small businesses are the lifeblood of our nation’s economy, making up nearly 44% of our national GDP. He contends that small businesses make the mistake of assuming it won’t happen to them, so they forget basic preventative measures and often fail to invest in reliable security solutions. According to the article, common mistakes small businesses make are:
- Wire transfer issues. Small businesses have continually fallen victim to those requesting fraudulent wire transfers in recent years. This can be avoided easily by carefully reviewing all payments before they are sent and verifying payee details – specifically, location and account information. One incorrect number could result in that wire winding up in the wrong hands.
- Overlooking admin account access. Small businesses often give too many employees access to vital services and hardware through admin accounts. These accounts can be easily hacked, however, and are favorite targets of many cyber criminals. Consider dialing back the number of admin accounts your company has and make sure only necessary people are granted access.
- Smart phone vulnerabilities. Despite what employees may think, their work phone or tablet are high risk targets. Conducting business or making purchases while using public Wi-Fi could put an individual, and the business they work for, at risk. Malware threats also lurk in third-party app sites as cyber criminals find it easy to trick people into downloading spoof apps.
- Ransomware attacks. In recent years, ransomware threats have skyrocketed by nearly 350 percent. These attacks often appear as emails or mobile notifications denying access to an employees’ computer. If you receive a foreign email, don’t be so eager to open it.
Oregon’s Small Business Development Center network can provide helpful cybersecurity tips to small business owners: https://bizcenter.org/cybersecurity/.
Investing in your employee cyber training
How well is your employee equipped against malicious hackers that aim to steal data? An Entrepreneur article states that with the current IT infrastructure, most hackers can easily manipulate systems and use social engineering to outsmart companies’ employees. Studies indicate that the majority of cyber-attacks are caused by human error – almost 90%, in fact – reinforcing the need for continuous employee education on cybersecurity. CISO and ethical hacker, Remesh Ramachandran, recommends covering these security awareness topics in organizations’ employee training:
- Different forms of cybersecurity threats: To effectively identify and prevent potential security breaches, employees will need an elementary enlightenment of the various ways that a threat can present itself.
- Importance of password security: Explain to your employees that passwords are the first line of protection to protect your sensitive and valuable information from hackers.
- How to identify and report cybersecurity threats: Employees are the eyes and ears of an organization on the ground. Every device they use or emails they receive may contain clues about a lurking malware, virus, password hack or a phishing scam.
- Email, internet and social media policies: Emailing and browsing habits of an employee can expose the company to attacks. Therefore, it is crucial to include policies and guidelines in your training for using email, Internet and social media platforms.
The main purpose of the training process, according to Ramachandran, is to create a sense of shared responsibility and accountability for cyber hygiene so that everyone can keep update on ever-evolving cyber threats.
Underground store selling stolen credit cards hacked
Your organization may be doing all the right things, when it comes to investing in cybersecurity. Even those who do illegal business on the Dark Web get hacked. BriansClub, one of the largest underground stores for buying stolen credit card data, was hacked, as reported by Brian Krebs. In his article, Krebs states that more than 26 million credit and debit card records taken from hacked retailers over the past few years – approximately $414 million worth of stolen credit cards for sale. The Justice Department estimates the losses to be upwards of $4 billion, figuring that each stolen card record is valued at $500 apiece. According to Allison Nixon, director of security research for Flashpoint, a security intelligence firm, breaches of criminal website databases often lead not just to prevented cybercrimes, but also to arrests and prosecutions.
“When people talk about ‘hacking back,’ they’re talking about stuff like this,” Nixon said. “As long as our government is hacking into all these foreign government resources, they should be hacking into these carding sites as well. There’s a lot of attention being paid to this data now and people are remediating and working on it.”
Does this mean an end to the bad guys? Not at all. “Since the demand for stolen credit cards is on the rise, other vendors will undoubtedly attempt to capitalize on the disappearance of the top player,” says Andrei Barysevich, co-founder and Co at Gemini Advisory, a New York-based company that works with financial institutions to monitor dozens of underground markets trafficking in stolen card data.
Cyber Oregon partner blog of interest