The recent reports of Bank of America’s data exposure, stemming from the United States’ Paycheck Protection Program, highlight the need for businesses to stay vigilant with cybersecurity, but they don’t tell the whole story. Sexy headlines about multinational companies and data breaches will always grab attention over smaller incidents. These stories, however, are just a glimpse into cyberattacks against the business community at large.
“Bank of America blames PPP applications leak on faulty SBA test server” read a recent headline from znet.com, May 20, 2020. According to this article, “Bank of America blames the entire incident on a test platform managed by the US Small Business Administration (SBA), the government agency responsible for processing and approving PPP loan applications filed by the bank in the name of its customers”.
Reading further into this PPP incident, you realize quickly that this was not actually a hack. It was human error that led to the data being exposed. The untold story of cybersecurity is how criminals leverage the imperfect nature of humans to further their own goals.
Understanding the Goals of a Cyberattack
Most breaches are where the damage begins, not ends. Unless espionage is the goal, the value of exposed data depends on whether it can be monetized. Bad actors can begin their plans of monetization once access to infrastructure is gained. This is achieved by using stolen data from the initial breach as well as additional social engineering techniques. Some attacks involve encrypting your data, followed by a ransom demand under threat of exposure or deletion. Malware can also be installed on the hacked device, turning infected computers into worker bees. Once launched, the malware can extract resources from infrastructure by mining cryptocurrency or weaponizing the computer to attack additional targets.
The methods and tools are many, but the strategies typically require some form of human interaction to achieve their goals. The human component and how it is taken advantage of is what we examine below.
Social Engineering and Human Behavior
With security, as in business, if you’re not moving forward, you’re falling behind. Bad actors are constantly honing their skills and, without businesses implementing countermeasures, will eventually gain the upper hand.
Social engineering can be incorporated into any cyberattack, whether targeting email, cloud-based software, social media, or other platforms. These tactics are chosen because it is easier to exploit human nature than to bypass security safeguards directly. Social engineering is used in cyberattacks to prey on human behaviors, such as curiosity and trust. These behaviors lead unsuspecting and well-intentioned people to click, download, and send data, personal information, or money. In most cases, breaches occur on trusted sites that businesses visit frequently. Social engineering attacks come in a variety of shapes and sizes. They can involve high-pressure phone calls that urgently demand information because of a supposed emergency. Some attacks use information pulled from social media accounts to bypass security questions.
Proofpoint, an industry-leading software company focused on technology security, shared its findings based on data collected across its global customer base and more than 1 billion messages per day passing through its servers. Some of the more notable discoveries are:
- Very Attacked People™ (VAPs) aren’t usually VIPs – The most attacked people are often easily discovered identities or “targets of opportunity.”
- Social engineering is pervasive, whether in rampant sextortion schemes, business email compromise (BEC), credential phishing, or other attacks that prey on human nature – and human error.
- Domain fraud plays a key role in lending a sense of legitimacy to attacks.
Proofpoint further reports that “99% of the phishing attacks Proofpoint observed in 2019 required human interaction to succeed, resulting in malware installation, wire fraud, and unwitting data disclosures”.
Webroot, a cloud-based data security company, noted “In the case of social engineering, the user is the vulnerability. The more unaware they remain of the importance of good security hygiene, and their role in maintaining organizational security, the greater the risk of a successful attack.”
Cyberattacks Capitalize on Fear During Times of Crisis
Cyber criminals are opportunists and will capitalize on fear during times of crisis. The massive uptick in cybercrime during the COVID-19 pandemic highlights this pattern. Google saw more than 18 million daily malware and phishing emails related to COVID-19 in just one week during the month of April. These emails prey on people’s stress and fears, which are strong psychological motivators. The social unrest surrounding the Black Lives Matter movement is also creating an opportunity for bad actors. There has been a recent uptick in phishing scams using “Black Lives Matter” in their subject lines. In each case, attacks focus on triggering human action based on heightened awareness of the situation being exploited.
“Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses” according to sba.gov. The FBI’s Internet Crime Report states that “cyberattacks are a growing threat for small businesses and the U.S. economy”.
Social Engineering Mirrors Marketing Techniques
Cyber criminals are mirroring established marketing techniques to advance their attacks. According to the “Human Factor 2019” report by Proofpoint, “Social engineering is at the core of the majority of attacks we observe. Approaches range from simple lures designed to spark sufficient curiosity for victims to open a malicious document attachment—for example, a fake invoice sent to an accounts payable team or a résumé emailed to Human Resources staff—to much more elaborate schemes.”
The use of timely email subject lines to trigger human interaction is similar to the exploitation of a crisis as described earlier. During tax season, for instance, we see an uptick in phishing schemes using “W2” in the subject lines. Successful attacks can have devastating effects for those who fall prey to these tactics. Much like an email campaign, significant numbers of ‘phishing campaigns’ begin on Sundays because most business owners and executives read their email either late Sunday or early Monday morning. “Attackers also focus on target of opportunity, often going after shared accounts that are difficult to secure or accounts with large public and social media footprints”.
Remote Employees are Cutting Corners with Security
Before rolling out a “work from anywhere” plan for staff, you need to review your cybersecurity strategies. Working remotely exposes your team to threats typically managed by a professional IT team when in an office environment. According to a recent survey by Carbonite, “a staggering 52% of remote employees admit that they are cutting cybersecurity corners while working from home.” This statistic highlights that while training staff to focus on security is important, putting policies in place as a backstop to support any lapses in their attention will be critical to a well-constructed cybersecurity plan. Listed below are some “work from anywhere” security issues to consider. You can read more about remote security in our article here.
Home Network and Public Wi-Fi Security: Home networks and public Wi-Fi do not generally have the security features that an enterprise solution will provide. Consumer firewalls aren’t typically configured to secure traffic, and aren’t patched regularly to shore up security holes. Most enterprise networks will also have the advantage of dedicated IT staff continuously monitoring traffic.
Internet of Things (IoT): Most consumer IoT devices are not intended to be used in a business environment and haven’t been secured properly. At home, your staff, their smart TV, smart refrigerator, and smart goldfish bowl are all transmitting data on the same network. Unless these devices are placed onto a separate network, your business’s data may be an easy target for theft.
Personal Computers: If your staff is working on a non-secured personal device while at home, your data is in jeopardy. Provisioning a secured computer in advance of staff going remote would be optimal. If staff is forced to use personal devices, consult with your IT provider to determine the best path forward. Most personal devices will not have the security tools in place that an employer-provided computer will. Have your IT provider ensure all devices used by remote staff are secured. This is critical to minimize vulnerabilities and security issues when connecting to your network.
Returning to the Office: So, you sent your workers home for a few months during the COVID-19 pandemic for safety. Now, as the economy opens up, they are trickling back into the office with their computers. Has your IT team checked these devices before allowing them back onto the internal network? It’s best to ensure they haven’t picked up any viruses, spyware, or other bugs before re-connecting. Also, updating their operating systems and software with all necessary security patches should be part of your security plan.
Cybersecurity Tools and Mitigating Human Error
The good news is that there are plenty of technology solutions to mitigate cyberattacks and compromises related to human error. A multi-layered approach with end user training has proven to be the most effective strategy. A trusted technology provider’s guidance can help prevent the crippling loss of money, time, and reputation due to a cyberattack.
Network Security Assessment: Your IT provider should be able to ensure that there are no unprotected or unknown devices on your network. Safeguards for securing traffic, such as a VPN, should be implemented for all remote workers connecting to your network. Your staff should only be able to access the network with approved devices. Mobile devices should be isolated on a separate partitioned network by VLAN or similar methods to prevent intrusion.
Antivirus Protection (Enterprise-grade): The security benefits of cloud-based, AI-enabled, professionally monitored antivirus software are significant. Real-time alerts to your IT provider can save valuable time in remediating a threat before it can do more damage. Another benefit of enterprise antivirus is that it tends to be very lightweight. Consumer antivirus software tends to be bloated with extras that can slow your computer down significantly.
Email Spam and Phishing Protection: Preventing malware and phishing schemes before they reach your staff is a huge, inexpensive win. Spam filtering also rids your inbox of unwanted solicitations, a time saver and productivity boost for your entire staff!
DNS Protection: A common hacking strategy involves routing an unsuspecting user to a fake website designed to harvest information. Redirecting your employees’ web traffic through a DNS security checkpoint adds an extra layer of protection. Secure your staff’s web browsing, enforce web access policies, achieve regulatory compliance, and minimize threats. DNS protection will still allow VPNs, firewalls, and other network security tools to continue unhindered.
PC Threat Monitoring: Threat monitoring amounts to antivirus on steroids. Endpoint monitoring provides operating system event log monitoring, breach detection, threat hunting, and malicious process, file, and intrusion detection.
Secure File Sharing and Cloud Collaboration: Collaboration is still an integral part of a remote workforce. Sharing and collaborating on files via an encrypted cloud environment is a great way to improve security and efficiency. Cloud-based solutions also eliminate much of the need to connect directly to your business network, thereby minimizing exposure.
PC Backup and Data Protection: A business continuity and disaster recovery (BCDR) policy protects data from corruption, damage, and ransomware attacks. The same considerations apply to a remote workforce. You’ll need to implement individual cloud backup for remote devices if your BCDR doesn’t include them. Minimize the costs of downtime by making sure lost data can be recovered quickly.
Education: At Amicus MSP, we are firm believers in the benefits of technology when combined with staff education and training. Make sure the ‘human factor’ remains a strength, not a weakness, for your business. Successful training strategies begin with discovering where your weak points are, and lead to a culture with staff as part of the solution! Your IT provider should be able to offer cybersecurity training for you and your staff on a regularly scheduled basis.
To learn more about how Amicus MSP can help your business, click here or call us at (800) 804-1477.