SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place related to handing out funds will not only save you on insider theft, it will also reduce the potential wire fraud from a random email spoofing your email address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  1. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  1. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  1. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data your storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  1. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start up, or  a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC /DKIM as discussed in our previous blog post.

There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

When Sharing Isn’t Caring: Phishing Attacks Are Abusing File-Sharing Sites

Cofense™ has predicted continued growth in phishing attacks that abuse file-sharing services, for example, Google Docs or Sharepoint. In this post, I’ll examine why and how threat actors are doubling down on this tactic.

First, here’s the full prediction from Cofense threat analysts Nick Guarino and Lucas Ashbaugh:

“The majority of phish seen in the wild in 2019 will live in historically ‘trusted’ sharing services like Google Docs, Sharepoint, WeTransfer, Dropbox, Citrix ShareFile, and Egnyte. It’s difficult for these services to keep up with the constant barrage of varied phishing tactics (Whack-A-Phish, anyone?). In fact, the service providers can be really slow about staying on top of this stuff. Traditional security tools (firewalls, anti-virus) have no insight into the files housed on these services. As a result, it is incredibly difficult to protect users against these phish hiding in plain sight.”

Why is file-sharing a target? Because users trust these services.

In a recent post on credential phishing threats, we referenced the cloud as an attack surface. One of the emotional triggers that a threat attacker will pull is trust. When users get an email pointing them to, say,  Dropbox, there’s a greater likelihood they will engage with the message. These services have become trusted brands, so it’s only natural for a threat actor to leverage them.

It’s difficult for email gateway controls to block messages that link to these cloud-based services. Because the file is hosted outside the organization’s perimeter, traditional security solutions such as firewalls or anti-virus don’t have visibility. Threat actors are well aware of this fact, which is why they’ve been so successful with these types of campaigns.

User interaction is related to the business process.

We often see threat actors use generic messages as shown in the example below. In it, you won’t find any brands that would make the user more likely to interact with the message. The likelihood of user interaction is related to the business process presented—easily shared files.

This particular organization has URL defense protections enabled. It has also added tags to the message to alert the user that it is potentially harmful, since it originated outside the organization. These additional defenses can be helpful, but they make it difficult for the user to assess if the URL is legitimate.

One thing you can do: focus your phishing defense program on current threats, like attacks that abuse file-sharing. Teach users to identify phishing emails that link to file-sharing sites and condition them to ask questions before replying, for example:

  • “Am I expecting to receive an invoice from the sender?”
  • “Does my job normally require me to process invoices from unknown sources?”
  • If yes, “Does our business process require the finance teams to validate that an invoice or purchase order is expected or legitimate?” This might be possible in a smaller organization where teams interact with each other more frequently, however, it’s most likely not the case in larger, more diverse organizations.

To repeat, as long as these types of attacks are successful, we will continue to see them near the top of the phishing charts.

View all 6 Cofense phishing predictions for 2019.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Expect Credential Phishing to Continue Surging in 2019

“Hackers don’t need to break in, they only need to log in.” This was a quote mentioned at a conference I attended last December and which I repeated in an e-book Cofense™ recently published, 6 Phishing Predictions for 2019. My prediction was that hackers will continue to go full bore with credential phishing, emails that specifically ask for username and password.  

October may be over – but phishing attacks never stop. Here’s how to make security awareness successful all year round.

Part 4 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 3 here.

As October comes to a close, so too does National Cybersecurity Awareness month. But not so fast – Security Awareness isn’t just about October. It’s all year long and it never stops, it’s ever evolving.

I developed this four-part blog series during National Cybersecurity Awareness Month to provide key industry insights and proven methodologies for building and enhancing your security awareness program. We started in week 1 with building a program strategy, followed up by discussing program content in week 2. Last week with focused on the alignment of the security awareness function with the organization. This week we’ll wrap up the series with some key findings published in the ISC2 Workforce Study. According to the report, lack of focus on security awareness is the top challenge for ensuring long-term security awareness program success.1

Figure 1, left and 2, right – Image source: https://www.isc2.org/Research/Workforce-Study

5 Ways to Bring Focus to Security Awareness Programs

As noted in the charts above, there are several reasons, all with fairly equal representation, as to why security awareness programs lack focus. I’m going to break down each of these reasons and explain how you can overcome that hurdle to bring more focus to your awareness programs.

  • Low security awareness among end users. This is a no-brainer. It’s important that security awareness programs are rolled out to everyone in the organization, not just select groups. While some programs start with training a few key groups to benchmark results, it’s important to get buy in to enroll the entirety of the organization to build resilience to attacks across all teams with on-going training.
  • Not enough skilled cybersecurity professionals available. This report cited end users – people – can lead to more security vulnerabilities*, so it’s no surprise to see that the security awareness function sits at the top of the chart as a much-needed area of expertise. Many organizations still assign this as a part time job function along with other security hats to wear, preventing focus. Instead, have a dedicated security awareness lead running the programs while working alongside other internal security professionals to ensure the programs remain well-rounded and effective.
  • Inadequate funding. Security awareness is a necessary and essential component to larger threat defense strategy and needs to be a budget priority in order to begin reducing your organization’s cybersecurity risk and building resiliency to today’s top threats. At some point, perimeter technologies will fail to stop a phishing attempt and it’s up to resilient, trained humans to recognize and report suspicious emails – thinking of this as a last line of defense is an area worth investing in.
  • Too much data to analyze. As more and more humans are enrolled and participating in security awareness program, that also means more data points to digest and analyze on the state of threat susceptibility, resilience, program participation and success. Identify and prioritize the key data sets needed to demonstrate the security posture of the organization and collaborate with security teams to report and analyze program trends to reflect changes in that security posture. This may include your organization’s phishing resilience and reporting rates, for example, compared with inflated metrics such as click rates or susceptibility rates.
  • Lack of management support/awareness. This is often one of the biggest hurdles in preventing a security awareness program from reaching its full potential and scope. Having management understand the necessity of security awareness as a foundational component of a strong threat defense strategy is key. An idea is to run a phishing simulation trial with key management members to understand how susceptible the organization is from the top down. Once management realizes how easy it is for a phishing email to replicate a real one, there might be more awareness and inclination to engage in security awareness practices than before.

You’ve Launched a Successful Security Awareness Program – How Do You Keep it Successful?

Every day is a new beginning when it comes to cybersecurity. Threats and vulnerabilities are always changing – so your security awareness program needs to be able to nimble and fluid to mitigate those evolving threat vectors. Behavior improvements are ongoing and so should your security awareness programs. Organizations are constantly under attack as the threat actors continue to find ways to get past technical defenses of an organization, such as perimeter technologies and email gateways.

How do you keep your program aligned with the current threats? Reach out to your cyber threat intelligence or incident response teams. These teams are constantly researching the current threat landscape and identifying if and what impact it has on the organization. Download the latest white paper on cybersecurity or threat landscape. Read technical blogs from trusted cybersecurity solution providers to stay abreast of current news and threat trends. Another great resource is setting up Google Alerts for key words: phish email, data breach, malware, cyberattack, cybersecurity, Cofense™, awareness training, threat intelligence.

Jumpstart Your Efforts Today with Free Security Awareness Resources

Remember that building a program takes time to evolve and mature. Recognize small wins for the organization and continue to move forward to mature the program. Just as the threats are never ending, so too is the security awareness function.

As you set your priorities for the program, don’t forget that Cofense provides a wealth of training modules for free, which includes specific topics and compliance modules to meet your regulation requirements. If you’re just getting started on building your security awareness program, there are plenty of free security awareness resources available to you when you’re on a shoestring budget, including a turn-key security awareness program kit, posters, presentations and other resources to get you started.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

References:

1Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

*Source: “Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens,” (ISC)² Cybersecurity Workforce Study, 2018

 

Where Do Security Awareness Programs Belong on the Org Chart?

Part 3 of a 4-part series in support of National Cybersecurity Awareness Month. You can read part 2 here.

For this blog series on building a security awareness program, we started in week 1 with how to build a strategy. Last week we discussed how to select and use content in your overall program and specifically your phishing program. This week we’ll focus on program alignment – in other words, where does the security awareness role report within an organization?

Security Awareness: Choosing Methods and Content that Work

Part 2 in our 4-part series in support of National Cybersecurity Awareness Month. You can read part 1 here. 

Last week we examined the importance of setting a strategy and goals for your security awareness program.

Now that you’ve selected the user behaviors you want to address, the next step is to think about methods and content to nudge users to the correct behaviors.

We live a fast-paced world of information overload. You have seconds to get your message across to engage your users. You need to choose proven learning methods and focus your educational content on the behaviors that matter most. More than anything, your training must be simple and to the point.

Simulations Are the Best Way to Teach the Right Behaviors

Everyone has a different style of learning and consuming information – video, newsletters, blogs, computer based training modules (CBT), etc. According to the National Training Laboratories (see charts below) people retain more information from simulations than any other method.

After years of enabling companies to run simulated phishing campaigns, we have a vast amount of data to support this method of learning. The experience of clicking and having that “Oh no, what just happened?” moment, is really how the recipient learns.

Running a simulated phishing attack IS the learning moment. It’s not the education presented during the campaign on the website or attachment. This is also supported by the data we see over the years of capturing how long the user stays on the page to read the education. They don’t – the largest segment of users falls in the 0-9 seconds range for “time spent on education.” Yet the data indicates a reduction in susceptibility rate and increase in reporting rate.

The data also supports the reduction in susceptibility as we look at the number of campaign it takes to reduce that click rate. When you’re trying to address perpetual clickers, increase the number of campaigns while shortening the time between campaigns. When increasing the number of campaigns, focus on the active threats in order to reduce the risk faster.

Source: 2015 Cofense Enterprise Resiliency Report

Focus Your Training on Real Threats

As you start to condition users to report real phishing emails, not just simulated phishes, you’ll want to focus on malicious emails that are getting through the spam filters. In other words, base your simulations on the real attacks your company sees. This will help your users quickly spot the real thing. The goal is to build a resilient workforce that can identify and report potential malicious emails quickly. This drives down the risk to the organization, allowing the security team to mitigate the risk and avoid an incident.

You will never get to a zero click rate. Phishers are too smart. They craft their emails to look like they’re part of your normal business processes, especially financial transactions. They also constantly change techniques to avoid controls that block their messages.

So, what does this all mean when we talk about educational content? If you’re focusing on behaviors that you’re looking to improve, you don’t want to hit users with content overload. Instead, create a plan for covering a theme to each quarter. Use this theme in your newsletters, videos, or learning modules. However, allow for flexibility to shift if a threat is now affecting your organization (HeartBleed, Meltdown, etc.).

Let’s take one more example of using content to nudge the user to the right path. It’s the example used in last week’s blog on program design—how to change users browsing behaviors. Presenting the user with a simple banner at the moment they’re exhibiting the wrong behavior, we can direct them to take the right action. You can adjust this banner as the behavior changes. Once you curb their habits to click through to unknown sites, your metrics may reveal category that needs to be addressed – such as software downloads.

Cofense recognizes that you have regulatory and compliance requirements to provide annual security awareness training to our organization. To help you focus your resources to elements of your program that actually make an impact, we provide a series of modules for FREE to any organization (even if you’re not a customer).

http://cofense.com/awareness-resources

In summary, keep your security awareness content simple with clear direction—and even better, fun and engaging—and you’ll soon be able to experience a shift in behavior!

Recommended reading: If you’re looking to expand your knowledge on how to create content and simple messaging for your program, I suggest getting a copy of Made to Stick, Why Some Ideas Survive and Others Die, by Chip and Dan Heath.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Building a Security Awareness Program? Start with Strategy and Goals

Part 1 of a 4-part series on building and maintaining a security awareness program, in support of National Cybersecurity Awareness Month.

In 2011, I began my journey into security awareness. At that time, there were limited resources and most programs were still compliance focused. Even though I had previously spent 5 years in IT compliance, I knew this wasn’t the right approach to get users to learn or care about security. I kept telling the director that owned the role, “Compliance focus is wrong –you have to market to the users.”

Here’s a Free Turnkey Phishing Awareness Program for National Cybersecurity Awareness Month

So….it’s September and October is only a few weeks away. Have you started putting together your campaign for National Cybersecurity Awareness Month (NCSAM) yet? If not, you’re in luck – we’ve created a complimentary turnkey phishing awareness program for you to quickly launch and look like a super hero to your leader AND your organization! And best yet, these resources can be used all year round – BECAUSE security awareness goes beyond October.