Mar. 21, 2022, Back Office Geeks, LLC
By B. Reid
Much has changed in the last two years, including the world in which we work and live.
If you are not concerned about online threats or the potential for risk from internet attacks, or have never wondered about the security of your personal data, start today.
Change your point of view. The tangible evidence is out there to wake you up. Unlike those who, for example, might argue about the legitimacy of climate change and its causes (really, I digress), the current risks and your personal or business vulnerabilities are quite real. Moving forward, you will come to a point when you can no longer put off taking action to address your technical vulnerabilities and risks. Knowledge is power, they say.
When COVID-19 entered the picture two years ago, droves of businesses sought ways to curb the adverse business impact that would, most certainly, accompany the pandemic. To maintain business operations, many looked toward “remote-in” technology solutions, enabling employees to continue working from home as a way to get over the hurdle. Well, hackers and cybercriminals happily welcomed the opportunity to take advantage of the security holes and vulnerabilities that surfaced in the new “remote” climate. Cyber attack activity then shot through the roof.
The fallout from these changes is only one element, too. Other factors also played a role, but there is no doubt that attacks and breaches skyrocketed. The statistics are, again, staggering, and they continue to increase in frequency and harm. The latest data is not for the faint of heart.
Rather than detail the numbers, we have highlighted some of the significant, scary, and very relevant facts reported in a January 2022 Forbes report (“Cybersecurity in 2022 – A Fresh Look at Some Very Alarming Stats,” forbes.com, Jan. 21, 2022; C. Brooks, Contributor).
When it comes to fighting cyber threats, commitment, diligence and knowledge are the suggested weapons. Still, remember none of that matters without action. After all, there is a price to be paid for the luxury of using technology. Pay little, or pay heavy. Your choice. The flags are undeniably red, and the indicators are readily available should you choose to know them:
- High-Profile Breaches: SolarWinds, Colonial Pipeline and dozens of others that had major economic and security-related impact.
- Ransomware: It has once again jumped in and is growing by leaps and bounds.
- The Allianz Risk Barometer reported that global companies are most concerned about cyber threats in 2022:
  - Ransomware attacks
  - Supply chain disruptions
  - IT outages
  - Natural disasters
  - COVID-19 pandemic
FACT: “Cybercriminals can penetrate 93 percent of company networks” (betanews.com, via forbes.com)
FACT: “Businesses Suffered 50% More Cyberattack Attempts per Week in 2021” (darkreading.com, via forbes.com)
FACT: “Corporate Cyber Attacks Up 50% Last Year” (cybersecurityintelligence.com, via forbes.com)
“2021 saw 50% more cyber attacks per week on corporate networks compared to 2020.” (forbes.com)
- Corporate attack increases, by sector, over 2020:
  - Up 75% Education/research
  - Up 71% Healthcare
  - Up 67% ISP/MSPs
  - Up 51% Communications
  - Up 47% Government/military
Small-to-Medium sized Businesses (SMBs)
Of course, small-to-medium sized businesses are easier targets, primarily because they are less prepared to defend against attacks.
- 43% of 2021 cyber attacks targeted small to medium businesses
Cause?
- 45% say their security measures are insufficient
- 66% say the frequency of attacks is increasing
- 69% say that the attacks are more targeted
Most common of these are:
- “Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%” (forbes.com)
In a Cisco study, the following was discovered:
- “85% of MSPs consider ransomware one of the biggest threats to their SMB clients.
- 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack.
- 91% of small businesses haven’t purchased cyber liability insurance.
- One in five small companies does not use endpoint security.
- 52% SMBs do not have any IT security experts in-house.” (forbes.com)
Ransomware attacks statistics that may blow your mind:
“5 Key Ransomware Statistics
- Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
- In 2021, 37 percent of all businesses and organizations were hit by ransomware.
- Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
- Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
- Only 57 percent of businesses are successful in recovering their data using a backup.” (forbes.com)
The attack data for 2022 and beyond is, unfortunately, not improving.
To “wrap your head” around it, it is best to digest the ugliness a little at a time, but DO absorb it. When it comes to security risks, it is apparent that all too many of us need to do more to arm ourselves with knowledge and solutions.
It is thought that in 2022, the number of devices connected to the Internet will reach 18 billion (Technative article, “The Cyber Security Landscape in 2022 and why a Zero Trust Approach is Critical,” Feb. 8, 2022).
Fighting it — Zero Trust Model
Zero Trust is the latest technical term in our “geek” dictionary.
It is referred to as Zero Trust, Zero Trust Access and Zero Trust Network Access (ZTNA). What IS it, though? It is pretty much what it says: Trust nothing and no one. It is a security model for implementation that the security-minded hope to bring to fruition.
It encompasses a wide variety of security solutions and architectures, but it is simply a model by which no person or device is granted access to anything on the network without first being authenticated in multiple ways. By limiting access and beefing up authentication, vulnerabilities and risk are greatly diminished.
The aim is to avoid the avoidable. For example, an employee fails to log out of a device, leaving it exposed. Another employee clicks a harmful email link. Keep in mind that negligence, rather than malicious intent, is most often to blame. You get it…
While the concept of Zero Trust may seem simple, it is not always easy to put into effect. How far the approach can be taken successfully depends on the level of tolerance of the business itself. When all is said and done, many businesses implementing a Zero Trust model will settle on a balance that weighs the scope of business operations against the security measures of Zero Trust. That balance is where the correct fit often prevails.
In reality, few embrace change with big open arms. So, do as much risk management as is possible. The risks will be addressed as effectively as possible, because most businesses will be attacked. Whether or not the business suffers or its systems are penetrated may be largely up to your efforts. The responsibility for securing systems belongs to all, and yet, the savings associated with having been diligent may never be realized. It beats the alternative, though.
Protection and Pro-Active Action
The best method to harden systems and minimize security risk is to be diligently committed to securing them. We suggest starting with these actions:
1. Designate a single contact for security reporting and advice.
Whether it be IT or an outside vendor, make sure everyone knows how to contact that person. When a breach occurs, time is of the essence to take corrective action.
2. Train personnel how to spot cyber security flags and report them
Once personnel have been trained, you will find that people exercise better diligence, more often reporting when something questionable occurs, or even when they simply have questions.
3. Use Multi-factor authentication
Any resource that requires authentication should have multi-factor authentication.
Usually this requires not only entering an ID and a password to access resources, but also requires an additional code(s).
The second code or validation is temporary but validates the identity of the user attempting to login. It’s easy and very effective.
4. Update software and operating systems.
Often the reason there is a “patch” or a software update available is because there is a security vulnerability.
Software updates often fix security issues. Keep your systems up to date, including firmware.
5. Only use approved devices and connections
Insecure networks, most prominently Wi-Fi connections, contribute to many data breaches. Only use those approved for use.
6. Appropriate Storage of data — personal data separately.
How and where data is stored is vital.
No one should leave paperwork of a personal or sensitive nature in the open. This is a no-no.
Do not write credit card numbers or personally identifiable information on paper, ever, and NEVER repeat a card number aloud when on a telephone call.
These are easy for bad actors to access, but such exposure is also very easy to prevent.
7. Perform regular audits of systems
It takes a little effort, but the results are beneficial. If there is a breach, at least it will be known sooner rather than later.
8. Beware of impersonation
If your name and your role are in the public domain and readily available to anyone searching, it makes you more vulnerable.
Management personnel are particularly vulnerable to impersonation, such as hackers sending an email claiming to be the manager, often with a directive.
Remember, if something seems questionable – question it!