by Scott Lerner, Director of Mid Market Sales at Verizon Business Markets
Twitter | @Coach_Lerner
You might think you can keep your head down and stay out of cybercriminals’ targets — after all, they’re more interested in the big fish, right? Wrong. Cybercriminals don’t just target large enterprises — based on our analysis, almost two-thirds of data breach victims had under 1,000 employees1.
Most cybercriminals don’t care about the size of your business or who you are — they care about money. According to our research, over 70% of breaches were financially motivated1. And they don’t mind where they get it. Many cybercriminals don’t target their attacks at all. They take a scattergun approach, hitting the organizations with the weakest defenses.
That’s the problem. You’re facing the same threats as large enterprises, but you don’t have an enterprise-level security budget to build a state-of-the-art defense.
Cybercriminals are lucky, not smart
That doesn’t mean you should throw in the towel. Cybercriminals — from the kids operating out of their parents’ homes to sophisticated state-affiliated hackers — are still using the same old tricks to compromise organizations. Mostly, they’re playing an odds game. They don’t rely on their own smarts — they spread their nets wide and wait for you to make a basic mistake. And it’s amazing how many people are still making them.
Surely people aren’t still falling for phishing? It turns out they are. They fall for it time and time again. One in 14 users fell for phishing, and a quarter of those were duped more than once1. And people still haven’t got the message about strong passwords — over 80% of hacking-related breaches leveraged either weak and/or stolen passwords1.
Teach your employees the basics
- Use strong passwords. You should encourage employees to vary their passwords and use two-factor authentication to protect sensitive data/systems. But the strongest passwords aren’t necessarily what you’d expect — four randomly selected words unrelated to you could actually be more secure than an alphanumeric password.
- Don’t get caught by phishing emails. Show your employees what a phishing email looks like. The poor grammar, incorrect branding and “click-bait” messages are easier to spot when you know what you’re looking for.
- Create a culture of security. Your employees should be sending sensitive information over secure networks. And they should extend the same care to physical documents. Develop a culture where printing out sensitive information is frowned upon. If physical copies are necessary, encourage employees to shred documents when they’re finished with them.
- Be alert. Educate your employees about the tell-tale signs of a cyberattack. Is the sudden spike in network traffic really due to increased interest in today’s lunch options? Or are you the victim of a DoS attack? Are your customers encountering problems with your e-commerce site because of a fault or because a cybercriminal has tampered with it?
- Have a clear incident response plan. Your employees need to know who to contact and how to contact them if they suspect an attack or there’s a data breach. Because that’s when every second counts. Your people should know the best way to record a security incident and where to do this. And your IT team should know if an incident needs to be handled by a security provider or if it can be dealt with in-house.
Knowledge is the best defense
The best defense is built by thoroughly understanding your opposition. That means analyzing and learning from your own experiences of cybercrime to avoid falling for the same trick twice. It also means learning from the experience of others. The annual Data Breach Investigations Report (DBIR) is based on an analysis of over 40,000 security incidents and offers an unparalleled insight into the world of cybercrime.
You can get a clearer picture of the biggest cyber threats facing your business using the DBIR’s nine attack patterns — almost 90% of the breaches investigated in the report fall into these patterns1. Understanding them can help you prioritize your defenses and mitigate your cyber risks.
1 2017 Data Breach Investigations Report, Verizon
by Margaret Hallbach, VP of Public Sector Sales at Verizon Business Markets
When you think cyberattack, do you picture a criminal mastermind launching a carefully planned attack on the White House? Can you hear the dramatic music and feel the tension building as the good guys find themselves with only seconds to spare before the country descends into unmitigated chaos.
It’s a successful Hollywood formula. But the reality is much scarier because it’s not just central government and big businesses that are the intended victims of cybercrime — everyone is at risk. You expect that police security camera overlooking your apartment complex to be operational. But is it? What if it had been infected with malware weeks earlier and was “offline for maintenance” during an assault?
Cybercriminals are often motivated by financial gain, but you could fall foul of hacktivism and cyber-espionage. Cities and municipalities have become targets because of limited resources, insufficient expertise, and unknown vulnerabilities.
Attacks that are simply launched for fun can have a devastating impact as well. What happens if your emergency response systems are overwhelmed by a telephony denial of service attack swamping your inbound call takers at your public safety answering centers?
Manage the risk of more tech
Cities are constantly competing against each other. Do people feel safe? Are the schools good? Are companies thriving and providing jobs? To improve constituent experiences and quality of service, while driving cost efficiencies, local governments are leveraging technology. Many cities are now looking to the Internet of Things (IoT) for smart street lighting to reduce energy consumption, and for intelligent traffic systems that cut congestion — there are even systems that detect potholes. The potential benefits are huge.
But as local government becomes more reliant on digital technologies, the consequences of cyberattacks grow. You’re holding more personal data. Your critical systems depend on technology. That means security can’t be an afterthought. When you’re developing new systems, you need to think security first. Imagine your facilities organization is refurbishing a municipal building with a new HVAC system. The automated detectors for sensing employees in the building allows the system to be remotely controlled, managing energy consumption and cutting operating expense. But it could also provide a new entry point for a cybercriminal.
Understanding the threats
Many municipalities and cities are budget constrained. New sources of funding are hard to find and these funding sources are difficult to maintain. IT professionals are aware of the threats, but they don’t have the support from City Councils to earmark dollars. Cybersecurity funding should be no different than traditional public safety.
The 2017 Data Breach Investigations Report (DBIR) draws on the analysis of over 40,000 security incidents and almost 2,000 confirmed data breaches to bring you an unparalleled source of information on cybercrime. The nine attack patterns we first identified in 2014 still cover almost 90% of data breaches. Understanding them can help you gain insight on where and how to invest your limited resources. We are all trying to stay ahead of the bad guys. Ask for advice and guidance – from a colleague, from another city, from a partner, from the industry. And most importantly, take action. Don’t regret the decision that you did nothing.
Think your business is too small to be a target of hackers? Think again.
43% of all cyberattacks are targeted at small businesses*. You could be the victim of cybercriminals targeting your customer and employee data, which they can sell or use for identity theft. You might find yourself locked out of your systems and facing a ransom demand to get back in. You might be a stop on the route to a bigger target, or you might simply be the victim of some kid having some fun by defacing your website.
The bad news is it’s likely you’re an easier target than the large enterprises that have spent millions on cybersecurity. Most cyberattacks are opportunistic—cybercriminals spot a vulnerability they can exploit. If everyone else has stronger defenses, you could be next on the hit list.
What can you do? As a small company, you probably don’t have the expertise to handle cybersecurity in-house, so you’re most likely going to look for external help. But you can’t just offload the problem and then forget about it. Protecting your company isn’t just a job for IT security experts. Many data breaches are the result of human error on the part of employees. And if you are the victim of a cyberattack, handling the aftermath could involve employees across your business.
If you want to improve your chances of staying secure—and recovering fast if you’ve been compromised—it’s vital that you understand the threats you face without having to wade through a dry report full of technical jargon.
Learn from real-life investigations
The Verizon Data Breach Digest makes cybersecurity more approachable by telling the stories of investigations from actual cyberattack incidents. Each of the scenarios in our 2017 report is told from the perspective of key leaders from across the business, which means they can help you understand the critical decisions you’ll need to make if your business suffers a breach.
Read about the regional water supplier defrauded by a trusted partner. Discover what happened when janitors accepted money to plug infected USBs into a company’s systems. Find out how we helped a software-as-a-service company recover from a distributed denial of service (DDoS) attack. We walk you through each case, from initial incident detection and validation, through response and investigation, to resolution and lessons learned.
Each scenario includes an at-a-glance summary in the form of Attack-Defend cards. These explain: typical amount of time for threat discovery and containment; who you’re up against and their motivation; the industries most at risk; key stakeholders in the breach response; and the countermeasures you can take.
The Data Breach Digest isn’t just for IT security experts. It’s written in plain English to make it easy to understand. We hope you enjoy reading the latest edition and, in doing so, learn some key lessons on how you can protect your company’s assets and reputation.
*Internet Security Threat Report, Symantec, April 2016
It’s been a busy week for the Verizon Small Business team. If you are a regular reader of this blog or if you follow us on Twitter or is a fan of the Verizon Small Biz page on Facebook, then you knew about these activities:
- The launch (today) of the Verizon Hardest Working Small Biz Mom contest – any Verizon customer who is a mom and owns her own business can enter to win $5000!
For more information go to www.facebook.com/verizonsmallbiz and click on the ‘Small Biz Mom’ link on the left of the page.
- We held our first live Twitter chat with our featured author, Alan Gregerman. He offered many tips on how a business can give their customers the best experience. To read the tips Alan offered during the live Twitter chat click here.
- We also hosted another free webinar with Alan Gregerman who provided some many tips from his book Surrounded by Geniuses. The replay is already up, click here to watch it.
NOTE: Next Wednesday’s (May 4th at 2 p.m. EST) our free webinar features Scott Belsky founder of Behance will offer tips to build up and engage with your customers. To register for this free webinar click here.
- Reminder: Businesses in the real estate industry can enroll in Verizon’s referral program where agents and brokers can earn $100 gift card.
Below you’ll find some interesting articles I found that you may want to read:
It may be an extra expense for small businesses to offer a wellness program for employees, but it looks like it pays off as it’ll lower health insurance costs and boost workplace productivity. To read the full article from the Wall Street Journal click here.
This should be a good read for every small business – real life lessons in the delicate art of setting prices.
Lastly, the majority of data breaches are avoidable. Is your company’s data protected? I say this as I’m reading an article on attackers attempted to wire more than $20 million stolen from SMB accounts to China over the past year and managed to successfully transfer $11 million, according to the FBI.
To get some more details on how your company can avoid data breaches and insights into the recently launched 2011 Data Breach Investigation Report join this free webinar next Thursday (May 5 at 11:15 p.m. EST) hosted by Wade Baker, Verizon’s director of risk intelligence and Bryan Sartin, Verizon’s director of investigative response.
Have a great weekend!
- Everyone's Tags:
- data breach information business
Cybercrime… does it affect your business or you, personally? These series of
Q & A from Wade Baker, director of risk intelligence at Verizon and principal author of the 2011 Data Breach Investigations Report , offers some interesting insights. To see key findings, get access to the full DBIR report, listen to an audio podcast on this topic or to see additional graphs click this link.
Q: For those that aren’t familiar with the report, what is the Data Breach Investigation Report?
A: It is an annual study into the world of cybercrime that analyzes computer forensics to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
And this year, we have the privilege of working with the U.S. Secret Service and the Dutch High Tech Crime Unit, which drastically increases the scope and depth of the report.
Q: What were the major findings from investigations during the past year?
A: In 2010, we analyzed more incidents than ever in which consumer data – payment cards, bank accounts, personal information, etc – was stolen. And cybercriminals appear to be changing the way they accomplish this. Rather than massive breaches against large organizations like we’ve seen in the past, we saw a huge number of lighter, faster, and more surgical strikes against smaller organizations. Since many of the criminals behind those larger thefts are in jail, this trend may represent a tactical shift toward less risky and lower-hanging fruit.
Q: It sounds as though you are suggesting that cybercriminals are pretty organized and savvy – is that true?
A: Absolutely. What many don’t realize is that there’s a very well-organized criminal underworld build around data theft and fraud. They want your information because they can sell it for profit or drain your bank account, make fraudulent purchases, conduct identity theft and all manner of evil. It’s definitely a business for them.
Q: How do these groups steal information and who is vulnerable?
A: Not to sound overly-dramatic, but they’ll use any tactic that works and pretty much anyone is vulnerable. We see everything from hacking into corporate networks, tricking employees, bribing insiders, and even physical theft and tampering. Some of these attacks are very sophisticated, but most of them less so than you might think. You’d be surprised at the kind of stuff used to successfully steal data from corporations and part of the value of this report is identifying what kinds of attacks occur most often and are therefore most critical to combat.
Q: Speaking of combating cybercrime – what are your top recommendations to businesses?
A: After studying thousands of data breaches, I can say with confidence that the overwhelming majority of them are avoidable through relatively basic countermeasures – ones that the victims probably thought were in place. Therefore, the most useful thing organizations can do is to implement procedures to check and recheck and even triple check that they are actually doing what they intend to do consistently and comprehensively.
Next, organizations need to increase their visibility into what occurs in their networks, systems, and applications. It usually takes a very long time for victims to know they’ve been breached and it is usually someone else that tells them about it. This is evidence of very poor situational awareness and that really needs to improve.
Q: And in similar fashion, what would you recommend to consumers?
A: Without a doubt, the most important tip I have is to be aware.
First, be aware of what MIGHT happen. Understand the risks doing business in the online and offline worlds. A lot of people ask me if I’m afraid of buying things online and my answer is always “No – but I am definitely wary of it and act accordingly.”
Second, be aware of what HAS happened. Check your bank and credit card statements. Monitor your credit. If you see something out of place, look into it. This is very important and can save you huge headaches and expense.
Third, use a credit card rather than a debit card when possible. There’s nothing wrong with debit cards per se, but there’s typically less risk to you if your CC# is stolen than your debit card.
Fourth, be stingy with your personal information. Don’t give or store more than you need or want to. For instance, I opt out of storing my CC# when making a purchase online unless I buy from that site frequently. The way I see it, the fewer entities that have my information, the less likely it is to be compromised.
Five – When using an ATM, gas pump, or any public payment kiosk, look for signs of tampering or components that don’t belong. These are common targets for thieves trying steal your payment card info and PIN.
- Everyone's Tags:
- data breach information business