By this point in 2020, most of us feel like runners who left the starting line expecting a 5K and realized we were actually running a marathon. Or an ultramarathon. Or Forrest Gump’s open-ended run across America. Who actually knows? Every week forces a new revision of our pace and overall strategy as the finish line keeps running away from us.
Much of the IT world is still living on stop-gap measures thrown into place in March when it became obvious that ideas about a dispersed workplace were materializing in the span of a week or two. Arizona State University research shows that about 13% of employees worked from home a few weeks before COVID. Now, about 66% of people who still have jobs are working from home.
The old analogy of building a plane while we’re flying it doesn’t even cover the full challenge. Thanks to hackers, we also have people trying to hijack the plane we’re building in mid-flight.
Pratum’s cybersecurity experts have been working daily during the pandemic to help clients adjust to 2020’s constantly revised realities. Here are some key lessons we’ve shared with clients so far:
It’s time to focus on long-term solutions. We can all give ourselves a pass for thinking that the dispersed workforce would be a two-to-three-month phenomenon. But now that we’re hitting five months with no end in sight, it’s time to work on sustainable setups. That requires an investment. It will probably take weeks of discussions among multiple stakeholders to address all the implications of a much larger percentage of employees in a work-from-home environment. Company leaders must be ready to devote those resources to the job.
The “data-centric” mindset is now. Many IT leaders had already started shifting cybersecurity architecture from a focus on devices to the data itself. But the pandemic’s current has pulled in even late adopters. Business now happens in the cloud on a wide array of devices, many of which companies don’t own. That’s forcing IT teams to reconsider how to protect critical files, wherever they travel.
The cloud has its own requirements. Practically overnight, organizations nationwide shifted systems and processes to the cloud or provided remote access before proper security reviews could be completed. Unfortunately, many failed to properly configure their systems, leaving open doors for hackers. This spring, for example, researchers found a real estate database on Google Cloud that required no password or authentication. It contained detailed information on more than 200 million American homeowners.
Personal devices are part of the plan. Most IT teams built security policies for a handful of remote employees, not an almost entirely remote workforce. So revisions are in order to account for a wave of personal device usage that goes far beyond BYOD (bring your own device) phones. Hackers aren’t waiting around for companies to plug the holes. Ransomware attacks have spiked this summer. And one attack earlier this year penetrated a company’s mobile device management platform, giving it access to nearly every connected device.
Social engineers thrive on disrupted processes. Hackers are also capitalizing on the muddled processes that come with dispersing a workforce for the first time. At the beginning of 2020, an office worker who got an unexpected e-mail about an invoice might have shouted over the wall to confirm the payment with a co-worker or manager. Now the communication requires a phone call or e-mail, which may or may not clarify things, and may not even happen. Hackers are counting on that.
Phishing season is wide open. By some estimates, phishing attacks are up 70% since the spring of 2020. Social engineers have long recognized that remote employees often make easier targets since they may feel less connected to the organization and could be less aware of security best practices. Hackers also keep honing their phishing strategy with messages tailored around research into specific organizations and individuals. In today’s phishing e-mails, the tip-off may be as subtle as a mismatched font or referring to someone who goes by “Steve” as “Stephen.”
Clearly 2020 is forcing all of us to rapidly adjust plans while the ground shifts under us. Pratum’s consultants can help. Contact us today!
Proper password habits feel like data security’s equivalent of flossing. Yes, we all need to do better with both. But if we’re pressed on how it’s going, most of us admit that we don’t even know where the floss is and that we keep most of our passwords on three sticky notes hidden under our keyboard.
We get it. Most days feel like a constant obstacle course of passwords and PINS, whether we’re trying to withdraw cash at the ATM, check a retirement account balance, use a retailers’ reward card or just stream a movie. The average American has 50+ passwords—many of which you use once or twice a year. (“Yes, specialty spice retailer, it looks like I DID forget the password that I created for Christmas of 2018!”)
Even the password’s inventor, the late MIT professor Fernando Corbato, turned antagonistic to the monster he created. He told the Wall Street Journal in 2014 that passwords have “become kind of a nightmare on the World Wide Web.”
Password alternatives keep turning up, but no one has quite mastered the alchemy of an easily remembered, hackproof password. The “knock codes” LG added to its phones excited a lot of people, for example. Users simply tap out a chosen sequence on a blank screen to unlock the phone. But it turns out that 20% of participants forget their new codes within 10 minutes. So most people use very predictable patterns for their codes.
Biometrics are an easy-to-use option, but only if a company wants to pay to install fingerprint or retinal scanners on every device.
So the password abides. If we’re following the IT department’s advice, each password contains a different scramble of uppercase letters, lowercase letters, numbers and symbols. No wonder most of us give up and take the easy routes; 59% of us use one password everywhere, according to the password management company LastPass. Most people are willing to gamble convenience against the chance that a hacker will get the keys to their digital life.
As for writing every password down in one place…well, even Professor Corbato, Father of the Password, admitted that he kept a written cheat sheet of 150 passwords he was trying to manage. But the risk of that move isn’t going away. In June 2020, the “hacktivist” group Anonymous broke into the Minnesota Senate’s servers and hacked a file that Senate officials literally called “The Passwords File.”
And one more thing just to make the challenge even bigger: Experts advise against using the “Remember Me” function to log into web pages automatically. If someone gains access to your computer, they will have an open door into any password-protected website you use.
But enough venting about password headaches. What are the current best practices for managing passwords in a way that’s secure and actually practical? Here are guidelines recommended by Pratum’s experts:
If you’re wondering whether your password game is in the sweet spot of security and usability, a Pratum expert can help. To discuss a review of your policies, reach out to our cybersecurity team.
Have you ever put a price on your organization’s data? Some hacker out there is probably prepping right now to help you with that. They’ll gladly hold onto your data until you nail down exactly how much you’re willing to pay to get it back.
Ransomware, if you’re new to the term, works just like it sounds. A cybercriminal gains access to your system, encrypts the data so that you can no longer use it and then demands a payment (typically paid in Bitcoin) to let you back into your own data. If you’re attacked by a less sophisticated hacker, however, the encryption key may not work, leaving your data unusable.
The first big wave in 2015 went after consumer devices and small ransom payments, but attacks on businesses have surged in the last year. Some experts are reporting jumps of 70+% in ransomware attacks this year as millions of workers have begun working remotely. Some recent estimates say that hackers target 90% of financial institutions every year.
Clear ransomware stats are hard to come by since businesses understandably get shy about telling the world that they’ve been victimized. Experts have pegged the average payment at anywhere from $5,900 to $41,000. The highest ransoms, however, surpass seven figures. In June 2020, for example, the University of California-San Francisco announced that it had paid $1.14 million (116.4 Bitcoin) to regain access to its data. (You can see the negotiations between the university and the hacker here.)
For victims, the total tab includes far more than the ransom. A 2017 attack forced shipping giant Maersk to close 17 ports, costing the company more than $200 million. Some companies refuse to negotiate and try to retrieve data through other means, which could get costly if your data wasn’t properly and securely backed up.
A business with little tolerance for downtime and no backup system will be especially likely to pay up. A medical facility that can’t access its patient records or scheduling system, for example, is effectively shut down. And damage to a brand can be a deciding factor. A law firm that loses control of its sensitive data may never regain clients’ trust.
All this shows why paying the ransom frequently feels like the least bad choice—and why industry observers call ransomware “the cybercrime of choice” and “your biggest online security nightmare.”
The ransomware scene has developed all the underworld trappings of a drug cartel or weapons bazaar. Bad actors can visit online marketplaces to bid on access to hacked computers. Or they can hire an RaaS (ransomware as a service) mercenary to do the dirty work for a cut of the ransom. A few ransomware providers even have well-run call centers to ensure that decryption goes smoothly after the payment. No respectable criminal, after all, can afford for victims to tell future targets that paying the ransom is pointless for retrieving data.
And like all innovators, cybercriminals keep creating new products. Some hackers pursue a “leakware” strategy, declaring that if you don’t pay the ransom, they’ll share your proprietary files with the world. So much for your data backup saving the day.
Data kidnappers typically use phishing schemes to trick a user into clicking a malicious file that lets hackers into the system. Organizations with many dispersed users are especially tempting. In other words, nearly every company became a fatter target in 2020 as employees began working at home in large numbers. Other attacks skip the well-meaning end user and simply exploit known security holes.
Once the hackers enter the system, they may spend several days snooping around your files to determine exactly how to hurt you the most. They may also start monitoring communications among key employees—all in the interest of assembling a ransom offer you can’t refuse. With an airtight plan, they encrypt your data and announce the attack tailored just for you.
Obviously, hackers are bringing serious tools to this heist. So let’s consider some best practices for keeping both your data and your money where they belong:
Pratum experts spend every day fending off the latest ransomware. If you’re ready to assess your company’s risk of attack, reach out to our cybersecurity team.