Four Elements of CyberSecurity for Small Businesses

Has your small or midsize business finally decided to bite the bullet on cybersecurity preparedness by adopting software to protect the firm’s sensitive information? If so, the key task for you now is to determine whether these new cybersecurity protections are, in fact, working. After all, data breaches do not hit the same firm every day, and you probably have many other things to do instead of becoming a part-time IT expert.

As the co-founder of a firm that provides cybersecurity software to financial firms, I can tell you that it’s important to have cybersecurity tools and protocols that can be trusted to counter preventable attacks and mistakes, as well as execute proper and timely incident response for unpreventable data breaches.

In practical, concrete terms, these are four items that can drive the effectiveness of a cybersecurity platform for your company:

1. Impartial Risk Assessment

Good technology conducts an ongoing impartial assessment of your firm’s potential vulnerability to hackers and human error. This allows whoever is responsible for cybersecurity at your company to customize the weighting of the firm’s risk parameters, while still adhering to regulatory constraints.

Ideally, the technology would assign each firm and each user an easy-to-understand grade to this effect, along with how that figure compares with others in your specific industry. Comparables show whether serious work is required to reach par, or whether you’re ahead of the curve. Proprietary software built in-house at a small or midsize firm is unlikely to have access to such comparison data.

2. Third-Party Vendor Diligence 

In today’s environment, which is defined by the proliferation of third-party service and solution providers, up-to-date and industry-specific technology should offer third-party vendor due-diligence features. Paramount among any set of vendor due-diligence features is the ability to identify and conduct a comprehensive risk assessment on every vendor the firm uses.

Those assessments should be based on commonly accepted, industry-specific criteria, not artificial benchmarks devised in a vacuum by the firm or its cybersecurity provider, which tend to be self-serving. The assessment should collect and validate the responses from each vendor, then give each vendor a grade.

In addition, the technology should restrict access to a firm’s data to only pre-approved vendors whose workers use devices that a cybersecurity provider can actively monitor, or those vendors with a satisfactory record of meeting regulatory and compliance standards.

3. Testing And Remediation 

Your cybersecurity tools should perform periodic incident response tests on users, devices and networks to evaluate the firm’s readiness and follow-through in real-life hacking or phishing attacks. Since bad actors intend to exploit common weaknesses — including impersonating trusted individuals or institutions to alter or retrieve passwords — your software should train your team to resist them.

When users do fall victim to scams, either simulated or malicious, automated playbooks or remediation processes should kick in. For example, the software should update the grade of the firm and user, track the incident in accordance with compliance policies and give the compromised user real-time onscreen education to internalize best practices.

4. Cyber Insurance

Many business owners have property and casualty or liability insurance. The same principles of coverage, preparedness and policy relevance should also apply to cybersecurity protections for your company.

Cyber insurance should be specific to your firm’s business model and user behavior. Relevant insurance protects firms against direct monetary expenses stemming from data breaches. These may involve replacing software and hardware, client lawsuits or fines from regulatory violations, such as lapses with customer data.

In addition, cyber insurance should come with a straightforward and speedy application process that lets the firm modify coverage to fit its needs, while still providing every user with sufficient coverage. Because good behavior should be rewarded, ideally the insurance package’s pricing and range of protections would factor in the grade that the firm’s cybersecurity technology assigns.

A large company with hundreds of employees spread across the country who work with dozens of third-party vendors to sell many lines of service is fundamentally different from a five-person company in a single office selling a handful of products. Likewise, those two firms require vastly different cyber insurance packages.

How To Keep Your Team Informed

Unless you are your firm’s chief information officer or chief compliance officer, you probably don’t have constant, hands-on interaction with or decision-making responsibilities for cybersecurity tools and processes. But all employees and firm leaders should have easy access to the firm’s written data protection policies and protocols.

Those documents should detail the features of your firm’s cybersecurity providers, as well as guidelines you and other users should follow to mitigate the risk of a breach. Those guidelines should include tips on how to spot fraudulent or suspicious activity before data is compromised, steps to act fast in case of a cyber incident and the individuals at the firm responsible for ensuring that these processes, policies and protocols are carried out.

When all of this is in place, then — and only then — will you have a reasonable level of confidence that your firm’s cybersecurity preparedness resources are working effectively.

Poor Information Security Habits Put Taxpayers At Risk

Four in 10 taxpayers in a new study said they were worried about falling victim to tax fraud or tax identity theft during tax season, but 45% admitted that they stored tax paperwork in a box, desk drawer or unlocked cabinet at home or at work.

Not only that, one in five said they did not shred tax paperwork or physical documents containing sensitive information before throwing them away.

Shred-it, an information security service provided by Stericycle, commissioned the mobile survey, which was conducted by Pollfish on Feb. 5 among 1,200 respondents 18 and older.

Forty-eight percent of survey respondents said they would file their own taxes online via tax preparation software, while 37% said they would file with a certified tax preparer.

Forty-four percent in the latter group said they did not know how the person preparing their tax returns would store or dispose of documents containing their personal information. This finding underscores the need for conversations around data protection during tax season, according to Shred-it.

“The Tax Season and Fraud Prevention Report reveals how common these risky tax filing habits are and how they put taxpayers in jeopardy for fraud or identity theft,” Monu Kalsi, vice president of marketing for Stericycle, said in a statement.

“As we near the April 15 tax filing deadline, we encourage everyone to reassess how they are handling their own tax documents that contain sensitive information and also question how those preparing taxes for us are doing the same.”

Risky security habits could be contributing to tax identity theft and tax fraud, according to the report, which found that 26% of respondents knew someone who had been a victim of tax fraud.

Tax fraud fears hit millennials hardest, with 43% saying they were worried about becoming a victim of tax fraud or tax identity theft, compared with 34% of baby boomers and 33% of Gen Z taxpayers.

Sources of Fraud Susceptibility

According to the survey, 54% of taxpayers thought tax documents, such as W-2 and 1099 forms, were the source of information most susceptible to fraud or identity theft. This compared with 15% who worried about auto loan documents and 6% who were concerned about mortgage documents.

Fifty-seven percent of women expressed concern about information fraud or identity theft from tax documents, versus 49% of men.

And two-thirds of millennials and more than half of Gen Zers considered tax documents most susceptible to information fraud or identity theft, compared with fewer than four in 10 boomers.

Thirty-five percent of taxpayers thought the greatest risk of becoming a victim of tax fraud or tax identity theft came from filing taxes online with tax preparation software.

This compared with one in four who thought filing taxes with a friend or family member put them at the greatest risk, and one in 10 who worried about doing so with a certified tax preparer.

Despite concerns around filing taxes online, 54% of millennials said they would file their taxes online with tax preparation software, followed by 45% of boomers and 43% of Gen Zers.

Forty-two percent of taxpayers in the survey said they kept tax documents for more than seven years before disposing of them, 26% kept them for four to seven years, 22% did so for one to three years and 5% kept documents for less than a year.

Men were slightly more likely than women to keep tax documents (e.g. W-2 and 1099 forms) for less than a year before disposing of them. About four in 10 Gen Zers and millennials said they held on to tax documents for one to three years.

Ransomware Attacks Becoming More Widespread

More ransomware attacks made news headlines this month, the most notable being the Oslo, Norway-based aluminum manufacturer Norsk Hydro being shut down by ransomware.

The company produces close to half a million tons of aluminum products each year, and is also a significant provider of hydroelectric power in Norway.

The LockerGoga malware was used to disrupt operations at one of the largest global aluminum manufacturers. According to TechCrunch, “Employees were told to ‘not connect any devices’ to the company’s network.”

Wired magazine offered this Guide to LockerGoga, the ransomware that is crippling industrial firms.

Here’s a quote from the Wired article: “Since the beginning of the year, LockerGoga has hit a series of industrial and manufacturing firms with apparently catastrophic consequences: After an initial infection at the French engineering consulting firm Altran, LockerGoga last week slammed Norwegian aluminum manufacturer Norsk Hydro, forcing some of the company’s aluminum plants to switch to manual operations. Two more manufacturing companies, Hexion and Momentive, have been hit by LockerGoga—in Momentive’s case leading to a “global IT outage,” according to a report Friday by Motherboard. And incident responders at security firm FireEye tell WIRED they’ve dealt with multiple LockerGoga attacks on other industrial and manufacturing targets they declined to name, which would put the total number of victims in that sector at five or more.”

The Cost of Ransomware

At the beginning of 2019, Digital Guardian chronicled the history of ransomware attacks in an article which does a good job of defining terms, describing the effects of ransomware, explaining how the fraud works, and projecting future trends, but which in my view underestimates the costs of ransomware.

The research puts ransomware costs at under $2.4 million (US), yet the costs already associated with the Norsk Hydro event alone are reported to be at least $40 million, and still growing.

HealthITSecurity offers an article with the headline “71% of Ransomware Attacks Targeted Small Businesses in 2018.” Here’s an excerpt: “About 70 percent of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000, according to a recent report from Beazley Breach Response Services.

Beazley researchers analyzed 3,300 ransomware attacks against their clients last year and found the highest ransom demand was $8.5 million. The highest demand paid by one of their clients was $935,000. …”

According to Coveware’s recently released 2018 Q4 Ransomware Marketplace Report, we’re seeing scary trends in ransomware attacks:

  • Ransoms have increased by an average of 13% over Q3 2018 to $6,733
  • Attacks on backups as part of the ransomware attack have increased by 39% over Q3 2018
  • The average victim company size has risen from 38 to 71 employees

Ransomware Attacks on Governments Continue

In the past few days, the City of Albany, New York, was attacked by ransomware, according to their mayor.

Over the past year, there were numerous cities, counties and state government agencies hit by ransomware.

Back in 2017, I wrote a piece on ransomware attacks in government up to that time. Since 2017, attacks have only accelerated.

If you think insurance will take care of any costs, you may need to think again. I was surprised to read that some insurers are not paying if they can claim “an act of war.” Consider this article:

Citing “Act of War” Clauses, Insurers Refusing to Compensate Firms Hit in Ransomware Attacks – “Global insurance firm Hiscox is now the second insurance firm known to have refused to pay out a company damaged in a NotPetya cyberattack, Verdict reports. …

Danish shipping giant Maersk has reportedly claimed that NotPetya malware, whereby hackers encrypt data and will not release it unless a cryptocurrency ransom is paid, resulted in losses of $378 million to the company.

FedEx subsidiary TNT Express pegged NotPetya losses at $374 million.

The other insurer that has reportedly used “Act of War” provisions to refuse to make a NotPetya payout is Zurich, insurer of Mondelez, a large American food company.

Mondelez is now suing Zurich for $100 million. Mondelez says that 1700 servers and 24000 laptops were destroyed in its NotPetya hack.”

Closing Thoughts

At the beginning of 2019, many predictions were made about the growing spread of ransomware and the growing amount of destructive malware. Those predictions are coming true before our eyes.

One year ago, I wrote a blog on the difficult decision that many governments face regarding whether to pay the ransom or not when they are infected – especially if they don’t have adequate backups. I urge tested data backups as an important step to protecting your organization from an attack. Also, prepare for cyber incidents in advance with these helpful tips from NIST.
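A backup is only "tested" once you have restored it and checked that every file came back intact. The Coveware figures above also show attackers going after backups as part of the attack, so the check must not rely on anything the attacker could rewrite. The following Python script is an added example, not code from the original post or from any vendor named here: it records a SHA-256 manifest at backup time, seals the manifest with an HMAC whose key is kept off the network, and then compares a restored copy against it. The file names, contents and the damage simulated in the restore are constructed for the demonstration.

```python
"""Tested backups: build a manifest of SHA-256 digests at backup time, seal it
with an HMAC key kept off-line, then verify a restored copy against it.
Added example; not code from the original post. All sample data is constructed."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": file_digest(p)}
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Serialise the manifest and append an HMAC, so an attacker who can rewrite
    the backup cannot also rewrite the manifest to match without the key."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})


def open_manifest(sealed: str, key: bytes) -> dict:
    """Check the HMAC before trusting any digest in the manifest."""
    outer = json.loads(sealed)
    expected = hmac.new(key, outer["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["hmac"]):
        raise ValueError("manifest has been altered or the key is wrong")
    return json.loads(outer["manifest"])


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest and report what a restore test
    must flag: files missing, files whose content changed (encrypted or corrupted),
    and files that should not be there (for example renamed copies)."""
    report = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif p.stat().st_size != manifest[rel]["size"] or file_digest(p) != manifest[rel]["sha256"]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["modified"].sort()
    report["unexpected"].sort()
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def manifest_tamper_detected() -> bool:
    """An attacker who edits one digest in a sealed manifest without the key is caught."""
    key = b"k" * 32  # constructed key for this check only
    sealed = seal_manifest({"a.txt": {"size": 1, "sha256": "00" * 32}}, key)
    outer = json.loads(sealed)
    outer["manifest"] = outer["manifest"].replace("00" * 32, "ff" * 32)
    try:
        open_manifest(json.dumps(outer), key)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a tiny constructed data set, back it up, then test a restore in which
    ransomware has encrypted one file, renamed another and removed a third."""
    key = os.urandom(32)  # in practice: generated once, stored off-line with the media
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "list.txt").write_text("alice\nbob\n")
        (src / "ledger.csv").write_text("2019-03-01,invoice,1200\n")
        (src / "notes.txt").write_text("quarterly review\n")
        sealed = seal_manifest(build_manifest(src), key)

        restored = Path(tmp) / "restore"
        shutil.copytree(src, restored)
        (restored / "ledger.csv").write_bytes(os.urandom(64))          # encrypted in place
        (restored / "notes.txt").rename(restored / "notes.txt.locked")  # renamed by the malware
        (restored / "clients" / "list.txt").unlink()                    # never came back

        return verify_restore(restored, open_manifest(sealed, key))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real restore, `verify_restore` is the part you schedule; `demo` only exists to show the three failure classes on constructed data. The HMAC key and the sealed manifest must live somewhere the backup software cannot write to (printed, or on removable media), otherwise an attacker who has already reached the backups simply regenerates both.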

What is clear is that our ransomware problems are getting worse, and the stakes are getting higher, with more destructive malware being used against critical infrastructure every day.

Your IT Data Might Be At Risk

The cyber security industry is growing as you’re reading this. More specialists are joining the ranks, and more malware is being launched every day than ever before. In 2015, 230,000 new malware samples were recorded daily. Naturally, more resources are being deployed to counter cyber attacks. That’s why I thought it would be helpful to sum up 10 cyber security facts that define the current information security landscape.

Don’t think that hackers are only targeting corporations, banks or wealthy celebrities. They go for individual users like you and me also.