cybersecurity - You Are Being Targeted
Business executive with high-level management and hands-on analytical skill sets and over 27 years of professional experience in technical solutions and service offering development and implementation, organizational strategies for efficiency, cost controls, and bottom-line profitability, multi-million dollar enterprise-wide client engagements, compliance with schedule, budget, and quality requirements, hiring and leadership of high-performance IT employees.
Keyven Lewis, CMIT SOLUTIONS- Cybersecurity - You Are Being Targeted.
An overview to help SMB owners understand the dynamics (exp. the who, the why, and the how) of cybersecurity as it relates to their business.
2. People
What role does your staff, contractors,
consultants, freelancers, and business
partners play? What about bad actors
within your ecosystem?
Understanding CybersecurityProtecting all aspects of your business
Policies Procedures
Technology
Do you have security policies? Are
these policies integrated with your
business workflows and behaviors? Do
you meet any regulatory requirements?
Procedures are where the rubber
meets the road. Policies have no
impact without procedures to make the
best intentions reality.
At the core of every business is the
technology infrastructure. Does your
technology support and integrate with
your people, policies, and procedures?
Are your protections proactive,
automatic, and responsive?
https://cmitsolutions.com/security-quiz
3. 3
Who is the Target?
https://cmitsolutions.com/security-quiz
4. 4
Small Business Targets
❯ “43% of targeted
attacks hit companies
with fewer than 250
employees.”- Symantec Internet
Security Threat Report 2016
❯ 99% of computer
users are vulnerable to
software
vulnerabilities –Heimdal Security
❯ “30% of recipients
now open phishing
messages and 12%
click on
attachments”
- Verizon 2016 Data Breach Investigations Report
https://cmitsolutions.com/security-quiz
5. 5
Can you afford a breach?
❯ 44% of small businesses reported being the victim
of a cyber attack – average cost $36,000 - SBA 2016 Survey
❯ 60% of small businesses attacked go out of
business in 6 months – U.S. Nat’l Cyber Security Alliance
https://cmitsolutions.com/security-quiz
11. Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M
(KrebsonSecurity, July 18,2018)
LifeLock Bug Exposed Millions of
Customer Email Addresses
(KrebsonSecurity, July 18, 2018)
12. Phishing
• A skillfully crafted email
• Designed to give up information
• From a seemingly credible source
• An urgent call to action
Email arrives provoking you to update
account information
You click on the link and enter credit
card info on the scam page
Hacker collects your info
Hacker sells or uses your info
maliciously
15. Spear phishing
• Highly targeted phishing
• Research targets over time
• Time is on their side
• Social Engineering – attacking the
soft tissues that make up your cyber
and life profile
Email arrives provoking you to update
account information
You click on the link and enter credit
card info on the scam page
Hacker collects your info
Hacker sells or uses your info
maliciously
Research high-value target
18. 18
Buy Your Data Back for $200
According to the survey’s
other findings
(representing more than
1,000 IT service providers),
the average ransom
demanded ranges between
$500 and $2,000
Datto (2016)
https://cmitsolutions.com/security-quiz
21. Are SMBs Prepared to Mitigate Cybersecurity
Risks?
Today, many small- and medium-sized businesses (SMBs) are ill-prepared when it comes to cybersecurity, due to the
growing sophistication of cyber threats and lack of in-house expertise. The chart below shows the rated effectiveness of the
surveyed organizations' ability to mitigate risks, vulnerabilities and attacks against their businesses.
November 10, 2017
22. Are Outdated Browsers Leaving Businesses Vulnerable?
Running unpatched browsers leaves your network vulnerable to exploits and other malicious schemes that could expose or
compromise company data. The chart below breaks down commonly-used browsers by the percentage of users running outdated
versions of each.
November 4, 2016
23. Is the IT Security Gap a Threat to SMBs?
With lean IT staffs, many small- and medium-sized businesses (SMBs) lack the resources and expertise to manage complex
security infrastructures. While threats to security are proliferating, these organizations aren’t taking the proper precautions to
protect themselves and their networks. The data below shows the gap between the level of concern and the level of protection
for given IT security issues.
November 10, 2017
24. Which Vertical Has the Highest Cost of
Security?Not all data is created equal. While cyber criminals will go after any sensitive information they can get, some industries
come at a higher price tag. Below are the average costs of a data breach per stolen record in 2017, compared to the
four-year average for the respective vertical.
25. What Is the Cost of IT Downtime?
Downtime is an expected yet expensive risk of doing business today. Without the ability to maintain or restore business
operations, it could result in direct losses in productivity and revenue. Below is what businesses claim to be the cost of an
IT downtime incident.
26. The Financial Consequence of a Cyber Attack is
Worsening
The global average cost of cyber crime has seen a steady increase over the past five years, with a significant increase
in the last two years. This trend will likely continue, but businesses can look to invest in managed security services to
mitigate the risks of cyber attack and avoid the increasing financial consequences.
February 9, 2018
27. The Steep Cost of Poor IT Security
Without the proper security tools in place, businesses are at severe risk of falling victim to cyber attack. In fact, the average
total cost of a successful attack is $5,010,600. Below shows the breakdown of all the costs that factor into this high number.
$1,252,650
$1,503,180
$1,152,438$501,060
$400,848
$200,424
System Downtime
IT and End User Productivity Loss
Theft of Information Assets
Damage to Infrastructure
Reputational Damage
Lawsuits, Fines and Regulatory Actions
$5,010,600
Source: Ponemon Institute, The 2017 State of Endpoint Security Risk Report
28. How Dwell Time Can Impact Profitability
Without threat monitoring and detection capabilities, businesses are subject to dwell time that could result in a successful and
costly cyber attack. Below shows the relationship between mean time to identify (MTTI), mean time to contain (MTTC), and the
total average cost of a security incident measured in US$ (millions).
Editor's Notes
A recent Tech Pro Research survey showed that 61 percent of SMBs allocate less than 10 percent of overall budget to IT security.
1 of 3 (32%) security professionals lack effective intelligence to detect and respond to cyber threats.
NIST (National Institute of Security for Technology)
Over 260 million records containing sensitive information have been compromised in the first four months of 2018
Worldwide cyber security spending will reach $96 billion by the end of 2018
23% of phishing emails are opened by recipients
11% that open the phishing email also click on the link or attachment in the message
But the most troubling # is 43% and that's the percentage of spear phishing attacks targeting businesses with 250 or few employees.
14 Million small businesses were attacked over past 12 months
48% more SMBs experienced a breach due to employee neglect in 2017 vs. 2016
1 in 131 emails contains a malware.
This is the highest rate in about five years, and it is further expected to increase as hackers attempt to use malware like ransomware to generate money from unsuspecting people
This photo appeared in Wired Magazine in 2011 titled “How a remote town in Romania has become cybercrime central.”1
There is a supporting economy for cybercriminals.
This is a city of 120,000 has a nickname: Hackerville (only a small percentage of them are actual hackers)
Râmnicu Vâlcea is a town whose business is cybercrime, and business is booming. -
More profitable than the global trade of all major illegal drugs combined
Damage costs to hit $6 trillion annually by 2021*
Social Security number: $1
Credit or debit card (credit cards are more popular): $5-$110
With CVV number: $5
With bank info: $15
Fullz info: $30Note: Fullz info is a bundle of information that includes a “full” package for fraudsters: name, SSN, birth date, account numbers and other data that make them desirable since they can often do a lot of immediate damage.
Online payment services login info (e.g. Paypal): $20-$200
Loyalty accounts: $20
Subscription services: $1-$10
Diplomas: $100-$400
Driver’s license: $20
Passports (US): $1000-$2000
Medical records: $1-$1000*
It’s become a security industry cliché that email is the number one threat vector.
Here’s a recent data point. In the 2017 Threat Landscape Survey: Users on the Front Line, conducted by the SANS Analyst Program, for the Top Threat Vectors - 74% of the threats entered as an email attachment or link. https://www.sans.org/reading-room/whitepapers/threats/2017-threat-landscape-survey-users-front-line-37910
Other studies and estimates have put this percentage as high as 90% or more.
Clearly email is a huge source of risk for modern organizations.
Let’s take a look at some recent examples to unpack the reasons why
These threats are a constant worry for small, medium and large organizations across all industries.
How Effective is it?
Very! Its been around for tens of years and still going strong!
How:
An email that can come from a seemingly credible institution such as a bank, ebay, facebook, paypal etc. It typically has an urgent call to action that will have you clicking on a link, attachment or embedded file. Spoofing / masking of email addresses and links play a big role so beware! Links to apparent institutional websites can be very convincing – so watch what you click. Attachments may seem to do nothing, but may have key-loggers or crawlers running in the background… or worse!
The soft tissues of your cyber self
How Effective is it?
Very! If only because it is a highly targeted campaign.
Typically again through email but will be a lot more polished and convincing. The Social engineering element leverages the human instinct to ‘trust’ others, avoid confrontation and not question authority etc.
Here attackers spend a lot more time studying their subjects – it’s worth it – the rewards can be huge! Attacks can either happen fast, or once in, attackers can ‘sleep’ in your network. Once in, they will take time to learn more about you, your company, your processes etc… whatever they need to launch a highly effective strike against you. Becuase they are so customized, tradition firewalls, web filters and the like are often rendered useless.
The soft tissues of your cyber self
How Effective is it?
Very! If only because it is a highly targeted campaign.
Typically again through email but will be a lot more polished and convincing. The Social engineering element leverages the human instinct to ‘trust’ others, avoid confrontation and not question authority etc.
Here attackers spend a lot more time studying their subjects – it’s worth it – the rewards can be huge! Attacks can either happen fast, or once in, attackers can ‘sleep’ in your network. Once in, they will take time to learn more about you, your company, your processes etc… whatever they need to launch a highly effective strike against you. Pecuase they are so customized, tradition firewalls, web filters and the like are often rendered useless.
1 in 131 emails contains a malware.
This is the highest rate in about five years, and it is further expected to increase as hackers attempt to use malware like ransomware to generate money from unsuspecting people.
54 percent of organizations experienced one or more ransomware incident in 2017
70 percent of businesses paid to get their data back in 2016. (Source: IBM)
According to Dimension Data, ransomware attacks worldwide rose 350 percent in 2017 over the previous year.
In 2017, the average ransom payment grew to $3,675 per ransom.