Is Your Website a Bait Shop for Phishing Attacks?

October 2022 Newsletter - If you’d like to read this newsletter at the same time as our subscribers, please sign up here: protectnowllc.com.

Is Your Website a Bait Shop for Phishing Attacks?

Welcome to Cyber Security Awareness Month. Since 2004, this month has been designated as a time for business owners and individuals to consider their role in preventing cyber attacks.

One very simple way to limit your risk is to limit what you publish online. Is your email online? What about your phone number? Do you have a website that includes the names and roles of your executive team? In just a few minutes, cybercriminals can take that information and weaponize it to attack you or your business. Over and over again, we see companies with huge investments in cyber security undone because an employee thought they got an email from the boss asking for a password or asking to download a file.

This month’s featured story examines the risks of publishing personal information online and provides some tactics any organization can use to reduce those risks. It will make you think twice about that online employee directory.

BREAKING: Australian Executives Echo Common Concern, Give Wrong Answer to PricewaterhouseCoopers

In a new survey conducted prior to the devastating Optus data breach, 90% of Australian executives said they would be reluctant to come forward and report an intrusion or cyber attack, reports PwC. The survey also found 81% of executives opposed mandatory reporting on the grounds that it would stop companies from getting in touch with law enforcement when intrusions or ransomware attacks take place.

Australian executives cited concerns over lost business and lost competitive advantage as reasons for wanting to keep a cyber attack quiet. As I have pointed out before, this is the wrong answer to the challenge, and it compounds problems when you have a breach.

Unless your cyber security is so bad that you lose data every week, you MUST be transparent about an attack as soon as it occurs. The only exception is when law enforcement asks you to delay reporting so that they can investigate the source.

Your customers will thank you. Customers deal with cyber-attacks and phishing attempts in their own lives. They know that you are constantly under attack. When criminals break through your defenses, your customers want you to admit it and tell them what you plan to do about it.

Believe it or not, this can actually increase loyalty because customers will see your business as transparent and responsible. Just don’t give them a feel-good statement like, “Our technicians are working on it,” or “We’re sorry for the inconvenience. Here’s some free credit monitoring.” Tell your customers that you’re sorry. Explain what happened. Tell them why it won’t happen again. Offer support for those who had their information compromised, such as free password management for a year, which is far more valuable than credit monitoring that they probably already have from the last breach.

Stat of the Month: $43,792

The maximum possible fine, per violation, per day, for failure to comply with the revised FTC Safeguards Rule. Companies considered “financial institutions” by the Federal Trade Commission (a group that is absolutely not limited to banks) have until December 7 to comply with the new standards. Find out who’s affected and what they need to do to comply. If your business or organization is involved in any kind of financial activity, this is a must-read.

DDOS Attack on U.S. Airlines Exposes Nuisance Risk

A recent attack on U.S. airports and airlines, attributed to a Russian hacker group known as Killnet exposed the potential for distributed denial-of-service (DDOS) attacks to create chaos.?On October 10, 2022, several airports, including New York Laguardia, LAX and Chicago O’Hare saw customer-facing systems go offline amid a deluge of information requests.

No systems that included operations or customer data were impacted, but the attack prevented customers from getting information about flight schedules. DDOS attacks are one of the oldest types of cyber attacks, employing thousands of computers to overwhelm a website with bogus information requests that overwhelm servers, taking a website offline.

While it is a bit unusual for a hacker group to resort to this kind of nuisance attacks, it illustrates how simple it can be for hackers to disrupt online operations. Not all airports were victims, and those that were likely lacked protections against DDOS, which include firewalls, limited access to server-intensive operations and load balancing to protect servers. Most organizations can prevent these attacks by examining apps and online systems for vulnerabilities, or by working with Web hosts to identify unusual bursts of traffic and stop them from reaching the server. If you have custom apps or custom code that powers your operations, talk to a cyber security specialist to learn how to protect against these attacks. Organizations that supply real-time information used by the public should consider themselves especially vulnerable.

Affordable Dark Web Monitoring for Small Business Is Coming

Protect Now is expanding its service offering to include low-cost Dark Web monitoring for businesses and their employees. This is the same level of monitoring employed by Fortune 500 companies to anticipate cyber and phishing attacks, at a price any small business can afford.

Dark Web monitoring can be your first line of defense against potential cyber-attacks or the first warning you receive of a breach. By searching for new information specifically about your organization on the Dark Web, our monitoring service uncovers data that can be used to phish your employees. New data can indicate a sophisticated breach. This is a service that no small business should go without.

This is a service that no small business should go without. To learn more, call us at 1-800-658-8311 or contact us here and ask to learn about Dark Web monitoring.

Thanks for spending a few minutes of Cyber Security Month with me. During this month, I like to think about where we were and where we are in cyber defense. There is no doubt that we have raised awareness in recent years, which is a big step forward. We still have a lot of work to convince everyone who is at risk that they need to take action now, before the attack happens.

One of the biggest obstacles out there remains denial. “We’re too small to notice.” “Who would attack us?” “There are much bigger targets out there.” The bigger targets already have protection in place. Cybercriminals aren’t all out looking for million-crypto paydays; most would be satisfied to shake a few thousand bitcoin out of your business and the dozen other businesses they successfully attack each week. Meanwhile, the war in Ukraine has brought cyber warfare to North American cyberspace. I’ll have more to say about that next month.

?Stay safe out there,

Robert & the Protect Now Team

Robert Siciliano

Partner & Head of Training

[email protected]