October is National Cyber Security Awareness Month

National Cyber Security Awareness Month (NCSAM) kicks off this week. And in the wake of last month’s Equifax breach announcement—in which nearly 145.5 million Americans learned their personal information may have been compromised, coupled with the government’s recent efforts to combat cyber threats—NCSAM’s timing could not be better.

The Department of Homeland Security (DHS) hosts the annual NCSAM and will provide online and in-person tools to engage and educate the private and public sectors about cyberrisks. The DHS will also offer mitigation tips and techniques in tandem with this year’s campaign, which is divided into five different weekly themes:

Week 1: Oct. 2-6         –Simple Steps to Online Safety

Week 2: Oct. 9-13       –Cybersecurity in the Workplace is Everyone’s Business

Week 3: Oct. 16-20     –Today’s Predictions for Tomorrow’s Internet

Week 4: Oct. 23-27     –Consider a Career in Cybersecurity

Week 5: Oct. 30-31     –Protecting Critical Infrastructure from Cyberthreats

But NCSAM’s nationwide events are not limited to those themes and will cover topics that run the cybersecurity gamut through formats like workshops, webinars, twitter chats and conferences – some of which can be livestreamed. One major highlight will be the day-long global launch of NCSAM’s international adoption on Oct. 3 in Washington D.C. Featured speakers at other events include FTC Acting Chairman Maureen Ollhausen, White House Cybersecurity Coordinator Rob Joyce, Senate Homeland Security Chair Ron Johnson, and Palo Alto Networks CEO Mark McLaughlin. Visit here for an event calendar.

NCSAM is part of the ongoing DHS cybersecurity awareness program, Stop.Think.Connect., which began in 2009 as part of President Obama’s Cyberspace Policy Review. Non-profit organizations, government agencies, colleges and universities are encouraged to join Stop.Think.Connect. as “partners,” while individuals can become “friends” to engage their respective communities and memberships. The program also offers handy toolkits organized by topics such as mobile security and phishing, and by audiences, which range from corporate professionals to young children and law enforcement.

Increasingly, the government is taking cyberrisk seriously. In September, the SEC announced two initiatives to enhance its enforcement division’s efforts to combat cyber-based threats and protect businesses, investors and the public. A new Cyber Unit will focus on targeting misconduct which includes market manipulation schemes involving false information spread on social media, violations involving initial coin offerings and distributed ledger technology and hacking, among others. Its Retail Strategy Task Force will combat fraud in the retail investment space, from everything involving the sale of unsuitable structured products to microcap pump-and-dump schemes.

In August, President Trump elevated the United States Cyber Command’s status to Unified Combatant Command, with a focus on cyberspace operations. The elevation, he said, will increase “resolve against cyberspace threats, reassure our allies and partners and deter our adversaries,” by streamlining operations under a single commander, which will also ensure adequate funding. In connection with the elevation, the president said Secretary of Defense James Mattis would examine “the possibility of separating United States Cyber Command from the National Security Agency” and will eventually announce recommendations.

Curb Phishing Damage with a New, Human Approach to Bad Habits

phishing
In the first quarter of 2016 alone, more than 40 organizations, including Snapchat, Moneytree and Sprouts Farmers Market, acknowledged they were victims of phishing attacks. The attacks came via emails seemingly sent from CEOs to their own human resources and accounting departments. In reality, these emails were sent by cybercriminals attempting to steal vital personal and financial information from companies and their employees.

The FBI estimates that phishing attacks have cost companies more than $2.3 billion in losses over the past three years, and since January 2015 alone, the agency saw a 270 percent increase in identified victims and exposed losses from CEO scams.

Recipients who “take the bait” by responding to a phishing email often provide scammers with all the necessary information to perpetrate identity theft, including filing a tax return in someone else’s name. Clicking a link or opening an attachment may also launch malware-intrusive software and seriously compromise the system by initiating malicious background programs.

The stakes are high and regardless of your organization’s size, you are always at risk for an attack. In fact, the Anti-Phishing Workgroup discovers more than 40,000 unique phishing sites targeting about 500 brands per month, while the Department of Defense and Pentagon report receiving up to 10 million phishing attacks each day.

The success of attacks varies, with 30% to 60% of incidents resulting in victimization, according to a 2013 Verizon Data Breach Report. A phishing attempt’s success or failure, however, rests beyond a scammer’s ability to infiltrate the cybersecurity infrastructure of an enterprise.

Your organization’s susceptibility really comes down to your people. Even with training, vulnerabilities depend on a combination of employees’ awareness levels and enduring personal habits, according to research by University at Buffalo (UB).

Companies can implement more effective cyber preparedness measures only when they better understand the ways that their employees think and behave. As phishing attacks continue to evolve and become more sophisticated, the most successful employee cyber defense strategies should involve two critical components: 1) a combination of cutting edge training and testing and 2) support programs to alter the unconscious human behaviors that compromise cybersecurity.

Currently, most businesses train employees to recognize phishing attempts by identifying key elements in an email message, such as finding the sender’s address, noticing hyperlinks and recognizing clues like typos or awkward language. But research has shown that those efforts fail to sustain positive results because organizational training focuses on situational reactions while ignoring employees’ existing habits, which are difficult to break.

For example, an employee may successfully identify suspicious emails when prompted in a training session. When it comes to an average Monday morning, however, opening every email to clear their inbox may be a strong habit that training simply does not offset. Phishing is largely successful for this precise reason. Perpetrators take advantage of individuals who are habitual in the way they respond, despite any awareness they may have developed or gained in training, according to UB findings.

Many employers complement this basic training with follow-up penetration testing to evaluate whether employees recognize the warning signs of a cybersecurity threat in practice. Organizations may send a mock email with red flags that indicate a potential phishing attack, such as a compelling subject line like “Your computer is at risk.” Once opened, the recipient sees that the message is from the employer with a warning about how similar future messages could pose risks.

Penetration testing, however, doesn’t work in the long run because it also fails to acknowledge habitual actions and attempts to change a person’s behavior by simply encouraging them to do more of the same behavior.

Organizations can actually address the bad habits by identifying employees who are most susceptible to phishing and exposing them to higher levels of education with an emphasis on creating better tailored interventions that address the underlying “why” that drives people to fall prey to phishing time and again.

Continuously testing employees can be helpful; however, a company’s security training program must also attempt to adjust the daily unconscious behavior of employees that puts networks at risk. Companies need to provide their employees with a relatable (non-security/IT) team member/colleague to demonstrate what responsible cyber behavior looks like day in and day out.

One way to accomplish this is to create an internal cyber ambassador program that identifies employees who have proven themselves to have especially strong cyber awareness. These employees should be selected from teams such as accounting, sales, HR and administrative support, that are typically vulnerable to phishing attacks. Cyber ambassadors are responsible for promoting cyber best practices within their own teams. This type of program creates a platooning effect, where employees subconsciously emulate the behavior of their ambassador/team member, resulting in a safer cyber environment.

While employees can be your greatest weakness, they can also be your strongest asset in thwarting phishing attacks. Training employees to identify a phishing attempt—either before or after falling victim to an attack—is only half the battle. By better understanding the mechanisms behind employee susceptibility, companies can anticipate individuals most at risk, create dynamic security and training policies that promote safe cyber behavior patterns, and alter employees’ habits through colleague support programs.

Cost of Cyber Crime Up 19% For U.S. Businesses

In its annual Cost of Cyber Crime study, the Ponemon Institute found that the average annual cost of cyber crime per large company is now $15.4 million in the United States. That figure has increased 19% from last year’s $12.7 million, and presents an 82% jump from the institute’s first such study six years ago. This year, losses ranged from $307,800 to $65,047,302.

Globally, the average annual cost of cybercrime is $7.7 million, an increase of 1.9% from last year. The U.S. sample had the highest total average cost, while the Russian sample reported the lowest, with an average cost of $2.5 million. Germany, Japan, Australia, and Russia experienced a slight decrease in the cost of cyber crime over the past year.

To try to benchmark the complete cost of cyber crime, the Ponemon Institute examines the total cost of responding to incidents, including detection, recovery, investigation and incident-response management. While it is virtually impossible to quantify all of the losses due to reputation damage or business interruption, the researchers did look at after-the-fact expenses intended to minimize the potential loss of business or customers.

Check out more of the study’s findings in the infographic below:

global cost of cyber crime ponemon institute

Insider Fraud: How to Identify and Prevent Internal Threats

Organizations of all sizes, across all industries have become data breach victims as cyber crooks become more sophisticated in identifying vulnerable targets. Attackers can compromise an organization within scant minutes in 60% of breaches, reports the latest Verizon Data Breach Investigations Report. Still, insiders persist as one of the biggest fraud perpetrators, costing organizations globally about $3.7 trillion annually in 2014, estimates the Association of Certified Fraud Examiners. The puzzling question is this: With the advances in technology, why aren’t organizations preventing these incidents and why aren’t the offenders being nabbed earlier?

The answer to the insider fraud dilemma lies in a lag in robust risk-management technologies that help organizations identify and prevent insider fraud, especially in such industries as banking. With this type of breach, tracking behavior becomes a key component of managing risks and threats proactively. While basic data tracking isn’t new, what is fresh is grasping the internal behavior of employees in a real time, comprehensive view across multiple platforms and applications.

Unfortunately, disparate legacy systems that don’t share information easily create larger problems by limiting an organization’s ability to monitor across all systems. And siloed information makes it impossible to find “normal” employee behavior that should serve as a benchmark for day-to-day activity.

For example, banks must be on the lookout continually for employees who exhibit illegal behavior when, say, handling a dormant bank account, who are manipulating customer information or who collude with colleagues. By benchmarking regular employee activity and leveraging link analysis to spot relationships across accounts or employees, banks also can monitor for and spot instances of employee negligence that can offer cyber crooks easy access to customer data.

Sophisticated surveillance technology exists that lets organizations monitor and detect suspicious behavior in real time, then analyze and develop an evidence trail. Organizations can use the following activities to help identify and prevent an internal threat before it escalates and triggers substantial monetary and brand damage.

  • Monitor all user activity: It is critical to establish what is normal and what is abnormal. Each organization has different user personas with unique activities considered “normal.” By defining organizational benchmarks for normal versus abnormal activity, risk managers can identify inconsistencies in employee behavioral patterns. Visibility into user activity across applications and networks enables them to highlight incidents that warrant deeper analysis and determine threats.
  • Track behavior in real time: Rather than analyze data retroactively, organizations should adopt a solution which can alert from the moment data is captured from the corporate applications and networks. Long-lead systems or those heavily reliant on log-file data don’t allow for real-time tracking and often result in discovering a breach after the fact.

Enable searchability: Organizations can deploy a user-friendly monitoring system with Google-like searchability features with highly specific behavioral criteria. Moving beyond clunky legacy systems to technology that is intuitive eliminates user error and enables more advanced rule-based monitoring.

  • Record screen activity: Gaining visual evidence of illegal activity while it occurs is critical for use during an investigation. Technology that records screen-by-screen activity at the application level creates the comprehensive data trail needed for courtroom presentation.

A combination of these activities can assist organizations in identifying anomalies in employee behavior, track digital activities and contrast them with an employee’s normal routine or that of a peer group’s pattern. If incongruities appear, advanced risk-management technology develops a data trail and a case strong enough to stand up in court. Leveraging these measures, insider fraud can be discovered at an earlier stage to prevent customer data breaches and malicious attacks.