The Financial Times reports that many nonprofits are vulnerable to cyberattacks.

Many charities simply don’t want to invest time and money defending against hackers. A 2016 study found about half of nonprofits had not conducted a cyber risk assessment, and two thirds had no plans to increase spending on data security. But hackers don’t give nonprofits a pass. The article tells the story of a small, Indianapolis, Indiana-based cancer charity that lost all its client data in a ransomware attack.

“While it is not surprising that charities want to spend scarce resources on housing the homeless or feeding the hungry, some argue that those very services could be at risk if they fail to invest in cyber security tools and practices,” according to The Financial Times report.

A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today‘s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.

Cybercrooks’ preferred path to critical data is through privileged accounts, those held by users who have broad access and powers within the target’s network.

That’s according to a recent survey conducted by the cybersecurity firm Thycotic at the recent Black Hat conference in Las Vegas, reported Infosecurity Magazine.  About a third of respondents named privileged accounts the fastest and easiest path to critical data, while user email accounts were a close second at 27 percent.

Some 85 percent said human error, not inadequate security or unpatched software, was most to blame for security breaches.

Hackers’ biggest headaches? Multifactor authentication and encryption, according to the survey.

 

 

 

 

 

A German cybersecurity firm reports that manufacturers have become a top target of cybercriminals.

The NTT Security Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report for the second quarter of 2017 notes that manufacturers were targeted in 34 percent of incidents, the highest of any industry segment. About a third of those incidents involved “reconnaissance” which suggests the industry is still in hackers’ sights. “If trends from the past few years continue, this probably indicates that attacks and malware are likely to increase in manufacturing organizations in the second half of 2017,” according to the report.

The report also noted a 24 percent increase in attacks on NTT clients in the second quarter and that cyber criminals go-to attack vector has been “phishing emails with malicious attachments containing PowerShell commands in VBA macros.”

Read the full report.

Computer networking giant Cisco says the recent WannaCry and Petya/NotPetya incidents signal the advent of a new generation of cyberattacks that is aimed more at mass disruption than financial gain. The new breed of “Destruction of Service” attacks will only grow more sophisticated and potent, the company says in its Cisco 2017 Midyear Cybersecurity Report.

The report warns that cybercriminals “now have the ability—and often now, it seems, the inclination—to lock systems and destroy data as part of their attack process.” The report, released July 20, also lays out new threats posed by the growing network of connected devices known as the “Internet of Things” and examines’ hackers’ continued use of Business Email Compromise (BEC) attacks, which it says accounted for $5.3 billion in cybertheft between 2013 and 2016.

Venerable insurer Lloyd’s of London says a global cyber attack on a major provider of cloud services could carry costs of up to $53 billion, reports Data Breach Today.

That’s a hefty price tag that explains the rising demand for cyber insurance. It also sheds light on why insurers are proceeding extremely carefully. The costs of a major data breach can be significant and difficult to predict.

To help define the level of exposure, Lloyd’s worked with cyber consultant Cyence to produce a new report that outlines the direct economic costs of two types of global cyber attacks and estimates the portion of the loss in each scenario that would covered by insurance. In the case of a cloud services attack, only 17 percent of the loss would be insured, Lloyd’s estimates. In the case of a global attack exploiting a software vulnerability, only 7 percent of the estimated loss of up to $28 billion would be assured.

Analysts estimate the cyber insurance market is worth up to $3.5 billion today and could grow to $7.5 billion by 2020.

Yesterday, a massive ransomware attack now known as “Petya” spread across the globe in a similar fashion to the WannaCry cyberattack in May. In an Alert today, Fox Chief Privacy Officer and Partner Mark McCreary breaks down what we know about the attack, how to address it if your organization falls victim to it, and how to minimize the risks of future attacks:

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim.

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

To read Mark’s full discussion of the Petya attack, please visit the Fox Rothschild website.

Mark also notes that “I continue to stress to clients that in addition to hardening your IT resources, the absolute best thing your business can do is train employees how to detect and avoid malware and phishing.  In-person, annual privacy and security training is the best way to accomplish this.”

Yesterday we witnessed new ransomware spread across the world with incredible speed and success, bringing businesses to their knees and home users learning for the first time about ransomware and why computer backups are so important.

With over 123,000 computers infected, experts believe the “WannaCrypt/WannaCry/WCry” attacks have stopped after researchers registered a domain that the software checks before encrypting.  However, nothing is stopping someone from revising the software to not require that check and releasing it into the wild.  In other words, do not expect the infections to stop.

To battle the malicious software, Microsoft took the highly unusual step of issuing updates for versions of Windows that have reached their end of life and otherwise are not supported (e.g., Windows XP, Windows 8, and Windows Server 2003).  WannaCrypt/WannaCry/WCry did not even try to target Windows 10 machines, but that does not mean Windows 10 machines cannot be affected and encrypted by the ransomeware.  The blog describing Microsoft’s efforts can be found here and is worth reading.  Although your business may normally take a wait and see approach to software updates to avoid conflicts with other programs, this is a situation you should fast track that process.

If there is any silver lining here, it is that it may lead to more organizations to focus harder on computer security and efforts to battle malicious attacks similar to WannaCrypt/WannaCry/WCry.  Having seen first hand from clients the panic and feeling of helplessness caused by WannaCrypt/WannaCry/WCry in mere hours, it seems likely that companies are starting to better understand the risk, loss of productivity and costs that can be associated with a ransomware attack.

Below is a screenshot of the WannaCrypt/WannaCry/WCry software on an infected machine.  (Note the financial aid offer in the last line of the “Can I Recover My Files?” paragraph.  The bad guys must have a public relations firm!)

wannacrypt

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.