In 2014, Apple's introduction of the iPhone 6 was more than just an exciting iteration of its flagship product – it was the launch of Touch ID. This blockbuster device ushered in a new era of widespread biometric data use for the layman. Fingerprints had replaced passcodes as device gatekeepers, charged with protecting the most important, sensitive information.
Read More
As companies collect and store more and more personal information, they face data privacy risks on many fronts. Increasingly, they are being held accountable for protecting their customers’ digital privacy. New regulations, led by Europe’s General Data Protection Regulation (GDPR) in 2018, are quickly becoming normative in countries around the world. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation.
Read More
Data privacy regulations are quickly becoming par for the course in countries around the world, each one bringing new, nuanced responsibilities for companies to follow. While Europe’s expansive General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) have made most of the headlines, we are just months away from the latest privacy regulation, New York’s “Stop Hacks and Improve Electronic Data Security (SHIELD) Act.”
Read More
Good password hygiene is one of the easiest ways for businesses and consumers to protect their accounts from the millions of attacks threatening personal data every day.
Read More
Since the start of the new year, we’ve been sifting through billions of compromised email addresses and passwords found on the Dark Web looking for interesting trends in password behavior. Rather than just give you the top 10 passwords to avoid, we wanted to take a closer look at user behavior when creating passwords and how those behaviors lead to predictability and potential exploits. Passwords are often deeply personal expressions of oneself with the goal of making them easier to remember. However, remembering which password is which is becoming increasingly difficult in our hyper-digital daily lives. In fact, it is estimated that average US adult has between 90 and 135 different applications that require a set of credentials (typically a username and/or email address and password combination) for access.
Read More
After years of seemingly unending data privacy violations, governments around the world have begun enacting regulations intended to bolster personal privacy in the digital age. Most prominently, in 2018, Europe’s General Data Privacy Regulation (GDPR) set a new standard for data security, prompting companies around the world to take the issue more seriously by instituting financial penalties against organizations that fail to protect their customers’ data. In the US, California’s Consumer Privacy Act is scheduled to go into effect on January 1st, 2020, bringing comprehensive regulation to the US and further promulgating the legal ramifications of data security standards. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation. These laws are intended to support rapidly shifting consumer sentiments that value data protection and personal privacy, two priorities that have gone wildly adrift in the digital age. Unfortunately, despite their best intentions, there is growing evidence that privacy laws aren’t improving consumer confidence in data security. In response, every company should be mindful of this attitude, as it will inevitably shape the business landscape for years to come. Consumers Don't Trust Companies Until recently, digital platforms participated in a quiet arrangement with their customers who gained free access to platforms in exchange for copious amounts of personal data. Today, that information is some of the most valuable in the world, often compared to digital gold, which companies deploy to provide targeted advertising and other personalized services that drive their bottom lines. However, today’s consumers are well-aware of this arrangement, and many are fighting back. For example, after Facebook’s now-notorious Cambridge Analytica scandal, nearly half of users aged 18 - 29 deleted the app from their phones, signaling a distrust of the platform’s data management standards and disgust with its practices. Moreover, after a data breach, 81% of consumers indicated that they would stop engaging with a brand online, and many consider cybersecurity a prerequisite for making purchases.
Read More
Over the past several years, holiday shopping trends have shifted significantly. Standing in long lines or driving to crowded malls has been replaced by browsing on social platforms and entering discount codes at website checkouts. This year, Cyber Monday online sales hit an all-time high, reaching a nearly 20% year-over-year increase with online shoppers spending $9.4 billion. However, the allure of single-day shopping sprees has been extended to encompass a full season. Since November 1st, shoppers have spent a record-setting $81.5 billion. In the days and weeks ahead, the figures will continue to add up as the shopping boon crescendos on Christmas and continues for weeks to come. While this is excellent news for SMBs, bad actors have also taken notice. Hackers are zeroing in on this holiday shopping season as the perfect opportunity to siphon off money and credentials from unsuspecting consumers and unprepared companies. Fortunately, neither party is defenseless in this regard. Follow along to learn how we can work together and protect our privacy and security this holiday season, keeping spirits high to usher in 2020. Shoppers Beware 2019 is on pace to be the worst year yet for data breaches, and hackers are capitalizing on the treasure trove of information available from these events to execute phishing scams targeted at shoppers. In November, the number of e-commerce phishing URLs accessed or sent via email spiked . Already, instances of this malicious activity are up 233% since November 2018. Amidst the slew of holiday deals, it’s easy for cybercriminals to send phishing links or exploit shoppers with seemingly valid websites that deploy hallmarks of internet security, like HTTPS encryption. In 2018, the risk was so severe that the Cybersecurity and Infrastructure Security Agency issued a warning to consumers, urging them to “be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identity theft, or financial loss. Collectively, these threats increase the impetus for consumers to be vigilant about evaluating their digital communications during the busy holiday shopping season. Moreover, they should protect their accounts using strong, unique passwords while enabling two-factor authentication whenever possible. It’s estimated that the vast majority of consumers, as many as 66%, use weak passwords to protect their accounts, and more than half use the same password across multiple logins. In other words, simple password management is a foundational practice for guarding against cybercrime and stopping the Grinch from finding his way to the presents underneath your Christmas tree.
Read More
A data breach is disastrous for any company in any industry, but the healthcare sector is an especially high-stakes arena where data security is of utmost importance and under continual attack. Few types of data are as valuable as Personal Health Information (PHI) and other health-related data like prescription information, health insurance login information, or insurance data. There is a ready market for this information on the Dark Web where healthcare provider information is known to sell for as much as $500 per listing. While patient information goes for significantly less money, as little as $3.25, hackers can make up the difference by selling in bulk, which is part of the reason that today’s hackers are more ambitious than ever, and they are taking the fight to healthcare providers’ digital front doors. Indeed, no one has been spared from the scourge of data breaches afflicting the healthcare system. In October, we reported on a data breach at Tu Ora Compass Health, a national health service that implicated the personal data for more than a million New Zealanders. However, hundreds of smaller healthcare providers, lab service providers, and other healthcare SMBs managing copious amounts of patient data are also under attack. McAfee Labs identified the healthcare sector as one of the most frequently targeted sectors today, far outpacing finance, media, retail, technology, and many others. In total, more than 38 million healthcare records have been exposed this year alone, and this trend shows little sign of abating, which means that defense is the only option. Keep reading to gain a better understanding about the current state of data security in healthcare, which serves as a cautionary tale for companies in every sector striving to keep their data secure. The Current State of Data Security in the Healthcare Sector Never ones to miss an opportunity, cybercriminals have been upping their game in 2019, adapting their techniques to extract data from healthcare providers. A recent survey by Malwarebytes identified a 60% increase in trojan malware detections in the first nine months of 2019, compared to all of 2018. At the same time, ransomware attacks are inflicting costly damage on patient records. In the first quarter alone, hospitals saw a 195% increase in this attack strategy. These data breaches are more than just a costly inconvenience. In the health care sector, it can cost patient lives. Hard data is emerging that connects data breaches and patient outcomes. For instance, researchers found that, after a data breach, “as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined in the new study.” In a very real way, data security is a life or death issue that relies on many moving pieces to ensure data security and patient well-being. For better or worse, not all data breaches occur in house. Third-party software vendors continue to be a top attack point; however, in many cases, it’s not the software that’s to blame. According to a report on the state of cybersecurity in the healthcare industry, staff negligence provides an open door for phishing and spear phishing attacks that ultimately compromise patient data. With a robust market for patient data and other healthcare-related information, hackers will continue to innovate their methodologies, making it increasingly difficult to identify their tactics. That doesn’t mean that your business is defenseless. How You Can Protect Yourself Despite a complicated cybersecurity environment, healthcare providers aren’t powerless to protect themselves against costly data breaches. Notably, malware attacks - both ransomware and otherwise - require employees to engage with the malicious material for it to be effective. Simply put, bad actors may be able to target healthcare providers with copious amounts of harmful material, but, without an adequate response, much of their efforts are fruitless. Similarly, phishing and spear phishing campaigns can’t compromise credentials unless users hand them over. It’s estimated that 80% of data breaches are attributable to employee negligence, as scams and other malicious emails routinely make their way to employee inboxes causing breach fatigue that puts patient data at risk. Therefore, healthcare providers who offer comprehensive employee awareness training improves their chances of successfully defending against these attacks. In an ever-evolving threat landscape, this training prepares all employees to become a defensive asset in the quest to protect patient data. At the same time, simple security upgrades like two-factor authentication and strong, unique passwords across all accounts can minimize risk exposure while placing barricades in the way of anyone trying to steal patient or company data. Conclusion In 2019 and beyond, providing the best patient care will require a revised take on the Hippocratic Oath. Simply put, first doing no harm will require intentional efforts to protect patient data. It’s a difficult task, but it’s not impossible. Rather than leave it up to chance, partner with ID Agent, which offers an array of products and services that support your data security initiatives: Designed to protect against human error, BullPhish IDTM simulates phishing attacks and manages security awareness training campaigns to educate employees, making them the best defense against cybercrime. When paired with AuthAnvilTM, you can protect your employees’ password integrity by offering integrated multi-factor authentication, single sign-on, and identity management solutions to protect your credentials and your data. With a robust market on the Dark Web, cybercriminals have millions of reasons to continue attacking healthcare IT, which means that defensive maneuvers need to begin right away.
Read More
Few cyber threats are as prevalent and costly as phishing attacks. In 2018, Microsoft documented a 250% increase in phishing campaigns, which masquerade as legitimate products or services but actually carry malicious payloads that steal credentials and compromise IT integrity. To no surprise, the rise of phishing attacks continues to trend upward and is wreaking havoc for SMBs and enterprises alike. Even as companies implement automated defenses intended to keep phishing attacks out of employee inboxes, many inevitably make their way through. A recent survey found that nearly half of respondents reported malicious emails reaching employee inboxes every week, and 20% indicated that they experienced a data breach as a consequence of a phishing vulnerability. In fact, Verizon’s 2019 Data Breach Investigations Report concluded that ⅓ of all cyberattacks begin with a phishing scam. To maintain an edge, hackers are continuously evolving their strategies and improving their attack methods, making their efforts increasingly difficult to detect. In other words, employees may not be fooled by phony emails from a foreign leader or celebrity, but they could be compromised by a call or IM from their manager or CEO. Follow along as the ID Agent team outlines four of the latest phishing attack trends that you’ll want to know in order to protect your business. #1 Increased Personalization The past several years have seen billions of records compromised, and the consequences far exceed the immediate media scrutiny and consumer backlash that follows in the wake of breach. Cybercriminals are repurposing exposed information to craft sophisticated phishing campaigns that are camouflaged with authentic-looking information purportedly from known and trusted sources. For example, we recently reported on an Ocala City employee who transferred $640,000 to a fraudulent bank account in response to a spear phishing campaign that contained a legitimate invoice amount from one of the city’s construction contractors. Similarly, Italian precision engineering companies are facing a slew of phishing attacks that seem to originate from potential clients. Such emails will include company and sector-specific details and be embedded with a Microsoft Excel document that hosts malicious, credential stealing code. #2 Multi-platform Approaches Phishing scams are commonly associated with email messages, but today’s cybercriminals are taking advantage of diverse communication platforms to posit messages in our various inboxes. Often hackers leverage SMS and social media accounts to reach their victims. SMS phishing attacks, colloquially known as “smishing,” are targeting users’ reflexive instinct to trust and respond to text messages on their phone. Targeting users on their social media is no different and can have a similar result. In 2019, Facebook is the most impersonated social media platform, with a 176% year-over-year increase in phishing URLs. To be effective, hackers rely on the perception of authenticity, and reaching users on these familiar platforms can trick unsuspecting victims into handing over the keys to their accounts. #3 HTTPS Encryption In addition to reaching users in familiar territory, hackers are deploying the internet’s sign posts of security to elicit the trust of their victims. Specifically, cybercriminals are manipulating HTTPS, the internet protocol that denotes encryption and security, to trick users into a false sense of security. It’s estimated that 58% of all phishing campaigns use HTTPS, which both makes it less likely that users will identify the fraudulent website and that internet browsers will flag the unsecured connection. This tactic has become so prevalent that the FBI issued a public warning this summer urging people to take special care to evaluate their digital communications for intent rather than relying on traditional representations of internet security. #4 Dynamic BEC Campaigns Between the treasure trove of data available on the Dark Web to the information readily published on company websites, hackers can effectively impersonate higher-ups or IT administrators with staggering effectiveness. Business Email Compromise (BEC) scams rely on personalization, and today’s hackers dialogue directly with their victims to gain trust. Once achieved, hackers send a simple request, like editing a document or filling out a form that ultimately directs victims to a phishing website. To increase their efficacy, many cybercriminals include these links in attachments, which makes them both harder to detect by software and less likely to be identified by readers. Staying one step ahead It’s evident that phishing scams will continue to keep IT admins up at night for years to come. However, there is a silver lining. Unlike other cyber attacks, phishing scams are only effective if they are acted upon, and companies can mitigate such threats with regular, comprehensive awareness training to their employees. With the right solutions provider, you can equip your employees to stay abreast of emerging threats, report potential misuses of data, and transform themselves into the first and best line of security against cybercriminals. Whether you’re a small business or large enterprise, you have the power to stop phishing attacks from stealing employee credentials or proprietary information. Our BullPhish ID™ program simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime. Click the link to get started: https://www.idagent.com/bullphish-id.
Read More
It’s no secret that the costs associated with data breaches are trending upward at alarming rates. Just this year, IBM’s annual Cost of a Data Breach Study found that the average cost of a single data breach is approaching $4 million. Although IT repair, identity monitoring services, and regulatory fines quickly make their way to financial statements, others covertly chip away at the bottom line over time. Simply put, it’s not enough to add up the quantifiable costs of a breach when assessing the ROI of cybersecurity in the equation. Companies must also factor in the unseen consequences of a data breach, which can often result in even more damage than initial costs. Patching up vulnerabilities and offering free credit monitoring as a post-breach response only treats the symptoms, while the underlying disease continues to progress. Keep reading to learn about four cascading consequences of data breaches that can impact your company in the long run. #1 Reputational Damage Reputational damage and brand erosion in the wake of a breach is not easily measured, as it is carries on for years after news of an attack. The Ponemon Institute estimates that 65% of data breach victims lose their trust in a brand after a data breach. Even worse, consumers voice their displeasure within their circles, a phenomenon that is magnified with the advent of the internet. Interactions Marketing notes that 85% will tell others about the breach, and more than 30% will take to social media to complain about the company. For today’s consumers, a data breach is akin to a scarlet letter that can brand a business for years. Whether it’s an SMB or large corporation, the efforts to overcome this stigma greatly outweigh the costs of protection, since companies often don’t always have a say in whether or not customers will give them a second chance. #2 Customer Attrition As frightening as it may sound, today’s consumers do not forgive companies that cannot protect their data and are increasingly more likely to stop spending altogether after a breach. A recent study by Business Wire found that 81% of consumers would stop engaging with a brand online following a breach, destroying years of relationship-building and promotional efforts. In fact, 80% of customers are willing to take their business elsewhere. Ultimately, customer rejection can be the proverbial nail in the coffin that prevents companies from ever truly recovering from a data breach. It’s estimated that 60% of SMBs fold within six months of a data breach. As one enraged Equifax consumer told The Wall Street Journal, “if I can’t trust Equifax to do their own job, I’m not going to hand them my money and say, ‘Hey, watch this for me.’” This customer’s sardonic take serves as an eerie warning to all businesses: data breaches have lasting effects. #3 Continued Attacks Companies compromised by a data breach can find themselves or their customers victimized again in the future. The rise of credential stuffing attacks makes it increasingly likely that hackers will apply previously stolen data to easily access accounts and IT infrastructure, often without detection. Nearly a quarter of all data breaches occur due to stolen credentials, and successive attacks only make reputational recovery and renewed customer confidence more difficult to achieve. Find out how Dark Web ID™ can shield your organization from credential stuffing attacks here: https://www.idagent.com/dark-web/ #4 Increased Premiums Cybersecurity insurance are becoming a widely adopted practice within the industry, yet their value can be easily skewed. As we reported last month, such plans do not holistically cover the cost of a data breach. As more customers cash in on these insurance plans, the costs increase and companies that file a claim can expect their premiums to rise. Moreover, many businesses discover that their policies provide insufficient protection against financial loss, as insurance companies battle to restrict payouts. In one case, a cyberinsurance company only agreed to pay $50,000 on damages to a company that exceeded $2 million. Cybersecurity insurance is by no means a “silver bullet” and could even invite additional costs after a data compromise. Applying the best solution Although the unseen consequences of a breach may appear worrisome, we’re not here to spell out doom and gloom. By being proactive, you can protect your institution from being victim to a breach, and future-proof yourself in the event of an attack. Cybersecurity needs to be a bottom-line, top priority at every company. Especially for SMBs who often lack the financial and personnel resources to recover from a breach, partnering with a managed service provider can provide the oversight and protection needed to navigate today’s digital environment. ID Agent provides a comprehensive set of people-centric cybersecurity solutions to private and public sector organizations worldwide. See how you can leverage solutions for Dark Web Monitoring, password management, and employee training to safeguard your customers, employees, and organization from breach. Resources https://www.ibm.com/security/data-breach https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf https://www.interactionsmarketing.com/press-releases/interactions-finds-45-percent-of-shoppers-dont-trust-retailers-to-keep-information-safe/ https://www.businesswire.com/news/home/20191022005072/en/ https://www.forbes.com/sites/forbestechcouncil/2017/12/08/mind-the-trust-gap-how-companies-can-retain-customers-after-a-security-breach/#2235b64f6c95 https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html https://www.wsj.com/articles/the-capital-one-hack-life-in-the-time-of-breach-fatigue-11564824600 https://info.idagent.com/blog/stop-credential-stuffing-attacks https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf https://info.idagent.com/blog/the-week-in-breach-09/25-10/01/19 https://slate.com/technology/2018/07/cyberinsurance-company-refuses-to-pay-out-full-amount-to-bank-after-hacking.html
Read More