The Week in Breach News: 07/13/22 – 07/19/22
It’s game over for security at Bandai Namco, human error causes a breach at a UK college, Lending Tree admits they’ve been breached and the best format for delivering security awareness training.
Narragansett Bay Commission
Narragansett Bay Commission: Utility Company
Risk to Business: 2.783 = Moderate
The Narragansett Bay Commission has been hit with a ransomware attack. The utility runs sewer systems in parts of the Providence and Blackstone Valley areas in Rhode Island. A spokesperson for the company said that the company experienced the encryption of data on some computers and systems in its network. However, service was not interrupted, and the utility does not store customer payment data. No word on what data was stolen or if the Narragansett Bay Commission paid a ransom.
Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.
How It Could Affect Your Customers’ Business: Experts have warned that utilities are key targets for cybercriminals looking for quick money.
ID Agent to the Rescue: Get an in-depth look at how ransomware is evolving and how to help your clients defend against it in our hit eBook Ransomware Exposed. GET THIS EBOOK>>
Lending Tree: Financial & Mortgage Services
Risk to Business: 1.672 = Severe
Mortgage giant Lending Tree, LLC recently confirmed that the company has experienced a data breach after cybercriminals discovered a code vulnerability on its website. According to a notice filed by the company, on June 3, 2022, Lending Tree discovered a code vulnerability on the company’s website that likely resulted in bad actors gaining access to sensitive personal information for customers. Lending Tree believes that the vulnerability was in place since mid-February 2022.
Individual Risk: 1.703 = Severe
Exposed information varies depending on the individual, but may include client names, Social Security numbers, dates of birth and street addresses.
How It Could Affect Your Customers’ Business: The financial sector was at the top of the cybercriminal hit list in 2021 and that hasn’t changed in 2022.
ID Agent to the Rescue: Training makes everyone more aware of closing security gaps. Learn to build an effective program in How to Build a Security Awareness Training Program. DOWNLOAD IT>>
Family Practice Center
Family Practice Center: Medical Clinic Operator
Risk to Business: 1.701 = Severe
Pennsylvania-based medical clinic chain Family Practice Center has experienced a data breach. The company filed a notice with the U.S. Department of Health and Human Services saying that on October 11, 2021, it was the target of a cyberattack that attempted to shut down its computer systems. This may have led to an unauthorized party gaining access to sensitive data about 83,969 patients.
Individual Risk: 1.641 = Severe
The breached information includes a patient’s name, Social Security number, address, medical insurance information and health/treatment information.
How It Could Affect Your Customers’ Business: Medical facilities of all kinds should be strengthening security in response to non-stop threats in the sector.
ID Agent to the Rescue: See the biggest risks that businesses face today and get a look at what cyber threats your clients will be facing tomorrow in The Global Year in Breach 2022. DOWNLOAD IT>>
United Kingdom – Morgan Hunt
Exploit: Supply Chain Risk
Morgan Hunt: Recruiting Firm
Risk to Business: 1.776 = Severe
British recruitment agency Morgan Hunt confirmed that it has experienced a data breach that resulted in intruders snatching personal data for some of the freelancers on its books. The recruiter pointed the finger at a third party service provider as the source of the problem. Impacted freelancers were sent a letter informing them of the incident.
Individual Risk: 1.741 = Severe
The information accessed included contractors’ names, contact details, identity documents, proof of address documents (including any bank or building society statement provided), National Insurance number, and date of birth.
How it Could Affect Your Customers’ Business: Cybercriminals are hungry for fresh stores of data, making service providers very attractive targets.
ID Agent to the Rescue: Get the resources that you need to help you protect clients from complex risks in the Deep Dive Into Cybersecurity Bundle. GET BUNDLE>>
United Kingdom – City College Norwich
Exploit: Human Error
City College Norwich: Institution of Higher Learning
Risk to Business: 2.304 = Severe
City College Norwich is in hot water after an employee mistakenly sent the wrong information to a student’s family. A parent tipped off officials after she received an unanticipated attachment in an email exchange with a member of the college’s customer service team: a spreadsheet titled “P2E links for scheduled applicants”. That spreadsheet contained the personal data of hundreds of people associated with the college. The incident is under investigation.
Individual Risk: 2.215 = Severe
The spreadsheet included names, telephone numbers, postal and email addresses and other identifying details of students and applicants.
How it Could Affect Your Customers’ Business: Humans will make mistakes, but training can help reduce the chance that employees make security errors like this one.
ID Agent to the Rescue: Help your clients reduce the chance of a cybersecurity disaster originating from inside the house with the Guide to Reducing Insider Risk. GET EBOOK>>
Japan – Bandai Namco
Bandai Namco: Videogame & Toy Maker
Risk to Business: 1.929 = Severe
The ransomware group Black Cat is claiming responsibility for a ransomware attack that hit Japanese entertainment company Bandai Namco. The video gaming giant confirmed that the group’s companies in Asian regions, excluding Japan, were breached by a third party on July 3, 2022. Bandai Namco appeared on the cybercriminal operation’s dark web site immediately afterward. The company said in a statement, “It is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about [the] existence of leakage, scope of the damage, and investigating the cause.”
Individual Impact: No information about consumer/employee PII, PHI or financial data exposure was available at press time.
How it Could Affect Your Customers’ Business: Ransomware attacks on all sorts of businesses have soared in the last 12 months as cybercriminals search for new revenue streams.
ID Agent to the Rescue: The most likely vehicle for ransomware is a phishing message. Help your clients learn to spot phishing red flags with this informative infographic! GET INFOGRAPHIC>>
Australia – Deakin University
Exploit: Credential Compromise
Deakin University: Institution of Higher Learning
Risk to Business: 2.017 = Severe
Deakin University in Melbourne has experienced a data security incident. The username and password of a single staff member at Deakin University were hacked and then used to unlock private details of 46,980 past and current students. The hackers then used that data to send phishing messages to students. In the messages, the cybercriminals sent out two links, both of which took the student to a malicious form that phished for information including credit card details. The breach will be reported to the Office of the Victorian Information Commissioner (OVIC).
Individual Risk: 2.213 = Severe
Altogether, bad actors obtained the contact details of 46,980 past and current Deakin students. The haul included student names, IDs, mobile numbers, email addresses and even recent university results.
How it Could Affect Your Customers’ Business: Just one compromised credential can open organizations up to a world of hurt and an expensive security nightmare.
ID Agent to the Rescue: Get the Building a Strong Security Culture checklist and send it to your clients to help them ensure that they’re making all the right security moves. GET CHECKLIST>>
1 – 1.5 = Extreme Risk
1.51 – 2.49 = Severe Risk
2.5 – 3 = Moderate Risk
Risk scores for The Week in Breach are calculated using a formula that considers a range of factors for each incident.
Go Inside the Ink to see how today’s biggest threats can impact your MSP and your customers in our blog.
- 3 Major Email Security Threats & How to Conquer Them
- 3 Bottom-Line Reasons Why Every Business Should Have an Incident Response Plan
- Tips for Navigating the Security Awareness Training Program Development Landscape
- Training Transforms Employees into Security Assets Affordably
- The Week in Breach News: 07/06/22 – 07/12/22
Enhanced Integration with Dark Web ID Protects Passwords in Passly Password Server
The Passly team is excited to introduce a new Dark Web ID workflow integration that protects the passwords in Passly Password Server. This integration is housed within the new Integration Manager section which is accessible via the left-side menu and will serve as the hub for all Passly integrations going forward.
The new Dark Web ID workflow integration protects the passwords in Passly Password Server in three different ways:
1. It blocks the imports of CSV files that contain compromised passwords confirmed with Dark Web ID.
2. It scans shared password vaults for compromised passwords.
3. It blocks compromised passwords from being entered into shared vaults.
Check out this Knowledge Base article for more information on configuring the integration.
* You must have subscriptions to both Passly and Dark Web ID to take advantage of this integration.
Security Analysis Must-Haves to Help You Sell More
Boost your revenue and find new ways to start profitable conversations about security with these tools to help you make sure you’re not leaving money on the table.
The Global Year in Breach 2022 – Explore the cybercrime landscape including the influences that shaped today’s nastiest cyberattacks and what you can do to protect businesses from threats like nation-state cybercrime plus how to secure your clients from the next generation of risks. DOWNLOAD IT>>
Are You Doing These 5 Things to Protect Your Clients from Nation-state Cybercrime? – This infographic gives you tips for keeping your clients out of the crossfire of nation-state cyberattacks. DOWNLOAD IT>>
10 Things to Look for As You Shop for a Dark Web Monitoring Solution – Grab this checklist to make sure the dark web monitoring solution you’re offering (or thinking about offering) truly gets the job done. DOWNLOAD IT>>
What’s the Best Format for Security Awareness Training?
Boost Client Satisfaction When You Deliver More Effective Training
Your clients are under siege by a never-ending barrage of cyberattacks, and the situation is only growing worse every day. They’re relying on you to help them prevent expensive security disasters like a data breach or ransomware incident. Unfortunately, those disasters are often caused by employees making misguided decisions because they are unable to recognize security threats. Security awareness training helps ensure every end user is able to identify these threats and helps mitigate the risk of a careless decision. It’s also a requirement for compliance with many data privacy rules and statutes. Security and compliance training is a growing profit center for MSPs, so ensuring that you’ve got the right tools to get the job done for clients is essential for your future revenue.
Excerpted in part from the new eBook The Security Awareness Training Guide for MSPs. DOWNLOAD IT>>
Offer Clients Training That Exceeds Expectations
An estimated 93% of employees said that well-planned employee training programs positively affect their level of engagement in security practices and procedures – and engaged employees are employees that prevent security disasters. Worryingly, 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s a disaster waiting to happen, but the right training program is a game-changer.
From teaching data-handling best practices to preventing a user from downloading a ransomware-laden attachment, security awareness training is the key to helping your clients build a strong defense against today’s biggest cybersecurity threats — and your clients are relying on you to provide the right solution to get the job done. However, it can be a challenge to find a solution that gives you exactly the features that you need to run effective training programs for your clients without overtaxing your staff. Choosing the right format for training delivery is a key element in delivering a high-end training experience that will impress your clients and create a high degree of satisfaction.
Which Type of Training Delivery is Optimal?
Every client will have varying training needs, but some constants do exist. By and large, in-person training is out of fashion, thanks to decentralized offices and remote workforce support. Companies have largely adopted online training with very positive results. Online training is the most common delivery vehicle due to its flexibility and easy program administration. It is also cost-effective for clients. Let your customers and prospects know that when Microsoft switched its employees from in-person training to eLearning, training costs plummeted from $320/hour to just $17/hour — a savings of almost 95%.
Providing training options in a variety of formats may be your best bet, especially if you have a widely varied client base. Don’t forget that clients may have to contend with complex regulatory requirements around training. Those requirements may demand that a client offer certain types of training or utilize testing after training to ensure employee proficiency. There are a number of other mitigating factors like support for remote workers, accessibility, varying training needs between divisions, specialized industry risks and available language options to keep in mind when choosing training formats.
The 4 Best Training Formats
This ranking of training formats from optimal to unimpressive can help you see which format or formats you should offer and which you should avoid.
- Video: Teach employees about security and compliance using short educational videos that are often accompanied by quizzes to measure retention. This is a universally preferred option — 83% of learners prefer video content.
- Interactive/games: Use interactive exercises or gamification tools to deliver knowledge and awareness. Simulators can be highly effective, like phishing simulations. Research shows that trainees who used simulation games had declarative knowledge that was 11% higher than those who did not. They also had 14% higher procedural knowledge.
- Email/newsletter: Publish on a schedule an internal roundup of important security policies as well as security and compliance tips.
- In-office visuals: Posters, flyers, signs and similar tools outlining security policies, procedures and tips around the office or in areas where employees congregate.
Video is the clear winner
Video followed by a quiz on the lesson, a feature available in BullPhish ID, is today’s winning training format. Researchers determined that employees who watched a video with a quiz scored higher than their colleagues who only watched the video and/or only talked about the video with others. In a study on workplace digital learning, researchers compared three training groups: a video group that solely watched the video, a structured discussion group that discussed the video with an instructor and took a quiz and a spontaneous discussion group that talked about the video without a formal structure. Test results showed that employees in the structured discussion group that took the quiz retained knowledge 25% better than the other two groups.
What to Look for When You’re Evaluating Solutions
When you’re evaluating training solutions, the answers to these questions should help you find the perfect fit for current and future clients.
Does a solution provide security awareness training, phishing simulation training or both?
Make sure the solution you choose can really get the job done by ensuring that it’s easily scalable and future-proof, enabling you to provide the following types of training that clients need today and tomorrow.
- Security training – Lessons about major security threats and security-related topics that employees are likely to face.
- Compliance training – Lessons about the compliance requirements employees must meet to comply with relevant policies and regulations.
- Phishing simulations – Exercises in which simulated phishing messages are sent to employees, and their actions in response to those messages are measured to determine what tricks employees are likely to fall for as well as who needs education about phishing. Employees who train using simulations retain 11% more knowledge.
Choose the Training Solution That Checks All of the Boxes: BullPhish ID
BullPhish ID is the innovative, affordable, customizable solution you’re looking for, with all of the features you need to deliver effective security awareness and compliance training and phishing simulations that wow every client.
- Easily add BullPhish ID to your technology stack to enter the security awareness training space — then scale profitably as you grow and acquire new security training clients.
- Enjoy time-saving automation and MSP productivity features from a 2022 GOLD Cybersecurity Excellence award-winning solution.
- Gain access to a large library of security and compliance video lessons, updated with at least four new lessons per month on how to avoid cyberthreats like phishing and ransomware or comply with regulations including HIPAA, CMMC, PCI-DSS and PIPEDA.
- Provide effective phishing resistance training with plug-and-play phishing simulation kits or customizable content that can be tailored to fit a client’s unique threats.
- Educate a geographically dispersed user base with training videos available in eight languages: English, Dutch, French, German, Italian, Portuguese, Spanish (Iberian/European) and Spanish (Latin).
Want to learn more about security awareness and phishing simulation training with BullPhish ID? Book a demo
July 21: BullPhish ID & Graphus Product Update Q3 Webinar REGISTER NOW>>
July 27 – 28: ASCII Success Summit Toronto REGISTER NOW>>
July 28: Dark Web ID & Passly Product Update Q3 Webinar REGISTER NOW>>
August 6 – 7: ISSA Cyber Executive Forum REGISTER NOW>>
Do you have comments? Requests? News tips? Complaints (or compliments)? We love to hear from our readers! Send a message to the editor.
ID Agent Partners: Feel free to reuse this content. When you get a chance, email [email protected] to let us know how our content works for you!
Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!