Learn about the email security threats that dominated 2020, and strategies for keeping them out of your inbox.
Good morning and thank you for joining us today. My name is Jeff Lauria and I’m the Vice President of Technology here at iCorps Technologies, and today we’re going to talk about phishing and threats to business. But before we do that we have a little bit of housekeeping. Today we’re using Microsoft Live Meeting, and if you have a question, what you need to do is up on the right-hand side: just push the little button that is a question, type it in, and we will get back to you. Hopefully if you ask questions during the presentation I can answer them live. If not, I'll answer them at the end. Joining me today are our awesome people from our marketing department, Marin and Adam. Adam is running the back end slides and presentation and Marin is here to help as well, so why don’t we start?
So let's talk a little bit about our year in review. As we've all been dealing with COVID and our workforce has shifted to at home versus going to work in the office, there are folks taking advantage of this. Phishing attacks are up 667% over the prior year. That is an amazing number, and these phishing attacks are not necessarily based around COVID. There are increases because as employees work from home they tend to drop their guard a little, and tend not to have those technical controls that they may have at work. We also see an increase in ransomware. If you watch the news you know that there are many municipalities, businesses, and universities that get struck with ransomware, and the problem with ransomware is, not only do they hold your data for ransom, but for a lot of companies it actually creates a compliance issue, and we’ll talk about that further on in the presentation.
Approximately 60% of all organizations had some sort of malicious activity take place this year. Now these numbers are not numbers we made up here; these numbers come from the FBI, Mimecast, and Flextera. The FBI is focused on the crime part of it, Mimecast is focusing on the spam and phishing attacks, and Flextera is looking at and collating all of the information. So those are some incredible numbers and they continue to grow. The reason they continue to grow is that this is a billion-dollar business on both sides, the preventative side and the cyber criminals' side. If there was no money, they would not be doing what they do.
Users are more likely to click on pandemic-related phishing attacks. Hackers get someone to click on a link and put in their credentials, which then allows the hacker to sell user names and passwords on the dark web, and also spread files maliciously through online meetings. We’re seeing this grow. So this has become our landscape in how they’re actually going to extract information from you, and again, you know, all of those controls we had in the office, some are missing, and when people work from home they tend to be a little more lax about things. They tend to click on things. They mix their personal business with their business email, so maybe their Gmail, their Hotmail, their Outlook mail with their corporate mail, and they tend to blend them all together, so whatever security awareness they were aware of when they were in the office goes away.
So let’s move on to unsecure remote desktops. This issue is not just related to phishing, it is also related to remote computing. As everyone moved out of the office space, we started implementing GoToMeeting and platforms similar to that. Roughly 40% of these remote desktop machines were unprotected in many different ways: either single-factor authentication, loose passwords, just malicious code, not patching. If you think about this, before we were working from home these machines were all protected by the firewalls within our business, while today these machines are all exposed to the internet. We’ve seen an increase there by 40%, and that actually is a lot. The number doesn’t seem to be big, but that is a very big attack. In March and April there was a 400% increase in remote desktop protocol attacks. It’s not just a Microsoft product, or an Apple product; we’ve seen these attacks all across the board. We’ve seen phishing attacks and we’ve seen remote worker attacks.
At a very high level, phishing is phishing. However, with AI, Artificial Intelligence, phishing is now more targeted. So, for example, spear phishing: highly targeted, customized content. For example, an employee, typically maybe a C-level employee or a high value target, is targeted and there is a custom phishing attack based around them. Either to get money or to give money. It is very serious if your business email is being compromised. There’s a lot of organizations that say, you know, my email, ah, it’s only my email, I don't do any proprietary stuff, I’m not worried about it. But when an email is compromised, the person compromising the email only cares about your address book and your sent items. What they’ll start doing is they’ll start impersonating you to try and get something from somebody. So let’s say you’re doing business with a company and you send out electronic invoices; well, what they’ll do is they’ll impersonate you and maybe change that invoice to get people to pay.
If you’re ever a victim of compromise, either you have somehow unfortunately transferred money to some place and realized that was a bad thing, or a client of yours paid money in error because something happened, go to the FBI immediately. They have something called RAC, which is a Rapid Access Company or Rapid Access Team, and what they do is they will get the money back from the banks, but you need to notify them immediately. So if you’re a victim of a wire transfer, right, or wire fraud, go right to the FBI as soon as you know and file a complaint. What they will do is they will go to the banks and get your money back. The longer you wait to report these things, the less chance you will have of getting your money back.
Ransomware comes in many different ways. Ultimately ransomware encrypts your data and holds it hostage until you pay. Now depending upon where you are and depending upon your industry, it could be a few hundred bucks or it could be millions of dollars. We’ve seen 10, 20, 30 million-dollar ransomware, depending upon the value of the asset. There are lots of tools we can use to mitigate the threat, but keep in mind that folks that work remotely are going to be more subject to ransomware, because one of the things that happens is they’re using their tools at home, they’re using their desktop, they might be using their iPad. Let's say they’re using their desktop, so I have my Gmail open here and I’m doing stuff, and there might be some ransomware that comes in that way, not through the business account. Now my computer gets affected. Well, unfortunately my computer may be connected to my network via that VPN, and now that is spreading across the network. So remember, ransomware doesn’t have to happen in the office; it can happen remotely and it can spread across the VPNs.
31% of businesses experience data loss due to not having a cyber plan. If you have ransomware and it traps your data and you don’t have good backups and you can’t afford to pay, all that data is lost. Now you’ve lost all that data because you haven’t thought about what happens when this happens. We try to prevent things from happening, we put controls in, we do all this great stuff, but at some point in time, you may get caught. There is a very good chance that you’ll get caught in some sort of malicious activity. The prior screen said 60%. That’s 6/10. That’s a pretty big number that had some sort of malicious activity, so with that said, you should always have a really good cyber security plan. Knowing what to do when you’re attacked, how to recover, and how to resume business are very important.
During a phishing or ransom attack, 29% of companies have experienced downtime this year due to emails. A couple of years ago HIPAA classified ransomware as a reportable incident, and also getting access to someone’s email is a reportable incident. Ransomware is when you’ve lost control of your data and it's being held for ransom, but no one really knows what’s going on in the back end. They could be siphoning off your data as they're waiting for you to pay. So once you lose control of your data you need to report it.
When we talk about email compromise, here in Massachusetts, New York and Philadelphia, and really nationally, if your email is compromised you need to call it a data breach. So now what happens is, as an organization, we need to notify the regulatory folks, the secretary of state, and tell them that a breach took place, that public information has been leaked. HIPAA has their own set of frameworks, SOX has theirs, Gramm and PCI have theirs as well. These are only four of multiple regulatory frameworks. All of the frameworks have one fundamental piece, which is if you lose control of your data, you need to notify someone. Some people will say that their data is encrypted, but when someone gets into your system, it doesn’t matter if your data is encrypted or not because they’re going to take it. There are terms called ‘data at rest’ and ‘data in transit’. Data at rest is while the data is sitting there, on the hard drive, it’s encrypted. So just because it’s encrypted doesn’t mean you're protected. I strongly recommend that you have a conversation with the compliance officers or talk to an IT organization that specializes in cyber security such as iCorps, and we can provide you some additional information.
One of the things that is very important is strategic solutions. It’s a lot more effective to be preventative than to be reactive. It is a lot more cost effective too. If you’re on the Microsoft 365 platform, Exchange has this tool that’s called Microsoft Defender. Now when we think of Defender we used to think of it as separate, but it is now bunched under the Microsoft umbrella for email or workstations. These vendors, Microsoft, Google, IBM, all provide you with tools to actually implement some controls. Some are on by default and some need to be turned on. For example, here with Exchange Online with the Defender product, you have the ability to put in some spoofing intelligence. What that means is that it looks at what’s coming in and looks at it to see if it's spoofed, but here’s some of the problems. A lot of organizations will reduce their security posture for the convenience of the end users. We have the ability to make a bunch of settings within Office 365 and Microsoft 365 that look at the history, look at the email coming in and try to make a judgement call.
Now like everything else, you want to try and think about using multiple levels of security. That technology is not just limited to Microsoft Office, and as the email comes in it’ll check if it looks like a spoof. If it should ask for authentication, it runs through a myriad of processes before it gets into your inbox. One of the things you should be aware of is that when you implement these controls there is sometimes a delay in receiving your email. We are used to, here on the East coast, receiving an email from someone on the West coast within 15-20 seconds, and if we don’t get it then, we’re probably hitting the send and receive key multiple times wondering "Where’s my email?" When you implement these controls there may be a delay. Could be a minute or two. However, people are used to a near instant response, and in that case leverage other tools such as Teams for chat, Skype for Business and so forth.
Here is the information for Microsoft Defender. You can make it meet your business needs, such as turning on notifications when someone sets an auto forwarding rule. One way to know that your email was compromised is through auto forwarding. A lot of these criminals will, when they log in, set an auto forwarding rule, so when you get bounce backs, you’ll never see them and they’ll go somewhere else. So again, look at Microsoft Defender, a part of the Microsoft 365 suite of services. This is not specific to Microsoft, as each vendor provides their own kind of services. Google Workspace is the same thing. You can turn banners on for emails, so when an email comes in it’ll let the user know that it came from an external source and that you should double check and look at it to make sure it’s legit. One of the things we’ve always talked about historically is when you click on a link and you go out to a website, look up at the top-left corner and see if you can see if it's secure. You’ll be looking for an SSL; that was the old way of thinking. Now, most websites use SSL, so they all use HTTPS, so that’s no longer a good way to tell if the email is legitimate or not. So, you do need to look at the email and see if it is safe. You can put up banners to notify you if it comes from an external source. For example, here at iCorps every email that comes in from outside says that it is from an external source.
There are additional features in Google, not just Microsoft, so we want to compare both because they tend to be the two biggest players there. You can also use a third-party feature. Here at iCorps, one of our standards is Mimecast. Microsoft and Google do a great job and they have a great set of tools; however, that's their set of tools. Getting an independent set of tools and tiering your protection, it's called defense in depth, having more than one tool look at your email, is very important. 90% of breaches start with email. They start with someone clicking on a link, someone entering their username and password, someone opening a bad attachment. This is the door in for cyber criminals. I’m sure there are people here saying that they’ve been banging their heads against a wall for the past four years on this, I don’t need this. But I go back to my earlier statement: billions of dollars are being made here and it is very effective. Organizationally, we need to train our folks and get them to understand that email is not this comfort zone, everything that comes in is a threat, which is why we use a third party tool in conjunction with these other tools. This sits out in the cloud and looks at all the inbound and outbound emails coming in. Outbound is similar to a white list. It also looks for impersonations and will scan for viruses. It sits on the border and actually looks to see what happens, and having a multiple tier approach is a really great idea.
Training is very important and so are backups. Backups are key. Downtime is a result of not being prepared and is very important. Being able to recover from an attack is critical, so our recommendation is to have a backup situation in place that will help you back up your data, will help you with eDiscovery, and will help you with compliance. Microsoft and Google don’t back up your data, and if you were a victim of phishing or ransomware, you can’t call Google and say, “Hey, get my data back”. They’re going to say that’s your responsibility. Their terms of service and agreements say that they back up data for them, not for the user, and that the user should be backing up their data themselves.
There are two things that I think every organization should be doing. The first is cyber security awareness training. Our folks only know what they know. You don’t put someone in a car without sending them to driver's ed; same thing. Folks need to learn how to use email. Learning how to use email is not just learning how to write an email and hit send, but it’s also understanding the threats associated with sending emails.
Phishing attacks are phenomenally successful. We have a way to protect the organization from this. One of the ways we do this is through phishing simulations. We have a company that we work with, Sophos, that does phishing simulations. One of the keys to phishing simulations is understanding your users. A lot of phishing simulations send out generic attacks such as misspelled words and stuff that is pretty obvious. We like to use this system where you sit down with the champion of the business, talk about what the business does and then you craft around that. This tool has about 150 different templates that you’ll see that are well crafted. Real life phishing attacks are targeting and trapping people, so what we try to do is to be on the same level as these people. We have the ability to customize the content in here, so we want to sit there and craft training.
Training is very important. Training can’t be 30 minutes; it should be 1.5-2 minutes that really reinforces something. People are going to click off after a couple of minutes, so trainings should be short, relevant and non-threatening. This tool lets us customize our content, be non-threatening and allows us to train and provide feedback for those organizations that have regulatory compliance. It gives you a list of the folks who have failed and succeeded, so really a great tool. This is a tool where as a company we find it to be successful. To be successful in your phishing campaigns, you need to understand the business; you can’t just blindly send phishing attacks. This helps determine if people are susceptible to phishing.
When you do a simulation you want to make sure you have different simulations for different departments, and you want to be able to measure success and target. These are four key bullet points to what a phishing simulation should be, but again this is only one part of a whole process. Don’t forget that security awareness training is also a requirement across the board. Try to get folks involved in security awareness training. Employee training is key. Start thinking about how to use encryption. Anti-virus software is also very important. If you’re using the Microsoft 365 platform, leverage your spend there because they have a whole set of tools that are very deep and include anti-virus protection for the desktop and Microsoft Defender for email. Also leverage Microsoft Office and Google Workspace, whatever it might be, but also start some training. Backup training is key; make the training fun and engaging. Don’t do a 90-minute, 2-hour, 3-hour training. You have to make it interactive. Sticking them in front of a video doesn’t work. At iCorps we'll do things with our marketing department like sending out newsletters and tips of the day and week, and that seems to engage folks.
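The auto-forwarding check Jeff describes earlier (a criminal logs in, sets a forwarding rule, and hides the bounce-backs so the owner never notices) is something a defender can audit across every mailbox rather than waiting on a notification. The script below is an added example; it is not code from the presentation, from iCorps, or from Microsoft. It assumes the inbox rules have already been exported from the tenant into Python dictionaries whose field names follow the properties Exchange Online's Get-InboxRule cmdlet returns (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder, Enabled). The mailboxes, rule names and domains in the sample are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample export. Field names mirror Get-InboxRule output; the
# mailboxes, addresses and rule names are made up for this example.
# Exchange renders recipients as '"Display Name" [SMTP:addr]' or as a bare
# address, so both forms appear here.
SAMPLE_RULES = [
    {"Mailbox": "alice@example.com", "Name": "Team archive", "Enabled": True,
     "ForwardTo": ['"Archive Box" [SMTP:archive@example.com]'],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None},
    # Hypothetical attacker-style rule: external forward, one-character
    # name, and the message is deleted so bounce-backs are never seen.
    {"Mailbox": "bob@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:b0b.personal@mail.example.net]'],
     "DeleteMessage": True, "MarkAsRead": True, "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "carol@example.com", "Name": "Old vendor", "Enabled": False,
     "RedirectTo": ["vendor@partner.example.org"],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None},
    {"Mailbox": "dave@example.com", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "DeleteMessage": False, "MarkAsRead": True,
     "MoveToFolder": "Newsletters"},
]

# Domains the organization owns; anything else is treated as external.
INTERNAL_DOMAINS = {"example.com"}

FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


@dataclass
class Finding:
    mailbox: str
    rule: str
    external_targets: list
    hides_mail: bool   # rule also deletes or files the message away
    enabled: bool
    severity: str      # "high", "medium" or "low"


def external_targets(rule, internal_domains):
    """Return every forward/redirect address whose domain is not ours."""
    targets = []
    for field_name in FORWARD_FIELDS:
        for entry in rule.get(field_name) or []:
            for addr in ADDR_RE.findall(entry):
                domain = addr.split("@", 1)[1].lower()
                if domain not in internal_domains:
                    targets.append(addr.lower())
    return targets


def audit_rules(rules, internal_domains):
    """Flag rules that send mail outside the organization.

    Severity is raised when the rule is enabled and also hides the message
    (deleted or moved to a folder), which is the pattern that keeps
    bounce-backs out of the owner's view.
    """
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        hides = bool(rule.get("DeleteMessage")) or rule.get("MoveToFolder") is not None
        enabled = bool(rule.get("Enabled"))
        if enabled and hides:
            severity = "high"
        elif enabled:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(rule["Mailbox"], rule["Name"], targets,
                                hides, enabled, severity))
    # Highest severity first so an analyst sees the urgent ones at the top.
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (order[f.severity], f.mailbox))
    return findings


def report(findings):
    """Render findings as one line per rule for a ticket or a log."""
    lines = []
    for f in findings:
        state = "enabled" if f.enabled else "disabled"
        hide = ", hides original" if f.hides_mail else ""
        lines.append(f"[{f.severity.upper()}] {f.mailbox} rule '{f.rule}' "
                     f"({state}{hide}) -> {', '.join(f.external_targets)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS)))
```

On a real tenant the same logic runs over the output of a rule export; the value is in the scoring, which separates a disabled rule to a known partner from an enabled rule that forwards externally and deletes the original. Client-side Outlook rules and mailbox-level forwarding settings are separate from inbox rules and need their own check.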