Posts

ALERT: Threatening Emails are Spiking

ALERT

In the last 72 hours, our clients have reported an alarming increase in threatening emails. These emails contain enough personal information to legitimately trigger worry, fear, and in some cases, panic. 

This post covers three types of threatening messages and how to respond.

The Attacks

This type of attack is known as a “Exposure Threat” or “Fear of Exposure” attack. Attackers threaten to release embarrassing or sensitive information about you or your business. They may share bits of information or make claims that imply or confirm that they really do have some information. 

Here are three common forms of the threat:

1 “We Know Where You Live”

The email arrives in your inbox from what looks like a “legitimate” Gmail, Yahoo!, or other email service. The subject line contains your name or that of a family member. The message includes your full address and a valid phone number. In some cases, this threat may also include a picture of your home or office. 

Most often, this type of email does not include any explicit threat or demand.

The implication “we know where you live” is intended to instill fear. The goal is to make you more likely to respond and cooperate with future threats. 

2“We Know What You Did”

This form of attack claims to have documents, images, or video of you doing something embarrassing or illegal. The attacker will claim to have access to your email account, or all of your contacts, and will threaten to share the information if you fail to pay a ransom.

This is an explicit form of extortion.

The attackers are betting that the fear of exposure will cause you to pay the demand and prevent you from reporting the attack.

3“We Have Your Information”

This form of attack threatens to disclose sensitive information about you, your business, or your customers. The threat is the damage a data breach causes. This can include serious and costly legal, regulatory, or contractual issues. The attackers may share a sample that “proves” they have the information on hand.

This attack typically includes a specific threat and an extortion demand.

The preview information shared by the attackers may be from sensitive files, but it may also be available from other sources. This form of attack warrants some investigation.

How to Respond: Do NOT Panic!

First and foremost, do NOT panic. The success of these attacks is dependent upon your fear and your reaction. If you receive an email that is like one of these cases or similar, how you respond can make a difference.

No Specific Threat

  • If the email does not contain a specific threat or demand, your best response is to mark and report the email as spam. Doing so should direct future emails directly to your spam or junk folder.
  • You can take the extra step of reporting the message as abuse to the email server. Here are links to report email abuse for Gmail, Sky/Yahoo!, and Xfinity/Comcast.

With a Specific Threat

  • If the email contains a specific threat, you can and should report the message as spam/junk. We recommend your report this to your IT service provider. Your IT team should investigate the possible risks and take appropriate preventative and responsive measures.
  • Extortion is a crime. While many local law enforcement departments do not have the expertise to investigate cyber crimes, most state police organizations have cyber crime units. You can also report the attack directly to the Internet Crime Complaint Center (IC3). The IC3 will route your report to the FBI and other relevant agencies. Depending on the nature of the attack, the response may range from acknowledgement of the report to a full criminal investigation.
  • If the email includes a threat to show up at your home or business if you do not respond or comply. we strongly recommend reporting the threat to law enforcement.

Possible Data Breach

  • If the threat indicates that the attacker has, or can, access sensitive data, promptly take additional steps to protect yourself and your business.
  • If the attack references personal information, placing locks on your credit reports is always a good step. If the threat mentions (or indicates) a source, such as your bank or investment accounts, report the incident directly to that institution or business. Discuss protections they can put in place on your behalf.
  • If the attack references information from your business, promptly investigate the possible breach. This may involve scanning systems for malware and advanced threats, analyzing logs for unauthorized access, and verifying compliance with security measures. The level of your investigation should match the level of risk. Your IT service provider can help you assess the situation and determine the best course of action.

Your Next Steps

You can protect yourself and your business from these attacks, and other cyber attacks before they happen. Our Security CPR model provides a guide.

  • Communicate and Educate: Learn about, and help your team understand, the risks, nature, and impact of cyber attacks. Communicate the need for vigilance and how their behaviors can enable or prevent a successful attack.
  • Protect and Prevent: Put cybersecurity policies, procedures, systems, and services in place commensurate with your business’s risks, needs, priorities, and budget. This includes advanced threat protection for email and strong settings for your SPF, DKIM, and DMARC protocols in your DNS record. 
  • Respond and Recover: Ensure that you have systems, processes, and services in place to respond and recover should an attack be successful. Beyond restoring data and systems, have resources available to address the legal, regulatory, and customer service issues that often arise. Ideally, have solutions in place that allow you to keep your business running while you respond and recover.

For help assessing your current cybersecurity protections, please send an email or schedule time with one of our Cloud Advisors to discuss our cybersecurity assessments and solutions.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

5 Cybersecurity Standards for Small and Midsize Businesses

5 Cybersecurity StandardsAs small and midsize business leaders, we understand the need to comply with regulatory and industry requirements. We also want and need our IT services to support our business priorities and fit within our budget. So how much cybersecurity is enough? Our cyber insurance partner, Datastream, analyzed policies and coverages for nearly 8 million businesses across dozens of industries globally. The most common cyber attacks exploit weak credentials, human behavior, and out-of-date software to gain access to your systems and data. From there, they can not only launch ransomware attacks, they can initiate business email compromise and other costly and damaging attacks. The result: Datastream identified a bare minimum set of 5 cybersecurity standards

The 5 Minimum Cybersecurity Standards

To address the most common and costly forms of cyber attacks, implement these 5 cybersecurity standards.

1 Multi-Factor Authentication (MFA)

MFA requires a secondary physical authentication when logging in. Whether by text, authenticator app, one-time passwords, or magic links, MFA can prevent attackers from using compromised credentials. According to studies by Microsoft, more than 90% of cyber attacks can be blocked if MFA is in place.

While the minimum standard is coverage for email access and remote network connections, we recommend using MFA for access to any and all critical systems, applications, and data.

2 Encryption

Do you encrypt all sensitive information at rest, including backups?

Most of our systems and applications encrypt data in transit (in motion). Encrypting data at rest, regardless of where it resides, prevents your data from being easily accessed and used in a cyber attack. Encryption should be in place on workstations and personal computers, not just on servers and in cloud-based services.

Just as important, backups should be encrypted. Unencrypted backups provide cyber attackers with easy access to data. Backups should also be stored off-site or in the cloud using immutable storage. This strategy prevents corruption of backup sets in the event of a ransomware attack. 

3 Data Recovery

In the last 6 months, has your company tested its ability to recover all business-critical data and systems within 10 days or less, from offline or cloud backups that are no more than a week old? 

Backing up data and systems is easy. Recovery is hard. Knowing that you can reliably restore your data and systems demonstrates your level of protection and how well you have reduced risks. Documenting this will impact your cyber insurance premiums.

While the 10-day recovery window is a minimum expectation, it may not be sufficient for your business. We recommend analyzing your business needs and setting goals to return to operations in a way that minimizes the impact of any disruption.

4 Automated Hardening Policies

Do you implement automated hardening policies?

Hardening systems is the process of limiting the attack surface of your systems, applications, and data. Hardening tactics include:

  • Removing unused applications and accounts
  • Disabling unnecessary services, ports, protocols, and features
  • Limiting administrative permissions and access
  • Logging appropriate activities, errors, and warnings

The process of configuring and managing hardened systems is easiest to manage with a remote monitoring and management (RMM) system in place.

5 Patches and Updates

Do you apply critical patches and updates to key IT systems and applications within two months?

Updates and patches to operating systems are familiar and comfortable. We regularly receive and apply updates to our smartphones, laptops, and desktops, most often as part of a default, automated process. We may not, however, be as diligent with our business systems and applications.

Updates and patches to databases, applications, and other software often require validation and may require changes to settings and integrations. Regularly reviewing updates and patches, and having a process in place to verify and apply updates, ensures that your systems have current security fixes and features.

Your Next Steps

Having these five cybersecurity standards in place represents a no-nonsense minimum that protects your business and can improve your cybersecurity coverage and premiums.

Our eBook, Cyber Security Requirements for Cyber Insurance, dives deeper to define basic, preferred, and best practices. You can, and should, scale your cybersecurity to meet your business’s specific risks, priorities, and budget.

We offer multiple assessments to help you understand and benchmark your current cybersecurity.

  • Rapid Security Assessment
  • Cyber Insurance Risk Assessment 

These assessments are free with a Referral Code. Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your code.

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Cybersecurity in the Whitespace

Cybersecurity White Space

A recent online post pointed out that the whitespace in the FedEx logo, between the “E” and “x”, creates an arrow. 

FedEx Logo

Once you see the arrow, you cannot miss it. You will see it every time you look at the logo.

The subtle, almost subliminal, arrow symbolizes a sense of forward motion and subconsciously reinforces the FedEx brand message of on-time delivery.

The power of the logo is not just the name, it is in the symbolism. The same is true for your cybersecurity.

The power of your cybersecurity is not just in the overt actions, success is in the whitespace.

Focus

Our cybersecurity efforts often focus on the concrete measures we can take to protect ourselves and prevent attacks. We deploy hardware, install software, and configure settings to both passively and actively protect our systems, data, and people. These actions are tangible and visible. 

Cybersecurity Whitespace

Equally important, if not more so, are the less visible cybersecurity efforts– your cybersecurity whitespace. Ask yourself these questions:

  • Is cybersecurity awareness a deliberate part of your culture?
    • Do you educate your team on their role in cybersecurity?
    • Do employees and contractors understand which behaviors help security and which can harm it?
    • Does your team understand how to recognize, report, and respond to security risks and attacks?
  • Do you have policies and procedures in place that set expectations for maintaining appropriate cybersecurity?
    • Do these policies and procedures include guidance and limits on human behaviors and actions that can pose or elevate risks?
    • Do you have consequences for negligent or deliberate non-compliance?
  • Do you understand the risks should a cyber attacker gain access to your systems?
    • Do you understand the protections you need in place to limit attacker access to identities and sensitive information?
    • Can you isolate attacks and prevent them from spreading across your environment?
  • Do you have plans in place to not only restore damaged or lost data, but to recover your business from a successful cyber attack?
    • Do you have cyber insurance?
    • Do you have clear action plans for how your business will respond to a successful cyber attack?
    • Will you be able to run your business while you recover your systems and data (and/or while computers are held as evidence)?
    • Do you have plans and resources in place to:
      • Comply with state and regulatory reporting requirements?
      • Communicate effectively with customers, vendors, and partners?
      • Manage your legal and financial liability?

Model for Success

Successful cybersecurity includes the visible and the whitespace. Our Security CPR model and managed security services include all three best-practice pillars:

  • Communication and education
    • Security awareness focused on human behaviors, risk recognition, and responding to suspicious acts.
    • Policies and procedures that guide and protect your business in line with compliance requirements.
  • Prevention and protection
    • Expertise, tools, and services to prevent cyberattacks and protect your business, data, and team.
    • Compliance assessment and management services to benchmark and certify to appropriate industry and regulatory standards.
  • Recovery and response
    • Business continuity services to keep your business running during forensic investigations and data/system recovery and restoration efforts.
    • Data restoration and disaster recovery plans and resources to return your business to normal operations as quickly and effectively as possible.
    • Cyber insurance brokerage partnerships to ensure your business is properly covered within your budget.

Call to Action

If you have not done so recently, now is a great time to step back and assess your IT services and solutions. Our Cloud Advisors are ready to help and assist with any questions or concerns. Start with a complimentary Rapid Security Assessment, contact us, or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Best Practice – Completing Security Surveys and Questionnaires

Data Protection & Security

In our recent Security Update Series blog post, New Security Demands & Requirements for Small and Midsize Businesses, we discussed three drivers for increased business security. We noted that expectations will often be expressed in security surveys and questionnaires you are asked to complete. Providing incorrect, incomplete, or misleading answers, whether intentional or not, can impact premiums and your available coverage.

To minimize the risks and potential pitfalls, here are five best practices to follow:

1 Know the Process

Before starting your response, have the broker or agent walk you through the process in detail. What role do the security surveys or questionnaires play in the underwriting process? While some carriers only use a single survey, others will ask for follow-up information and/or request evidence supporting your answers.

Understanding the process will guide how you answer questions and the nature and amount of information you provide.

2 Follow the Rule of Absolutes

Following the “Rule of Absolutes,” answering “yes” or “no” to a question means “yes” or “no” everywhere and in every instance. 

For example, if you answer “yes” to the question, “Do you require multi-factor authentication for user login?”, you are stating that MFA is in place for every possible user login for every system or service. Answering “yes” if this is not the case will be considered a misleading or deceptive response.

The better approach is to answer with commentary that accurately responds to the intended questions without absolutes. Using the above example, provide a list of systems for which MFA is required, optional but recommended, and/or not available. In addition to being a more accurate response, the information will better inform the underwriting risk assessment.

3 Understand the Questions

Not all questions may be clear. Some questions will focus on technology. Others will focus on policies, processes, and procedures. Still others will focus on outcomes.

For example, these three questions:

  1. What security incident and event management (SIEM) system is in place?
  2. Do you have security incident and event management?
  3. Do you monitor, save, and analyze security event logs to identify alerts and conditions that require responsive action?

Question 1 appears to be asking about specific software or tools. The second Question asks about capability; the software tools and operational resources may be implied or assumed with a “yes” answer. Question 3 probes procedures, possibly independent of the supporting technology and/or existence or use of a security operations center (SOC).

If you are not sure how to best answer the questions, consult with the broker or agent for guidance.

4 Pause and Implement

In reviewing the security surveys or questionnaires, you may notice an emphasis on certain aspects of your security systems, solutions, policies, and processes. 

If your answers appear to indicate weakness in these areas, consult with the broker or agent for guidance. You may benefit from pausing the effort until you can update or implement expected services and solutions.

In some cases, indicating that an improvement is in process may be sufficient to move forward.

5 Get Legal Advice

You own and are legally bound by the survey and questionnaire responses you provided. This holds true even if IT providers, vendors, and others have drafted portions of your response.

Before submitting your responses, review the surveys or questionnaires and your responses with qualified legal counsel familiar with cyber security. Understand if answers provided by third parties may create issues or liabilities. Understand any and all commitments expressed and implied in your responses.

What to Do:

The best course of action is to assess and, if appropriate, adjust your security services before you face a survey, questionnaire, or audit. Our Rapid Security Assessment provides a quick review of core security services. Our Cloud Advisors are ready to assist with any questions or concerns.

Contact us or schedule time with one of our Cloud Advisors

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management. 

 

3 Questions – About Cyber Security

Data Protection & SecurityShare your answers to our 3 Questions and, in exchange, we will

  • Schedule time (no cost / no obligation) with one of our Cloud Advisors to discuss why the questions are important and to review your answers
  • Provide our Rapid Security Assessment at no cost to you.
3 Questions about Cyber Security:

1) How do you protect your user devices?

  • Anti-virus, next-gen endpoint protection, managed event detection and response, other …

2) Do you require that employees multi-factor authentication (MFA) when connecting to online services?

  • For all services, some services, other …

3) Do you perform backups of critical systems and data?

  • weekly, daily, hourly, other …
Why and How:

These 3 Questions about Cyber Security indicate how well you may be protected, and your ability to recover, from the most common and most costly types of Cyber Attacks on small businesses.

Related Resources

About 3 Questions:

3 Questions is a new program we are launching to help small business owners and IT leaders think about the issues facing their businesses in new ways.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Founded in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions, Allen has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America.  Having started his first business at age 12, Allen is a serial entrepreneur having started strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

 

Debunking 5 Cyber Security Myths for SMBs

Data Protection & SecurityAs owners and leaders of small and midsize businesses (SMBs), we have limited resources for IT and cybersecurity.  We should not be surprised, therefore, that SMBs face the biggest threat from ransomware and other cyber attacks.  Beyond the cost and risk of ransomware and encryption attacks, SMBs face business email compromise (BEC) attacks and threats to disclose regulated information.  Recovery costs, fines, and legal actions resulting from a successful attack can destroy your business. And yet, many SMBs remain unaware of the risk and/or lacking reasonable data protections and security.  This post intends to debunk five (5) cyber security myths for SMBs.

1My company is too
small to be a target

While note every attack is successful, one global report states that 86% of SMBs have been hit by ransomware attacks, with 20% attacked more than six times. With fewer resources and less focus on cyber security, SMBs represent an attractive target for attackers.  The increase in remote work and use of remote desktop protocols creates additional opportunities for attackers. Securing and managing these services requires time and attention.

The impact of a successful ransomware attack continues to increase.  According to Verizon’s 2020 Data Breach Investigations Report, the average cost of a successful ransomware attack grew from an average of $34,000 to just under $200,000.

2I cannot afford to protect
against cyber attacks

Cyber attacks are inevitable. Protecting your business does not require expensive solutions.  Your cost for endpoint protection for your devices, advanced threat protection for email, and security awareness training is pennies per day per person.  You can deploy multi-factor authentication (MFA), local disk encryption, and the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols for free. You can deploy cloud-based business continuity and disaster recovery (BCDR) for less than traditional backup/recovery solutions.

3I have backups,
so I am safe

Not all backup solutions are equal.  Many backup/recovery solutions for SMBs run on the same servers and networks as your business systems. Ransomware and other cyber attacks will seek out and encrypt/damage backup servers to render your backups useless.  Your backup/recovery solutions should be segregated from your production network and systems to shield them from attack.  Business Continuity/DR solutions offer the additional ability to bring systems back on line in an alternate cloud data center while you recover your primary systems.

4Technology alone
will save me

As with most security protocols, people are your first line of defense.  As many as 93% of cyber attacks begin with a phishing attack. People click on links, unwittingly downloading malware or sharing usernames and passwords.

Security awareness training should be a standard practice within your business.  The training is a proven way to reduce risk, decrease infections and help desk requests, reduce the chances of a security breach and strengthen the overall security posture.

5Cyber resiliency is
too hard to achieve

Cyber Resilience is the ability to withstand security attacks and land on your feet, no matter what happens. Cyber resilience protects your business, customers, and employees from ransomware, business email compromise, and other potential issues and attacks.

While some gaps in security will always remain, you can affordably improve your cyber resiliency.

To overcome these 5 small business cyber security myths, review your security footprint, and improve your resilience, please contact us by email, via our website, or by scheduling time directly with one of our Cloud advisors, with any questions or concerns regarding this service update.

9 Cyber Security Tips for Small Businesses

Since the start of the COVID-19 pandemic, cyber threats and ransomware attacks have accelerated, exceeding 30,000 attacks per day in the US. Cybersecurity measures have never been more important. The move to remote working environments as well as the vulnerability of global economies in crisis has created an open-season for cybercriminals. No business—big or small—is safe.

Small and medium businesses (SMBs) seemingly have a target on their backs, so strengthening your SMB security posture is essential right now. The good news: There are ways to protect your business against ransomware attacks. Read on below to learn about our top nine cyber security tips and best practices to keep your small business safe.

Here are nine tips you that boost your business’ resilience to cyber attacks:

Communicate & Educate

1. Conduct a security risk assessment

Understand potential security threats (e.g., downtime from ransomware) and the impact they may have on your business (lost revenue). Use this information to shape a security strategy that meets your specific needs.

2. Create straightforward cybersecurity policies

Write and distribute a clear set of rules and instructions on cybersecurity practices for employees. This will vary from business to business but may include policies on social media use, bring your own device, authentication requirements, etc.

3. Train your employees

Because cybersecurity threats are constantly evolving, an ongoing training plan should be implemented for all employees. This should include examples of threats, as well as instruction on security best practices, and periodic testing.

Prevent & Protect

4. Protect your network and devices

Implement a password policy that requires strong passwords and monitor your employee accounts for breach intel through dark web monitoring. Deploy firewall, VPN, and next-gen antivirus technologies with advanced threat protection. Ensure your network and endpoints are not vulnerable to attacks. Implement mandatory multi-factor authentication. Ongoing network monitoring is essential, as is encrypting hard drives.

5. Keep software up to date

This cyber security tip involves being vigilant about patch management. Cyber criminals exploit software vulnerabilities using a variety of tactics to gain access to computers and data. Your IT provider should automate this for your businesses with a remote monitoring and management. Keep your mobile phones up to date as well.

6. Back up your data

Daily (or more frequent) backups are a requirement to recover from data corruption or loss resulting from security breaches. Consider using a data protection tools that take incremental backups of data periodically throughout the day to prevent data loss. Remember that you need to protect your data in the cloud as well as you protect your data on local servers and workstations.

7. Know where your data resides

The more places data exists, the more likely it is that unauthorized individuals will be able to access it. Use data discovery tools to find and appropriately secure data along with business-class Software-as-a-Service (SaaS) applications that allow for corporate control of data. Eliminate redundant and “Shadow IT” services.

8. Control access to computers

Use key cards or similar security measures to control access to facilities. Ensure that employees use strong passwords for laptops and desktops. Give administrative privileges only to trusted staff as needed.

Respond & Recover

9. Enable uptime

Our final cyber security tip dives into responding and recover. Here, it’s vital to choose a powerful data protection solution that enables “instant recovery” of data and applications. In fact, 92% of managed IT service providers report that companies with business continuity disaster recovery (BCDR) products in place are less likely to experience significant downtime from ransomware and are back up and running quickly. Application downtime can significantly impact a business’ ability to generate revenue. Can your business afford downtime costs that are 23X greater (up by 200% year-over-year) than the average ransom requested in 2019?

Get In Touch To Learn More About Cyber Security Tips and Best Practices

The best defense is a good offense. A robust, multi-layered cybersecurity strategy can save your business. Contact us to learn more and for a free Cyber Security Assessment.

library

2023 OpenText Cybersecurity Email Threat Report

eBook | Source: OpenText Security — Attackers persistently adapted their email-based techniques throughout 2022, introducing more nuances into their methods. This eBook shares current information about Phishing, Business Email Compromise, Cryptocurrency Scams; and the Top Malware Threats. The report provides examples of attacks as a learning tool for understanding attacks, how to prevent them, and how to respond.