2020 was a rough year for all of us, particularly from a cybercrime perspective. As businesses and schools rapidly pivoted to remote work and remote learning, many cybercriminals changed their tactics and adjusted their focus to take advantage of the situation as well as user uncertainty and fear.
As working and learning from home remain the norm for many individuals and businesses around the world, cybercriminals are poised to continue aggressively targeting users specifically using a blend of online and offline tactics.
The SolarWinds attack, which infiltrated both the US Treasury and the Department of Homeland Security as well as a number of private organizations, rocked the cybersecurity world. Uncovered last December, this wide-reaching, devastating attack is believed to be the work of the Russian Intelligence Agency’s Foreign Intelligence Service and may have been launched as early as March 2020.
Even once experts know the full extent of the attack, the remediation process will be long and grueling. Entire enclaves of computers, servers, and network hardware across both federal and corporate networks will need to be isolated and replaced even as security teams continue to hunt for evidence of malware, determine what information has been compromised, and create and implement strategies to mitigate loss and damage.
Number of Cyberattacks Expected to Rise
In addition to dramatically changing how we go about our daily lives, COVID-19 has also provided a convenient cover for cybercriminals as they shift their attack vectors away from large, well-guarded corporate networks to small, potentially vulnerable home networks. One study suggested that, in 2021, a ransomware attack on a business is likely to occur every 11 seconds, up from every 40 seconds in 2016.
INTERPOL’s assessment of the impact of COVID-19 on cybercrime has shown similar trends, with targets shifting away from major corporations, governments, and critical infrastructure in favor of small businesses and individuals.
As users log in from home, they create personal islands of security: a model where each user is effectively following different (often lax) security protocols. When workers are onsite, all of their traffic is routed through your business’s network, which is likely closely monitored by a professional security team. However, without a dedicated security team watching every employee’s home network and personal device, your organization is exposed to increased risk.
Cybercriminals are taking advantage of this increased attack area to create personalized attack chains. While traditional tactics often involved a “spray and pray” approach (where cybercriminals used generalized social engineering attacks, such as the classic Nigerian prince scam, to target a large number of users in the hopes that a few would bite), recent trends have seen a rise in hyper-personalized attacks that target specific uses with privileged access to sensitive infrastructure, data, and systems.
While this approach is more time-consuming (since attackers need to identify and profile specific individuals to create the targeted attack), this approach is more likely to yield shorter attack-cycles, making it increasingly difficult for organizations to identify and stop attacks in progress.
The work from home era has forced cybercriminals to adapt their tactics, but unfortunately, many have done so successfully. One tried-and-true cybersecurity attack, the phone scam, has seen a resurgence.
A similar but related scam involves scammers offering “relief payments” from government agencies. These calls, text messages, and emails typically follow a general format: The caller says you have been approved to receive money, either via a relief payment or a cash grant or even via a low-interest small business loan and then asking for personal information (to “verify your identity”), banking information (so they can charge you a small “processing fee”) or both. Some scammers also ask for payment via cryptocurrencies (such as bitcoin) or gift cards.
Another twist on the phone scam is the fake tech support scam. This follows a similar format to the scams discussed above but involves cybercriminals asking users to grant access to their computers so they can “conveniently” fix a tech support problem you weren’t even aware you have.
Criminals then use this access to install malware, add backdoors for future access, or log keystrokes (to capture usernames, passwords, banking details, and other sensitive data).
SMBs Likely to Invest More in Cybersecurity
As cyber threats continue to rise in 2021, small and medium-sized businesses are, particularly at risk. This is because, unlike large, enterprise-level organizations, many smaller organizations still believe that they are less likely to be targeted.
The best thing you can do to safeguard your organization’s digital assets is be proactive. Make sure you are up to date on all the latest cybersecurity threats and have a well-rounded and up-to-date cybersecurity incident response program in place.
You should also assess your current cybersecurity posture regularly to ensure it is continuing to meet your needs, and you may want to consider conducting pen (penetration) tests to stress-test your current defenses. You should also make sure that all new employees receive cybersecurity training as part of their onboarding process and that all workers undergo refresher training regularly. You may also want to consider conducting tabletop exercises to give your team a chance to test their cybersecurity response skills in a no-risk environment.
Virtual Armour is Here to Help
Safeguarding your organization from cybersecurity threats can be a lot to handle, particularly if you aren’t already a cybersecurity expert. That’s why Virtual Armour is here to help. Our team of experts can review your current practices with you, help you identify weaknesses, and create a plan to strengthen your defenses. We are also able to monitor your infrastructure, firewall, and endpoints 24/7/365 for potential threats and help you mitigate or even avoid damage should an incident occur.
For more information about our service offerings or to find out what you can do to safeguard your digital assets best in 2021, please contact us today.
The holidays may be a time for spending time with loved ones and exchanging gifts, but the gifts cybercriminals bring aren’t jolly at all. 2020 Has been a rough year, and many organizations have felt the strain, particularly when it comes to cybersecurity and adapting to the changing tactics cybercriminals are employing.
This year, give your organization the gift of a good cybersecurity posture by taking steps to safeguard your digital assets.
The Cybercrime Pear Tree: How the Sudden Shift to Remote Work Has Changed the Workplace Landscape
The sudden pivot to remote work earlier this year left many organizations scrambling to continue daily operations and minimize disruption, which means cybersecurity may have fallen down your list of priorities. 2020 saw an increase in the number of cyberattacks and brought with it new attack surfaces. Paired with a distracted workforce and unanticipated staffing shortages in a multi-stress environment, 2020 created very favorable conditions for cybercriminals that are likely to continue into 2021.
The continued shift to remote work has meant that many organizations are relying on new and unfamiliar infrastructure and processes to continue daily operations. This lack of familiarity and the artificially accelerated shift to remote work means your team may not know about existing vulnerabilities in the software they are using to do their jobs. Cybercriminals are continually exploiting existing vulnerabilities in remote work technologies, so you need to ensure all software used has undergone a security audit.
However, even if your organization has thoroughly vetted all new technologies and processes, you can’t be certain that your business partners, vendors, and other third parties have been as studious, which means you need to be extra vigilant and may need to take additional steps to minimize risk to your organization.
The Human Factor
The pandemic has taken an emotional toll as well, leaving workers distracted and stressed. Personal and financial stressors leave workers more vulnerable to social engineering attacks, and remote workers may not be as vigilant about their cybersecurity posture at home as your internal security team is at the office.
As more workers call in sick or need to take time off or reduce the number of hours they are available to care for dependents or relatives, many organizations are facing unanticipated staffing shortages. At the same time, while many workers used to find working from home increased their productivity, the forced isolation, limited privacy, loneliness, and new demands brought by the pandemic have decreased productivity dramatically.
In the United States, recent data suggests productivity among professional and office workers is down 11%, and manual service and industrial workers are, on average, 17% less productive. In-house security teams have been particularly hard hit as they are forced to operate in an environment where they now face multiple crises on various fronts at any one time, each of which demands significant attention from both management and security teams. Securing a remote workforce is also more difficult than securing an on-site workforce, further adding to security workloads.
The Digital Partridges: Threats to Guard Against
Phishing Attacks Leveraging Video Conferencing Software
Many cybercriminals have begun to leverage video conferencing software such as Zoom and Skype to launch phishing campaigns. Criminals create phishing emails made to look like legitimate pending notification emails coming from Skype, Zoom, or a similar platform. When users click on the link in the email, they are asked for their username and password, which are then harvested by unauthorized users for criminal purposes.
Other groups are sending phishing messages reportedly from Zoom telling recipients they have missed a meeting or their account has been suspended, designed to get users to click on a malicious link to either view the meeting details and reschedule or reactivate their account. Other similar attacks try to trick users into downloading fake video conferencing software installation programs that contain malware.
Social Engineering in the Remote Work Age
We have already discussed in detail how remote work environments make social engineering even more dangerous. Social engineering involves manipulating individuals to infiltrate an organization at the human level by tricking users into revealing sensitive information or granting access to the network.
Since social engineering attacks often rely heavily on email or other communication types such as phone calls or text messages, remote work environments are particularly vulnerable to this type of attack as users trade in-person meetings for phone calls, video conferencing calls, and text-based forms of communication.
Social engineering plays on two main factors: our innate desire to help others and emotions such as fear, urgency, or other forms of psychological distress. Cybercriminals trick or scare users into opening malicious files, click on malicious links, or reveal sensitive information. A sense of urgency prompts users to act quickly before they have had a chance to properly weigh the request and consider it rationally. By the time users or their superiors realize something fishy is going on, it may already be too late.
Protecting Your Presents: Steps Your Organization Can take to Safeguard Your Digital Assets
Adjust Your Cybersecurity Strategy
Most cybersecurity strategies were developed with on-site workers in mind, so it is vital to review your cybersecurity strategy in light of remote work and adjust accordingly. You should already be reviewing your security practices at least once per year, but if your next scheduled review isn’t for a while, it might be a good idea to add an additional review to your list of New Year’s Resolutions.
You should also make sure you have a robust yet flexible cybersecurity incident response program in place. If you don’t already, you may want to consider drafting one as soon as possible. You should also review your incident response program and ensure that it takes remote workers into account and is still able to meet your organization’s security needs.
Secure Your Endpoints
An endpoint refers to any device such as a computer or mobile phone that can be used to access your network. While all the endpoints in your physical office may already be secure, you need to ensure that any home devices being used to access your network meet your security standards. Organizations that rely on BYOD (Bring Your Own Device) policies are particularly vulnerable to cybersecurity attacks since organizations don’t have direct and complete control over how those devices are being used, what other programs are installed on them, and other factors that may compromise your network’s security and leave your digital assets vulnerable.
Regular Cybersecurity Training: The Gift that Keeps On Giving
This holiday season, consider giving your workers the gift of cybersecurity training. All employees, from the lowest ranking intern up to the CEO, should receive cybersecurity training as part of their onboarding process and undergo regular refresher training.
The sudden pivot to remote work has likely affected how workers complete their daily tasks, so you should consider adjusting your current cybersecurity training program to account for these changes. You should also make sure that, as part of this training, you explain to workers why certain steps, procedures, and policies are important and how they contribute to the overall security of your company; When workers understand the “why” behind the “what,” they are more likely to see the value in additional steps and make sure to take them.
Run More Exercises
Exercises such as pen (penetration) tests and tabletop exercises are incredibly valuable.
Pen tests involve hiring an ethical hacker to stress-test your network and look for vulnerabilities. Your team can then use the insight gained by the hacker to improve your overall security. Running a pen test on your network, with a focus on any new software your remote workers are using, can help ensure that your organization isn’t left vulnerable.
Tabletop exercises act like cybersecurity fire drills: workers are given a hypothetical scenario (such as a hack or data breach) and tasked with responding to it effectively. Tabletop exercises allow workers to apply the knowledge they gain in cybersecurity training in a no-risk environment. Once the scenario is complete, you and your team can sit down and review your response’s efficacy and identify any gaps or problems that need to be addressed.
Should you experience a breach or hack, our team can help you fend off the attack, identify the root cause of the issue, and identify steps you can take to mitigate or even avoid damage and create concrete plans to help you prevent similar attacks going forward.To learn more about the cybersecurity threats 2021 is likely to bring, and what steps you can take to safeguard against them, please contact our team today.
CENTENNIAL, Colorado, – (November 30, 2020)– VirtualArmour International Inc. (CSE:VAI) (OTCQB:VTLR), a premier cybersecurity managed services provider, reported results for the third quarter ended September 30, 2020. Financial results are in U.S. dollars, with comparisons made to the same year-ago quarter unless otherwise noted. For complete details, please refer to our financial statements and discussion found here: https://www.sedar.com/DisplayCompanyDocuments.do?lang=EN&issuerNo=00037617
2020-Q3 Financial Highlights
Managed and professional services revenue for the quarter increased to $1.6 million, increasing by 15.6% year-over-year.
Gross profit margins for managed and professional services exceeded 52% with overall gross profit margin, including lower margin resale revenue, of 38.2%.
The company realized $130,000 in operating income in the quarter ending September 30, 2020.
Adjusted EBITDA was $218,000 for the quarter ending September 30, 2020. See Supplemental Non-GAAP Financial Measures below.
Annual recurring revenue (ARR) totaled $5.1 million at September 30, 2020, representing an increase of 8% from $4.7 million at September 30, 2019. ARR is defined as the value of VirtualArmour’s service contracts normalized to a one-year period.
2020-Q3 Operational Highlights
Launch of new Essential Core Managed SOCaaS service offering and initial customer activated to the service. These economical service offerings enable current and new clients to extend, renew, or establish contracts with VirtualArmour given the current market conditions.
Won 595k Managed SIEM, Endpoint Detection & Response contract win with high-tech manufacturing client.
VirtualArmour & Dynamic Funding Partnership enables financial options for clients to defer payments on managed service costs. Locks in for the term – hardware, software, and managed services for reduced upfront cashflow expenditure.
Strengthened relationship within the IBM Partner program, as well as new relationship expansion to Forescout Technologies, driving additional leads into the business.
Digital marketing tactics expanded to Colorado region podcast audio advertisements and The Guardian UK online digital advertisements.
Memorandum of Understanding signed with Teesside University; strengthening the ties with Local University to UK SOC. Allowing VirtualArmour to conduct advanced research and development projects which lead to cutting edge solutions that would solve real life VirtualArmour problems, enriched access to hiring and module input.
2020-Q3 Financial Summary
Revenue totaled $2.76 million for the three months ending September 30, 2020. Managed and professional services revenue totaled $1.6 million in the third quarter reflecting a 15.6% increase in managed and professional services revenue year-over-year and Product revenue increased year-over-year by 11.0% to $1,128,000.
Q3 2020 Cost of sales totaled $1.7 million, same as 2019.
Gross profit was $1.06 million for the third quarter 2020 as compared to $723,000 in 2019. The change in gross profit was due to higher margin revenues from managed services and higher utilization of professional services resources in the third quarter 2020.
Total operating expenses were $926,000 in the third quarter 2020 as compared to $1.07 million in the prior year.
Operating income was $130,000 for the third quarter 2020 compared to an operating loss of $342,000 in 2019. Net income was $185,500 or $(0.00) per share in the third quarter as compared to a net loss of $492,000 or $(0.01) per share in the prior year.
Cash totaled $16,262 at September 30, 2020, compared to $72,358 at September 30, 2019.
Management Commentary
Tianyi Lu, VirtualArmour VP Product Strategy, highlights, “We have had great results from the launch of our new Essential Core Service offerings, so we have expanded these offerings to include SOCaaS. This new offering is intended for businesses that are less complex, but still require management of their SIEM while being mindful of their budgets.”
VirtualArmour CEO, Russ Armbrust, gives an overview of market conditions, “We are seeing an increase in the market for managed and professional security services when working with new clients that are looking to out-source their IT needs.”
VirtualArmour Outlook 2020
COVID-19 pandemic has forced a rapid shift in business to a remote workforce, something most companies were not prepared to do. With employees working from home for the first time, many IT departments are overwhelmed in regard to their cybersecurity posture and the expansion of their Remote Access VPNs. While having employees work from home reduces the risk of spreading and contracting the virus, this also puts business data at risk of malicious security threats. An unprotected remote workforce increases a company’s chance of security threats and can lead to detrimental consequences for a business – some even being forced into bankruptcy. In order to protect the remote workforce and prevent data loss, businesses will need to keep a close eye on security or hire an outside Managed Security Services Provider (MSSP) to ensure their information is secure. Due to its focus and go-to market on Managed Services, VirtualArmour is better prepared operationally and strategically to address these rapidly evolving needs compared to others that may have a narrower focus on just hardware/software resale.
Due to this rapidly evolving environment, VirtualArmour’s customers have approached the Company for needed expertise on filling their ever-changing needs.Companies are laying off IT staff to cut costs which results in an increased reliance on MSPs. Customers are relying on VirtualArmour as their strategic partner to help them with not only the planning and design, but also on-going managed services post COVID. VirtualArmour is well-positioned to capitalize on this growth opportunity and continues to deepen its penetration into the healthcare, financial, retail and service provider industries. VirtualArmour has seen an uptick in professional services around SSL VPN migrations and implementations due to a shifting workforce to all remote employees. The Company’s ability to provide Network Managed Services has been emphasized due to client base having to work fully remote with a reliance on digital communications’ uptime/availability critical to their success.
In order to increase managed services gross margin and further internal operational efficiency, VirtualArmour has enhanced its roadmap for automation. Based on existing KPI’s, it is expected that the productivity of our SOC analysts will drastically increase due to automating more of their typical workload, allowing us to accomplish more with less. SOC automation will allow VirtualArmour to resolve current and future threats quickly with automated proprietary playbooks, as attackers are becoming more sophisticated in their tactics and techniques. This differentiator keeps VirtualArmour at the forefront of stopping cybersecurity threats and increasing our clients’ security postures. The SOC Automation project in conjunction with Teesside University is due to commence in early September and the expectation is that we will start to see results by the end of 2020 – setting the foundations for expansion at scale in 2021.
About VirtualArmour
VirtualArmour International is a global cybersecurity and managed services provider that delivers customized solutions to help businesses build, monitor, maintain and secure their networks.
The company maintains 24/7 client monitoring and service management with specialist teams located in its U.S. and UK-based security operation centers. Through partnerships with best-in-class technology providers, VirtualArmour delivers leading hardware and software solutions for customers that are both sophisticated and scalable, and backed by industry-leading customer service and experience. The company’s proprietary CloudCastr client portal and prevention platform provides clients with unparalleled access to real-time reporting on threat levels, breach prevention and overall network security. VirtualArmour services a wide range of clients, which include Fortune 500 companies and several industry sectors in over 30 countries across five continents. For further information, visit www.virtualarmour.com.
Supplemental Non-GAAP Financial Measures
In addition to GAAP financial measures, management uses non-GAAP financial measures to assess the company’s operational performance. It is likely that the non- GAAP financial measures used by the company will not be comparable to similar measures reported by other issuers or those used by financial analysts as their measures may have different definitions. Generally, a non-GAAP financial measure is a numerical measure of an entity’s historical or future financial performance, financial position or cash flows that is neither calculated nor recognized under GAAP. Management believes that such non-GAAP financial measures can be important as they provide users of the financial statements with a better understanding of the results of the company’s recurring operations and their related trends, while increasing transparency and clarity into its operating results. Management also believes these measures can be useful in assessing the company’s capacity to discharge its financial obligations.
Management assesses adjusted EBITDA as the net gain (loss) for the period as reported excluding depreciation and amortization, change in fair value of warrant derivative liabilities, share-based compensation and interest expense. Adjusted EBITDA is not a term recognized under GAAP and non-GAAP measures do not have standardized meaning. Accordingly, non-GAAP measures should not be considered in isolation or as a substitute for measures of performance prepared in accordance with GAAP.
The table below provides a reconciliation of net gain (loss) for the period as reported to non-GAAP adjusted EBITDA for the three months and nine months ended September 30, 2020 and 2019:
Important Cautions Regarding Forward Looking Statements
This press release may include forward-looking information within the meaning of Canadian securities legislation and U.S. securities laws. This press release includes certain forward-looking statements concerning a service contract VirtualArmour has entered into with a current client, VirtualArmour’s continued relationship with various suppliers, the future performance of our business, its operations and its financial performance and condition, as well as management’s objectives, strategies, beliefs and intentions. The forward-looking information is based on certain key expectations and assumptions made by the management of VirtualArmour. Although VirtualArmour believes that the expectations and assumptions on which such forward-looking information is based are reasonable, undue reliance should not be placed on the forward-looking information as VirtualArmour cannot provide any assurance that it will prove to be correct.
Forward-looking statements are frequently identified by such words as “may”, “will”, “plan”, “expect”, “anticipate”, “estimate”, “intend” and similar words referring to future events and results. Forward-looking statements are based on the current opinions and expectations of management. All forward-looking information is inherently uncertain and subject to a variety of assumptions, risks and uncertainties, including the success of the Company in performing the IT implementation and migration, performance under the contract by all parties, the ability of VirtualArmour to meet timelines, the continued availability of necessary hardware, the absence of any trade war or tariffs affecting VirtualArmour’s ability to perform, competitive risks and the availability of financing. These forward-looking statements are made as of the date of this press release and VirtualArmour disclaims any intent or obligation to update publicly any forward-looking information, whether as a result of new information, future events or results or otherwise, other than as required by applicable securities laws.
Three months ended
September 30
Nine months ended
September 30
Notes
2020
$
2019
$
2020
$
2019
$
Revenue
11
2,762,208
2,429,105
7,891,313
8,679,594
Cost of sales
12
(1,706,870)
(1,705,750)
(4,956,277)
(6,207,712)
Gross Profit
1,055,338
723,355
2,935,036
2,471,882
Expenses
General and administrative
12
466,727
452,492
1,466,969
1,742,458
Research and development
12
97,647
53,034
279,749
154,986
Sales and marketing
12
361,412
559,770
1,231,862
1,815,814
Total Expenses
925,786
1,065,296
2,978,580
3,713,258
Gain (Loss) from Operations
129,552
(341,941)
(43,544)
(1,241,376)
Other Income (Expenses)
Change in fair value of warrant derivative liabilities
131,485
–
20,376
–
Interest expense
(75,678)
(150,096)
(808,851)
(299,362)
Net and Comprehensive Gain (Loss) for the period
185,359
(492,037)
(832,019)
(1,540,738)
Gain (Loss) per share – basic and diluted
0.00
(0.01)
(0.01)
(0.02)
Weighted average number of shares outstanding – basic and diluted
106,508,822
63,599,447
95,546,573
63,599,447
Notes
September 30, 2020
$
December 31, 2019
$
ASSETS
Current Assets
Cash
16,262
145,268
Accounts receivable
3
1,720,878
3,776,520
Other receivables
–
47,513
Prepaid expenses
222,853
279,003
Contract assets
1,010,710
722,683
Total Current Assets
2,970,703
4,970,987
Operating lease right-of-use assets
9
19,860
88,242
Property and equipment
4
331,223
555,860
Intangible assets
5
33,648
45,519
Contract assets
139,937
542,012
Total Assets
3,495,371
6,202,620
LIABILITIES
Current Liabilities
Accounts payable and accrued liabilities
6
1,459,139
5,305,786
Factoring payable
3
501,295
377,740
Deferred revenue
11
2,699,910
1,099,387
Loans payable
7
838,536
1,206,468
Current portion of operating lease liabilities
9
22,578
100,772
Current portion of finance lease liabilities
9
27,632
138,441
Due to related parties
8
–
401,699
Total Current Liabilities
5,549,090
8,630,293
Deferred revenue
11
215,820
626,178
Loans payable
7
429,082
281,984
Warrant liabilities
571,945
–
Finance lease liabilities
9
–
12,188
Total Liabilities
6,765,937
9,550,643
STOCKHOLDERS’ DEFICIT
Common stock, no par value, 300,000,000 shares authorized Issued and outstanding: 106,508,822 (2019 – 63,599,447) shares
Identity management, as a concept, has been around for a while, although many of us are just hearing about it now. It sounds impressive, but what does it really mean, and are there steps your organization should be taking to ensure you have good identity management practices in place?
What is Identity Management?
Identity management (also called identity and access management or IAM) is just a fancy name with a high price tag that essentially covers all of the cybersecurity best practices you likely already have in place. The goal of any IAM strategy is to define and manage the roles and access privileges of all users on your network, and specify the circumstances under which users should be granted or denied privileges.
IAM Takes Cybersecurity Beyond the Workplace
While most organizations have robust cybersecurity practices already in place, the most significant shift IAM brings to the table is bringing cybersecurity out of the workplace and into the personal sphere.
As hacking and other forms of cybercrime become increasingly common, many individuals have begun to pay cybersecurity companies to protect their personal identity by monitoring their personal data for suspicious activities. Though this approach to cybersecurity builds on basic best practices already in place, this is the first time these practices have been applied to individuals in a non-workplace setting as the concept that individuals need to take cybersecurity steps to protect their personal digital assets continues to gain traction.
Identity & Access Cybersecurity Best Practices: A Brief Refresher
We have discussed cybersecurity best practices in the past. However, you should review your current cybersecurity posture frequently so you can ensure your current protocols continue to safeguard your digital assets and meet your needs.
Knowledge is Power
A lack of data can cripple even the best cybersecurity solution. Make sure your network is being monitored 24/7/365 for suspicious activity, and all activity on the network should be logged.
From an identity and access standpoint, suspicious activity may include users logging on at strange hours or from strange locations (a sign that their credentials may have been stolen by cybercriminals) or signs of credential stuffing, where cybercriminals try multiple username and password combinations in rapid succession in the hopes that one pairing will grant access.
Not Everyone Needs to Access Everything
Some areas of your network are bound to contain more sensitive systems and data than others. As such, these areas, such as financial records, should be afforded extra protection. While your network likely already has a firewall around its perimeter, you should consider installing internal firewalls around critical or sensitive systems as a second line of defense if your perimeter is breached.
The Importance of Strong Password Guidelines
Choosing a strong, hard to guess password is a simple step all users can take to improve your cybersecurity posture. To help ensure all users are choosing good passwords, you should be enforcing password best practices. NIST (the National Institute of Standards and Technology) offers comprehensive guidelines on choosing secure passwords in section 5.1.1.1 (Memorized Secret Authenticators) of their Digital Identity Guidelines document.
The Benefits of Password Managers
The best passwords are long and truly random, unlikely to be guessed by anyone in a reasonable amount of time. However, long random passwords are also a pain to memorize, encouraging users to write them down or otherwise store them insecurely, defeating their purpose.
To help ensure users are choosing strong passwords, you may want to consider using a password manager. A password manager works like a book of passwords where only the user has the master key. Passwords within the manager can be randomly generated, and many password managers will flag reused passwords so that users know the password they are using isn’t unique and needs to be updated.
The Power of MFA
Physical devices such as computers and smartphones can be stolen or lost, and passwords can be compromised, which is why many organizations and individuals are turning to MFA. MFA (multi-factor authentication, also called two-factor authentication) pairs a strong password with a second form of identification, such as a hardware element or text message confirmation.
When a user enters their username and password, the system sends them a push notification, often to their smartphone. The push is generated by the MFA app, and the user must acknowledge the push (either by clicking on a link in the message or entering a randomly generated temporary code on the login page) before they are granted access to the network.
Make Sure You Have Offboarding Procedures in Place
While many organizations invest a lot in their onboarding processes to ensure new hires are set up for success, not all organizations invest in offboarding processes. Making sure you have policies and procedures in place for revoking credentials from former employees is vital for good cybersecurity.
Former employees and cybercriminals alike may act unscrupulously and use their old credentials to gain access to the system. If cybercriminals are successful, their unauthorized access may go unnoticed for a while since the former employee is no longer monitoring their old account.
Offboarding is also a good policy to have regarding your personal data. Make sure you are completely aware of any other parties that have access to any personal accounts, including bank accounts or even your Netflix account, and know how to have their access removed should the need arise.
Consider a Zero Trust Approach
Zero Trust Security is exactly what it sounds like: Don’t trust any user until they are verified. Like current best practices, traditional cybersecurity approaches included strong perimeter security, such as firewalls. However, one of this model’s main failings was that if an unauthorized user was able to breach the perimeter, there was little to no internal security to prevent them from accessing sensitive areas of the network.
Zero Trust Security rests on the belief that trust should never be automatically granted either outside or inside a network’s perimeter. All users must verify their identity every time they try and move around the network. This way, even if the perimeter is breached, unauthorized users can be more easily contained to the network’s less sensitive areas.
Further Reading
Cybersecurity is everyone’s business, from the intern in the mailroom all the way up to the CEO, and this idea has spread beyond the workplace and into the home. To help ensure your cybersecurity posture as a business is as strong as possible, you should be:
reviewing your policies regularly
including cybersecurity in your onboarding process for new employees
offering frequent refresher training for all employees
On a personal and workplace front, you should make sure that you, your family members, and your co-workers all understand the importance of good cybersecurity and why each policy and procedure is in place.
If you could use a refresher, we have included a list of articles for your review below. If you have any questions about cybersecurity or could use some expert advice, please contact our experienced team.
Remote work has changed how many of us conduct our day to day work tasks and brought with it new cybersecurity dangers. Though social engineering has been around for decades, the shift to remote work has brought with it a resurgence in this common technique, and many organizations remain unprepared.
Social Engineering: A Brief Primer
Social engineering refers to the use of psychological manipulation to infiltrate an organization or private network at the human level, tricking unsuspecting users into revealing or providing access to sensitive information. Unlike other forms of hacking, social engineering can’t be guarded against using only technology because it exploits the human desire to help and trust easily as well as a fear of trouble or inconvenience rather than relying on technological vulnerabilities.
Social engineering typically happens over email or other forms of communication (such as the phone or text messaging) and is used to invoke fear, urgency, or similar emotions in the victim. This psychological distress causes the victim to click the malicious link, open the malicious file, or promptly reveal sensitive information. The psychological nature of this form of attack means they are difficult for organizations to prevent.
The only way to defend against social engineering attacks is to educate your employees about the dangers of social engineering, how to spot suspicious requests and steps they can take to thwart potential attacks.
How it Works
This attack can take many forms but may go something like this:
The attacker calls or emails your support desk, pretending to be an authorized user. Using this persona, they tell the help desk that they have forgotten their password or are otherwise locked out of their account and concoct a believable story to support this claim. For example, if your organization uses 2-factor authentication, they may claim they dropped their phone in the toilet, so now they can’t receive the necessary verification code.
Using this story, the attacker will convince your help desk employee to reset the target’s email address, password, or other information, thereby providing the attacker with access to the victim’s account. The attacker now has complete access to the victim’s account and may use this access to either steal sensitive information or launch subsequent social engineering attacks using the victim’s email (adding a layer of believability to future attacks).
Cybercriminals may also use social engineering to try and manipulate employees into handing over sensitive information by posing as an authority figure, such as a manager or client. Good employees want to be helpful and may be tempted to co-operate without verifying the requester’s identity first.
How Remote Work Makes Social Engineering More Effective (& Dangerous) Than Ever
Remote work has brought with it a significant reduction in the number of face to face interactions workers have with one another and with clients. While in the past, an employee could verify a suspicious request from a co-worker simply by heading over to their co-worker’s office and asking, now requests and collaboration are happening almost entirely online.
It’s significantly easier for someone to hide their identity online than in person, and as organizations continue to adjust their policies to reflect the reality of remote work, cybercriminals are taking advantage of the uncertainty around new protocols, procedures, and ways of doing things.
For example, a cybercriminal can now explain away the fact that they aren’t calling you from an official business phone number because they are working from home and have to use their home phone. Or maybe they need you to do something for them because you are one of the few workers still onsite. Or maybe they ask you to hop on a video call, but they can’t use their video because they have a “poor internet connection”, so you can’t visually verify who you are speaking to.
How to Recognize Potential Social Engineering Attacks
Be Suspicious
Be wary of unsolicited advice or help, particularly from sources you can’t immediately verify with absolute certainty. This particularly holds true if the person making the request is asking you to do something, such as click a link, download a folder, or re-set a “compromised” password. Any requests for personal information (such as a password, credit card info, or Social Security number) is likely an attack.
Do not provide any personal or sensitive information, and do not click on any links or open any files. If you have been contacted by phone, hang up and contact the company directly using a method you can independently verify (such as an email address or phone number from their website).
Don’t Be Hasty
Social engineering attacks are designed to elicit one of two reactions: total lack of suspicion (so you don’t realize you are handing over access to sensitive information) or panic and fear (to prevent you from thinking rationally). Be cautious if you receive a call from anyone claiming to be from tech support. Tech support personnel are busy enough that they aren’t likely to reach out to check if everything is going fine and instead typically wait for users to contact them with specific problems. They may pretend they are following up with you, but unless you remember putting in a request ticket or can verify that you did (by, say, checking your sent emails), don’t engage.
If the person contacting you is trying to make you act quickly, they may be trying to override your better judgment. You should also be aware of sob stories or any other stories designed to manipulate you. When in doubt, ignore the email or hang up the phone.
Always Double Check
The best thing you can do when you suspect someone has tried to social engineer you is to cross-reference the information they provide and double-check with trusted sources. If your “boss” asks you to do something that seems suspicious or out of character, pick up the phone and call them directly to verify the request before proceeding.
If someone contacts you and asks you to disclose information or perform a task, always verify that the request is legitimate before taking action.
You can’t create good policies and educate your employees on best practices if you don’t know what threats to look for. Stay up to date on the latest cybersecurity threats and pay particular attention to new phishing or social engineering scams that are making the rounds. If you don’t know what types of attacks are out there, you won’t be able to prepare your organization to defend against them.
You should also be aware of common “pretexts” social engineers may use, such as posing as an internal employee with computer problems or an external consultant hired to take a survey or perform an audit. In cases like this, employees should know to always verify with their manager before divulging any information or providing any assistance. It’s better for an employee to cause a slight delay by verifying a request then comply without question and potentially compromise your organization’s security.
Cybersecurity is everyone’s responsibility; make sure all new hires undergo rigorous cybersecurity training and that all employees, from the most junior intern to the CEO, are undergoing regular refresher cybersecurity training.
Make sure you provide employees with a clear set of guidelines on how to respond to common situations. You can’t plan for every possible scenario, but without guidelines, employees may revert to actions they perceive as helpful, causing them to reveal sensitive information inadvertently. Make sure all employees know that if they are unsure about a request or feel it might be suspicious, they should hold off on responding or taking action until they have contacted their boss or another decision-maker and verified that the request is legitimate.
You also need to ensure you are creating a company culture that values security. Telling your employees something important is one thing, but unless your company leadership is leading by example, the message won’t stick.
Keep Your Software Up to Date
Out of date software poses a lot of security threats, which is why hackers frequently use social engineering attacks to determine whether your company is running the latest version of a program or an older, un-patched version that they can exploit. Keeping your software up to date cuts off potential avenues of access to hackers, making it more difficult for them to access your systems even if they are able to sweet talk their way in.
Pause & Reflect Before Sharing
If someone asks you for personal or sensitive information, make sure you pause and reflect before answering. Ask yourself if they actually need the information they are asking for. If it seems unlikely or you aren’t sure, politely decline to provide the information. If the requester persists, escalate the request to your superior or contact your cybersecurity team before you consider responding.
While most individuals try to be helpful and friendly, employees need to understand that this great attitude needs to be tempered with restraint.
Be Stubborn
If you suspect someone is asking for information you shouldn’t release, verify the request with your manager before responding, and make sure all employees know to do the same. This pause and verify approach may cause the social engineer to back off, but if they redouble their efforts, calmly explain that you need to verify their request with your manager before complying. This can be difficult to do on the phone since most people don’t want to be rude, but in this situation, it is better to step away and verify than give in and potentially compromise your organization’s security.
Make sure employees understand that in this scenario, it is better to potentially be perceived as rude and take the time to double-check then blindly offer assistance in the name of good manners.
