The Top Cybersecurity Threats Of 2016: An Overview For Board Meetings
Boards today have a vested interest in the cybersecurity posture of their companies. Because of this, board members are increasingly interested in being briefed on top cybersecurity threats and understanding the countermeasures that should be taken to avoid them.
Below, we’ve detailed two of 2016’s biggest threats—ransomware and targeted spear phishing attacks—with details your board will be interested in hearing.
Ransomware
This quarter, the FBI issued a guidance post and a podcast on this threat. The bureau noted that there has been a recent increase in reported instances of ransomware and warned against paying ransoms. Lately, we’ve seen several reports of hospitals being targeted by ransomware. Take these two cases, for example:
1. Hollywood Presbyterian Medical Center
On February 5, 2016, a hacker used CryptoLocker software to hijack the hospital’s network and demanded a ransom of 40 bitcoin in exchange for access to the hospital’s files. At the time, this was equivalent to about $17,000. The hospital purportedly paid the ransom before reaching out to law enforcement, which is contrary to FBI advice.
2. Lansing, Michigan, Board Of Water & Light (BWL)
Just this week, the Lansing BWL was the victim of a ransomware breach. An employee opened a malicious email attachment, which then encrypted files on BWL’s file servers. It is unclear whether a ransom was demanded, but it has all the other indications of a ransomware breach.
What should boards keep in mind about ransomware?
Oftentimes the dollar amount demanded by ransomware attackers is relatively small, especially for a large organization. What is harder to deal with is the loss of productivity. In the case of a hospital, the time lost when staff are forced back to paper and pencil to document and process health records is a serious problem.
There are a few pieces of advice that are important to keep in mind when it comes to ransomware:
- Back up files regularly. Not only should your files be regularly backed up, but they should also be stored somewhere that isn’t directly accessible from your desktop system. If you are hit by a ransomware attack and your backups are current, you’ll have a copy of your files and likely will not have to pay the ransom.
- Stay up on patching. Hackers will try to exploit some kind of vulnerability—or even multiple vulnerabilities—which makes your patching cadence important.
- Make sure your company network is segmented. If you are hit with a ransomware attack and it starts to infect the network, it’s best if the attack is only able to hit a segment of the network and not the entire infrastructure.
Targeted Spear Phishing Attacks
Ransomware is definitely hot in security news right now, but another thing we’re seeing pop up quite a bit is targeted, sophisticated spear phishing attacks.
Phishing attacks have changed substantially over the years and are far more targeted than they once were. Hackers today will often use the names of administrators or C-level executives to give their emails the gravitas they need. These spoofed emails are then used to request, say, W-2 information or a bank transfer, which the attacker can then exploit for fraud.
Several schools have fallen victim to spear phishing attacks so far in 2016:
1. Kentucky State University
KSU experienced a phishing attack in late March 2016, when an attacker spoofed the email address of a senior administrator and was able to obtain “KSU W-2s for 2015 and University identification information.”
2. Tidewater Community College
Also in March 2016, an employee of Tidewater Community College in Norfolk, Virginia, was sent a request for information from a spoofed employee email address, which resulted in the compromise of tax information of 3,000 school employees. The information compromised included “names, Social Security numbers, 2015 earnings, withholding and deduction information.”
What should boards keep in mind about spear phishing attacks?
- Train employees to be skeptical. User awareness training should be mandatory so employees are skeptical of what they’re sent and diligent about following up on potential threats through the proper channels. This training can cover myriad topics, but should certainly cover the following:
  - Employees should never rely on a single email to take some kind of action or give up information.
  - Attachments in suspicious emails should not be opened.
  - Links in suspicious emails should never be opened. Even emails to view banking or credit card statements can be altered slightly to the hackers’ advantage—so it’s best to log in to see information through the typical portals.
- Consider employing email authentication technologies. There are technologies, such as Open SPF, DKIM, and DNSSEC, that any organization with a website should consider using to limit the possibility of its domain being used for a phishing scam. These are not a panacea against spear phishing: they won’t stop you from being the target of a spear phishing attack, but they will reduce the likelihood of your domain being used in one.
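To make concrete what SPF contributes to the email authentication advice above, here is an added example (not code from the original post): a simplified SPF evaluator that, given a constructed DNS zone, reports whether a sending IP address is authorized to send mail for a domain. The domain names and addresses are constructed placeholders, and only the ip4, ip6, include and all mechanisms are modeled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domains and addresses are hypothetical placeholders, not real infrastructure.
FAKE_DNS_TXT = {
    "example-university.edu": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefix -> evaluation result
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed zone, or None."""
    record = FAKE_DNS_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against sender_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror'. Simplified: handles ip4, ip6, include and all; mechanisms not
    modeled here (a, mx, ptr, exists, redirect=) yield 'permerror' so the
    simplification is visible rather than silently ignored.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = "+", term
        if term[0] in RESULT:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            # membership test is False across IP versions, so mixed records are safe
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "include":
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term present
```

A receiving mail server would run this check against the envelope sender's domain; a message claiming to come from the university but sent from an address outside the published ranges evaluates to fail and can be rejected or quarantined.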
In Summary
The commonality between ransomware and targeted spear phishing attacks is the end user. Both threats are typically the result of some kind of user action. So while it may seem (particularly from the examples above) that users are a weak point, they’re also an important point of strength. If your employees—your last line of defense against these types of cybersecurity threats—are well-trained on detection, you will have a strong overall cybersecurity system.