Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: The cost of invoice redirection fraud to Irish businesses in 2020, the increasing value of your passwords, and a statistic that has nothing to do with cybersecurity but still blew me away.
This week’s action: Stop relying on passwords to protect your data. Yes, I know you have heard this before. But you need to listen.
- More than €10m was stolen from Irish businesses in 2020 due to invoice redirection fraud
More than €10m was stolen from Irish businesses in 2020 due to invoice redirection fraud. This figure does not include the frauds that were spotted early enough to allow the money to be recovered. “In many instances the business does not know it is a victim of this crime until sometime later when the legitimate supplier sends a reminder invoice for payment”. Invoice redirection fraud is simple, but ensuring you are not the next victim is also simple – The ‘Payments’ section of my guide to cybersecurity basics describes some simple steps you can take to reduce the risk of being the next victim of this fraud.
Read more: https://www.independent.ie/news/more-than-10m-stolen-from-irish-businesses-in-2020-through-invoice-redirection-fraud-40180162.html
- 775% increase in the use of cloud-based systems; 260% increase in attacks trying to get your password for these systems
In the last 12 months, there has been a 775% increase in US businesses using cloud-based systems (e.g. Microsoft 365 / Google email; web-based CRM systems). This is according to a report released by the US Chamber of Commerce. Systems that were once installed in a company’s physical office, locked behind security firewalls and only accessible to authorised people using authorised devices are now potentially accessible to any person using any device from any location. It’s Christmas every day for the bad guys. They know that there are probably only two things between them and your valuable data – Your email address (which they already know) and your password (which they can find out by fooling you with a well-designed phishing email). Enable Two Factor Authentication (2FA) / Multi-Factor Authentication (MFA) if these are available. Find an alternative solution if they are not. An internet-accessible system that stores valuable data but only requires a password is no longer fit-for-purpose.
Read more: https://www.uschamber.com/cybersecurity-covid/assets/BINK_USChamber_CyberRisk_Covid_V1.pdf (mentioned at https://businessinsights.bitdefender.com/remote-work-long-term-impact-risk)
- Read this if your business uses Microsoft Exchange Server
Many businesses have moved to cloud-based email solutions – For example, Microsoft Office365 or Google WorkSpace / Gmail. But if your business has not yet moved to the cloud, check if your email system depends on Microsoft Exchange Server. If it does, make sure someone has taken action to deal with a very serious security problem that has emerged in recent weeks and caused hundreds of thousands of businesses to be hacked.
Read more: To identify whether you have been a victim and how to resolve the issue, refer to Microsoft’s guidance. If you want a detailed timeline of the attack, check out KrebsOnSecurity.
- 61%: The percentage of malware delivered using cloud applications [Warning: This comes from a report by a cloud security vendor so take it with a pinch of salt]. In plain English, the report suggests that when a cyber-criminal uses a phishing email to try to fool one of your staff members into downloading malware (e.g. ransomware), the email is unlikely to contain an attachment. It is more likely to contain a link to a file that is stored on the internet. If the user clicks the link, the file will be downloaded, and this file will run the malware.
(reference: https://www.netskope.com/netskope-threat-labs/cloud-threat-report, via https://securethevillage.org )
- One in six: A statistic that is unrelated to cybersecurity. It’s far more important than that. One in six of us will have a mental health disorder this year, according to psychiatrist Jim Lucey (former medical director of St Patrick’s University Hospital in Ireland). He believes at least one member of every family is in mental distress at this very moment. If it’s not you, it’s someone close to you. Be careful out there.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Stop relying on passwords: This week’s recommended action was going to be something else entirely. After all, ‘passwords’ was the action a few weeks ago and you already know that passwords are a problem. But I can’t say this enough – If the only thing between you and your valuable information is a password, and a cyber-attacker figures out that password (e.g. by fooling a staff member with a well-written phishing email), you are going to have a significant data breach that will be expensive and could shut your business down. In 2021, you are winging it if you are storing valuable information in an internet-accessible system that only requires a username and password to log in. If you want to learn why passwords are a problem, read about password thefts in the ‘Real Risks’ section of my cybersecurity guide. If you want to learn more about how to address this, take a look at the ‘Reducing Impact’ section of my guide to the basics.