This is a listing of my posts on cybersecurity (and privacy) to the Kelowna (Tech) and/or Built in Kamloops Slack workspaces, starting June 2021, when I started keeping track of my posts. My posts to these two workspaces are headed with "Cybersecurity tip of the week (or so)". I'm logging my posts here because all posts disappear very quickly in Slack free workspaces.
A great article on the 2022 TELUS Canadian Ransomware Study. Juicy tidbits:
- 83% of Canadian businesses reported attempted ransomware attacks and 67% have experienced one.
- The average ransom paid by Canadian organizations is $140,000. However, the real cost of a ransomware breach can be much higher.
- "The data shows that while the ransom payment often gets a lot of attention, it accounts for only 16% of the direct costs of an attack. The total costs can exceed $1 million, which includes downtime for the company, the cost of mitigation and recovery, and regulatory fines."
- Of those [organizations] that paid the ransom, only 42% told the TELUS survey that they had their data fully restored.
If your org hasn't standardized on a password manager, hasn't issued it to all employees, and/or hasn't required its proper use (and the proper use of credentials) in the org's information security policy(ies), you absolutely should.
Here is a good article explaining why and how. (And BitWarden is widely regarded as an excellent choice for a password manager.)
This month's tip is actually an event: a free talk I'm doing at ORL Kelowna downtown at lunch time on November 9 (this Wednesday).
ORL's event page: Cybersecurity Essentials for Small Businesses and Professionals, https://orl.evanced.info/signup/EventDetails?EventId=67626
It's a dangerous (cyber) world! Join cybersecurity consultant Garland Sharratt for an hour-long lunchtime talk covering the most common security threats faced by businesses and how to protect against them.
Among the mitigation topics covered will be passwords, two-factor authentication, email and cellular, cloud services, websites, remote work, devices, user awareness, training, and finally, considerations for larger organizations.
October is Cybersecurity Awareness Month! Phishing is one of the top risks for most small and medium businesses, and the GOC has a page with resources on fighting it: October is Cyber Security Awareness Month in Canada - Get Cyber Safe
This is probably because, as has been shown many times, most people think they are of above-average intelligence (which cannot be true of a majority).
If your employees fit the description in this article, despite the high level of cybersecurity risk today, you'll have to work hard to ensure they are properly trained in security awareness, e.g., how to detect phishing and other attacks. And as a manager/owner you need to make sure you give your employees the right tools, such as a password manager (e.g., Bitwarden, 1Password, LastPass) and, at a minimum, a TOTP 2FA authenticator app like Authy.
Or maybe there's no need to worry at all: "almost half [of business owners] said they were not concerned because they think their company isn’t an attractive threat to cyber criminals." Don't believe it!
If a security-minded organization like Twilio (you might know them for their excellent Authy 2FA authenticator) can be breached by phishing, your organization can be too. Make sure your employee security awareness training program is very strong. A slide deck or video once a year is not enough.
According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees to hand over their credentials, which allowed access to the company’s internal systems. It
The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.
Twilio said that the attackers sent these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal apps.
Privacy and security are quite related, but unlike security, privacy is a legal requirement. So it pays to pay attention to privacy compliance and privacy incident response. This article (by a vendor) has a nice checklist that all organizations should consider:
Today is World Password Day!
- It's a reminder that all your passwords (except for a few exceptions like device passwords/PINs) should be strong: random, long (a minimum of ~15 characters, but why not choose 30), and unique (i.e., no password ever used for more than one account). This may sound hard to do, but it's easy with a password manager (e.g., BitWarden, 1Password, LastPass).
- To go along with strong passwords you should enable two-factor authentication (2FA) on all your accounts that support it. For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if there is no other type available.
- If you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.
- For larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.
The Office of the Chief Information Officer (OCIO) of the Province of British Columbia publishes a nice weekly Security News Digest. It's a quick read and a great way to learn more about cybersecurity and the threats facing BC businesses.
You can use this link to subscribe: mailto:OCIOSecurity@gov.bc.ca?subject=Security%20News%20Digest%20Subscription%20Request
- "A quarter of Canadian businesses say they have already been the victim of a cyber attack in 2021"
- "more than half (56 per cent) of Canadian organizations targeted by malware have paid the money demanded by cybercriminals"
- "surprised that only 40 per cent of respondents plan to train their employees in [prevention]"
Good cybersecurity hygiene measures would prevent most cybersecurity attacks.
If you have a mobile phone and use SMS (text messaging) for authentication or two-factor authentication (2FA) -- and everyone does -- I recommend this great article on SIM swapping attacks.
I'll add these protections you should implement that are not mentioned in the article:
1. Put a strong, unique password on your cellular account login. (The article mentions "variation of unique passwords" but that's not secure.)
2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.
3. Put a PIN on your phone's SIM card. (You do this from your phone. This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping. The effect of a stolen phone is essentially the same as that of SIM swapping: your accounts that use SMS for authentication can get taken over.)
4. As for all passwords/PINs you have, make sure you store the three passwords/PINs above in your cloud-based password manager, and make sure you can access your password manager from all of your devices.
This is actually a request, not a tip like usual. Over the last three years I've been doing lots of talks about cybersecurity and information security, almost one every two months -- and it's time for another one.
So if you're an SMB, my request is: What would you like to learn about? I often speak about the basics such as passwords, password managers, two-factor authentication, data backups, device hardening, and user awareness. But maybe there's something more advanced that you'd like to hear about?
If so, please DM me here.
This Security Planning tool from Consumer Reports is a great way to easily work on improving your cybersecurity over time:
If you're looking for a Xmas gift to help friends and family with cybersecurity:
There's a 50%-off link in the article for 1Password Families. 1Password is probably the best password manager on the planet, and it's Canadian.
This is a good high-level view (and a quick read) of how to secure your business:
1. Understand the cyber threat landscape of your business
2. Conduct a comprehensive risk assessment -- and implied is: implement mitigations for the highest risks
3. Train employees to detect potential threats
4. Evaluate and test cyber incident response plan
This is a great article that applies to any password manager (PM). If you've implemented a password manager for you or your org, there is more to do! Here are some additional suggestions that build on the article:
- Treat as a crown jewel the email account that owns your PM account and all your other cloud accounts. If baddies can take over that account, they can take over almost all your accounts by doing password resets.
- You have to properly use a PM to get the value: it's not enough to just have a PM account and store your logins in it. For starters, for your important accounts, change their passwords to long random strings, and use the PM to autofill your credentials into web login pages; because the PM only offers a login on the site it was saved for, it will stay silent on a lookalike phishing domain, which makes you very resistant to phishing.
- Two-factor authentication (2FA) is critical for your important accounts, including your PM and email accounts. Authy is an excellent 2FA authenticator app/service.
- Backing up your vault is a great idea, but be aware that if you're on a Windows PC, your main drive is not encrypted unless you have enabled BitLocker (or the Device Encryption found on Microsoft Surface-type devices); so you'll need to store your PM vault export somewhere else.
If you or your org haven't yet implemented a PM, it's usually the very first thing to do (along with 2FA) to improve your cybersecurity. Three excellent PMs to consider are BitWarden, 1Password, and LastPass. Check out their business tiers if your org is multi-person.
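The anti-phishing value of autofill comes entirely from the matching rule the PM applies before it offers a saved login. Here is an added example (not from the original post or from any particular PM) of that rule in Python, run against a constructed vault and a few constructed phishing URLs of the kind used in the Twilio attack above. The small multi-label suffix set stands in for the Public Suffix List that real PMs ship, and the two match modes ("base_domain", the usual default, and "host") are named here for illustration.

```python
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List (assumption: a real PM uses the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "on.ca", "bc.ca"}

# Constructed sample vault; passwords are placeholders.
VAULT = [
    {"name": "Okta SSO", "url": "https://example.okta.com/login", "username": "alice"},
    {"name": "Bank", "url": "https://www.examplebank.ca/signin", "username": "alice"},
]


def registrable_domain(host: str) -> str:
    """Return the 'base domain' a PM compares on (example.okta.com -> okta.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def entries_for_page(vault, page_url: str, mode: str = "base_domain"):
    """Names of vault entries a PM would offer to fill on page_url, or [] if none qualify."""
    page = urlsplit(page_url)
    host = (page.hostname or "").lower()
    if page.scheme != "https" or not host:
        return []                       # never hand a password to a plaintext or malformed page
    offered = []
    for entry in vault:
        saved = (urlsplit(entry["url"]).hostname or "").lower()
        if mode == "host":
            match = host == saved
        else:                           # "base_domain": what most PMs do by default
            match = registrable_domain(host) == registrable_domain(saved)
        if match:
            offered.append(entry["name"])
    return offered


if __name__ == "__main__":
    # Constructed URLs modelled on the smishing pattern: a spoofed page that looks like the SSO host.
    for url in [
        "https://example.okta.com/login",            # the real page
        "https://example-okta.com/login",            # lookalike registrable domain
        "https://example.okta.com.evil.net/login",   # real host used as a subdomain of evil.net
        "https://evil.net/example.okta.com/login",   # real host hidden in the path
        "http://example.okta.com/login",             # downgrade to plaintext
        "https://attacker.okta.com/login",           # another tenant on a shared base domain
    ]:
        print(f"{url:45} -> {entries_for_page(VAULT, url)}")
```

The last URL shows the one weak spot of base-domain matching: on a shared platform domain a PM will happily fill into another tenant's page, which is why PMs let you set stricter "host" matching for such sites. A human reading the SMS in the Twilio incident had to spot the lookalike by eye; the matcher above simply never offers anything.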
Information security tip of the month (or so):
For many organizations the plague has resulted in employees joining and leaving more frequently. This article is a good reminder that departing employees can be a security risk and tells you how to reduce the risk.
A good overview of the security risks when employees leave the organization, especially when the offboarding process is weak:
If you think that ransomware is just about malicious data encryption in place and that you can mitigate a ransomware attack by backing up your data, think again:
Criminals now typically use as many as four different techniques to squeeze victims into paying the ransom.
2. Release of data…
3. Denial of service attacks…
4. Harassment… the attackers contact customers, business partners, employees and news media to alert them to the attack, thus embarrassing the victim.
If ransomware worries you, and it probably should, this is a nice list of actions to take. It's aimed at critical infrastructure providers, but the Short-Term list applies well to any business.
One thing missing is security awareness training for all employees, execs, directors, etc. I'd put this close to the top.
You’ve likely heard that passwords need to be strong and unique across your accounts, but you may not fully understand why. This excellent post will tell you everything you need to know.
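As an added illustration (not part of the original post or the linked article) of why length and randomness matter, here is a Python generator that builds passwords the way a password manager does, from the OS CSPRNG via the `secrets` module rather than `random`, together with an entropy calculation and a rough time-to-exhaust estimate. The 10^10 guesses per second figure is an assumption standing in for an offline attack on a fast, unsalted hash; the point is the ratio between the rows, not the absolute numbers.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length: int = 30, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never the `random` module."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at the assumed rate (expected time to hit is half this)."""
    return (2 ** bits) / guesses_per_second / (3600 * 24 * 365)


def find_reused(vault: dict) -> set:
    """Given {account: password}, return passwords used for more than one account."""
    seen, reused = {}, set()
    for account, pw in vault.items():
        if pw in seen:
            reused.add(pw)
        seen[pw] = account
    return reused


if __name__ == "__main__":
    print(f"{'scheme':34} {'bits':>6} {'years to exhaust':>18}")
    for label, length, size in [
        ("8 lowercase letters", 8, 26),
        ("10 mixed letters+digits", 10, 62),
        ("15 random printable", 15, 94),
        ("30 random printable", 30, 94),
    ]:
        bits = entropy_bits(length, size)
        print(f"{label:34} {bits:6.1f} {years_to_exhaust(bits):18.3g}")
    print("example 30-char password:", generate_password(30))
    # Constructed vault showing the reuse check
    print("reused:", find_reused({"email": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "slack": "x9!Qv"}))
```

Fifteen random printable characters already put exhaustive guessing beyond any realistic budget, which is why the post says ~15 is the minimum and 30 costs nothing extra when the PM is typing it. The reuse check is the other half of the rule: a unique password that is also used elsewhere is only as safe as the weakest site that stores it.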