Reports / Surveys
Global data breach costs will exceed $5 trillion by 2024
Data breaches will cause organizations around the world to lose a total of $3 trillion this year, a recent study by Juniper Research predicts. In the coming years, global data breach costs are projected to grow by an average of 11% annually, exceeding $5 trillion by 2024. The researchers expect artificial intelligence (AI) to transform cybercrime campaigns, making attacks harder to defend against, while organizations invest more in cybersecurity awareness training to mitigate social engineering attacks.
AIG cyber claims
Business email compromise (BEC) scams replaced ransomware as the leading driver of cyber insurance claims last year, a new AIG report [PDF] shows. BEC scams accounted for 23% of cyber claims, followed by ransomware (18%), data breaches caused by threat actors (14%) and data breaches caused by negligent staff members (14%). Other incidents resulting in a significant number of claims were impersonation fraud (8%), malware (6%), system failure, including outages (5%), physical loss or theft (5%) and cyber extortion (3%). The study predicts that ransomware-related claims will increase this year due to the rise of targeted campaigns.
Ransomware surges by 118%
Ransomware campaigns rose by 118% in the first three months of this year, according to new research [PDF] by McAfee. There was also a general uptick in targeted attacks, with those leveraging PowerShell increasing by a staggering 460%. Targeted attacks mostly relied on spear phishing to give attackers initial access (68%), and they usually required user interaction (77%).
Targeted phishing hits SMBs but they’re not fighting back
In the past 12 months, phishing attempts impersonating employees targeted 43% of small to mid-sized businesses (SMBs), and two-thirds (66%) of those targeted suffered a breach as a result, a new CybSafe survey indicates. The report, based on UK firms, found that despite these alarming numbers, just 47% of SMBs have implemented a program covering cybersecurity training and awareness. The CEO of CybSafe, Oz Alashe, said SMBs aren’t doing enough to address the severe threat of personalized phishing attacks. Most firms that do anything at all merely work toward compliance without “demonstrably reducing their human cyber risk.”
Chinese cyber campaign targeted iOS, Android and Windows devices for two years
Researchers with Google have uncovered a two-year-long campaign targeting iOS users via malicious websites designed to exploit devices through five exploit chains covering a total of 14 vulnerabilities, including several previously undisclosed (zero-day) flaws. Subsequent reports by TechCrunch and Forbes found that the campaign was part of the Chinese government’s crackdown on the predominantly Muslim Uyghur community in the country's Xinjiang region. According to Forbes, the malicious websites also targeted Android and Windows devices.
Ransomware campaign targets hundreds of dentist offices
A recent ransomware campaign impacted hundreds of US dental practice offices that use DDS Safe, a backup solution for medical records. By compromising the DDS Safe infrastructure, threat actors were able to infect the networks of dental practices with REvil (aka Sodinokibi) ransomware. The two firms behind DDS Safe chose to pay the ransom and subsequently shared the decryptor with impacted dental practices. Over a week after the attack, at least 20% of affected offices were still not operational [PDF].
What You Can Do
One of the biggest issues many firms have is that they prioritize meeting compliance requirements over security best practices. As several security researchers and organizations have noted, compliance does not equate to security: many organizations that get compromised were compliant at the time. Organizations should therefore ensure they also follow security best practices by developing and maintaining security baselines within the organization.
Regarding phishing, organizations should consider implementing games that reward employees for detecting phishing attempts and other security threats within the organization. One method that proved very effective for an organization we recently visited was to reward employees for discovering unlocked workstations. This is more effective because employees improve their habits on a daily basis, rather than only when the user awareness training quiz is issued.
Freaky Infosec Fact of the Week
Hackers can scam companies by using AI voice technology to imitate executives
A UK subsidiary was recently scammed out of $243,000 by threat actors who called its CEO using an AI-generated voice that mimicked the CEO of the parent company.
About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io.