Categories
Cyber Security

Nation-State Cybercrime is affecting businesses of all sizes.

April 2022


Is your Business at Risk of Nation-State Trouble?


Today’s nation-state cybercriminals are going beyond traditional espionage, expanding their scope of work to include disabling infrastructure, disrupting supply chains, industrial sabotage, misinformation and extortion – and 90% of them regularly attack businesses in the private sector, like companies that provide goods and services or financial institutions.


Nation-State Danger is Escalating 


Nation-state cyber threats are something that businesses in every sector will have to be prepared to deal with long term. As the world becomes increasingly interconnected and cloud-driven, cybercriminals will have more reason and more opportunity to strike targets that fall well outside their prior theatres of operation. The bad guys are getting better at pulling off successful operations as well. Russian nation-state actors are increasingly effective, jumping from a 21% successful compromise rate in 2020 to a 32% rate in 2021 – and every increase in that percentage is a loss for public and private sector businesses around the world.

Experts around the world have asserted for years that modern wars will carry a heavy component of cyberattack and hacking activity, and they were right. Nation-state threat actors are targeting infrastructure components using malware and ransomware in the Russia/Ukraine conflict. CISA cautions that attacks and damage from the cyberwar component of this conflict may spread beyond Ukraine, saying in an advisory: “Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organisations, may impact businesses both within and beyond the region.” 

The NCSC (National Cyber Security Centre) recently released a number of advisories warning UK businesses of the cyberattack danger presented by nation-state threat actors in light of the current Russia-Ukraine conflict. Newspapers in the UK reported similar warnings. Russia is the force behind 58% of nation-state attacks.


Common Nation-State Cybercrime Terms


Microsoft defines nation-state cybercrime as malicious cyberattacks that originate from a particular country to further that country’s interests. It’s a complex subject that is full of twists and turns, and just like any other field, it also has some very specific terminology. 

Nation-State Threat Actor – Nation-state threat actors are people or groups who use their technology skills to facilitate hacking, sabotage, theft, misinformation and other operations on behalf of a country. They may be part of an official state apparatus, members of a cybercrime outfit that are aligned with or contracted by a government or freelancers hired for a specific nationalist operation. 

Advanced Persistent Threat (APT) – These are nationalist cybercrime outfits with sophisticated levels of expertise and significant resources that work to achieve the goals of the government that supports them, undertaking defined operations with specific goals that forward the objectives of their country.   

Infrastructure Attack – When nation-state actors conduct an infrastructure attack, they’re attempting to damage one of their country’s adversaries by disrupting critical services like power, water, transportation, internet access, medical care and other essential requirements for daily life. Infrastructure attacks are a major component of modern spycraft and warfare.  


Common Tactics Used by Nation-State Groups 


Nation-state threat actors will use a wide variety of means to accomplish their goals, but these are some of their go-to attacks to use against both public and private sector targets. There was a 100% rise in significant nation-state incidents between 2017-2021. 

Phishing Attack – A technique for attempting to persuade the victim to take an action that gives the cybercriminal something they want, like a password, or that accomplishes the cybercriminal’s objective, like infecting a system with ransomware, through a fraudulent solicitation in email or on a website.

Distributed Denial of Service (DDoS) Attack – Distributed Denial of Service attacks are used to render technology-dependent resources unavailable by flooding their servers or systems with an unmanageable amount of web traffic. This type of attack may be used against a wide variety of targets like banks, communications networks, media outlets or any other businesses that rely on network resources.  

Malware Attack – Malware is short for “malicious software.” It is commonly used as a catch-all term for any type of software designed to harm or exploit any programmable device, service or network. Malware includes trojans, payment skimmers, viruses and worms.

Ransomware Attack – Ransomware is the favoured tool of nation-state cybercriminals. This flexible form of malware is designed to encrypt files, lock up devices and steal data. Ransomware can be used to disrupt production lines, steal data, facilitate extortion, commit sabotage and serve a variety of other nefarious purposes. Ransomware attacks are highly effective and can be used against any business.

Backdoor Attack – Nation-state threat actors will often intrude into a business’s systems and establish a foothold called a backdoor that allows them to return easily in the future. It could be months or years before they use it. This also affords them the opportunity to unobtrusively monitor communications, copy data and find vulnerabilities that enable further attacks.


How Can You Protect Your Company from Nation-State Trouble?  


These tips can help businesses steer clear of a nation-state cyberattack. 

  • Bolster security awareness training. When employees know what to look for, the companies that employ them have 70% fewer security incidents.   
  • Invest in strong email security. The most likely way for your company to encounter nation-state threats is through a phishing email. 
  • Teach employees to spot and stop phishing. Malicious messages can carry ransomware (the top weapon of nation-state cybercriminals) and training improves phishing awareness by 40%. 
  • Patch and update all software and hardware. Nation-state threat actors love to capitalize on vulnerabilities and are experts at leveraging zero-day exploits. 
  • Adopt a zero-trust security model – Add two-factor authentication to all accounts to secure employee credentials, the cornerstone of zero-trust security, and reduce password-based intrusions by 99% 
  • Be on guard for credential compromise – An estimated 60% of passwords that appear in more than one breach are recycled or reused, and therefore easily obtained by APTs from the dark web. 

We Can Help #MSnetUK


Ukraine Charity Phishing Scams Are Hitting Employee Inboxes

In times of trouble, it’s heart-warming to see people band together to help other people who are suffering, a welcome reminder that there’s more good in this world than we may sometimes think. But for every group of people trying to make a difference by doing good deeds, there’s another group of people doing bad deeds, and the only thing they want to make a difference in is your wallet – and if they can perpetrate some profitable cybercrime at the same time, they won’t hesitate to capitalise on the opportunity, which has resulted in a host of fresh Ukraine charity phishing scams.

It’s unfortunate that tragedies like Russia’s invasion of Ukraine can lead to increase in cybercrime like phishing, but it is the sad truth. Scammers started working on fleecing sympathetic people right away, just like they do whenever there’s a crisis. Russian cybercriminals got right to work too.

Phishing attacks from Russia-based sources have boomed, increasing eight-fold since their attack on Ukraine began. Suspected Russian threat actors also used a stolen legitimate Ukrainian military email address to phish EU personnel working on the scene in Ukraine. Bad actors know that tumultuous times are golden opportunities for social engineering with loads of victims ripe for the picking. With people already unsettled, the bad guys just have to push a little bit to put their victims where they want them.

This was evident from the start of the COVID-19 pandemic, as COVID-19 themed phishing scams bombarded inboxes using fake COVID-19 tracking maps, spoofed government notices, bogus company policy updates and other scams to phish for credentials and spread malware like ransomware. Another major wave of scams hit with the Omicron variant, with email phishing abounding using even more ghoulish lures like spurious layoff or termination announcements, malicious exposure notices and even false information about funeral expense assistance.

Now the bad guys are back at it, and a Ukraine charity phishing scam is sure to be popping up in an inbox near you soon. Make no mistake – scams like these are just as much of a risk to businesses as they are to consumers. With the lines between work and personal devices becoming more invisible every day, chances are high that employees are using work devices for personal business like charitable donations. Plus, with millions around the world still working from home, cybercriminals will be quick to exploit the fact that remote workers are more susceptible to phishing than office workers. Altogether, this is the perfect opportunity for cybercriminals to do a little phishing.

Please don’t let the fact that there are bad actors exploiting this tragedy put you off from helping the millions of Ukrainian victims of Russian aggression. The US Federal Trade Commission (FTC) has guidance available for spotting fake charities.


Fake Email & Website Phishing

There are a host of scams in action doing some old-fashioned email phishing, clever spoofing and malware distribution that are risky for both individuals and businesses. Here are a few Ukraine charity phishing scams to be on the lookout for to avoid ending up on their hooks.

  • Approach emails asking for help for very specific population segments or causes, like orphaned children or homeless pets with extreme caution. While most are generic (everyone wants to help kittens and kids), some of these are tailored spear-phishing efforts. It’s not hard for bad actors to find out what their target is interested in from their social media accounts to up the chance that they’ll successfully snatch the recipient’s credentials.
  • Of course, beware of malicious attachments purporting to share things like war photos, maps, and in one scam, information about companies that are still doing business in Russia. Of course, the only thing these attachments have to offer is malware including ransomware.
  • Be on the alert for sophisticated emails loaded with legitimate-looking formatting, like the Ukrainian flag and fancy logos, that are supposedly from humanitarian organisations; fake UNICEF and UNHCR messages abound.
  • Analysts warn of a scheme that uses a Microsoft sign-in theme. In the bogus email, users are warned that there have been unauthorized log in attempts on the recipient’s account, and the location of those attempts was listed as “Russia/Moscow”. The user is urged to update their login info, giving the bad guys their credentials.
  • Another Ukraine email phishing scam discovered in the wild targets organizations in the manufacturing sector for malware using a .zip attachment named “REQ Supplier Survey”. The attackers ask recipients to fill out a survey concerning their backup plans in response to the war in Ukraine. When the target proceeds to open the attached survey, the malicious payload is downloaded and deployed from a Discord link immediately. This attack aims to infect recipients with two well-known remote access Trojans – Agent Tesla and Remcos.
  • Fake charity websites are popping up, too. MSN reported that researchers had discovered a handful of sites decked out in trappings like Ukraine’s colours and war or refugee images that solicit donations but are actually scams. Sites like these often host ransomware.

Improve your Business IT Security

3 Ways to Improve Business IT Security


Computers, devices and the internet are woven into the fabric of our daily lives, making it easy for us to forget that online interactions and email messages aren’t always benign.

The unfortunate results of a barrage of cyberattacks in the past year alone has clearly demonstrated that cybercriminals are putting in work to expand their operations. In fact, recent cyberattacks have illustrated just how many aspects of our daily lives are impacted by cybersecurity from shopping to seeing the doctor.

Protecting your business from cyberattacks may seem like a daunting prospect – in an IBM blog post, 25% of SME business owners said that they didn’t even know where to start with cybersecurity. However, no one has extra budget these days – a third of those SME IT decision-makers pointed to a lack of budget or resources as their biggest blocker to cybersecurity success. But businesses don’t have to blow their budgets to make security improvements.

These three tips can help every business be Cybersmart and stand tall in the face of surging cybercrime for less.

1. Build Better Passwords

The first action that businesses can take doesn’t cost a penny: improve password security.

Cybercriminals know that the easiest, fastest way for them to gain entry to your systems and data is with a legitimate password and they’re doing everything possible to snag one – the more privileged that password is, the better. That’s why it’s paramount that you establish and enforce strict rules about generating passwords in your business. The Verizon/Ponemon Institute Data Breach Investigations Report 2021 revealed that bad, cracked, stolen and recycled passwords were the biggest data breach menace that businesses of every size face. More than 60% of the businesses that they analysed had suffered a cyberattack that began with a compromised credential and ended in a data breach.

3 Fast Facts About Password Danger

  • Credentials were the top type of information stolen in data breaches worldwide in 2020.
  • About 60% of passwords that appeared in more than one breach in 2020 were recycled or reused.
  • An estimated 65% of employees use the same password across multiple work and home applications.

It’s not hard for cybercriminals to find a company’s legitimate passwords through password cracking software or even just outright guessing. How does that work? People love to talk about themselves and their interests online. Does your LinkedIn profile talk about how devoted you are to your favourite football team? Is your Facebook full of Baby Yoda memes? Do you share makeup tips from Instagram influencers every day? All of these things give cybercriminals clues that help them figure out your password.

Simple, common, recycled passwords make a cybercriminal’s job easy if they’re using password cracking or credential stuffing too. Why? Based on an analysis of the data that was collected in 2020, an overwhelming majority of passwords fit into one of 20 common categories. That fact allows cybercriminals to use huge lists of passwords stolen in earlier breaches to conduct future cybercrime operations.

Almost 60% of employees use a person’s name or family birthday in their passwords, 33% include a pet’s name and 22% use their own name. On top of that, 49% of users will only change one letter or digit in one of their preferred passwords when required to make a new password. Don’t make it that easy for the bad guys.  

Password Dos & Don’ts

  • Don’t reuse or recycle a password anywhere for any reason.
  • Do build strong, unique passwords for every online account.
  • Don’t make passwords that fall into a common category.
  • Do make sure your password isn’t easy to guess.
  • Do consider using a password manager to maintain your list of unique passwords.
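The password dos and don’ts above are easiest to enforce at the point where a user sets a new password. The following is an added Python example (not MSnet’s code and not from the original post) showing the server-side checks a practitioner would build for the pitfalls described here: a new password that is only a one-character edit of the old one, a password containing a name or significant year taken from the user’s profile, a hit against a breached-password list, and a minimum length. The breached set, the 12-character minimum and the `UserProfile` shape are assumptions for illustration; in production the breach lookup would go to a real breach-checking service.

```python
"""Server-side checks for the password pitfalls described above: minor edits of
an old password, personal names and years, breach-list hits and short length.
Added example with an assumed policy; the breach set below is constructed."""
from dataclasses import dataclass

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would query a breach service rather than a local set).
BREACHED_PASSWORDS = {"password123", "liverpool2020", "summer2021!"}
MIN_LENGTH = 12  # assumed policy value


@dataclass
class UserProfile:
    username: str
    names: list   # own name, family members, pets: the categories cited above
    years: list   # birth years, anniversaries and other significant dates


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def password_problems(new, old, profile):
    """Return the policy problems with a proposed password (empty list = accepted)."""
    problems = []
    lowered = new.lower()
    if lowered in BREACHED_PASSWORDS:
        problems.append("appears-in-breach-list")
    # Catches the "change one letter or digit" habit: one edit away from the old password.
    if old and edit_distance(lowered, old.lower()) <= 1:
        problems.append("minor-variation-of-previous")
    for name in [profile.username] + profile.names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains-personal-name:{name}")
    for year in profile.years:
        if str(year) in new:
            problems.append(f"contains-significant-year:{year}")
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter-than-{MIN_LENGTH}")
    return problems


if __name__ == "__main__":
    profile = UserProfile("jsmith", ["John", "Smith", "Rex"], [1985])
    print(password_problems("Rex1985!!", "Rex1984!!", profile))
    print(password_problems("correct horse battery staple", "Rex1985!!", profile))
```

The check runs on the plaintext only at the moment the user submits the new password; nothing here requires storing old passwords in the clear, since comparing against the previous password can be done with the previous plaintext the user is asked to supply on the same form.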

2. Include everybody on the Security Team

Cybersecurity isn’t just a job for the IT department, but that can be hard for employees to recognise, especially if they don’t consider themselves “tech people”. Unfortunately, that perception often leads to employees not engaging with security awareness training and not carrying the good cybersecurity practices that they learn over into their everyday actions. That expectation may also be at work on the executive end of the equation too. By not running regular training sessions or only giving a few employees training against certain threats, companies fail to utilise all of their human resources to keep an eye out for trouble. Internal blockers can also discourage employees from taking an interest in cybersecurity, a tragedy in a time when businesses need all the help that they can get. Eliminating those blockers will create a stronger security culture, making your business more cyber resilient.

3 Facts About Employee Security Attitudes

  • Just under 30% of employees fail to report cybersecurity mistakes out of fear.
  • A full 50% of employees don’t report clicking on a phishing email to avoid disciplinary action.
  • An estimated 60% of employees open suspicious emails for fear of misidentifying a message.

No employee should be afraid to ask for help around security issues. When employees fear losing their jobs because of a security mishap, small problems don’t get reported, giving them time to grow into giant disasters. Improved security awareness can also quickly reduce a company’s risk of malicious insider incidents. In a business with a healthy cybersecurity culture, employees feel confident that they can ask for help freely whether they just have a question, they made a mistake, they are unsure about something or think that they have spotted a phishing attempt, and that brings benefits that can’t be measured. 

Security Culture Dos and Don’ts

  • Don’t threaten employees with termination if they make a security mistake.
  • Do make it easy for employees to ask questions or get help around security.
  • Don’t just make cybersecurity the IT department’s job.
  • Do make every employee feel that they are invested in company security.
  • Don’t fail to set policies that encourage smart security behaviour.
  • Don’t have one set of policies for employees and another for executives.

3. Empower Employees with the Right Training and Tools

If you want your employees to protect your business from cyberattacks, they’re going to need a quality toolkit and the training to notice potential trouble spots. The power of security awareness training is immense, and it starts right away.

In a UK study on the effectiveness of phishing simulations, researchers discovered that 40 – 60% of the surveyed employees were likely to open a phishing message at the beginning of the study. However, after about 6 months of training, the percentage of employees who took the bait dropped 20% to 25%. Even better, after 3 to 6 months more training, only 10% to 18% were likely to open a phishing message, a steep decline. 

Regular security awareness training clearly works. Having the right tools available is also essential. If you’re relying on old, clunky, hard-to-use tools for your day-to-day operations, you’re not only opening your business up to security risks from potential cyberattacks, you’re also making it hard for your employees to follow safe behaviours or take security seriously – and that can mean the difference between a crisis averted and a disaster landing on your doorstep.

3 Facts About Security Tools

  • One tool, multifactor authentication, stops 99% of password-based cybercrime.
  • Automated email security catches 40% more phishing messages than conventional security or a SEG.
  • Security awareness training reduces the chance of a damaging security incident by up to 70%.

It’s not necessary for businesses to splash out cash on dozens of fancy security tools. Having too many security tools is just as bad as having too few. But it is essential that you provide the right tools and training to build a foundation for cybersecurity success. However, a stunning one in three small businesses with 50 or fewer employees relies solely on free or consumer-grade cybersecurity tools for protection. Even worse, an astonishing 60% of business leaders revealed that their companies didn’t have a cyberattack prevention plan in place at all and had no foundation for incident response. Give your employees the tools, training and support that they need to succeed and they will help keep your business safe in a stormy cybersecurity landscape.

Training and Tools Dos and Don’ts

  • Don’t use security awareness training as a punishment.
  • Do run security awareness training at least 11 times per year.
  • Don’t make employees afraid of losing their jobs if they report issues.
  • Do make sure that everyone from the Directors to the apprentices receives regular training.
  • Don’t rely on a patchwork of old tools that make maintaining security more challenging.
  • Do make it easy for employees to get help when they have a security issue.

Protect your Business from Cybercrime

MSnet was founded with a passion to protect businesses from the threat of cybercrime.

Our Mission is to empower businesses with the knowledge, Training and Services required in safeguarding them from Cybercriminal activity.

If you would like more information, please reach out to our team on 01489 539700 or use the Contact Us button below.


Gone Phishing?

Gone Phishing

Phishing is the most common cybercrime and the most dangerous for your business. Some of today’s most devastating cyberattacks, including incidents like the Colonial Pipeline ransomware disaster in May 2021, started with a phishing email.

Employees may encounter phishing attempts daily if action isn’t taken to keep phishing messages out of your business.

An estimated 6 billion phishing emails were sent to businesses daily in 2020!

What is a Phishing Attack?

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information or to deploy malicious software.

Phishing is the type of cyberattack employees see the most. Cybercriminals favour phishing because it has a low barrier to entry, it’s cheap and it’s effective. Phishing is an easy way for cybercriminals to obtain passwords, user data and other credentials, enabling them to undertake other cybercrime operations like business email compromise or to deploy ransomware.

An estimated 75% of organizations in the United States were hit by a phishing attack that resulted in a data breach in 2020.


How to spot a phishing attack?

Phishing can be tricky to spot, but these red flags should always give you pause as they’re common indicators that an e-mail is actually a phishing attempt. 

Subject Line

Is the subject line accurate? Subject lines that feature oddities like “Warning”, “Your funds have” or “Message is for a trusted” should set off alarm bells. If the subject or pre-header of the email contains spelling mistakes, usage errors, unexpected elements like emojis or other things that make it stand out from emails you regularly receive from the sender, it’s probably phishing. 

Greeting

If the greeting seems strange, be suspicious. Are the grammar, punctuation and spelling correct? Is the greeting in a different style than you usually see from this sender? Is it generic when it is usually personalised, or vice versa? Anomalies in the greeting are red flags that a message may not be legitimate.

Domain

Check the sender’s domain by looking at the email address of the sender. A message from a major corporation is going to come from that company’s usual, official domain. 

For example, if the message says it is from Sender@microsoftsecurity.com instead of Sender@microsoft.com, you should be wary.

Word Choices, Spelling & Grammar

This is a hallmark test for a phishing message and the easiest way to uncover an attack. If the message contains a bunch of spelling and usage errors, it’s definitely suspicious. Check for grammatical errors, data that doesn’t make sense, strange word choices and problems with capitalisation or punctuation. We all make the occasional spelling error, but a message riddled with them is probably phishing. 

Style

Does this look like other messages you’ve received from this sender? Fraudulent messages may have small variations in style from the purported sender’s usual email style. Beware of unusual fonts, colors that are just a little off, logos that are odd or formats that aren’t quite right. 

Links

Using malicious links to capture credentials or send victims to a web page that can be used to steal their personally identifiable information (PII) or financial information is a classic phishing scam. Hovering your mouse or finger over a link will usually enable you to see the path. If the link doesn’t look like it is going to a legitimate page, don’t click on it. If you have interacted with it, definitely don’t provide any information on the page that you’re directed to because it’s almost certainly phishing. 

Attachments

Never open or download an unexpected attachment, even if it looks like a normal Microsoft 365 (formerly Office) file. Almost 50% of malicious email attachments sent out in 2020 were Microsoft Office files. The most popular formats, the ones employees exchange every day (Word, PowerPoint and Excel), accounted for 38% of phishing attacks. Archived files, such as .zip and .jar, account for about 37% of malicious transmissions.

Origin

Is this someone or a company that you’ve dealt with before? Does the message claim to be from an important executive, politician or celebrity? A bank manager or tax agent you’ve never heard of? Be cautious about interacting with messages that seem too good to be true. Messages from government agencies should also be handled with care. Phishing practitioners love using fake government messages.
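The Domain, Links and Attachments checks above are exactly the kind of rules a mail-filtering or triage script can apply before a message reaches an inbox. Here is an added Python example (not from the original post and not an MSnet tool) that runs those checks over a constructed sample message: it flags a sender domain that contains a brand name but is not that brand’s official domain (the microsoftsecurity.com case from the Domain section), link text that shows one URL while the href points somewhere else (the hover check from the Links section), attachment types such as .zip and .jar, and the subject-line oddities quoted earlier. The allow-list of official domains, the set of risky extensions and the sample message itself are assumptions for illustration; the made-up phishing domains use reserved example names.

```python
"""Triage a raw e-mail against the red flags above: sender domain, link text
vs. real destination, risky attachment types and subject-line lures.
Added example; the allow-list, extension set and sample message are assumed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: brand keyword -> the domain mail from that brand should really use.
OFFICIAL_DOMAINS = {"microsoft": "microsoft.com"}
# Subject-line oddities quoted on this page, matched case-insensitively.
SUSPICIOUS_SUBJECT_PHRASES = ("warning", "your funds have", "message is for a trusted")
# Assumed policy: archive, executable, script and macro-enabled formats are flagged for review.
RISKY_EXTENSIONS = {".zip", ".jar", ".iso", ".exe", ".js", ".vbs", ".docm", ".xlsm", ".html"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message (not a real phish); the sender and link domains are made up.
SAMPLE_EMAIL = """\
From: Security Team <sender@microsoftsecurity.com>
To: jane@example.co.uk
Subject: Warning - Your funds have
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer,</p>
<p>Visit <a href="http://login-verify.example.net/reset">https://login.microsoft.com</a> now.</p>
--b1
Content-Type: application/zip; name="REQ Supplier Survey.zip"
Content-Disposition: attachment; filename="REQ Supplier Survey.zip"

UEsDBBQAAAAIAA==
--b1--
"""


def sender_flags(from_header):
    """Flag a sender domain that contains a brand name but is not that brand's domain."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain == official or domain.endswith("." + official):
            return []  # the official domain or one of its subdomains: nothing to flag
        if brand in domain:
            flags.append(f"lookalike-domain:{domain} (expected {official})")
    return flags


def link_flags(html):
    """Compare the URL shown in the link text with the href it really points at."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        target = urlparse(href)
        shown = urlparse(text.strip())
        if shown.netloc and shown.netloc.lower() != target.netloc.lower():
            flags.append(f"link-text-mismatch:{shown.netloc}->{target.netloc}")
        if target.scheme == "http":
            flags.append(f"insecure-link:{target.netloc}")
    return flags


def attachment_flags(msg):
    """Flag attachments whose file extension is in the assumed risky set."""
    flags = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky-attachment:{name}")
    return flags


def subject_flags(subject):
    """Flag the subject-line phrases listed above."""
    s = (subject or "").lower()
    return [f"suspicious-subject:{p}" for p in SUSPICIOUS_SUBJECT_PHRASES if p in s]


def triage(raw_message):
    """Run every check and return the flags plus a simple verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    flags = (subject_flags(str(msg["Subject"] or ""))
             + sender_flags(str(msg["From"] or ""))
             + link_flags(html)
             + attachment_flags(msg))
    return {"flags": flags, "verdict": "review" if len(flags) >= 2 else "ok"}


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL)["flags"]:
        print(flag)
```

A single flag is weak evidence on its own (plenty of legitimate mail uses http links or ships a .zip), which is why the verdict only asks for human review once two or more red flags coincide; the threshold and the lists are the knobs a team would tune against its own mail.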

How Can I Protect My Business from Phishing Attacks

Cybersecurity requires a multi-layered approach to fully protect your business.

Protecting your employees from phishing equally requires a number of different layers of protection.

  1. The first should be training! Security awareness training prepares employees to recognise the threat of cybercrime and how to avoid the dangers.
  2. The second is simulated Phishing E-mails. Test phishing E-mails are sent to employees to allow them to review and fine tune their new knowledge.
  3. Lastly an integrated threat protection service to filter and remove dangerous E-mails and files from reaching employees in the first place.




SME Data Breaches

SME Data Breaches in 2021


A data breach is a nightmare for any company, and it’s one that more businesses in more industries are having to face today. About 85% of IT professionals foresee a data breach at their business in the next 12 months.

Cybercriminals are hungry for data that they can sell in the booming dark web data markets for a hefty profit, spawning an unprecedented increase in data-focused cybercrime that’s rocking businesses of every size and it isn’t going to stop anytime soon!

Top 10 SME Data Breach Statistics from 2021

  1. The number of recorded data breaches in 2021 has exceeded the total number of events in 2020 by 17%, with 1,291 breaches in 2021 compared to 1,108 breaches in 2020
  2. More than 60% of breaches result from misused, stolen or purchased credentials
  3. An estimated 85% of data breaches involve a human element.
  4. Phishing is the top threat action that results in a breach
  5. The number of breaches that involve ransomware has doubled
  6. 34% of data breaches involve internal actors
  7. Over 80% of breaches are discovered by external parties.
  8. An estimated 36% of businesses worldwide had a cloud data breach in the past 12 months
  9. 74% of businesses in the United States have fallen victim to a successful phishing attack that resulted in a data breach in the last 12 months
  10. The US is the leader in phishing-related data breaches for 2021 so far, with rates 30% higher than the global average, and 14% higher than the same period in 2020.

The Cost of a Data Breach

In this year’s IBM Cost of a Data Breach Report, researchers determined that the average cost of a breach in 2021 is estimated at £3.1 million per incident, the highest ever recorded in the 17 years of the study.

The cost of a data breach can change significantly depending upon the initial attack vectors including the top three most common: compromised credentials (20% of breaches), phishing (17%) and cloud misconfigurations (15%).

The cost of a breach can be impacted by the type of data stolen or leaked, like customer personally identifiable information (PII) – the most frequently breached and the most expensive at £125 per record.

The top country in the world for data breach costs in 2021 (so far) is the US with an average cost of $9.05 million.

Thanks to the hot market for COVID-19 data in 2020, medical data is in second place as the most desirable data to snatch, and healthcare at £6.8 million is the industry with the most expensive data breach costs.

Businesses that operate with 50% remote workers took an average of 316 days to identify and contain a data breach compared to the overall average of 287 days.

Companies supporting a remote or hybrid workforce experienced an increase of up to £750,000 more when a data breach occurred, with the highest rates of £3.5 million in comparison to £2.8 million.

Cloud Data Breaches

The “State of Cloud Security 2021” Verizon report asked IT professionals about the circumstances that influence a company’s chance of a possible cloud data breach, and these were the factors that they pointed to:

  • 32% say too many APIs and interfaces to govern
  • 31% cite lack of adequate controls and database oversight
  • 27% point to lack of policy awareness around data security
  • 23% blamed old-fashioned negligence
  • 21% said they are not checking Infrastructure as Code (IaC) prior to deployment
  • 20% admitted outright that human factors were at fault

Booming Dark Web Data Markets Drive Data Theft

Most Prevalent Types of Data Stolen in Breaches: 

  • Credentials: 60%
  • Personally Identifying Data (PII): 40%
  • Medical Data: 10%
  • Bank Data: 10%
  • Internal Data: 10%
  • Payment Data: 10%

Is Your Business Protecting Its Valuable Data?

Cybersecurity requires a multi-layered approach to fully protect your business.

Protecting your business data is a critical priority for any business, not only from a regulatory stance (i.e. GDPR, PCI DSS, etc.) but also in protecting your customers and employees.



Password Danger

Password Danger is Escalating


The struggle to get users to make good, strong, unique passwords and actually keep them secret is real!

It can be hard to demonstrate to users just how dangerous their bad password decisions can be to the entire business, even though an estimated 60% of data breaches involved the improper use of credentials in 2020.

There’s no rhyme or reason to why employees create and handle passwords unsafely. Employees at every level are unfortunately drawn to making bad passwords and playing fast and loose with them – and that predilection doesn’t look like it’s going away anytime soon.

Managing Too Many Passwords?

The average adult has an estimated 100 passwords floating around that they’re using. That’s a bewildering tangle of passwords to manage. About 300 billion passwords are currently in use by humans and machines worldwide. The global pandemic helped put even more passwords into circulation as people on stay-at-home orders created an abundance of new online accounts. According to the conclusions of a global study conducted by Morning Consult for IBM, people worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic.

Many of those logins were compromised from the start thanks to abundant dark web data. An estimated 15 billion unique logins are circulating on the dark web right now. In 2020 alone, businesses had to contend with a 429% increase in the number of business login details with plaintext passwords exposed on the dark web. That dramatic increase in risk per user comes back to haunt a business.

The average business is now likely to have about 17 sets of login details available on the dark web for cybercriminals to enjoy and that number is only going to continue to grow thanks to events like this year’s giant influx of fresh passwords from the RockYou 2021 leak!

Bad Passwords

Research by the UK’s National Cyber Security Centre (NCSC) shows that employees will choose memorability over security when making a password. Their analysts found that 15% of people have used their pet’s name as their password at some point, 14% have used the name of a family member, 13% have used a significant date, such as a birthday or anniversary and another 6% have used information about their favourite sports team as their password.

That makes cybercriminals’ jobs easy even if they’re trying to directly crack a single password. After all, those users have probably told them everything that they’d need to know to do the job in their social media profiles.

Password Sharing Is Rampant

Worse yet, employees are sharing their passwords with other people at an alarming rate, even if the people they’re sharing a password with don’t work at the same company. Over 30% of respondents in a Microsoft study admitted that their business had experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people externally.

43% of survey respondents have shared their password with someone in their home
22% of employees surveyed have shared their email password for a streaming site
17% of employees surveyed have shared their email password for a social media platform
17% of employees surveyed have shared their email password for an online shopping account

Top Password Fails

Analysis of the top 250 passwords found on the dark web identified the weakest password categories in 2020 as:

Weakest Password Categories in 2020

  1. Family Names (e.g. Maggie)
  2. Sports Teams (e.g. Arsenal)
  3. Favourite Food (e.g. Cookie)
  4. Place Names (e.g. London)
  5. Names of Pets (e.g. Rocky)
  6. Famous People/Characters (e.g. Tigger)

Top 20 Most Common Passwords found on The Dark Web in 2020

  1. 123456
  2. password
  3. 12345678
  4. 12341234
  5. 1asdasdasdasd
  6. Qwerty123
  7. Password1
  8. 123456789
  9. Qwerty1
  10. :12345678secret
  11. Abc123
  12. 111111
  13. stratfor
  14. lemonfish
  15. sunshine
  16. 123123123
  17. 1234567890
  18. Password123
  19. 123123
  20. 1234567
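As an added defender-side illustration (not code from the original post or from MSnet), the Python check below turns the top-20 list above into a denylist and also catches the weak categories the post describes: appended digits, keyboard walks and memorable personal terms. The 12-character minimum, the small leet-substitution map and the context_words parameter are assumptions of this example, not figures from the page.

```python
import re

# Constructed denylist, taken from the page's "Top 20 Most Common Passwords
# found on the Dark Web in 2020", lower-cased for case-insensitive matching.
TOP_20_2020 = {
    "123456", "password", "12345678", "12341234", "1asdasdasdasd",
    "qwerty123", "password1", "123456789", "qwerty1", ":12345678secret",
    "abc123", "111111", "stratfor", "lemonfish", "sunshine", "123123123",
    "1234567890", "password123", "123123", "1234567",
}
# Bare roots the list is built from; "Qwerty2022!" is still just "qwerty".
WEAK_ROOTS = {"password", "qwerty", "abc"}
# Keyboard walks and digit runs that recur across the list.
KEYBOARD_WALKS = ("qwerty", "asdasd", "123456", "1234", "123123", "111111")
MIN_LENGTH = 12  # assumed policy minimum for this example, not a figure from the page


def normalise(pw: str) -> str:
    """Reduce 'P@ssw0rd123!' to 'password': lower-case, drop trailing
    digits/symbols, then undo three common leet substitutions (assumed map)."""
    s = re.sub(r"[^a-z]+$", "", pw.lower())
    return s.translate(str.maketrans("@$0", "aso"))


def weak_password_reasons(pw: str, context_words=()) -> list:
    """Return every reason the candidate password is weak (empty = no finding).
    context_words are the user's own pet/family/team names, so the NCSC pattern
    quoted in the post (memorable personal terms) can be rejected as well."""
    reasons = []
    low = pw.lower()
    if low in TOP_20_2020:
        reasons.append("in the 2020 top-20 dark web list")
    elif normalise(pw) in TOP_20_2020 | WEAK_ROOTS:
        reasons.append("top-20 root with digits or symbols appended")
    if any(walk in low for walk in KEYBOARD_WALKS):
        reasons.append("contains a keyboard walk or digit run")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for word in context_words:
        if word.lower() in low:
            reasons.append(f"contains personal term '{word}'")
    return reasons


def is_acceptable(pw: str, context_words=()) -> bool:
    return not weak_password_reasons(pw, context_words)


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd!", "Rocky2019!", "correct horse battery staple"):
        print(candidate, "->", weak_password_reasons(candidate, context_words=("Rocky",)))
```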

Stolen Passwords on the Dark Web

Credentials were the top type of information stolen in data breaches worldwide in 2020 (personal information took second place, just ahead of financial data in third), and cybercriminals didn’t hesitate to grab batches of credentials from all over the world. They snatched them up in about 70% of EMEA breaches, 90% of APAC breaches and 60% of North American breaches. Researchers disclosed that the average company experiences 5.3 credential compromises a year that originate from a common source such as phishing, a number that should give every business owner chills.

An abundance of records on the dark web has spawned an abundance of passwords for cybercriminals to harvest, and that’s bad news. Giant password dumps on the dark web like the 100GB text file dubbed RockYou2021 have ratcheted up risk too. That giant dump of data is estimated to contain 8.4 billion passwords. Cybercriminals make use of that bounty quickly and effectively.

In the aftermath of an enormous 2020 hack, ShinyHunters breached the security of ten companies in the Asian region and brought more than 73 million user records to market on the dark web. A group like ShinyHunters will of course try to profit by selling that stolen data at first, but when the data has aged or there are no interested buyers, cybercriminals will just offload it in the vast data dumps of the dark web making it available for anyone to sift through.

Protect your Business from Password Danger

Password shenanigans can put any business at risk of a devastating and expensive cyberattack, but protecting your business from password-related danger isn’t hard to do or expensive.

Protecting your business from password dangers requires a multi-layered approach, incorporating both training and technology.

Training will educate your employees about the dangers of cybercrime, how to recognise a threat and how to avoid it.

Technology and policy ensure the right framework is in place to remove the complications around employee passwords, with a robust, centralised credential management system protecting your business.


Categories
Cyber Security

Stay Cyber Safe

Here are a few straightforward tips to help reduce your cybersecurity risk, whether you’re online or offline.

1. Always be wary of any unexpected contact. If your bank, or any organisation you have dealings with, gets in touch out of the blue, treat it with caution. If you receive any emails that ask you to confirm personal information, assume it is a scam. Don’t click on any links and don’t provide any of your personal details. Instead, call the company that the communication claims to be from using a recognised telephone number and make sure that you’re dealing directly with them before sharing any of your details or responding to any requests.

2. Safeguard yourself against identity theft by making sure you never give out personal information to an unrecognised party. This can be used to steal your identity and access your accounts, so keep it safe. Don’t confirm any details to cold callers, even if they’re just asking you to verify information they claim to already have on file, and avoid entering your details into any promotional emails.

3. Keep operating systems and virus protection software up-to-date. Don’t ignore software updates on your mobile phone, computer and other devices, as these can often include measures to protect against new kinds of scams, viruses and ransomware.

4. Make sure all your accounts have a strong password using a mixture of letters (lower and upper case), numbers and symbols. Don’t use the same password for multiple accounts, and try to get into the habit of changing them regularly, as this helps to reduce the risk of a cyber security attack. Ideally, use a password manager or complex passphrases instead.

5. Be careful when using public WiFi. Use safe and secure WiFi connections and avoid public WiFi when you can. Your standard 3G or 4G connection will usually be a lot more secure than the one in the coffee shop or restaurant.

By following these simple cybersecurity steps you’ll be going a long way to helping keep your information safe online. An important rule to live by is that prevention is usually better than the cure! So, if you’re unsure about a potential risk, it’s better to proceed with caution rather than potentially put yourself in a compromising position.

Categories
Cyber Security

The Risk of Ransomware and its impact on Businesses

Avoid becoming a victim of the next ransomware attack — protect yourself with a Business Continuity plan. Get in touch today to find out how our reliable solutions can help. #ransomware #cybersecurity #MSnetUK

Categories
Cyber Security

Stay Connected and Productive While WFH

Spending the day working on your own? Take time to pick up the phone and talk to colleagues and contacts. Having a conversation can be much more stimulating and productive than a chain of emails. #MSnetUK

Categories
Cyber Security

Ransomware 2020 Report

92% of IT pros predict ransomware attacks will continue at current, or worse, rates. You cannot assume you are immune from a ransomware attack — cybercriminals do not discriminate. #ransomware #cybersecurity #MSnetUK