Cyber Liability – Zero Trust Security Explained

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Traditional cybersecurity protocols can’t keep up with the rapidly evolving modern workplace environment. The complexity of hybrid work, the rising number of fully remote employees and the dramatic increase in the use of cloud-based systems make traditional perimeter security ineffectual. A new security model is needed to keep the corporate network safe. This model is “zero trust.”

Zero trust is adapted to the modern workplace. It embraces mobility and protects people, networks, applications and devices, regardless of their location. Review the following guidance to learn why zero trust is important, how it works and how it can benefit your organization.

What Is Zero Trust?

Traditional network security trusts the identity and intentions of users within an organization’s structure. This puts the organization at risk from malicious internal actors and rogue credentials by allowing unauthorized and uncompromised access to the organization. The phrase “trust, but verify” is often used to describe traditional network security approaches.

The zero-trust approach removes the concept of trust from within an organization’s structure. With zero trust, a data breach is assumed with every access request. Every access request must be authenticated and authorized as if it originated from an open network. The concept “never trust, always verify” is emblematic of the zero-trust approach.

What Are the Benefits of Zero Trust?

The zero-trust approach is one of the most effective ways for organizations to control their network, applications, and data.

This is especially important today, as companies expand their infrastructure to include cloud-based applications and servers. The growing usage of locally hosted machines, VM and Software-as-a-Service products, and a dramatically increasing number of remote employees have made it difficult for organizations to secure their systems and data.

Implementing a zero-trust approach benefits companies in a wide range of ways, including:

  • Minimizing your organization’s attack surface—By granting the lowest level of access possible for users and devices to perform their essential functions, organizations can minimize the affected area within their organization should a breach occur.
  • Improving audit and compliance visibility— The first step to implementing zero trust is for an organization to know what devices exist and which credentials are on each device. In this way, devices are constantly kept in an audit-ready state.
  • Reducing risk, complexity and costs—All access requests are vetted prior to allowing access to any company assets or accounts. This dramatically increases real-time visibility within the organization and helps prevent costly data breaches.
  • Providing Layer 7 threat prevention— Layer 7 refers to the application level of the Open Systems Interconnect model. This layer identifies communicating parties, supports end-user processes and applications, and consults privacy and user authentication. By establishing who can access the different levels of your organization at any given time the zero-trust approach stops unauthorized users or applications from accessing your organization’s crucial data and prevents the unwanted exfiltration of sensitive information.
  • Simplifying granular user-access control—  Zero trust requires an organization to define which users may access certain aspects of an organization. As a rule, each user is granted the least privilege possible to perform their necessary functions.
  • Preventing lateral movement—Segmenting the network by identity, groups and function allows organizations to contain breaches and minimize the damage from a hacker who was allowed to move freely within the organization’s perimeter.

How Does Zero Trust Work?

By combining a wide range of preventative techniques, including identity verification, behavioral analysis, microsegmentation, endpoint security, and least privilege controls, implementing a zero-trust approach can significantly reduce an organization’s risk of becoming a data breach victim.

Zero trust relies on three essential principles:

  • Verify explicitly. Every user request must be authenticated and authorized using all available data points. This step is designed to ensure the person or application requesting access is who they say they are.
  • Use least privileged access. Users should be given the least amount of access necessary to perform their authorized functions. Just-in-time (JIT) and just-enough access (JEA), risk-based adaptive policies and data protection can all help secure data and user productivity.
  • Assume breach. Use end-to-end encryption to prevent data from flowing to undesired endpoints. Use analytics to drive threat detection, improve visibility and enhance defenses.

How Can I Implement Zero Trust?

Zero trust is relatively simple to deploy. Adopting the principles of zero trust doesn’t require any costly products. Use the following principles to employ zero trust at your organization:

  • Define the attack surface. To adopt a zero-trust framework, your organization’s critical data, assets, applications and services must be identified. This critical information forms a “protect surface,” which is unique to every organization.
  • Create a directory of assets. Determine where the sensitive information lives and who needs access to it. Know how many accounts there are and where they connect. Consider removing old accounts and enforcing mandatory password rotation.
  • Adopt preventative measures. Give users the least amount of access necessary to do their work. Use multifactor authentication to verify accounts. Establish micro-perimeters to act as border control within the system and prevent unauthorized lateral movement.
  • Monitor continuously. Inspect, analyze and log all data. Escalate and store logs with anomalous activity or suspicious traffic. Have a clear plan of action for how to handle anomalous activity.

For additional risk management guidance and insurance solutions, contact us today.

Read more
No Comments

Identifying And Avoiding Phone Scams

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

 

Every year, people report fraud, identity theft and bad business practices to the Federal Trade Commission (FTC) and law enforcement partners. According to FTC data, more than 2.8 million people reported fraud in 2021, and 1 in 4 said they also lost money. The median loss in scams that start with a call is $1,200, higher than any other contact method.

As such, the chances are likely that you have or will be on the receiving end of a phone scam. Technology has made this even easier as scammers leverage robocalls or spoofing tools to change phone numbers. This article highlights the warning signs of scams and tips on protecting yourself from phone scams.

Warning Signs

Recognizing the common signs of a scam could help you avoid falling for one. Here are some general indications that a call or text is a scam:

  • Scammers pretend to be from a familiar organization. Scammers may pose as someone from a charity, utility company, law enforcement or federal agencies. They may use a real organization name or make up something that sounds official.
  • Scammers say there’s a problem or a prize. Remember, if you have to pay to get the prize, it’s not really a prize.
  • Scammers pressure you to act immediately. Legitimate businesses will give you time to think about their offer. Real businesses won’t make you stay on the phone (so you can’t check out the story) nor threaten to arrest you, sue you or take away your driver’s license.
  • Scammers tell you to pay in a specific way. There’s never a good reason to send cash, pay with a gift card, wire money or pay using a transfer app. These methods make it difficult for you to get your money back, which is ideal for scammers.

Phone scams come in many forms, but they often make similar promises or threats. Trust your gut if something seems off or too good to be true.

Consumer Tips

To prevent unwanted robocalls and phony texts and potentially avoid phone scams, the FTC recommends the following tips:

  • Block unwanted calls and text messages. Talk to your phone company about call blocking tools they may have and check into apps that you can download to your mobile device to block unwanted calls and text messages.
  • Register your number on the Do Not Call Registry. Legitimate telemarketers consult this list to avoid calling both landline and wireless phone numbers on the list.
  • Don’t answer calls from unknown numbers. If you answer a robocall, hang up immediately. Remember that even though caller ID may show a “local” number, the call isn’t necessarily from a local caller, as it could be spoofed.
  • Don’t provide your personal or financial information in response to a request that you didn’t expect. Legitimate organizations won’t call, email or text to ask for your personal information, such as your Social Security number, bank account or credit card numbers.
  • Understand how scammers tell you to pay. Never pay someone who insists you pay with a gift card or a money transfer service. Additionally, you should never deposit a check and send money back to someone.
  • Resist the pressure to act immediately. Legitimate businesses will provide you time to make a decision or provide payment. If it seems rushed or threatening, it’s likely a scammer.
  • Don’t click on any links even if you get a text from a company you usually do business with and think it’s real. Instead, contact the company using a trustworthy website or look up their phone number. Don’t call the number they provided or the number from your caller ID.
  • Talk to someone you trust. Before you do anything, tell a friend, family member, neighbor or other trusted person what happened. Talking about it could help you realize it’s a scam.

If you spot a scam or have given money to a scammer, you can report it to the FTC by filing a consumer complaint online or calling 1-877-FTC-HELP (382-4357). You can also visit the agency’s website to learn more about other consumer topics and more ways to protect yourself from scammers.

Read more
No Comments

Smishing Explained

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

 

Most businesses and individuals are familiar with phishing, a cyberattack technique that entails cybercriminals leveraging fraudulent emails to manipulate recipients into sharing sensitive information, clicking malicious links or opening harmful attachments. While these email-based scams remain a pressing concern, a new form of phishing—known as smishing—has emerged over the years, creating additional cyber exposures for businesses and individuals alike.

Smishing relies on the same tactics as phishing. The sole difference between these two cyberattack techniques is that smishing targets victims through text messages rather than emails. As a growing number of individuals utilize their smartphones for both personal and work-related purposes (e.g., interacting with colleagues and clients on mobile applications), smishing has become a rising threat. In fact, recent research found that nearly three-quarters (74%) of organizations experienced smishing incidents in the past year, while just 23% of the workforce recognizes this term.

With these numbers in mind, it’s evident that businesses need to address smishing exposures within their operations. The following article provides an overview of smishing and offers best practices for businesses to protect against this emerging cyberattack technique.

What Is Smishing?

Smishing follows the same format as phishing, using deceiving messages to manipulate recipients. These messages are generally sent via text, but can also be delivered through mobile instant messaging applications (e.g., WhatsApp). In these messages, cybercriminals may implement a wide range of strategies to get their targets to share information or infect their devices with malware. Specifically, they will likely impersonate a trusted or reputable source and urge the recipient to respond with confidential details, download a harmful application or click a malicious link. Here are some examples of common smishing messages:

  • A message claiming to be from a financial institution, saying the recipient’s bank account is locked or experiencing suspicious activity and asking them to click a harmful link to remedy the issue
  • A message impersonating a well-known retailer (e.g., Amazon, Target or Walmart), encouraging the recipient to download a malware-ridden application to receive a gift card or similar prize
  • A message claiming to be from an attorney or law enforcement, saying the recipient is facing legal trouble or criminal charges and urging them to call an unknown number for more information
  • A message impersonating the government, asking the recipient to click a suspicious link for details on their taxes or participation in a federal loan program
  • A message claiming to be a research organization, requesting the recipient download a malicious application to complete an informational survey
  • A message impersonating a delivery service, informing the recipient that they are receiving a package and providing them with a fraudulent link for tracking the item

If a recipient is tricked into doing what a smishing message asks, they could end up unknowingly downloading malware or exposing sensitive information, such as login credentials, debit and credit card numbers or Social Security numbers. From there, cybercriminals may use the information they obtained from smishing for several reasons, such as hacking accounts, opening new accounts, stealing money or retrieving additional data. Since individuals may use their smartphones for work-related tasks, smishing has the potential to impact businesses as well. For example, an individual who falls for a smishing scam could inadvertently give a cybercriminal access to their workplace credentials, allowing the criminal to collect confidential data from the victim’s employer and even steal business funds.

The nature of smishing has made this cyberattack technique a significant threat. This is because individuals are typically not as careful when communicating on their smartphones compared to their computers, often engaging in multiple text conversations at a time (sometimes while distracted or in a rush). After all, research from Experian found that individuals between ages 18-24 exchange around 4,000 texts each month. Considering these findings, individuals may be less wary or observant of a text message from an unknown number than an email, making them more likely to interact with a malicious text.

Furthermore, many individuals falsely assume that their smartphones possess more advanced security features than computers, thus protecting them from harmful messages. However, smartphone security has its limits. Currently, these devices are unable to directly safeguard individuals from smishing attempts, leaving all smartphone users vulnerable. That’s why it’s important for businesses to take steps to protect against smishing.

How to Protect Against Smishing

To effectively minimize smishing exposures and prevent related cyberattacks, businesses should:

  • Conduct employee training—First, businesses should educate employees on what smishing is and how it could affect them. Additionally, employees should be required to participate in routine training regarding smishing detection and prevention. This training should instruct employees to:
  • Watch for signs of smishing within their text messages (e.g., lack of personalization, generic phrasing and urgent requests)
  • Refrain from interacting with or responding to messages from unknown numbers or suspicious senders
  • Avoid clicking links or downloading applications provided within messages
  • Never share sensitive information via text
  • Utilize trusted contact methods (e.g., calling a company’s official phone number) to verify the validity of any request sent over text
  • Report any suspicious messages to the appropriate parties, such as a supervisor or the IT department
  • Ensure adequate bring-your-own-device (BYOD) procedures—Apart from providing smishing training, businesses should establish solid BYOD procedures to ensure employees act accordingly when utilizing their personal smartphones for work-related purposes. Such procedures may include using a private Wi-Fi network, implementing multifactor authentication capabilities, conducting routine device updates and logging out of work accounts after each use. These procedures can help deter smishing attempts and decrease the damages that may ensue from smishing incidents.
  • Implement access controls—Another method for limiting smishing exposures is the use of access controls. By only allowing employees access to information they need to complete their job duties, businesses can reduce the risk of cybercriminals compromising excess data or securing unsolicited funds amid smishing incidents. To further protect their information, businesses should consider leveraging encryption services and establishing secure locations for backing up critical data.
  • Utilize proper security software—Businesses should also make sure company-owned smartphones are equipped with adequate security software. In some cases, this software can halt cybercriminals in their tracks, stopping smishing messages from reaching recipients’ devices and rendering harmful links or malicious applications ineffective. In particular, smartphones should possess antivirus programs, spam-detection systems and message-blocking tools. Security software should be updated as needed to ensure effectiveness.
  • Purchase sufficient coverage—Finally, it’s vital for businesses to secure proper cyber insurance to protect against potential losses stemming from smishing incidents. Businesses should reach out to their trusted insurance professionals to discuss specific coverage needs.

Conclusion

In summary, smishing is a serious cyber threat that both individuals and businesses can’t afford to ignore. By staying aware of smishing tactics and implementing solid mitigation measures, businesses can successfully protect against this rising cyberattack technique, deterring cybercriminals and minimizing associated losses.

For more risk management guidance, contact us today.

Read more
No Comments

Cyber Risks & Liabilities

This article is from RISQ Consulting’s Zywave client portal, a resource available to all RISQ Consulting clients. Please contact your Benefits Consultant or Account Executive for more information or for help setting up your own login.

Research Shows Malicious Document Downloads Are Surging Overview

Using malicious software—also called malware—to compromise a victim’s data or technology is one of the most common cyberattack methods. Malware is typically triggered by clicking on the deceptive links or dangerous attachments that often accompany phishing emails. In fact, recent research found that malicious document downloads are currently on the rise.

According to Netskope Threat Lab’s latest report, 40% of malware attacks have been deployed through the medium of harmful email attachments during 2021, representing a 20% rise over last year’s data. Specifically, these email attachments have been disguised as office documents—including Microsoft Office files, PDFs and Google Docs.

This rise in malicious document downloads is likely tied to cybercriminals taking advantage of shifting work arrangements during the ongoing COVID-19 pandemic. After all, the significant increase in remote operations over the past year has led to more employees relying on digital platforms (e.g., email and online messaging) to communicate with their co-workers.

With remote employees using virtual mediums to share important information and files, cybercriminals have been able to trick some of these workers into downloading malicious office documents via deceitful emails. For instance, a cybercriminal may impersonate a victim’s co-worker and email them a harmful file titled “Monthly Financial Report” in order to manipulate them into downloading it.

In light of this trend, it’s critical for employers to take the following steps to protect against malicious document downloads:

  • Educate employees on how to recognize and respond to phishing emails. In particular, workers should always verify the sender’s identity by double-checking their address before interacting with an email and avoid opening any attachments from unknown sources. Further, employees should report any suspicious email activity to the IT department.
  • Implement antivirus programs and endpoint detection and response systems on workplace technology to help minimize malware threats. Update this software regularly.
  • Install email security features (e.g., spam filters) to help prevent malicious messages from landing in employees’ inboxes altogether.

Cybersecurity Considerations for Hybrid Work

COVID-19 pandemic has greatly changed how employees across the country work and live. That is, the past year saw a substantial proportion of the workforce transition to remote operations. Looking ahead, a recent study found that the majority of remote employees (83%) are wanting to continue working from home in some capacity. As a result, nearly half (45%) of employers are planning to implement hybrid work arrangements in the near future. Such arrangements allow for employees to split their time between working remotely and on-site. For example, employees may work in the office every Monday and stay remote for the remainder of the week.

While hybrid work models can offer various benefits to both employers and their workforces, these arrangements also carry unique cybersecurity risks. First, remote work environments often provide less secure network settings than on-site setups, leaving employees more vulnerable to cloud-based cyberattacks. In fact, such attacks have skyrocketed by over 600% since the pandemic began.

What’s worse, by alternating between remote and on-site networks, employees could potentially expose a greater proportion of workplace technology and assets amid a cyber incident. In other words, if an employee unknowingly has their laptop hacked by cybercriminals while working remotely and connects that device to an on-site network a few days later while working in the office, all workplace technology is then at risk of being compromised by the hackers.

If you are considering a hybrid work model within your organization, consider these best practices to help minimize cybersecurity exposures:

  • Utilize a virtual private network (VPN). Having a VPN provides your employees with a private, protected network connection—both remotely and on-site. VPNs offer various cybersecurity features, such as hiding users’ IP addresses, encrypting data transfers and masking users’ locations. If you don’t already have a VPN, this is a crucial step in developing a secure hybrid work model, as it can reduce network vulnerabilities when employees work remotely. If you already have a VPN, be sure it is fully patched.
  • Train employees. Require staff to participate in routine cybersecurity training. This training should help employees stay up to date on the latest cyberthreats, emerging attack methods and top tips for protecting against these concerns. Additionally, this training should address specific risks related to hybrid work arrangements and how to properly mitigate them.
  • Safeguard all devices. Make sure all workplace devices—including those used remotely—are equipped with adequate security software (e.g., antivirus programs, firewalls, endpoint detection and response systems, and patch management products). Ensure this software is updated as needed to maintain its effectiveness.
  • Foster open communication. Lastly, encourage employees to consult the IT department if they encounter any cybersecurity issues or suspect a potential cyberattack.

Educate Employees on This Emerging Phishing Scam

While phishing scams have been a persistent issue for employers of varying sizes and sectors, cybersecurity experts recently confirmed that a new phishing tactic has emerged.

This scam entails cybercriminals impersonating a trusted cybersecurity company and emailing their victims a “secure message.” The email then asks victims to click on a harmful link to view their “secure message.” However, clicking on the link opens a malicious website that attempts to compromise victims’ devices.

So far, this emerging phishing tactic has been detected in over 75,000 employees’ email inboxes across industry lines. The message is typically sent to multiple employees within the same organization, often from different departments. Targeted employees have included both individual contributors and those in leadership positions.

It’s vital for employers like you to educate workers on the latest phishing tactic. Be sure to show employees the key signs of this scam and encourage them to report suspicious messages to the IT department.

Contact us today for additional cybersecurity resources.

Read more
No Comments