Categories
Security

2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Global cyberattacks have increased by 483 percent over the last two years, and at the current rate of growth, damage from such attacks will amount to $10.5 trillion in 2025.

Against that backdrop, and despite increased spending on cybersecurity, the skills gap has widened to a canyon. According to the (IC)² 2022 Cybersecurity Workforce Study, the global security workforce gap increased by 26 percent, with 3.4 million additional workers needed to effectively secure businesses. It’s this discrepancy that I believe will lead to a nationally significant cyberattack on a major US organization this year.

As an industry, we need to preemptively address these risks, both by immediately hiring and onboarding new cyber talent and introducing new tools and resources to help simplify operations for SMBs and other thinly-stretched teams.

How to find (and keep) diverse security staff—and when to turn to MSPs

Business leaders are doing a lot of hand-wringing these days. Fears of recession, geopolitical instability, and rising tides of cybercrime compete for attention and have already impacted budget decisions for 2023. But with the average cost of a US data breach at $9.44 million—more than twice the global average—many executives are putting their eggs in the cybersecurity basket. A recent Gartner survey of CIOs revealed that two-thirds plan to increase cyber spending this year.

And yet—will that be enough? Cybercriminals don’t retreat in the face of economic trouble. If anything, they up the ante to meet their financial goals, as has been witnessed firsthand with record cyberattack volume since the onslaught of the pandemic. Cybercrime surged to meteoric heights in 2020 and 2021, and 2022 continued the upward trend with an additional 28 percent increase in global attacks. These numbers hardly do the crimes justice, as they don’t include the effect on employee productivity and morale, lost profits and investments, and irrevocable damage to company reputation.

While organizations have made major investments in cybersecurity recently, hiring additional staff members to manage complex systems, processes, and people does not appear to be a priority. In 2022, the security employment gap expanded by 40 percent to 700,000 unfilled positions in the US alone. “The cybersecurity talent shortage is one of the most significant and threatening challenges facing our industry today,” said Barbara Massa, executive vice president at Mandiant, in an article for CNN.

Indeed, an estimated 70 percent of respondents to the (IC)² 2022 Cybersecurity Workforce Study reported that their organization does not have enough employees devoted to security, with more than half saying staff deficits put their company at “moderate” or “extreme” risk of cyberattack. It’s no leap of logic to assume a significant cyberattack will take place in 2023 due to a mistake made by an overburdened employee or an incident that overwhelms an understaffed team.

Signs of impending crisis have already started to show. According to a 2022 survey by Colbalt, a whopping 90 percent of respondents who have suffered shortages or lost team members are struggling with workload management. Talent gaps can have tangible impacts to an organization’s security posture, including difficulty maintaining standards, lackluster or non-existent training deployment, and undetected vulnerabilities slipping under the radar.

When security professionals are barely keeping their heads above water, important tasks slip through the cracks, leaving infrastructure exposed to the potential for massive compromise. That’s why it’s time to start thinking differently about the security talent shortage and look for creative solutions to the growing problem.

Recruiting security staff: fewer certifications, more diversification

Historically, job listings for cybersecurity positions have placed heavy focus on prior experience, often with a legacy security institution, as well as a laundry list of technical skills and certifications. Many businesses also require familiarity with their preferred software, with dozens of programs littering job descriptions. However, rigid adherence to such qualifications is often to blame for positions remaining unfilled for extended periods.

Instead, organizations should ditch preconceived notions that security professionals must possess a plethora of niche technical skills and consider candidates with so-called “soft skills” of creative problem-solving, communication, collaboration, and critical thinking. If the candidate shows strong potential and a willingness to learn—and is a good cultural fit with other team members and employees—they can be trained to pick up the technical skills they lack.

Another habitual practice in hiring security teams is to look at the same job boards or set of schools for graduates in computer science and information technology year after year. Instead, businesses should expand their search beyond the usual places and methods. A college degree is not always necessary for someone to become a talented cybersecurity professional.

Experts recommend looking in-house at employees not currently on the security team to fill open slots. Perhaps someone in IT, Q/A testing, or customer service has expressed an interest and can be easily trained. Capture the flag, bug bounty, and other security contests are also excellent sources of highly-skilled candidates, as are apprenticeship and internship programs. Finally, SMBs might have surprising luck poaching experienced candidates who are looking to make more of an impact from enterprise businesses, though admittedly this does little to address the overall skills shortage.

In addition to expanding skill and location parameters, it’s crucial for businesses to diversify their cybersecurity teams. With fresh perspectives, a diverse IS department can not only look at a problem from new angles but address multiple issues stemming from multi-dimensional adversaries. Diversifying security teams means adding members with different skill sets and backgrounds, including those traditionally excluded from the industry.

Women are a growing, yet still underrepresented group in cybersecurity, cornering just 25 percent of the global security workforce in 2021. Hiring managers can look to nonprofits, such as WiCyS, CybHER, Inteligencia, and the Diana Initiative to connect them with women looking to enter the field. The SANS Institute also offers the CyberTalent Immersion Academy for Women, where candidates receive world-class training and certification.

Businesses should also conduct outreach to tap into Black, Indigenous, and people of color (BIPOC) and LGBTQ+ communities for potential job prospects. A September 2021 study on diversity and inclusion in cybersecurity found that only 4 percent of US security professionals self-identify as Hispanic and 9 percent as Black.

To court ethnically and culturally diverse applicants, add language to job descriptions that explicitly states interest in groups often left out of hiring pools. Let candidates know the company fosters a welcoming environment for all and encourages professional development of its cybersecurity talent. In addition, look for organizations matching diverse hopefuls to job openings, such as CyberSN, Secure Diversity, and Blacks in Cybersecurity.

Retaining security staff: show them the money

Cybersecurity as an industry suffers from a retention problem. A study from the Kapor Center estimated that high turnover has cost the technology sector more than $16 billion annually. At the heart of such turnover: toxic workplace culture. Nearly 40 percent of employees surveyed said that unfairness or mistreatment played a major role in their decision to leave their company.

It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. Other strategies include:

  • Having a succession plan in place so employees can envision and make reality their career growth within the business.
  • Establishing a mentoring program to allow junior personnel to shadow senior staff and picture what the next stage of their career might look like.
  • Offering security staff opportunities to be involved in the planning stages of projects so they feel their voice is heard.
  • Giving employees ample time off for well-being, including mental health and personal days, to avoid burnout.
  • Allowing flexible in-office hours, including a hybrid or remote work schedule to keep competitive offers at bay.

Finally, of critical importance to attract and retain quality employees is offering a competitive salary. Currently, the median salary for cybersecurity professionals in the US is $135,000, according to (ISC)². The study also shows that 27 percent of security workers enter the sector for the high earning potential and strong compensation packages.

Salaries should increase to keep up with both market trends and increasing responsibilities related to the growing sophistication and frequency of cyberattacks. Between 2020 and 2021, some cybersecurity salaries jumped by more than 16 percent to well over six figures, according to a 2021 report from Dice, a tech recruiting platform.

To MSP or not to MSP

Organizations of every size are in the crosshairs of cybercriminals, but SMBs disproportionately feel the weight of cyberattacks. A 2022 Devolutions report found that 60 percent of SMBs have experienced at least one attack in the past year, and 18 percent have endured six or more. However, 44 percent of respondents indicated they do not have a comprehensive, updated incident response plan in place. Alongside choppy economic waters, 2023 could shape up to be a perfect storm for SMBs who haven’t shored up cybersecurity defenses.

SMBs traditionally have fewer resources than enterprises but are at the receiving end of more attacks. Top threats against SMBs include phishing, credential theft, and ransomware, the latter of which can render a small business bankrupt if not properly thwarted. SMBs need robust security protections, but over 40 percent have no internal IT personnel, and most of these businesses are staffed with just one generalist on call.

The growing complexity of securing ever-widening digital threat surfaces while maintaining industry, national, and international security and privacy regulations has driven many SMBs to turn to managed service providers (MSPs) as a lifeline.
MSPs allow small businesses to cost-effectively supplement or stand in for a full-fledged security team to protect against infections and reduce exposure to threats.

Many SMBs, recognizing that MSPs can be critical partners in helping them overcome security challenges, are planning to increase investment in managed IT and security solutions this year. The widespread and growing need for process digitization, cloud migration, post-COVID collaboration, analytics, compliance, and all-around better security are creating strong demand from SMBs for external expertise in cybersecurity.

SMB investment in MSP solutions will not only provide a shield against the onslaught of digital threats in 2023, but help organizations achieve their business goals while improving collaboration and engagement. Whether your organization has budget to hire a diversified security team or requires an MSP to handle complex security needs, ensuring you have skilled professionals to manage and deploy comprehensive protections will keep your business thriving in the new year and many years to come.

For more information on Malwarebytes’ Managed Service Provider Program, check out our dedicated MSP portal.

Categories
Security

How to protect against Labor Day ransomware attacks

On the last major American holiday, the fourth of July, IT solutions developer Kaseya announced it had become the victim of a ransomware attack — an attack that cascaded down the software supply chain, impacting more than 1,500 businesses. 

Kaseya aren’t the first and certainly won’t be the last victim of a cyberattack over the holidays. In fact, cybercriminals love to pounce when IT and security teams are out of the office for an extended time, or when employees let their guards down because they’re about to go on vacation. 

That’s why it’s important to stay alert before and during the three-day Labor Day weekend.

Weak IoT security should concern consumers, businesses as adoption increases

Labor Day weekend is nearly here, and I bet many employees’ thoughts have already turned to mini getaways, lazy afternoon binge-fests, or that one last barbeque before the weather turns crisp. Cybercriminals are banking on it, in fact, because the best time to attack is the absolute least convenient time for IT and security teams: weekends and holidays.

In fact, there’s a precedent for weekend and holiday ransomware attacks going back at least to December 2018, when cybercriminals leveled Tribune Publishing and other businesses with Ryuk ransomware on Christmas Eve. However, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement on August 31 warning that they have observed an increase in “highly impactful ransomware attacks” occurring over holidays and weekends in the United States over the last several months.

In the last three months alone, three massive ransomware attacks have taken place on US critical infrastructure on or leading up to holiday weekends. Just before Mother’s Day in May, cybercriminals dropped DarkSide ransomware on Colonial Pipeline, one of the nation’s biggest suppliers of fuel. After DarkSide actors gained access to the Colonia Pipeline network, they encrypted and exfiltrated the company’s data before threatening to publish it, attempting to extort them into paying the ransom. The attack resulted in a week-long suspension of operations, which led to panic-buying, price hikes, and crazy lines at gas stations up and down the east coast.

That same month, JBS, the world’s largest producer of beef and pork, was hit over Memorial Day weekend with Sodinokibi/REvil ransomware. The attack affected all US and Australian meat production plants, causing a complete halt in operations. And of course, IT solutions provider Kaseya suffered its breach and subsequent ransomware attack during the Fourth of July holiday weekend. Threat actors gained access to Kaseya’s remote monitoring and management tool, through which they deployed malicious updates to hundreds of organizations — including multiple managed service providers (MSPs) and their customers.

Ransomware has been on a meteoric rise — so much so that John Oliver devoted an entire segment of his HBO show “Last Week Tonight” to the subject last month. While Oliver blamed ransomware-as-a-service (RaaS), the popularity of cryptocurrency, and countries providing safe havens to cybercriminals as the reasons behind ransomware’s ascension, likely the answer is even more simple. Cybercriminals are opportunistic, and ransomware can easily defeat organizations when they don’t have the proper protection in place. Add to that the fact that IT is usually short-staffed over the holidays, and you have the recipe for disaster.

To avoid the fate of Colonial Pipeline, JBS, and Kaseya, take the following actions before and during Labor Day weekend:

  • Run a deep scan on all endpoints, servers, and any other connected systems to ensure there are no threats waiting to pounce when the lights go off.
  • Make an offline backup of your organization’s most critical data.
  • Run any necessary OS or software updates on endpoints to be sure that known vulnerabilities will not be exploited.
  • Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA).
  • Shut down all non-essential systems and endpoints on Friday evening.
  • Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation.

For more ways to stay safe from ransomware over the holiday weekend, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/101/how-tos/2021/08/how-to-stay-secure-from-ransomware-attacks-this-labor-day-weekend/

For the joint statement by the FBI and CISA on increasing ransomware attacks over the holidays: https://us-cert.cisa.gov/sites/default/files/publications/AA21-243A-Ransomware_Awareness_for_Holidays_and_Weekends.pdf

And to watch the John Oliver episode on ransomware: https://youtube.com/watch?v=WqD-ATqw3js

Categories
Security

Business email compromise cost businesses $1.8B in 2020

I know looking back at 2020 for any reason can be a less-than-appealing thought. But in the case of business email compromise (BEC), it would not only be a dangerous oversight, but a costly one. In fact, last year BEC cost organizations nearly $2B.

That’s what the FBI discovered (among many other unsavory finds) in its annual Internet Crime Report released March 17. The report states that businesses suffered losses totaling $1.8B, a more than threefold increase from the $54 million lost in 2019. And although the FBI received the most complaints about phishing scams, BEC far outpaced phishing in financial damage, underscoring its tremendous cost — and the need for more awareness.

Last week, the FBI issued another warning to state, local, and tribal governments about BEC — unfortunately, the BEC attacks do not appear to be slowing in 2021.

BEC a growing problem for organizations

People complained to the FBI about business email compromise (BEC) 19,369 times in 2020. That sounds like a hefty number… until you stack it up against the $1.8B in collective losses caused by BEC, according to the FBI’s annual Internet Crime Report. If we divide the cost of BEC losses among the 19,000+ victims evenly, that’s an average of a little less than $100,000 per business. That’s not a loss many businesses could take on the chin lightly.

While BEC might have barely cracked the top 10 most-reported cybercrimes in 2020, it blew away the competition in victim losses. The second-most costly crime was confidence fraud/romance scams at around $600,000, over $1B less than BEC, and it’s not a cybercrime particularly targeted to businesses.

Yet how many could tell what business email compromise looks like? How to spot a BEC scam and properly report it? The best methods to protect against it? Last year, BEC was the most expensive cybercrime, and it was reported far less phishing and its counterparts — vishing, smishing, and pharming — which ensnared nearly 250,000 in 2020, according to the FBI report.

If you’re wondering why I didn’t mention ransomware, it’s because the $29 million in losses reported to the FBI do not paint an accurate picture of the total devastation ransomware wreaked on businesses last year. The FBI’s record is so low because it doesn’t reflect estimates of lost business, time/productivity, wages, customer and company data, equipment, or any third-party remediation services acquired. Which makes the $4.2B in total losses reported from cybercrime in 2020 that much more nauseating.

Getting back to BEC, last week, the FBI warned state and local governments that the onslaught of BEC attacks is not slowing in 2021. The organization issued a Private Industry Notification stating that these smaller government organizations are being targeted by BEC attackers because they have inadequate resources and cybersecurity controls. The FBI cites two risks contributing to these attacks: the move to remote work and the failure to provide sufficient training to the workforce.

So what does business email compromise, or email account compromise (EAC) as some call it, actually look like? BEC/EAC is a sophisticated scam that targets both businesses and individuals that are transferring funds. BEC typically happens when a threat actor compromises a legitimate business email account through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

But as cybercrime has evolved, so have BEC/EAC attacks. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of CEO or CFO email accounts. Fraudulent emails were sent to unknowing recipients requesting wire payments. Not wanting to question the directions of their superiors, employees typically responded by sending the money first, asking questions later.

Over the years, BEC has evolved to include compromising not just business emails, but personal, vendor, and lawyer email accounts as well. Fraudulent requests have expanded to include W-2 information, large amounts of gift cards, and other personally identifiable information (PII).

In 2020, the IC3 (branch of the FBI researching cybercrimes) observed an increase in the number of BEC/EAC complaints related to sophisticated, multi-pronged cyberattacks. In these variations, an initial victim is first scammed via extortion, tech support scam, romance scam, etc. into providing the criminal with PII. The PII is then used to establish a bank account that will receive stolen BEC/EAC funds, which are then exchanged for cryptocurrency.

Try getting out of that mess! Actually, as with most cybercrime, the best protection is prevention. Here are a few tried and true tips for protecting against BEC/EAC.

  • Keep an eye on the usual phishing red flags, such as odd formatting, bad grammar, or false email addresses.
  • Mind the money: BEC emails typically target someone with access to financial records/finances and may make strange payment requests, such as wiring money to an unknown location.
  • Pay special attention to emails sent by people claiming to be accountants, lawyers, or executives, especially those with a sense of urgency. They may be trying to convince you to wire money in support of a business deal, such as an acquisition. Even if the deal is real, the request may not be.
  • Watch out for vendor email compromise, especially an attack where a threat actor has successfully infiltrated a vendor’s email account. The sender’s domain name is genuine and the transaction may seem legitimate, often with proper documentation attached (because the account has been hacked, not spoofed). However, the processing details direct payment to a different account controlled by the scammer.
  • Add BEC/EAC awareness to your company’s security training regimen. Your IT/security team should be able to recognize a standard phish from BEC, and your other employees should at least get a sense that something’s not right with this email. Anyone working directly with vendors, processing payments, or handling financial records should sit for this training as well.
  • Training alone isn’t enough. Compliance is required to head off BEC/EAC. Employees targeted by BEC are typically mid-level and might be nervous approaching an executive, lawyer, or other purported requester to verify unless there is an accepted protocol for reporting potential fraud.
  • Build a layered defense with technical controls, including multi-factor authentication, encryption, virtual private networks (VPNs), and enterprise security software, like Malwarebytes Endpoint Detection and Response.

For more on the FBI’s Internet Crime Report and the impact of BEC in 2020, read our Malwarebytes Labs blog:
https://blog.malwarebytes.com/business-2/2021/03/report-reveals-the-staggering-scale-of-business-email-compromise-losses/

To read the full Internet Crime Report:
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf

Categories
Security

Don’t forget the cyber criminals

Continuing our media push, I wrote a guest post for Forbes.

High profile news throws a spotlight on how people feel about the privacy of their personal digital data, but for years, cybercrime has been stealing and selling it with very little coordinated public uproar.  This malaise must end.  The very real threat comes not from big faceless companies and governments, but those who seek to hide below the radar and the law.  A combined awakening needs to take place and governments, businesses and Internet users must pull together to fight this very current threat to personal data, because at the moment cyber crime is winning.

Check out the post and let me know what you think!

Categories
General

California looks to fight cybercrime

In August, the state of California created the nation’s largest e-crime unit, “a group of 20 investigators and prosecutors whose sole mission will be to thwart and prosecute cybercrimes like identity theft, Internet scams, computer theft, online child pornography and intellectual property theft across the state.” (source)

While this all sounds fantastic, I strongly doubt a team of 20 investigators can handle the amount of fraud, identity theft, and even such a broad category such as Internet scams which include malicious software. I wonder how closely this e-crime unit will work with reputable companies in the security industry to help find these criminals.