In August, Malwarebytes Labs analyzed the damage caused by COVID-19 to business cybersecurity. Because of immediate, mandated transitions to working from home (WFH), businesses across the United States suffered more data breaches, lost more dollars, and increased their overall attack surfaces, all while experiencing a worrying lack of cybersecurity awareness on the part of workers and IT and security directors.
Today, we have parsed the data to understand the pandemic’s effect on, specifically, small- and medium-sized businesses (SMBs).
The data on SMB cybersecurity is troubling.
Despite smart maneuvering by some SMBs—like those that provided cybersecurity trainings focused on WFH threats, or those that refrained from rolling out a new software tool because of its security or privacy risks—28 percent of SMBs still paid unexpected expenses to address a malware attack, and 22 percent suffered a security breach due to a remote worker.
Those numbers are higher than the averages we found for companies of all sizes in August—by a respective 4 percent and 2 percent.
The numbers don’t look good. But perhaps more worrying than the actions that befell our respondents are the actions they might fail to take themselves. For example, while a majority of SMBs said that they planned to install a more permanent WFH model for employees in the future, the same number of SMBs said they did not plan to deploy an antivirus solution that can specifically protect those distributed workforces.
Further, while SMBs widely agreed that they were using more video conferencing, online communication, and cloud storage platforms during WFH—thus expanding their online attack surface—a worrying number of respondents said they did not complete any cybersecurity or online privacy reviews of those software tools before making them available to employees.
Thankfully, there are some basic steps that SMBs can take in the coming weeks and months to better protect themselves and their employees:
- Provide cybersecurity trainings that are tailored not just for the threats of WFH, but also the threats that employees may face depending on their job responsibilities and the level of access they have within the business
- Install long-term online privacy and cybersecurity reviews, remembering to review internal products—which may necessitate additional employee access points—as much as new, external software tools
- Deploy an antivirus solution that can better handle a remote workforce
The cybersecurity posture of organizations of all sizes, including SMBs, can and should be taken seriously—especially as WFH becomes the new normal.
A closer look at SMB cybersecurity
Today’s data represents a follow-up to our August report, Enduring from Home: COVID-19’s Impact on Business Security, in which we surveyed more than 200 IT and cybersecurity executives, directors, and managers from businesses of all sizes. Our analysis today takes a magnifying glass to the more than 100 respondents who work for companies that have between 100 and 1,249 employees.
We separated the data into three bands according to company size: companies with 100–349 employees; companies with 350–699 employees; and companies with 700–1,249 employees.
At times, certain patterns or unique findings emerged within those bands.
For example, larger SMBs had far greater concerns about the effectiveness of a remote IT workforce. When asked about their biggest cybersecurity concerns with employees now working remotely, 50 percent of respondents working at companies with 700–1,249 employees said “our IT support may not be as effective in supporting remote workers.”
Respondents from smaller organizations, however, were not as concerned. Only 27.3 percent of respondents from the smallest businesses we surveyed (100–349 employees) and 21.6 percent of midsized companies (350–699 employees) answered the same.
Intuitively, this makes sense—larger companies have more employees and more potential opportunities for ad-hoc cybersecurity and IT issues that should be addressed. But without an office, those issues might be ignored by employees. Similarly, those issues might become so frequent that they overwhelm remote IT workers.
Elsewhere in the data, in at least one situation, we found a potential correlation between company size and pandemic impact.
Like we said above, across all SMBs, 28 percent said they paid unexpected expenses to address a malware attack.
But that percentage increased depending on the size of the company affected. Surprise malware expenses hit 21.2 percent of companies with 100–349 employees, 29.7 percent of companies with 350–699 employees, and 30.4 percent of companies with 700–1,249 employees.
Maybe, then, there is some truth to the age-old saying: The bigger they are, the harder they fall.
In fact, that idea bore some truth when we broadened the analysis of our data. By comparing the responses of SMBs to the responses of enterprise companies—which, in our data, included companies with 1,250–4,999 employees, and companies with 5,000 or more employees—we found that large enterprises were more likely to report financial damages, but less likely to report cybersecurity damages.
The starkest differences can be found in the 60.5 percent of enterprise respondents who said they froze all or nearly all hiring compared to the 50.9 percent of SMBs who said the same; the 43 percent of enterprise respondents who said they froze all or nearly all promotions and pay raises compared to the 33.6 percent of SMBs; and the 29.1 percent of enterprise respondents who said they lost contracts or clients, compared to the 21.6 percent of SMBs.
However, enterprise respondents were far less likely to say they paid unexpected expenses to address a malware attack—18.6 percent versus 27.6 percent of SMBs—and they were slightly less likely to say they faced a security breach due to a remote worker—16.3 percent versus 22.4 percent of SMBs.
It’s difficult to pinpoint why enterprise companies proved more resilient to cybersecurity damages—they said they performed cybersecurity and online privacy reviews of new software tools, deployed new antivirus tools, and provided WFH-tailored cybersecurity trainings at nearly the same rates as SMBs, and, surprisingly, enterprise respondents said they urged employees to use an antivirus tool on personal devices at a dramatically lower rate—29.1 percent of enterprise companies compared to 45.7 percent of SMBs.
The one sticking point, however, may be in device usage. Enterprise respondents used their personal devices less frequently for work than their SMB counterparts, with just 20.9 percent of respondents saying they now used their personal devices for work more than work-issued devices, compared with 32.8 percent of SMB respondents.
Good trends in SMB cybersecurity
The immediate transition to WFH hit businesses everywhere, no matter their size. With no preparation time and sometimes lacking clarity from local and state governments for what was considered safe, businesses were forced to chart their own paths.
Despite these pressures, many SMBs rose to the occasion to protect their businesses and their employees, while also providing their workers with the tools and software necessary to succeed in their roles.
For example, 58.2 percent of respondents said their business provided work-issued devices as needed, and 41.4 percent said their business deployed previously unused software tools to maintain communication and productivity. Further, 56.9 percent of respondents said their business performed a cybersecurity and online privacy analysis of newly deployed software tools, while 21.6 percent said that those reviews led to a decision to not deploy a software tool.
Finally, 55.2 percent of respondents said their business provided cybersecurity trainings focused on the specific cybersecurity threats of WFH, with information on the importance of secured home networks, strong passwords, and unauthorized device access.
As SMBs showed promising action in the immediate transition to WFH, they also responded with encouraging preparations for the future.
More than half—56.9 percent—of respondents said their business would “develop stronger remote security policies,” 50 percent said their business would “host more cybersecurity trainings tailored for working from home,” and 48.2 percent said their business would “develop cybersecurity and online privacy reviews for new, necessary software in the transition to working from home.”
That last point is a welcome one. Though, as we showed, 56.9 percent of respondents said their business “performed a cybersecurity and online privacy analysis of any newly-deployed software tools,” those reviews may have been ad-hoc. Codifying these types of reviews into a broader set of policies is a good practice.
While all of these are encouraging trends, we cannot neglect some of the more worrying data points. In fact, one of our survey respondents accurately described some of the same risks that we uncovered.
“Employees are not as vigilant as they would be working from home about potential cyberattacks,” said a Florida IT director at a company of 100–349 employees. “We’ve seen some lax efforts from some of our better more observant employees in the last few months.”
Conflicting postures in SMB cybersecurity
In our main report in August, we found potential cases of security hubris—the simple phenomenon in which a business believes it is more secure than it actually is. In our deeper analysis of SMB cybersecurity, similar trends emerged.
For example, when we asked SMB respondents to rank their preparedness to transition to WFH on a scale from 1–10, a majority ranked themselves highly—62 percent gave their business an 8 or higher, and 74.1 percent gave their business a 7 or higher.
However, our respondents’ actual transition to WFH did not involve the type of preparation and cybersecurity protection that would typically warrant such high evaluations.
Yes, 55.2 percent said they provided cybersecurity trainings focused on the specific cybersecurity threats of WFH, but think about the 44.8 percent who did not respond that way. Yes, 57 percent said they performed a cybersecurity and online privacy analysis of new software tools, but that likely means that more than 40 percent did not. Also, only 34.5 percent of respondents said they deployed a new antivirus tool for devices provided by the organization, which leaves us scratching our heads about the roughly 65 percent who did not say the same. What gives?
Amidst the transition to WFH, our SMB respondents entirely agreed on one aspect—they are using more tools, more frequently.
We found that 81.9 percent of SMB respondents said that their usage of video conferencing platforms, like Zoom and Microsoft Teams, had increased “slightly more” or “significantly more,” 75 percent said the same about their increased use of online instant messaging platforms, and 69.8 percent said the same about their increased use of cloud storage platforms. Relatedly, 33 percent of respondents said they are using personal devices for work more often than their work-issued device, compared to the time before the pandemic.
Put into perspective, more software tools being used more frequently, with some employees reporting more frequent personal device usage, all points to one big problem—an increased attack surface.
And yet, even with this hard data showing an increased attack surface, 65.5 percent of respondents said their organizations were at least “equally secure” as they were before the pandemic; within those numbers, 35.4 percent went further, saying their business was actually “slightly more” or “significantly more” secure.
On our podcast Lock and Code, security evangelist and Malwarebytes Labs director Adam Kujawa explained why these positions are likely impossible to square.
“For the most part, I don’t see how people can actually say they’re more secure,” Kujawa said about the results from our broader COVID-19 report in August. “There may be an idea that, because folks are distributed—because remote workers are no longer located in a single, physical space—that they are somehow decentralized, and therefore harder to gain access to by cybercriminals.”
Kujawa continued: “The reality is that that is complete baloney.”
The clearest discrepancy between the words and the actions of SMBs came in the responses to their future. When asked about future plans to protect their businesses, 54.3 percent of SMB respondents said they would “install a more permanent work-from-home model for employees who do not need to be in the office every day.” However, just 38.8 percent said they would “deploy an antivirus solution that can better handle a more dispersed, remote workforce.”
This is disappointing because it seems so obvious. Any plans to install a more permanent workforce must include plans to protect that workforce.
Protecting a business from cybersecurity attacks is difficult. Protecting a business during a pandemic, with employees dispersed across multiple geographies, is only harder.
Like we said above, there are several steps that SMBs can take in the near future to better protect themselves and their employees.
SMBs should provide cybersecurity trainings that are relevant to employees’ job responsibilities. Blanket cybersecurity policies rarely grab any employees’ attention, which could lead to lapses in cybersecurity hygiene.
Also, it’s a good idea to consider installing a more permanent WFH solution today, because, when the pandemic finally does end, your business will get a boost in cybersecurity posture even if employees are working remotely for other purposes, like traveling for conferences.
Finally, since we found that SMBs were more likely to suffer a security breach because of a remote worker, seriously consider rolling out an antivirus solution that can protect those employees. We understand that cybersecurity is hard, and that the budget pressures of SMBs are unique, but small- and medium-sized businesses should not have to risk higher threats of breaches just because of their sizes.
Further, since SMBs reported far higher increases in personal device usage for work-related activities, they could also consider urging employees to use an antivirus solution on those devices.
Companies can come in many, many sizes, but none of those sizes are too small to care about cybersecurity.
Remember to read the full report for more information.
The post SMB cybersecurity posture weakened by COVID-19, Labs report finds appeared first on Malwarebytes Labs.
The team at Malwarebytes Labs is at it again, this time with a special edition of our quarterly CTNT report—Cybercrime tactics and techniques: the 2019 state of healthcare. Over the last year, we gathered global data from our product telemetry, honeypots, threat intelligence, and research efforts, focusing on the top threat categories and families that plagued the medical industry, as well as the most common attack vectors used by cybercriminals to penetrate healthcare defenses.
What we found is that healthcare-targeted cybercrime is a growing sector, with threats increasing in volume and severity while highly-valuable patient data remains unguarded. With a combination of unsecured electronic healthcare records (EHR) spread over a broad attack surface, cybercriminals are cashing in on industry negligence, exploiting vulnerabilities in unpatched legacy software and social engineering unaware hospital staff into opening malicious emails—inviting infections into the very halls constructed to beat them.
Our report explores the security challenges inherent to all healthcare organizations, from small private practices to enterprise HMOs, as well as the devastating consequences of criminal infiltration on patient care. Finally, we look ahead to innovations in biotech and the need to consider security in their design and implementation.
Key takeaways: the 2019 state of healthcare
Some of the key takeaways from our report:
- The medical sector is currently ranked as the seventh-most targeted global industry according to Malwarebytes telemetry gathered from October 2018 through September 2019.
- Threat detections have increased for this vertical from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.
- The medical industry is overwhelmingly targeted by Trojan malware, which increased by 82 percent in Q3 2019 over the previous quarter.
- While Emotet detections surged at the beginning of 2019, TrickBot took over in the second half as the number one threat to healthcare today.
- The healthcare industry is a target for cybercriminals for several reasons, including its large databases of EHRs, lack of a sophisticated security model, and high number of endpoints and other devices connected to the network.
- Consequences of a breach for the medical industry far outweigh those for any other organization, as stolen or modified patient data can put a stop to critical procedures, and devices locked out due to a ransomware attack can result in halted operations—and sometimes even patient death.
- New innovations in biotech, including cloud-based biometrics, genetic research, and even advances in prosthetics could broaden the attack surface on healthcare and result in far-reaching, dire outcomes if security isn’t baked into their design and implementation.
To learn more about the cyberthreats facing healthcare and our recommendations for improving the industry’s security posture, read the full report:
Cybercrime tactics and techniques: the 2019 state of healthcare
The post Labs report finds cyberthreats against healthcare increasing while security circles the drain appeared first on Malwarebytes Labs.
Today marks a big milestone for Veracode, and for the application security industry – we’re releasing the 10th volume of our State of Software Security (SOSS) report. 10 SOSS reports and 80,000+ apps later, we’ve accumulated a lot of data, and a lot of insights, about application security trends and best practices. This year, we took a look back at the AppSec picture over the past 10 years, and dug into the data amassed from our security scans from April 2018 to March 2019. Some big takeaways:
The more things change, the more they stay the same: We’ve seen some positive movement this year, but we’ve got a long way to go. The same vulnerabilities are populating the top 10 list, and the percentage of applications that have at least one vulnerability on initial scan has remained high and stagnant over the past 10 years. Secure coding training is clearly still a critical component of any security program.
We’ve moved beyond just finding flaws to fixing them: Our VP of Services Pejman Pourmousa was recently quoted saying, “you can’t scan your way to secure code.” And that sentiment appears to be gaining momentum. This year’s data, especially compared to data over the past 10 years, reveals that developers are indeed focused on fixing the security flaws they find more than ever before. For example, half of applications showed a net reduction in flaws over the sample time frame. Another 20% either had no flaws or showed no change. This means 70% of development teams are keeping pace or pulling ahead in the flaw-busting race!
Security debt is piling up: Although fix rates are improving, most organizations are prioritizing newly found security flaws, while letting older, unaddressed flaws linger. This accumulation of security debt is both illustrated in our SOSS data and has started to emerge as a pain point in our conversations with customers. But this year’s data also provides some compelling evidence surrounding steps organizations can take to start chipping away at that debt. In particular, organizations that are scanning the most are carrying 5x less security debt than those scanning the least.
See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program.
Today, we released the final episode of Lawfare’s narrative audio documentary, The Report, which recounts the story Robert Mueller lays out in his 448-page report.
This episode details the challenges Mueller faced as he tried to reach a conclusion about the president’s conduct. After two years of investigating, Mueller confronts a series of hurdles in making his final judgment about obstruction of justice. Some factual questions stand in his way, but Mueller’s most formidable obstacles all come from the Department of Justice itself. An old Office of Legal Counsel opinion and the intervention of Attorney General Barr both mute the impact of Special Counsel’s final report:
The first seven episodes of The Report unpack Volume I; they tell the story of Russia’s efforts to interfere with the 2016 presidential election and the Trump campaign’s interaction and involvement with those efforts. Episode 1 covers the Russian social media operation and the activities of the Internet Research Agency. Episode 2 focuses on the Russian hacking campaign; the stealing of documents and emails from the Democratic National Committee, Democratic Congressional Campaign Committee and figures associated with the Clinton campaign; and the leaks of stolen materials timed to affect the U.S. election. Episode 3 covers the Trump campaign’s involvement in the distribution of hacked materials. Episode 4 tells the story of Trump Tower Moscow, which Donald Trump sought to build even as he was denying having any business in Russia, and Trump Tower New York, where Russian representatives showed up promising “dirt” on Hillary Clinton. Episode 5 recounts the stories of three men associated with the Trump campaign and their various ties to Russia: George Papadopoulos, Carter Page and Paul Manafort. Episode 6 details backchannel attempts by the Russians to influence the Trump campaign and transition team on policy matters—an effort to reboot U.S.-Russia relations one secret meeting at a time. Episode 7 covers the special counsel’s charging decisions—which individuals Mueller decides to prosecute, whose prosecutions he declines, and the reasons for his decisions.
We turned to Volume II in Episode 8, which offers the necessary legal and factual context to understand this second half of the report on possibly obstructive activity. Episode 9 details national security adviser Flynn’s lie to federal investigators about his phone call with the Russian ambassador and the White House response to learning of that lie. Episode 9 also charts the president’s turbulent relationship with FBI Director James Comey, which led the two men to a fateful Oval Office encounter. Episode 10 covers Attorney General Jeff Sessions’s decision to recuse from the Russia investigation, Trump’s reaction to the recusal, and the sudden firing of Comey. Episode 11 explains Trump’s furious reaction to the news of Mueller’s appointment and the development that the president was now personally under investigation. Episode 12 shows Trump’s attempts to cover up two damaging stories: one revealing his son’s troubling exchange with a Russian lawyer and one detailing the president’s demand to Don McGahn that he get rid of Mueller. Episode 13 details President Trump’s campaign to influence three of his associates who might reveal information about the President’s behavior to Mueller’s team. Episode 14 offers a look at the President’s ever-evolving relationship with Michael Cohen and Trump’s efforts to keep his former fixer “on the team.”
This episode explains how Mueller dealt with a series of legal and evidentiary challenges after he had completed the investigation. If there was no underlying crime, could the president have obstructed justice? Obstruction usually happens behind closed doors, but what if the president interferes with the investigation in plain view? How can you establish the president’s intent if Trump refused to sit for an interview with investigators? Is it even possible for a president’s behavior to qualify as obstruction? Mueller successfully navigated these questions but struggled to deal with two obstacles from within his own agency, the Department of Justice. The special counsel felt bound by an Office of Legal Counsel opinion barring indictment of a sitting president. And Attorney General Bill Barr pre-empted the release of Mueller’s report by issuing his own summary, filled with misleading generalizations about the special counsel’s conclusions. Mueller goes to testify before Congress a few months later, but he never strays from his laconic injunction: the report speaks for itself. Although Mueller’s work is done, the story is far from over. It’s up to Congress and to Americans everywhere to decide: is this all ok?
The Report has now surpassed two million downloads. The Report may be finished, but we hope you’ll continue to subscribe, rate and share it widely. Continue following this feed for bonus episodes and additional content in the future.
We are grateful to the William and Flora Hewlett Foundation and the Democracy Fund for their support for this project. If you want to support work of this type at Lawfare, please consider becoming a monthly donor by clicking here:
Google announced the addition of a new feature which warns users of sites that try to pose as recently visited pages and a Google Chrome extension designed to allow them to report suspicious sites to Google’s Safe Browsing team. […] BleepingComputer