Managed Service Providers

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Making the case for MDR: An ally in an unfriendly landscape

Vulnerability reigns supreme

On Oct. 26, we co-hosted a live virtual event, Blackpoint ReCON, with partner Blackpoint Cyber. The event brought together industry experts and IT professionals to discuss how security professionals can continue to navigate the modern threat landscape through a pragmatic MDR approach. During the event, we learned how the increase in ransomware attacks underscores the value of a robust defense and recovery strategy.  

A recent string of notable attacks including Microsoft Exchange, Kaseya, JBS USA, SolarWinds and the Colonial Pipeline, have clearly demonstrated that businesses and critical infrastructure are under assault. The spike in sophistication and speed of attacks has even caught the attention of the White House. It issued an Executive Order in May 2021, calling on the private sector to address the continuously shifting threat landscape.

For small to medium-sized businesses (SMBs) and managed service providers (MSPs), addressing these threats is made more difficult by resource-strapped teams at mid-sized organizations and budgetary constraints at small businesses.

Addressing ongoing SMB and MSP challenges

SMBs, unlike enterprise-level organizations, often suffer from a lack of adequate resources to effectively manage, detect and respond to ongoing security threats before they become full-blown attacks with dire consequences for continuity and productivity.

“Small businesses remain a prime target for threat actors. With minimal margins and few resources, one cyberattack could put a SMB out of business in a matter of days,” says Tyler Moffitt, senior security analyst at Carbonite + Webroot, OpenText companies.

For MSPs, their mid-market customers may not be at the scale or size of an enterprise to respond effectively to cyber threats. They may require additional resources to help boost defense infrastructure among customers. This leaves SMBs and MSP clients more vulnerable to attacks with the potential to cripple their business operations.

SMBs and MSPs don’t have to approach the evolving threat landscape alone. Managed detection and response (MDR) offers a reliable defense and response approach to cyber threats.

What is MDR?

Managed detection and response is a proactive managed cyber security approach to managing threats and malicious activity that empowers organizations to become more cyber resilient.

Carbonite + Webroot, OpenText companies, offers two new MDR options for customers looking for a threat detection and response system that meets their specific needs:

  • Webroot MDR powered by Blackpoint is a turnkey solution developed by world-class security experts to provide 24/7/365 threat hunting, monitoring and remediation. Guided by a board of former national security leaders and an experienced MDR team, Webroot MDR constantly monitors, hunts and responds to threats.
  • OpenText MDR is designed for SMBs with specific implementation and integration requirements determined by their business and IT environments. Backed by AI-powered threat detection, award-winning threat intelligence and a 99% detection rate, this MDR solution gives your business the ability to remain agile.

Having a MDR solution can:

  • Reduce the impact of successful attacks
  • Minimize business operations and continuity
  • Boost the ability to become cyber resilient
  • Achieve compliance with global regulations
  • Bolster customer confidence

In our 2020 Webroot Threat Report, we found that phishing URLs increased by 640% last year. Similar attacks, business email comprise (BEC) for instance, are a major scam malicious actors use to lure unsuspecting end users. BEC attacks have cost organizations almost 1.8 billion in losses, according to FBI reports. MDR helps to reduce costs and secure an organization’s overall security program investment.

In today’s ever-evolving threat landscape, no business can go without a proactive security program. As threat actors become increasingly more complex, their impact to SMBs and MSP customers becomes more severe. To prepare, manage and recover from threats, SMBs and MSPs should consider joining forces with a trusted partner to help boost their customer’s overall protection and remain prepared to tackle whatever threats may impact business continuity.

To learn more about how Webroot can empower your business and get your own MDR conversation started, get in touch with us here.

Shining a light on the dark web

Discover how cybercriminals find their targets on the dark web:

For the average internet user, the dark web is something you only hear about in news broadcasts talking about the latest cyberattacks. But while you won’t find yourself in the dark web by accident, it’s important to know what it is and how you can protect yourself from it. Afterall, the dark web is where most cybercrimes get their start.

The dark web explained

In short, the dark web is a sort of online club where only the members know the ever-changing location.

Once a criminal learns the location, they anonymously gain access to sell stolen information and buy illicit items like illegally obtained credit cards.

Innovations in the dark web

The dark web isn’t just a marketplace, though. It’s also a gathering area where criminals can recruit each other to help with their next attack.

In fact, the rising rates of malware and computer viruses can partially be explained by cyber criminals coming together to pool their talent. They’ve created a new model for cybercrime where criminal specialists sell their talents to the highest bidder. Criminals might even loan out new technology with the promise that they get a portion of any stolen funds.

Protecting yourself and your family

The first step in protecting yourself from criminals in the dark web is to have a plan. The right cybersecurity tools will keep your important financial documents and your most precious memories safe from attack – or even accidental deletion.

And while cybercriminals are developing new methods and tools, cybersecurity professionals are innovating as well. Strategies for cyber resilience combine the best antivirus protection with state-of-the-art cloud backup services, so you’re protected while also prepared for the worst.

Ready to take the first step in protecting you and your family from the dark web?

Explore Webroot plans.

Resilience lies with security: Securing remote access for your business

Remote access has helped us become more interconnected than ever before. In the United States alone, two months into the pandemic, approximately 35% of the workforce was teleworking. The growth of remote access allowed individuals to work with organizations and teams they don’t physically see or meet.

However, the demand for remote access has critical implications for security. Businesses now more than ever are expected to strike a balance between providing reliable remote access and properly securing it. Striking this balance also gives businesses the opportunity to retain customer loyalty and maintain a positive brand reputation. According to one study by Accenture, over 60% of consumers switched some or all of their business from one brand to another within the span of a year. Needless to say, securing remote access has major implications for business productivity and customer retention.

What is secure remote access?

Simply put, secure remote access is the ability to provide reliable entry into a user’s computer from a remote location outside of their work-related office. The user can access their company’s files and documents as if they were physically present at their office. Securing remote access can take different forms. The most popular options include virtual private network (VPN) or remote desktop protocol (RDP).

VPN works by initiating a secure connection over the internet through data encryption. Many businesses offer workers the opportunity to use this method by providing organizational connectivity through a VPN gateway to access the company’s internal network. One downside of using a VPN connection involves vulnerability. Any remote device that gains access to the VPN can share malware, for example, onto the internal company network.

RDP, on the other hand, functions by initiating a remote desktop connection option. Through the click of a mouse, a user can access their computer from any location by logging in with a username and password. However, activating this default feature opens the door to vulnerabilities. Through brute force, illegitimate actors can attempt to hack a user’s password by trying an infinite number of combinations. Without a lockout feature, cybercriminals can make repeated attempts. “This is where length of strength comes into play. It is important to have as many characters as possible within your password, so it’s harder for cybercriminals to crack,” says Tyler Moffitt, security analyst, Carbonite + Webroot, OpenText companies.

Overcoming obstacles

While the steps for securing remote access are simple, the learning curve for adoption may not be. Users, depending on their experience, may feel reluctant to learn another process. However, education is critical to maintaining a business’ security posture, especially when it comes to ransomware.

“The most common way we see ransomware affecting organizations – government municipalities, healthcare and education institutions – is through a breach. Once a cybercriminal is remoted onto a computer, it’s game over as far as security is concerned,” added Moffitt.     

Benefits

The primary benefit of securing remote access is the ability to connect, work and engage from anywhere. A secure connection offers users the chance to work in locations previously not possible.

“The workplace will never be the same post-COVID. As more clients continue to maintain flexible working arrangements, it becomes even more important to secure clients remotely,” says Emma Furtado, customer advocacy manager, Carbonite + Webroot.

Adopting secure remote access also supports the maintenance of client satisfaction, overcoming reluctance and building brand advocacy.

“Carbonite + Webroot Luminaries, a group of managed service providers (MSPs), rely on their clients’ cyber resilience – and trust – to grow their businesses. After implementing Webroot products, many of their clients are open to multiple forms of secure remote access, such as VPN,” Furtado added.

Advice for organizational adoption

  • Test, test, test. Like many applications, ongoing maintenance is key. Conducting frequent connection and penetration testing is important to ensure constant viability for users.
  • Two-factor authentication. Whether it’s via email or text message, this additional security layer should be embedded within an organization’s remote access protocols. 
  • Document your procedures. Develop a standardized policy across your organization to ensure users understand the expectations surrounding remote access. This helps to build security awareness among users, which lessens the likelihood they will adopt shadow IT.

Embracing remote work with reliability and safety in mind

Securing remote access allows businesses to save money, reduce pressure on internal teams and protect intellectual property. As part of a robust cyber resilience strategy, businesses should prioritize developing the necessary backup, training, protection and restoration elements that will help maintain business continuity and enhance customer loyalty and trust.

To start your free Webroot® Security Awareness Training, please click here.

To learn more Webroot® Business Endpoint Protection, please click here.

NIST and No-notice: Finding the Goldilocks zone for phishing simulation difficulty

Earlier this year, the National Institute for Standards and Technology (NIST) published updated recommendations for phishing simulations in security awareness training programs. We discussed it on our Community page soon after the updated standards were released, but the substance of the change bears repeating.

“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.” – NIST SP 800-53, Rev. 5, Section 5.3 (pg. 60)

This update includes a recommendation for “no-notice” phishing simulations to be delivered at the beginning of security awareness training programs to more accurately gauge the readiness of a set of users to recognize a phishing attempt.

The thinking obviously being that letting users in on the phishing simulation game will heighten suspicion of their inbox and skew baseline results. This concern can be thought as a spin-off of the well-studied “Observer Effect” known in many scientific fields; observing the behavior of something necessarily changes that behavior.

While it might be tempting for a Chief Information Security Officer (CISO) or other IT professional to take high grades on a phishing simulation a sign of a job well done, that can be a dangerous conclusion to draw. Phishing tests that are too easy do little to address a problem that’s become one of the most common methods of entry for ransomware attacks.1 If IT professionals grade on a curve here, they’re doing very little to improve their organization’s overall cyber resilience.

Combatting this false sense of confidence about users’ ability to spot phishing attacks requires making sure simulations aren’t too easy to spot.

What makes a phishing simulation too easy?

After putting some thought into that question, NIST researchers published a paper last year in the Journal of Cybersecurity citing three key criteria for determining if a phishing simulation makes for good training.

According to the authors, “low click rates do not necessarily indicate training effectiveness and may instead mean the phishing emails” were:

  1. Too obvious – Either errors were too overt or these templates were running something akin to the Nigerian Prince scam. Either way, they won’t help an employee overcome today’s more sophisticated phishing attempts
  2. Not relevant to staff – We’re all busy at work. So deleting an email offering 25% off at Ed’s Golf Cart Repair Shop doesn’t mean a user is an expert at spotting scams. It just means there was nothing in the simulation that enticed anyone to click.
  3. The phish was repeated or similar to one that was – Phish me once, shame on me…but seriously, this drives home the importance of having a wide range of phishing templates. These programs work best when they’re ongoing, so it’s important to switch it up.

On the other hand, a phishing simulation is convincing if it does the following to some degree:

  • Mimics a workplace process or practice
  • Has workplace relevance
  • Aligns with other situations or events, including those external to the workplace
  • Presents consequences for NOT clicking (e.g., buy gift cards or we lose the client)
  • References targeted training, specific warnings or other exposure

Tip: NIST has devised a weighted version of this scale, “the phish scale,” you can use to determine the difficulty of your simulations. A phishing simulation that has all of the above characteristics would be considered extremely difficult. That’s good, right?

Too much difficulty can be dangerous, too

Any security awareness training program that’s too difficult is liable to leave learners feeling put off, resigned to failure, or worse, coming away without any practical security learnings. This is especially true if users are punished too harshly for failing to spot a difficult phishing simulation.

Any program that’s both difficult and relying on a stick rather than a carrot for motivation runs the risk of:

  • Reinforcing negative stereotypes of security training programs
  • Encouraging employees to “game” the system by sharing information about tests
  • Fostering animosity towards the organization’s overall security posture
  • Inviting legal trouble from dissatisfied employees

For security awareness training to be successful, it has to be collaborative. Learners should feel like they’re part of something constructive, rather than just subjected to another type of performance review.

Hitting the sweet spot

Finding the appropriate difficulty level for phishing simulations is one of the reasons the initial, no-notice NIST recommendation is so important. It helps administrators establish baseline results that most accurately reflect users’ real understanding of phishing attacks. But we don’t recommend a training program be hidden from employees forever.

Instead, after initial results have been established, it’s better to announce the program publicly along with its goals, evaluation criteria and a point of contact for those interested in learning more. Once users are in the know, subsequent phishing simulations can focus on incremental improvements over the baseline results. As scores rise across the board, the difficulty can be gradually increased over time.

One essential recommendation: Always report publicly on positive results. Let users know they’re managing to catch more and more difficult simulations. Be as specific as possible, as in, “click-through rates dropped from A to B in this exercise.” This will help establish a sense of shared responsibility for organizational security and “gamify” the experience.

Calibrating your security awareness training is an ongoing experience. Don’t be afraid to adjust your simulations based on results. Happy learning.

Ready to establish your own successful security awareness training? Try us out free for 30 days

1. Hiscox. “Cyber Readiness Report 2021.” (April 2021)

Survey: How well do IT pros know AI and machine learning?

What do the terms artificial intelligence and machine learning mean to you? If what comes to mind initially involves robot butlers or rogue computer programs, you’re not alone. Even IT pros at large enterprise organizations can’t escape pop culture visions fed by films and TV.

But today, as cyberattacks against businesses and individuals continue to proliferate, technologies like AI and ML that can drastically improve threat detection, protection and prevention are critical. This is even more true as workforces continue to operate remotely in such numbers.

That’s why, for a few years now, we’ve been conducting surveys of IT professionals to determine their familiarity with, and attitudes toward, artificial intelligence (AI) and machine learning (ML). For the purposes of this report, we surveyed IT decision-makers at enterprises (1000+ employees), small and medium-sized businesses (<250 employees), and consumers (home users) throughout the U.S., U.K., Japan, and Australia/New Zealand. 

As a result, we learn about:

  • Baseline cyber hygiene, including what cybersecurity tools are in use and how they’re used
  • General experience with data breaches and attitudes toward the safety of their data
  • How many organizations use cybersecurity tools with AI components
  • Whether IT admins feel that AI actively contributes to the safety of their organizations or is marketing fluff

We titled this year’s survey Fact or Fiction: Perceptions and Misconceptions of AI and Machine Learning and expanded it to include professionals in the enterprise, mid-market organizations and private individuals. It’s one of the largest and most thorough reports on the topic we’ve put together to date and is packed with interesting findings.

Historically, we’ve seen significant confusion surrounding AI and ML. IT professionals are generally aware that they’re in-use, but struggle to voice how they’re helpful or what it is exactly that they do. In Australia, for instance, while the bulk of IT decision makers employ AI/ML-enabled solutions, barely over half (51%) are comfortable describing what they do.

Nevertheless, adoption of AI/ML-enabled technologies continues to rise. Today, more than 93% of enterprise-level businesses report using them. Overall, slightly less than half (47%) call increasing adoption of AI/ML their number one priority for addressing cybersecurity concerns in the coming year.

Here are a few other key takeaways regarding enterprise attitudes toward AI/ML:

  • Understanding is growing – But more education is still required, so vendors must focus on benefits of AI/ML in terms of the bottom line and an enhanced security posture.
  • AI/ML are key to repelling modern threats – Especially for remote workforces, advanced technologies are emerging as a key component for ensuring uptime and availability for clients.
  • AI/ML can differentiate a business – Buyers are looking to invest in their tech stacks to stay out of the headlines for suffering a breach. As understanding of AI/ML grows, more are looking for these capabilities in their cyber defenses.

For the mid-market and individuals, another theme has persisted through our studies: overconfidence.

Among IT professionals at businesses with fewer than 250 employees, almost three-quarters (74%) of respondents believe their organizations are safe from most cyberattacks. But 48% have also admitted to falling victim to a data breach at least once. Interestingly, despite their confidence in their cybersecurity, the same respondents also believe their security situation has been worse by COVID-19.

Other notable findings among small and mid-sized businesses include:

  • They’re beginning to recognize they’re targets – SMBs are catching onto the fact that cybercriminals pick off weak targets and realizing this fact’s implications for their supply chains.
  • Limited IT budgets must be spent wisely – Without the resources to hire full-time IT staff, it becomes critical that a security stack defends against all the most common forms of attack (and their consequences).
  • User education is key – If a business can’t spring for top-of-the-line cybersecurity solutions, educating users on how to keep from enabling breaches can go a long way towards building a strong defense with relatively little investment.

Consumers continue to report abysmal habits in their personal online lives. Less than half use an antivirus or other security tool. Only 16% report using a VPN when connecting in public spaces and 48% have had data stolen at least once. On the brighter side, constant headlines concerning corporations leaking consumer data have made consumers wary about who they give their data to and how much. This healthy skepticism is a good sign as the next large data breach is likely just around the corner.

Some valuable learning from the consumer sector, and how it bleeds over into the corporate sector, include:

  • Business breaches affect consumers’ data – And they know it. Consumers are wary of providing too much sensitive data to companies after being barraged by news of high-profile hacks and data breaches.
  • Consumers ARE NOT taking proper precautions – Fewer than half of home users have antivirus, backup or other cybersecurity measures in place. In all, 11% take no precautions online. This finding is especially relevant if remote workers are using personal devices for business.
  • Unsurprisingly, AI/ML knowledge is lacking – When paid IT professionals don’t understand the technology, it may not be practical to expect the average consumer to be. But consumers should do their research on the tech powering their protection before committing to a VPN, antivirus or backup solution.

For the report’s complete findings, including a breakdown of cybersecurity spending by business size, download the full report.

NIST’s ransomware guidelines look a lot like cyber resilience

When the Institute for Security & Technology’s Ransomware Task Force published its report on combatting ransomware this spring, the Colonial Pipeline, JBS meatpacking and Kaseya VSA attacks were still around the corner.

Nevertheless, the report took the danger presented by ransomware to both businesses and global security for granted. Already in 2020, according to the report:

  • 2,4000 governmental agencies, healthcare facilities and schools had been hit with ransomware
  • $350 million had been paid out ransomware actors, a 311% increase over 2019
  • It was taking 287 days on average for a business to fully recover from a ransomware attack

Even given what we now know – that 2021 would feature some momentous ransomware attacks against physical and IT infrastructure – the report’s expert authors recognized the threat was dire. That led to them devising a “comprehensive framework for action, ”policy recommendations, in other words, for tackling the threat.

The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity.” -Ransomware Task Force, IST

While many of these would fall to law enforcement, U.S. and international governments to enact, the report makes for fascinating reading for anyone interested in ransomware. It also provides a number of helpful tips businesses of all sizes can enact to protect themselves against ransomware.

A key recommendation throughout is that business’ anti-ransomware policies “should be consistent with existing cybersecurity frameworks,” like those released by NIST, “but specific to ransomware.”

Luckily, it wouldn’t be long before NIST would publish its ransomware-specific recommendations for businesses. It just so happens, their recommendations look a lot like our cyber resilience framework.

Meeting NIST benchmarks

Earlier this summer, NIST released updated tips and tactics for dealing with ransomware.

The recommendations are split between actions users can take avoid infection and those businesses can take to quickly recover in case their compromised. This dual-focus approach to prevention and recovery aligns neatly with cyber resilience best practices (and similar thinking influenced our product roadmap).

On the preventative side, NIST advises:

  • Using antivirus software at all times
  • Keeping computers fully patched with security updates
  • Using security products or services that block access to known ransomware sites on the internet
  • Configuring operating systems or using software allowing only authorized applications to run
  • Restricting or prohibiting the use of personal devices for work

It’s worth noting that blocking access to known ransomware sites is a recommendation that can be accomplished with network-level security. When paired with the strong recommendation to use antivirus software at all times, NIST’s recommended prevention measures already cover two key areas of focus in a cyber resilience strategy: endpoint security and network protection.

On the recovery side, NIST urges the following:

  • Develop and implement an incident recovery plan with defined roles and strategies
  • Carefully plan, implement and test a data backup and restoration strategy
  • Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement

Another core aspect of cyber resilience is the ability to recover data and return to business in the event of an attack. While natural disasters and unplanned outages were once the focus of these contingency plans, ransomware’s current popularity is another reason to ensure backup and recovery are accounted for.

NIST notes the importance of making sure backups are isolated from one another to prevent infections from spreading between them. For more information on configuring backups and meeting NIST’s other backup guidelines, check out our guide to disaster preparation, recovery and remediation.

Don’t overlook security awareness training

One aspect of ransomware prevention not mentioned by NIST is the importance of security awareness training. The RTF report cites a lack of understanding among business leaders as a contributing factor to its success and recommends increasing knowledge of the problem as a recommended objective.

But, perhaps because it’s seen primarily as a phishing-related problem as opposed to a ransomware-related one, NIST’s tips do not mention user education. We recommend this be added as a key component of a comprehensive ransomware protection plan – or any cyber resilience strategy, for that matter.

In a report by insurance firm Hiscox, phishing was by far the number one method of infiltration in ransomware attacks. Our data show that regular, ongoing training can help cut phishing by up to 72%. To tackle the root cause of ransomware infections, security awareness training should be considered an essential element of a cyber resilience strategy.

It’s time to ask: Is ransomware insurance bad for cybersecurity?

The issue at the heart of ransomware insurance will be familiar to most parents of young children: rewarding bad behavior only invites more of the same, so it’s generally not a good idea. But critics of the ransomware insurance industry argue that’s exactly what the practice does.

Ransomware insurance has by now long been suspected of excusing lax security practices and inspiring confidence among cybercriminals that they’ll receive a timely payment following a successful breach.

Exactly how widespread ransomware claims by businesses are is difficult to determine since companies don’t exactly jump at the chance to discuss their run-ins with ransomware publicly. But it’s safe to assume that claims have risen alongside an undeniable surge in ransomware attacks.

Another issue with the cyber insurance industry stems from the fact that paying a ransom is no guarantee that data will be returned. In our recent report on the hidden costs of ransomware, nearly 20 percent of respondents were not able to recover their data even after making an extortion payment.

The Paris-based insurance giant AXA broke new ground this year by announcing it would stop insuring against cyberattacks, citing a lack of guidance from French regulators about the practice. It’s worth remembering that the FBI “does not support paying a ransom in response to a ransomware attack.”

So, if U.S.-based insurers were to follow AXA’s logic, they too would stop covering ransomware payments. So far, few have. For now.

Doomed to be a short-lived sector?

The industry publication InsuranceJournal.com recently wrote in a post on its site that “pressure is building on the industry to stop reimbursing for ransoms.” Before ransomware went rampant, the article notes, cybersecurity insurance was a profitable sub-category of the insurance business as a whole. But those days may be numbered. The sector is now “teetering on the edge of profitability” according to the post’s author.

It’s well-known within cybersecurity circles that ransomware actors will conduct advanced research to determine if a potential target is insured. If so, it’s hardly a deterrent since it increases the likelihood a payment will be made.

It winds up being a self-reinforcing cycle. As ProPublica wrote in its study of the industry, “by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”

A commonly cited defense of ransomware insurance is that they not only protect against the cost of the ransom, but also against knock-on expenses from ransomware like downtime, reallocation of tech resources and reputational damage. We know from our own research that these costs can be significant, so there’s some validity to this argument.

But the real question the cyber insurance industry needs to answer is whether it can ever again be profitable. A recently released paper from the British defense think tank Royal United Services Institute (RUSI), titled Cyber Insurance and the Cyber Security Challenge, identified this as one of the key challenges to the industry’s viability.

That paper found that “there is arguably too little global premium to absorb losses from a systemic event.” In other words, the next NotPetya could sink the industry.

Ransomware on the whole has caused losses in the cyber insurance industry, not least because, “unlike the majority of risks insurers cover, ransomware attacks are both a high-impact and a high-probability risk.”

Addressing cybersecurity insurance shortfalls

Importantly, the RUSI paper in the end reported that it was unable to find empirical evidence that “cyber insurers may be unintentionally facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations.” While that fact undermines arguments that cyber insurers are a boon for ransomware actors, it doesn’t speak to the question of viability.

As with any nascent industry, ransomware insurance vendors have some tough issues to grapple with concerning how they do business. The “race to the bottom,” which RUSI describes as a combination of cheap premiums and loose restrictions on underwriting (not requiring basic cybersecurity measures as part of the deal, for example), represents the real risk to the industry.

Its possible cyber insurance companies could drastically reduce claims by mandating a cyber resilience posture as a condition of being insured. Like a higher life insurance premium for a career stunt man, organizations without robust cybersecurity in place (including defense plus backup and restoration capabilities) could be forced to foot a higher bill. While this is already standard practice among many insurers, industry regulation may be required to prevent the opening of a market for insurers with more lax baseline cybersecurity requirements.

At the very least, insurers should insist on three core elements of cybersecurity strategy before underwriting:

  • Endpoint and network level security to guard against attacks. Devices secured with antiviruses and networks secured by DNS filters or firewalls should be the bare minimum requirement for protecting against ransomware attacks. Without them, ransomware actors are being invited in the front door.
  • Mandated ongoing security awareness training for employees. User-enabled breaches remain one of the most common causes of a successful ransomware attack. Without addressing end users’ tendency to fall for phishing and other social engineering attacks, while ransomware actors may find the front door locked, they know there’s a good chance it will be opened for them by someone on the inside.
  • Proven data backup and security protocols. Maintaining complete copies of mission-critical data is one of the simplest ways to undermine ransomware actors. By collectively removing this key piece of leverage, organizations can go a long way toward normalizing the non-payment of ransomware demands, easing the burden on cyber insurers.

Making the above the minimum standard for organizations would both minimize the damage caused by ransomware actors and increase the viability of ransomware insurance as an industry. By prioritizing cyber resilience over any one category of security, businesses can prevent breaches and get back to work easier when they do occur.

IT Management Solutions protects its clients with Webroot® Business Endpoint Protection

A cyber resilience strategy

“I have used a lot of different security products over the years, and I get approached by a lot of vendors,” says Pedro Nuñez. As president and CEO of New England based MSP IT Management Solutions, Nuñez is always on the lookout for products that go beyond just a traditional security operations center.

That’s what lead him to work with Webroot® Business Endpoint Protection.

“To make any kind of difference, you need a way to mitigate a security incident automatically.” It’s not enough to just monitor his clients’ networks and notify him if there’s a security incident. If that’s all a tool can do, it’s then up to his team to manage every incident manually – even the smallest ones.

Saving time

And with over 85 clients, Nuñez needs time to focus on the most serious threats. The automation that comes with Webroot and its integration with Blackpoint Cyber means his clients’ endpoints, networks and even IoT devices are monitored for any anomalies. Once something is noticed, there’s no delay in automatically hunting down the threat.

“We effectively save up to 40 help desk hours a week, sometimes more” with the managed detection and response from Webroot.

That means when there’s a persistent attack on a server or when a client falls victim to a phishing attack, he has a head start on tackling the problem.

Protection in practice

Recently one of Nuñez’ clients, a municipality in Massachusetts, was targeted by a hacking group based out of Romania. The municipality was particularly vulnerable because of their old and out-of-date systems.

“The city would have been overrun with ransomware, but we started getting alerts right away from Webroot and Blackpoint,” Nuñez remembers. Since there was no delay in responding to the attack, he was able to get the ransomware under control so it couldn’t take over.

Even though it was a persistent attack, the security controls held up. The incident created thousands of tasks on individual devices, and it took weeks to fully stop. But in the end, the city experienced virtually no downtime. “There are a lot of city systems that can’t afford to go down, so making it through the attack without downtime . . . was a major win,” says Nuñez.

Businesses make their own luck

The next town over was also hit, but their security didn’t hold up. Their data was stolen, and they ended up having to pay a ransom. Smiling, Nuñez says that “The city that was my client can consider themselves lucky. But really, it wasn’t luck.”

His hands-on approach combined with the right tools saved his client from suffering a major incident.

For IT Management Solutions, the next step is end user training. Afterall, Nuñez notes, it no one had clicked the malicious email then the ransomware attack could have been prevented.

Watch Pedro Nuñez, President and CEO of IT Management Solutions, talk about his approach to cybersecurity.

New Languages Added to Security Awareness Training (Nov. Update)

Updated November 23, 2021

Dutch, Spanish and French were just the beginning of expanded language offerings from Webroot Security Awareness Training, with German and Portuguese added as of November, 2021! Stay posted to learn about expansions to more languages coming in the future.

A Global Challenge

The steady stream of cyberattacks seen throughout 2019 turned into a torrent over the last year – ransomware, phishing scams and data breaches are now at an all-time high. Of course, the growing cybersecurity threat isn’t contained to just one country. The effects are being felt the world over.

The National Cybersecurity Agency of France (ANSSI) is trying to tackle the 255% surge in ransomware attacks reported in 2020. Meanwhile Spain is trying crack down on malicious actors operating inside the country.

And in an interview with workers in the U.S., Japan, Australia and throughout Europe, 54% say they spend more time working from home now than they did at the beginning of 2020. The blurred lines between home life and work life leads to the use of improperly secured personal devices with ramifications being felt by small, medium and large businesses. But with cyberattacks at an all-time high, 63% of companies have kept their cybersecurity trainings at the same level that it was at the end of 2019.

Tackling Cyber Threats

Our networked world connects us to points all over, so it’s no wonder cybersecurity needs to be taken seriously across the globe. The fight against these threats is complicated, but most successful attacks share a common vector – the human factor.

Because of this shared element, security experts know where to focus their energy. In fact, research shows that Webroot® Security Awareness Training improves cyber resilience and helps defend against cyberattacks.

Expanded Offerings

The truly global nature of cyber threats is why Webroot is expanding its language offerings for our Security Awareness Training. This training helps employees keep security top of mind so businesses become more secure.

Now offered in Dutch, Spanish, French, German, and Portuguese, our Security Awareness Training features native narration throughout. Other available options offer courses with only translated captions overlaid on existing content while our trainings convey important security information in an engaging experience.

Why Training is Critical

Often, attackers have a built-in advantage when they zero in on a target – they can practice. They can probe for different ways in and try a variety of tactics, like email attacks or SMS and voice phishing. And they only need to be successful once.

That’s why training is such a critical part of security. It levels the playing field by letting end users practice what they learn while they discover how to keep themselves and their business safe.

Podcast: Can we fix IoT security?

For many U.S. workers the switch to remote work is a permanent one. That means more high-stakes work is being conducted on self-configured home networks. For others, home networks are simply hosting more devices as smart doorbells, thermostats and refrigerators now connect to the internet.

Security experts warn that while the internet of things (IoT) isn’t inherently a bad thing, it does present concerns that must be considered. Many devices come pre-configured with inherently poor security. They often have weak or non-existent passwords set as the default.

As our guest and host Joe Panettieri discuss, these are issues that would be addressed on corporate networks by a professional IT administrator. The conversation covers the issues of IoT and home network security both from the perspective of the average family household and what the age of remote work means for employees working on their own networks.

Security intelligence director Grayson Milbourne brings a unique perspective to the podcast. Having held senior roles in both threat intelligence and product management, Milbourne is acutely aware of what the threats security products come up against. He knows both the cyber threat landscape and the consumer internet security market, so he’s able to provide insightful advice for how tech-loving homeowners can keep personal networks powerful and protected. 

Milbourne suggests problems of IoT and home network security could be addressed with a cybersecurity version of ENERGY STAR ratings. A program could formalize current IoT security best practices and incorporate them into a standard consumers recognize.  

During this informative podcast, Panettieri and Milbourne discuss that idea and more cybersecurity topics related to IoT devices. They cover:

  • The difference between device security and the security of the app used to control it
  • How to leverage user reviews while researching IoT devices and what security concerns to check on before buying
  • Privacy and data collection issues, including why one of the most common IoT devices may be among the most intrusive
  • Configuring IoT devices to prevent them from joining rogue IoT zombie networks

Whether you’re an IT administrator trying to secure remote workers or just own a smart TV, there’s something in this conversation for you. Be sure to give it a listen.

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction

It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed to prepare and respond to cyber threats or attacks against your organization.

It may be as simple as the deployment of antivirus plus backup and recovery applications for your end users, or a more complex approach with security operations center (SOC) tools or managed response solutions coupled with network security tools such as DNS and Web filtering, network and endpoint firewalls, VPNs, backup and recovery and others.

It’s also essential to ensure end-users are trained on ransomware threats as a part of a good security awareness training program. The bottom line is, if prevention tools and training fail and your organization is compromised, you need to have a protection plan that gets your company assets and resources back to work quickly and securely.

What preparation is needed

When contemplating an in-depth plan, specific questions come to mind—the whats, the hows, the whys, and most importantly, the whos must be defined in the plan. When asking these questions, we need to be prepared to identify the resources, people and applications inlcuded. We must determine how to react to the situation and execute the logical steps and processes required to reduce damage as quickly as possible. 

Below are some questions to get us started.

Key questions

  1. Who will be involved in recovery and communication when your DR plan is in action?
  2. How much downtime can your organization withstand?
  3. What service level agreement (SLA) do we need to provide to the business and users?
  4. What users do we need to recover first?
  5. What tools do we have to reduce risk and downtime within the environment?
  6. How are user networks separated from operational or business networks?
  7. How quickly can data protection tools get us up and running again?
  8. Can users get their data back if an endpoint device is compromised?
  9. Can we determine when the ransomware first hit the network or endpoint devices?
  10. Are we able to stop the proliferation of ransomware or malware throughout the network?
  11. Can we recover quickly to a specific point in time?
  12. Can our users access their data from the cloud before it has been restored?

Application Needs

The solutions below, coupled with an exercised BC/DR plan, will help reduce your organizational risk exposure and allow for quick remediation.

  • An endpoint security solution capable of determining what events took place and when
  • A DNS security solution capable of turning away security threats at the network level
  • A solution for endpoint backup and recovery that can safeguard data should these other solutions be compromised

Lines of Communication

Equally important as the technology are the people who manage and maintain the systems that support the different business units within an organization. For example, your security team and your endpoint support team need to be in regular discussions about how the teams will communicate when under attack. You need to determine who is responsible, what systems, and when they should be brought into the process when under attack.

System Response Ratings

A system response rating system can assist in determining which systems or employees require a higher degree or speed of response. To do this, organizations must specify the value of the system or resource and where that resource sits regarding protection or remediation priority. This is often determined by the value of the resource in monetary terms. For example, suppose the loss of a specific system would incur a massive loss of incoming revenue. In that case, it might be necessary to place a higher priority in terms of protection and remediation for it over, say, a standard file server. 

The same can be said for specific individuals. Often C-level resources and mid-tier executives need to be out in front of a situation, which highlights the importance of making sure their resources like laptops and portable devices are protected and uncompromised. They are often as important as critical servers. It is necessary to classify systems, users and customers regarding their criticality to the business and place priorities based on the rating of those resources.

Now that we know a bit of the who, what, and how, let’s look at how to recover from a single system to an entire enterprise.

Recovery and Remediation

Recovery is an integral part of any BC/DR plan. It gives organizations a playbook of what to do and when. But it’s not enough to recover your data. Admins also need to understand the remediation process that should be followed to prevent further infection of systems or proliferation of malware within an organization.

Scenario

Ransomware hits user’s laptops, encrypting all of the data. The laptops have antivirus protection, but no DNS protection. All network security is in as firewalls and VPNs, with some network segmentation. There is also a security team in addition to the end-user support team. The ransomware that hit is polymorphic, meaning that it changes to prevent detection even if the first iteration of the ransomware is isolated.

Solution

The first step is consulting the endpoint security console to learn when and where the malware was first seen. If backups are still running, they should be suspended at this point to prevent infected data from being being backed up with malware. This can be done either from the dashboard or from an automated script to suspend all devices or devices that have been compromised.

A dashboard should provide the ability to do single systems easily, while scripts can help with thousands of devices at a time. APIs can help to automate processes like bulk suspend and bulk restore of devices. At this time it may be prodent to block traffic from the infected areas if network segmentation is enabled to prevent the spread of malware. 

Now it’s time to review the protection platform to determine the date the file was noticed, the dwell time and when the encryption/ransomware started executing. Once these facts have been determined, it’s possible track down how the organization was breached. Understanding how malware entered the network is critical to prevent future infections. Since, in our example, ransomware infected devices, a tested and reliable recovery process is also necessary.

Understanding the timeline of events is critical to the recovery process. It is essential to know the timing for the first step in the restore process to set your time to restore. Once an admin can zero in on date and time to restore, affected devices can be compiled into a CSV file and marked with a device ID number to reactivate any backups that were halted once the breach was discovered..

Once the data, source, target device IDs, date, and time to restore from are combined with a bulk restore script, a bulk restore can be pushed to the same laptops or new laptops. As heppen, solutions offering web portals can return to work quickly.

Summary

Thre right tools, planning, importance hierarchy and communication channels across a business are essential for establishing cyber resilience. Once a timeline of a breach has been determined, these elements make restoring to a pre-infection state a process that can be planned and perfected with practice.  

Oh no! A client failed a pen test. Now what?

In a previous post, we talked a bit about what pen testing is and how to use the organizations that provide them to your benefit. But, what about when one of them hands a client a failing grade?

Consider this, you’re an MSP and you get a letter or email from one of your customers that reads:

“Dear ACME MSP,

We regret to inform you that you’ve had a Penetration Test Failure produced by: “FreindlyHacker-Pentesting Inc” and we’d like to discuss the details further to determine if you have what it takes to continue to handle our security needs.

Regards,

Largest MSP Customer.”

A customer may not pass along this exact wording, but the implications are clear. The results can be embarrassing or at worst devastating. When a customer reaches out after failing penetration testing, it can put an MSP on its heels and create unnecessary angst. Should the MSP have been more involved in the testing? Did my tools cause the failure Has the MSP soured its relationship with its client? Will the business be lost?

So, how should an MSP respond when a customer fails a pen test?

Some MSPs turn to self-doubt and start wondering if the layers of protection they’ve put in place are worth the costs. Others will immediately start pointing fingers at the tools that were identified in the pen test report. When a report comes through with a failure, it’s usually unexpected and can take time away from more important activities.

To save time and effort if this should happen to you, here are a few key elements of a good response to a pen test failure.

Immediately start asking questions.

  • What kind of penetration testing was involved?
  • Who performed the testing and what are their credentials?
  • How was the penetration testing organization positioned to start taking action?
  • Where the testers acting as “Red Team” or “Blue Team” actors?
  • When did the testing take place?
  • May I examine the data and reporting?

Review your tools configurations.

Rather than immediately assume bad tech, it’s best to step back and evaluate each tool identified in the pen test report and the associated configurations, policies and control points. Often, a security tool is designed to identify, evaluate and/or stop bad actors along the threat chain. If it failed, it could be that a setting was disabled or miss-configured. Review all tools’ “best practice” guides, documents and suggestions before making assumptions.

Ask for partnership with the customer during their next review.

If the customer did not provide a heads up or pretesting communication, request that you be more involved during their next review. If pen testing is important enough for them to do once, it’s probably that they’ll do it bi-annually or annually, depending on the industry and regulatory concerns. It’s always good to be involved in advanced than after the fact.

Blue Teams vs. Red Teams: Which type of test was conducted?

The difference between a Blue Team and Red Team is how much previous access they have to a target’s networks and devices. This can make a huge difference in how the results of a pen test are interpreted. When a Blue Team—with some previous knowledge of an organization and its IT systems—is able to breach a business, it may not be representative of real-world circumstance. It could be an internal IT admin who was able to find a vulnerability after poking around in a system she previously had access to.

When a Red Team compromises a client, on the other hand, it’s time to examine the reporting closely. Starting with zero knowledge of an organization’s systems, this type of breach could point to serious flaws in the defenses an MSP has set up for a client. Likely there are real holes here which need to be patched.

Evaluate the pen testing organizations

While there are many levels of testing capability, keep in mind that pen testers come from many IT walks of life. Former sysadmins, hackers and network administrators make the most common tester. They come with their own experiences, specialties and biases.

One question to always ask is, what are the testing organizations credentials? What is their background and how did they come to the business? How long have they been testing?

The goal is to guage whether the individuals who’ve conducted the test are knowledgeable enough to make judgments about your organization’s defenses? Did they actually breach the defenses or are they simply reporting on a “potential” for a breach?

Not all testers are alike, not all testing organizations are alike.  Each has to successfully make the case of its own expertise in coming to the conclusion that it has.

As I say, trust but verify. And be prepared to ask LOTS of questions if a client ever fails a pen test.