Last Thursday Matt Landis and I joined forces with Omega Systems to provide an update on managing cyber security to the Central PA Chapter of the Association of Legal Administrators. Here are a few of the latest cyber security threats:
- Gmail phishing attack – A new evolution of the traditional phishing attack has recently been targeting Gmail users. Starting from a compromised Gmail account, the criminals send e-mails to that account’s contacts, often reusing subject lines from real e-mails with that contact. When the recipient tries to open the attachment in Gmail’s previewer, they are prompted to confirm their credentials. DON’T DO IT. The convincing login box is actually a trap that will give the criminals access to your account. The criminals then quickly use your compromised account to continue the attack.
- Pay the ransom… or else I will release your data? – You have probably heard of ransomware like Cryptowall that encrypts your data and forces you to pay a ransom to unlock it again. Traditionally, an effective defense against this type of attack has been having a backup you can use instead of paying the ransom. A new evolution is targeting victims with particularly sensitive information, such as hospitals. Under this new version, having a backup is not enough because the criminals threaten to publicly disclose the information unless the ransom is paid. If you are a business with sensitive records (like medical records protected under HIPAA and HITECH), the costs of such a public disclosure can be huge, including civil penalties, mandatory user notifications, and more.
- RaaS (ransomware-as-a-service) is now a thing – You may have heard of cloud-based software options such as SaaS (software-as-a-service) and PaaS (platform-as-a-service). Now imagine combining the convenience of the cloud with the criminal gains of ransomware. That’s right, even if you do not have the technical savvy to implement a ransomware attack on your own, sophisticated criminals are now making their skills available (for a cut of the ransom, of course). They even offer two-factor authentication so, you know, criminals cannot steal other criminals’ ransom proceeds. No honor amongst thieves, I guess.
Cyber security risks are constantly evolving. To protect yourself: (1) stay up-to-date on the latest threats by doing your own research and discussing them with your IT department or services provider; (2) consult with a knowledgeable attorney to make certain you have appropriate cyber security policies and procedures in place; and (3) provide your end-users with periodic training on how to recognize common threats.