Breach of VA Payment System Compromised Veterans’ SSNs

The U.S. Department of Veterans Affairs (VA) has encountered a data breach that affected the personal data of about 46,000 veterans.

Hackers obtained access to a web application that the VA Financial Services Center (FSC) used and tried to reroute payments made to community care providers for the veterans’ health care. The attackers used social engineering tactics and exploited authentication protocols to get access to the application and alter bank account details.

When FSC discovered the breach, the payment processing program was taken offline to stop any further payments from being sent. It is not clear how many payments had been sent before the cyberattack was discovered, nor whether it was discovered in time to stop the fraudulent transfers. The FSC stated that the breached payment processing program will remain offline until the Office of Information Technology completes a comprehensive security review.

The primary reason for the cyberattack seems to be the re-routing of payments; nevertheless, the attackers stole the personally identifiable information and Social Security numbers of approximately 46,000 veterans and may use the information for fraudulent activities.

FSC has already notified by mail all veterans whose information was potentially exposed in the attack and offered them free credit monitoring services. The veterans also received instructions on how to monitor for, and take action against, fraudulent use of their data.

The VA’s financial services system is presently undergoing a major update. Because of a number of delays, the undertaking will probably not be complete until 2030. The FTC just released a request for information seeking cybersecurity audit services. The audit is meant to address compliance, technique, and sustainment. The audit contractor must present a gap analysis of the cybersecurity solutions, processes, and controls the government must use, and give recommendations on how to improve visibility and incident response time in line with VA’s best practices.

Data Breaches at Utah Pathology Services and Valley Health Systems

Utah Pathology Services reported unauthorized access to an employee’s email account and an attempt by the intruder to reroute funds from Utah Pathology. The service provider detected the breach promptly and secured the compromised email account. The attempted fraud did not succeed and no patient information is known to have been compromised.

Third-party IT and forensic experts helped with the investigation to determine the magnitude of the breach. The investigation is not yet over, but the investigators have confirmed that the compromised email account contained the personal and protected health information (PHI) of about 112,000 patients.

It appeared that the attacker’s purpose was to redirect funds to an account under the attacker’s control rather than to steal patient information. Nevertheless, it cannot be ruled out that data was stolen. Utah Pathology Services is now notifying the affected individuals about the data breach.

Aside from patient names, the compromised email account contained the following information: gender, birth date, email address, mailing address, telephone number, medical insurance data, internal record numbers, and diagnostic details associated with pathology services. The Social Security numbers of some people were also exposed.

To date, no evidence has been found suggesting misuse of patient data; however, as a precaution, Utah Pathology Services offered the affected persons free membership in Cyberscout’s identity monitoring service for 12 months.

The privacy policies of Utah Pathology Services are under review. Additional security measures will be put in place to avert similar breaches in the future.

Ransomware Attack on Valley Health Systems

Valley Health Systems suffered a ransomware attack on or around August 22, 2020. This healthcare provider caters to around 75,000 patients living in southeastern Ohio, southern West Virginia, and eastern Kentucky.

In this manual ransomware attack, the attacker exfiltrated data files before encryption and threatened to publish the data online unless the healthcare provider paid the ransom. Some of the stolen data was published on a leak site.

Valley Health Systems continued providing patients with medical services while restoring its systems. A number of systems are still being restored and will be brought back online. Third-party cybersecurity professionals are helping to investigate the incident and fast-track recovery.

Databreaches.net shared a statement from VHS acknowledging the unfortunate reality that the threat actor disclosed some stolen information. VHS is doing everything it can to determine which data is at risk in order to protect patient data. According to Databreaches.net, the attacker used Sodinokibi (REvil) ransomware.

VHS will take action after the complete forensic review. Affected patients will be notified accordingly. The provider already notified the FBI and is fully cooperating with the investigation of the incident.

The HHS’ Office for Civil Rights has not published the breach yet on its website. Hence, the number of affected individuals is still unclear.

Data Compromised Due to Insider Theft and Ransomware Attacks

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

Anna Zur, 39, of Franklin Park, IL, a former nursing home employee, is accused of identity theft. She used the accounts of many nursing home residents to pay her bills.

Zur worked in the business office of a nursing care facility, where she took advantage of her data access rights and sent residents’ personal and financial information to her personal email account. She was charged with identity theft and with using the residents’ accounts to buy products and services and pay her bills.

It took the Palos Heights Police Department a year to investigate the cases of identity theft and fraud, after which a warrant was issued for Zur’s arrest. On August 26, 2020, she was taken into custody. Her charges include felony counts of wire fraud and engaging in a financial crimes enterprise. There were 35 cases of identity theft linked to Zur, and she was charged with defrauding people of $25,000.

Patient Data Theft Due to a Ransomware Attack on Ventura Orthopedics

A manual ransomware attack on the California healthcare company Ventura Orthopedics resulted in the theft of patient information that was later published on the internet. Databreaches.net discovered the stolen data while investigating a new data leak site built by the Conti-Ryuk ransomware operators. The stolen data was also discovered on a leak site run by the Maze ransomware operators.

The published information included the following patient information: names, birth dates, prescribed medicines, and laboratory test results. About 1,800 files were exposed online.

Ventura Orthopedics had not made any announcement about the ransomware attack as of this writing, and the HHS’ Office for Civil Rights breach website has no published information yet. Hence, the number of affected persons is still uncertain at this time.

Magellan Health Ransomware Attack Impacted Comanche County Hospital Authority

Comanche County Hospital reported the compromise of the protected health information (PHI) of 1,112 persons due to a ransomware attack in April 2020 on Magellan Health, its pharmacy benefits vendor.

According to Magellan Health’s investigation, only some benefit plan members’ health data was compromised, including names, addresses, medical insurance account details, payment data, and treatment data. Plan members’ Social Security numbers and financial data were not compromised.

Heritage Valley Health System Lawsuit Against Nuance Communications Dismissed

In 2019, Heritage Valley Health System based in Beaver, PA took legal action against Nuance Communications because of a NotPetya malware attack in 2017. A federal judge for the US District Court of the Western District of Pennsylvania recently dismissed the lawsuit.

The NotPetya attacks happened shortly after the 2017 WannaCry ransomware attacks and exploited the same flaws in Windows Server Message Block (SMB). The NotPetya ransomware encrypted the vulnerable computer’s master boot record, rendering the machine useless. The attacks happened in June 2017, about three months after Microsoft released a patch resolving the SMB vulnerability.

The NotPetya cyberattack on Nuance Communications resulted in the encryption of 26,000 workstations and 14,800 servers. The magnitude of the attack required the replacement of 9,000 workstations and 7,600 servers. The attack also affected Heritage Valley Health System, and the investigation showed that the malware spread to its computer network through a virtual private network (VPN) link with Nuance. As soon as NotPetya reached Heritage Valley, its servers and workstations were encrypted, making data inaccessible.

The legal case that Heritage Valley filed against Nuance alleged that the NotPetya cyber attack was the consequence of negligence, governance oversight, and bad security practices. In addition, the lawsuit alleged unjust enrichment and breach of implied contract. Because of the damaged computer systems, Heritage Valley had to put its patient care services on hold for about one week. The health system lost millions as a result of the cyberattack.

The ransomware attack could have been prevented if Nuance had applied the patch, which had been available for three months before the attack. The forensic investigators stated that Heritage Valley was affected because of Nuance. The lawsuit was dismissed because of Heritage Valley’s contract with its vendor Dictaphone Inc., signed in 2003. Nuance acquired Dictaphone in 2006.

Heritage Valley asserted that Nuance is responsible for any contractual obligations and tort liability stemming from the plaintiff’s use of products obtained from Dictaphone. Nuance should also be held responsible for bad security practices and governance oversight, since it had a wider obligation to avert the cyberattack.

Since 2006, in addition to Dictaphone, Nuance has bought over 50 other firms and has over 150 subsidiaries. Meaningful integration of acquired systems and proper segmentation of Nuance’s expanding worldwide network were difficult. Every acquisition and worldwide expansion increased Nuance’s exposure to cybersecurity risk. At the same time, Nuance lacked the management or resources to adequately protect its network against these risks.

In its motion to dismiss, Nuance contended that it cannot be held responsible for negligence since it was not the party that signed the Master System Procurement Agreement. That agreement was between Dictaphone and Heritage Valley, and Heritage Valley bought the hardware and software from Dictaphone in 2003. Maintenance of the hardware and software was undertaken via a private portal-to-portal system.

The judge recognized Heritage Valley’s explanation and did not challenge the points of the claims, but decided to exempt both Dictaphone and Nuance from product liability claims because external sources were involved. Nuance cannot be held responsible since the 2003 agreement was made between Heritage Valley and Dictaphone.

Medical Software Database Containing 3.1 Million Patients’ Personal Information Exposed Online

A database containing the personal information of about 3.1 million patients was exposed on the web and was later erased by the Meow bot.

Security researcher Volodymyr ‘Bob’ Diachenko identified the unsecured database on July 13, 2020. No password was required to access the database, which contained patients’ names, phone numbers, email addresses, and location of treatment. Diachenko tried to find out who owned the database and determined that it was created by Adit, a medical software business. Adit offers online booking and patient management software to medical and dental practices. Diachenko sent a message to Adit to notify it about the unsecured database but received no response. A few days later, Diachenko found that the Meow bot had erased the data.

In late July, the Meow bot began scanning the web for unsecured databases. Security researchers, including Diachenko, scan the internet for exposed data and then let the data owners know about the unsecured information. The Meow bot’s operation, by contrast, involves searching for and destroying data. After locating an exposed database, the Meow bot overwrites it with random numbers and adds the word “meow.”

Whoever is behind the Meow bot is unknown, and so is the intention behind the attacks. Many threat actors find exposed databases on the web with the intention of stealing or encrypting files and then extorting a ransom from the data owners. The Meow bot, however, finds and attacks exposed databases without any apparent financial motive.

It is not certain whether the Meow bot steals information before overwriting it, but some security researchers have suggested that the goal is not data theft but rather to keep cybercriminals from obtaining individuals’ data and/or to show data holders that failing to secure data will result in its destruction.

By erasing the database, the Meow bot keeps cybercriminals from getting the information. Nevertheless, a previous study by Comparitech showed that malicious actors continually scan for unsecured data and normally identify unsecured Amazon S3 buckets and Elasticsearch databases within several hours of exposure. Since the information was exposed for around 10 days before the Meow bot found and destroyed it, several parties likely identified and acquired the information before it was deleted.

In this incident, only limited personal data was exposed, but cybercriminals may still have accessed that data and used it for phishing campaigns.

657,392 Northern Light Health Foundation Donors Affected by Blackbaud Cyber Attack

The 10-hospital integrated healthcare system known as Northern Light Health Foundation, which is based in Brewer, ME, has stated that the recent ransomware attack on Blackbaud Inc. has affected its databases.

The affected databases contained the information of donors, prospective donors, and people who may have joined a fundraising event previously. Patient medical data were stored separately and were not impacted. The databases included information about 657,392 individuals.

Blackbaud, based in South Carolina, is one of the world’s largest providers of education, fundraising, administration, and financial management software. A firm as big as Blackbaud is an obvious target for cybercriminals. Blackbaud mentioned that it experiences hundreds of attacks per month and that its cybersecurity staff effectively defends the firm against them, but in May 2020 an attack succeeded.

The ransomware attack could have been a lot worse. Blackbaud discovered the ransomware attack quickly and took action to stop it. Blackbaud prevented the ransomware from fully encrypting its records, and only a subset of the firm’s 25,000+ clients was affected. The attack did not impact its cloud system, and the bulk of its self-hosted environment was not affected.

As is now typical in manual ransomware attacks, the attackers exfiltrated data before encrypting files. Blackbaud stated in a breach notice that the attackers copied only a subset of data and did not steal highly sensitive information such as bank account information, Social Security numbers, and credit card information.

Because safeguarding customers’ information is Blackbaud’s main priority, the firm paid the cybercriminal’s ransom demand in exchange for assurance that the copied information would be deleted. Based on the findings of the investigation, it is believed that the cybercriminal no longer holds the information and will not misuse, disseminate, or make it accessible to the public.

It is presently uncertain how many Blackbaud clients were impacted by the ransomware attack. Northern Light Health Foundation stated in its breach notice that it was impacted. A number of other healthcare companies in Maine stated the same. Other healthcare companies identified to have been impacted were the Cancer Research Institute based in New York City and the Prostate Cancer Foundation based in Santa Monica, CA.

The BBC states that at least 10 universities in the UK, Canada, and the US were impacted, including Emerson College in Boston, Rhode Island School of Design, and Harvard University, together with charities, media companies, and a number of private-sector firms. Although the attack took place in May 2020, the affected clients did not receive notices until July 16, 2020. It is not clear why notification of the impacted clients was delayed, particularly considering that many of those clients are based in the EU. The EU General Data Protection Regulation (GDPR) requires notification of data protection authorities within 72 hours of a breach. Data controllers must likewise be informed quickly.

NIST Makes Available Final Guidance on Building Zero Trust Architecture to Enhance Cybersecurity Defenses

NIST has released the final version of its zero trust architecture guidance document (SP 800-207) to help private companies apply this cybersecurity principle and improve their security posture.

Zero trust is a concept that entails shifting defenses from static, network-based perimeters to a focus on users, assets, and resources. Under zero trust, resources and user accounts are not implicitly trusted based on their physical or network location or on asset ownership. With the zero trust approach, authentication and authorization are discrete functions performed on subjects and devices before a session with an enterprise resource is established.

The use of credentials to control access to resources has been a useful security precaution against unauthorized access; nonetheless, credential theft – through phishing campaigns, for example – is now common, so cybersecurity defenses must change to better safeguard resources, workflows, services, and network accounts from cyberattacks.

Commonly, threat actors steal credentials and use them to access business networks unnoticed. Threat actors frequently have access to networks for days, weeks, or months before an attack is discovered. During this time, they can move laterally and exploit an entire system. The rise in remote work, bring-your-own-device initiatives, and the use of web-based tools hosted outside the traditional network perimeter has made the traditional perimeter-based approach to network protection less effective.

A zero trust architecture helps to resolve these problems and strengthen cybersecurity defenses. According to NIST, zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), since network location is no longer seen as the primary component of a resource’s security posture.

The guidance document offers an abstract definition of zero trust architecture (ZTA), discusses the zero trust fundamentals and the logical components of a zero trust architecture, and includes general deployment models and use cases where the zero trust approach could improve a company’s IT security posture.

NIST points out in the guidance how to merge the zero trust model with the NIST Risk Management Framework, the NIST Privacy Framework, and other established federal guidance, and describes how companies can move to a zero trust architecture.

At first, companies should look to restrict resource access to people who need it to do their jobs and to grant only the minimum privileges (read, write, delete) required. In many companies with perimeter-based security, people have access to a much wider range of resources as soon as they are authenticated and signed in to an internal system. The difficulty with this approach is that unauthorized lateral movement using stolen credentials is very easy for internal or external actors.

The zero trust security model assumes that an attacker is already present in the environment, so there is no implicit trust. Enterprise networks are treated the same way as non-enterprise networks. With the zero trust approach, organizations continuously evaluate and analyze risks to assets and business functions and then enact protections to mitigate those risks.

Moving to zero trust is not about wholesale replacement of systems or procedures; instead, it is a journey that involves gradually introducing zero trust concepts, processes, technology options, and workflows, beginning with safeguarding the highest-value assets. Most companies will remain in a hybrid zero trust and perimeter-based environment for a while as they carry out their IT modernization strategy and complete the move to a zero trust architecture.

The guidance is the result of the efforts of a number of federal agencies and was overseen by the Federal CIO Council. It was created for enterprise security architects and is also a helpful reference for cybersecurity professionals, network administrators, and managers seeking a better understanding of zero trust.

The document is downloadable at NIST.

Healthcare Data Breach Costs Increase by 10% As Per IBM Security

IBM Security just published its 2020 Cost of a Data Breach Report, which revealed a 1.5% decrease in the global average cost of a data breach, from $3.92 million per breach in 2019 to $3.89 million.

There was significant variation in data breach costs across regions and industry sectors. Businesses in the United States incurred the highest data breach costs, with an average breach costing $8.64 million, up 5.5% from 2019.

COVID-19 Expected to Raise Data Breach Costs

This is the 15th year IBM Security has conducted the research. The Ponemon Institute carried out the study, which included data from 524 breached organizations and interviews with 3,200 people from 17 countries and regions and 17 industries. Research for the study was performed between August 2019 and April 2020.

The study was largely performed before the COVID-19 outbreak, which is likely to affect data breach costs. To look into how COVID-19 will impact data breach costs, the Ponemon Institute re-contacted study participants to ask for their views. 76% of participants believed the rise in remote working would increase the time it takes to identify and contain a data breach, and 70% said remote working could raise data breach costs. The average data breach cost increase attributable to COVID-19 was determined to be $137,000.

Healthcare Data Breaches are the Most Expensive

Healthcare data breaches were the most expensive to deal with. The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the U.S. Overall data breach costs may have dropped across regions and industries, but healthcare data breach costs increased by 10.5% year-over-year.

The worldwide average cost per breached record is $146, rising to $150 per record when PII was breached and to $175 per record when PII was breached in a malicious attack.

The average time to identify and contain a breach is 280 days, but it takes 315 days to identify and contain a malicious attack, each up by 1 day from 2019. In the U.S., it takes an average of 186 days to identify a data breach and 51 days to contain a malicious attack. The healthcare sector took the longest: 236 days to identify a data breach and 93 days to contain it, 329 days in total.

The costs of a data breach are spread over several years, with 61% of costs incurred in the first year, 24% in the second year, and 15% in the third year and beyond. In highly regulated industries such as healthcare, the figures were 44% (first year), 32% (second year), and 21% (third year and beyond).

For the third year running, IBM Security computed the costs of large data breaches, those affecting over 1 million records. A data breach affecting 1 million – 10 million records costs an average of $50 million, breaches affecting 10 million – 20 million records cost $176 million on average, and a breach affecting 50 million records costs $392 million.

Most Prevalent Reasons for Malicious Data Breaches

19% of breaches resulted from malicious attacks, mostly due to cloud misconfigurations and compromised credentials.
16% of breaches were due to vulnerabilities in third-party software.
14% of breaches resulted from phishing.
10% were due to physical security compromises.
7% resulted from malicious insiders.
6% were attributable to system errors and other misconfigurations.
5% were caused by business email compromise attacks.

Breaches involving compromised credentials were the most expensive. Breaches caused by vulnerabilities in third-party software and by cloud misconfigurations were the second most costly.

Of all the attacks, 53% were financially motivated, 13% were attributed to nation-state hacking groups, and 13% to hacktivists. The attackers behind 21% of the breaches were unknown. Financially motivated attacks were the least expensive, with a global average cost of $4.23 million, and the most expensive were attacks by nation-state hackers, which cost $4.43 million on average. The average cost of a malicious attack was $4.27 million. Destructive data breaches involving ransomware cost $4.4 million on average, and those involving destructive malware, including wipers, cost $4.52 million on average.

50% of data breaches in the healthcare industry resulted from malicious attacks, 23% were caused by system glitches, and 27% resulted from human error.

Research Shows COVID-19 Research Organizations Are at Risk of Cyberattacks

The biomedical community is spending a great deal of effort developing a vaccine to protect against SARS-CoV-2 and finding new treatments for COVID-19. Cybercriminal groups and nation-state hackers are focusing their campaigns on those organizations to obtain research information.

Recently, security agencies in Canada, the United States, and the United Kingdom published an advisory regarding attacks by Russian state-sponsored hackers on institutions engaged in COVID-19 research and vaccine development. The security agencies found that the APT29 Russian hacking group was actively scanning the external IP addresses of organizations engaged in COVID-19 research and vaccine development. The advisory also stated that the group is linked to the Russian intelligence services.

The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI also released a joint advisory stating that hackers associated with China were conducting similar attacks on pharmaceutical firms and academic research centers to obtain intellectual property and sensitive information related to COVID-19. There were also reports of hackers from Iran carrying out similar attacks.

In light of the recent attacks and targeting of research centers, BitSight carried out an investigation to assess how well COVID-19 vaccine producers and biomedical firms protect their systems and information from hackers. BitSight researchers evaluated 17 firms that play a major role in COVID-19 research and vaccine development. Those firms ranged from small companies with fewer than 200 workers to large companies with over 200,000 workers.

BitSight discovered a number of security weaknesses that hackers could exploit to access data related to intellectual property, the vaccine, and COVID-19 research. The weaknesses fall into four categories: open ports, web application security, unpatched vulnerabilities, and systems that were already compromised.

BitSight discovered that 8 of the 17 firms had compromised systems in the past year, with their computers made part of a botnet. Seven firms had computers added to a botnet in the last 6 months. BitSight also looked for software running on the systems that was not installed by the firms. Nine firms had these Potentially Unwanted Programs (PUPs), and 8 firms had PUPs installed in the last 6 months. Five firms had computers used to send spam, and the investigators discovered unsolicited messages at three firms. Compromised systems indicate a failure of the companies’ security controls and the likelihood that the companies may be, or already have been, hacked by people trying to access COVID-19 data.

Most firms had open ports exposing insecure services to the internet, including 7 firms with exposed Microsoft RDP and 7 more with exposed LDAP. 5 firms had exposed MySQL, MS SQL, or PostgreSQL databases, and 5 more had an exposed Telnet service. The exposed Microsoft RDP was of particular concern because hackers and ransomware groups actively look for exposed RDP devices.

Of the 17 firms, 14 had unpatched vulnerabilities that hackers could potentially exploit remotely. 10 firms had over 10 unpatched vulnerabilities, and 6 of those had unpatched vulnerabilities with a CVSS score greater than 9.

Web application security concerns were also prevalent, for example insecure redirects from HTTPS to HTTP, mixed secure and insecure content on websites, and insecure authentication. Many of the firms had at least one web application security problem. These weaknesses put the companies at risk of cross-site scripting and man-in-the-middle attacks, which could allow hackers to capture sensitive information, obtain credentials, and compromise email systems.

Given these threats, the bioscience community needs to improve its cyber vigilance. A hacker could gain access to systems through a single piece of misconfigured software, an unintentionally exposed port, or a vulnerable remote office system, and obtain scientific data, intellectual property, and the personal information of individuals enrolled in clinical trials. Companies should review basic cybersecurity hygiene procedures and adopt established, effective methods to continually find and address risk exposure across the expanded attack surface and third-party environment, so that remediation is prioritized and life-saving science can proceed.

10% of Ransomware Attacks Involve Data Theft Before Encryption

A number of threat actors are now conducting double extortion attacks: they steal data before deploying the ransomware payload. The first to do this was the Maze ransomware gang, which threatened to publish a victim’s data if the ransom was not paid. The gang did publish data on its website in November 2019. A number of other ransomware gangs have since adopted this tactic, such as REvil/Sodinokibi, NetWalker, and DoppelPaymer.

These groups often deploy ransomware days, weeks, or sometimes months after the initial system breach. In the meantime, the attackers move laterally to access many systems and then time their attacks to cause maximum disruption. It is very likely that the systems of a number of healthcare companies are already compromised, even though the ransomware has not yet been deployed.

These high-profile ransomware gangs target entities in industries that have a lot to lose from having their data published or sold, such as law firms, healthcare organizations, and companies in the financial industry. These attacks usually make headline news, but they represent only about 10% of successful ransomware attacks. Between January 1, 2020 and June 30, 2020, there were 100,001 ransomware attack submissions to ID Ransomware, and only about 11%, or 11,642 submissions, involved ransomware variants used by groups known to steal data before encrypting files.

Emsisoft notes, however, that while some gangs tell victims they have stolen data to increase the chance of a ransom payment, others are probably exfiltrating data quietly.

Emsisoft explained that any ransomware group could exfiltrate data. Some groups openly announce the theft and use it as extra leverage to obtain payment, while others probably steal data without saying so. The quiet groups may not exfiltrate as much as those seeking leverage, but they could still take information with obvious market value or information that could be used to attack other organizations.

Preventing Ransomware and Limiting Damage

Ransomware attacks will continue as long as they remain highly profitable and relatively low risk, so healthcare companies need to strengthen their defenses. To prevent attacks and limit the damage of successful ones, Emsisoft gives healthcare organizations the following advice:

Apply patches promptly, restrict admin rights, set up multi-factor authentication, disable PowerShell where it is not required, use network segmentation, use internet and email filtering tools, and disable RDP if it is not in use (and secure it if it is). Workers should receive security awareness training regularly. Service providers with access to healthcare data should be audited to ensure they are HIPAA compliant.

70% of Firms Have Experienced a Public Cloud Data Breach Last Year

The latest Sophos study found that 96% of firms are concerned about the state of their public cloud security. That concern appears justified: 70% of firms that host data or workloads in the public cloud experienced a breach of their public cloud environment in the past year. The most common attacks were malware (34%), data exposure (29%), ransomware (28%), account compromise (25%), and cryptojacking (17%).

The data came from a survey conducted by Vanson Bourne of 3,521 IT managers in 26 countries, including Canada, the United States, France, India, Germany, and the United Kingdom, across more than 10 industry sectors. Participants used at least one public cloud from Azure, AWS, VMware Cloud on AWS, Oracle Cloud, Alibaba Cloud, IBM Cloud, or Google Cloud. Sophos published the results in a report entitled The State of Cloud Security 2020.

The three major areas of concern are detection and response, data loss, and multi-cloud management. Firms using two or more public cloud providers experienced more security breaches than firms using only one; those using several providers reported up to twice as many breaches.

India had the highest proportion of companies that experienced a cloud security breach (93%) and Italy the lowest (45%). In the United States, 68% of companies experienced a public cloud data breach last year. Sophos attributes the comparatively low U.S. figure to a better understanding of security responsibilities: 90% of U.S. respondents said that although the cloud provider ensures the platform is secure, each cloud customer is also responsible for its own security. Firms must diligently manage and monitor their cloud environments to stay one step ahead of attackers.

The most common causes of public cloud security breaches include:

  • In the U.S., 75% of breaches were caused by misconfigurations and 23% by stolen credentials.
  • 66% of public cloud security breaches were due to misconfigured systems and firewall application issues that allowed cybercriminals to access sensitive data.
  • 44% of attacks involved misconfigured web application firewalls.
  • 22% were due to incorrectly configured cloud resources.
  • 33% involved the theft of account credentials.

As firms adopt more cloud services, complexity and the attack surface grow, and there is more opportunity for misconfiguration. Firms therefore need tools that give complete visibility into their cloud environments, and staff with cloud security expertise. Despite the high volume of public cloud data breaches, only one in four companies saw a shortage of staff expertise as a concern, suggesting that many organizations underestimate the skills needed for a strong cloud security posture.

Organizations must continuously monitor their cloud resource settings to detect misconfigured services. A recent Comparitech study showed that cybercriminals run automated scans for misconfigured cloud services, and that unprotected resources are quickly found and attacked. In Comparitech's research, which used an Elasticsearch honeypot, the first unauthorized access attempt came within 9 hours of creating the resource.

Companies must also proactively manage cloud access. The Sophos study found that 91% of participants had over-privileged identity and access management roles. Ensuring that users only have access to the cloud resources they need limits the damage in the event of a breach.

The growth of remote working due to COVID-19 has also created new opportunities for cybercriminals. Remote employees should use VPNs to access cloud resources securely, access attempts should be monitored, and multi-factor authentication should be enforced. 98% of survey participants said they had MFA disabled on their cloud provider accounts.

Microsoft Shuts Down COVID-19 Phishing Campaign and Gives Warning on Malicious OAuth Apps

Microsoft has shut down a large-scale phishing campaign that operated in 62 countries. Microsoft's Digital Crimes Unit (DCU) first identified the campaign in December 2019. It targeted businesses and was designed to obtain Office 365 credentials, which the attackers used to access user accounts and harvest sensitive information and contact lists. The compromised accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails appeared to come from an employer and contained business-related content along with a malicious attachment entitled Q4 Report – Dec19. The campaign later evolved to use COVID-19 lures that exploited financial concerns related to the pandemic. One lure used the phrase "COVID-19 bonus" to entice victims into opening malicious attachments or links.

Clicking the attachments or links took users to a site hosting a malicious application. The web apps closely resembled genuine web applications commonly used by businesses to improve productivity and security and to support remote workers. Users were asked to grant the Office 365 OAuth applications access to their Office 365 accounts.

Once permission was granted, the attackers received access and refresh tokens that allowed them to access the victim's Office 365 account. Besides contact lists, emails, attachments, notes, projects, and profiles, they also gained access to OneDrive for Business, SharePoint, and any data stored in those online storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order seizing six domains the scammers used to host the malicious applications. The court order has now been granted and Microsoft has taken the domains down. Without that infrastructure, the scammers cannot carry out their attacks. A cybercriminal organization, rather than a nation-state-sponsored group, is believed to be behind the campaign.

Microsoft also shared guidance to help businesses strengthen their defenses against phishing and BEC attacks:

  • The first step is to enable multi-factor authentication on every email account, whether business or personal.
  • Organizations should train staff to recognize phishing and BEC attacks.
  • Security alerts for suspicious links and files should be enabled.
  • Email forwarding rules should be reviewed for suspicious activity.
  • Companies should educate their staff about Microsoft permissions and the consent framework.
  • Applications and consent permissions should be audited to ensure apps are only granted access to the data they need.
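The last point, auditing app consents, can be automated. The following is an added example (not Microsoft's guidance or code) that scores consent grants for the kind of reach the campaign above obtained: mailbox, file and contact scopes, tenant-wide consent, and the `offline_access` scope that yields a refresh token. The grant records are constructed inline in the field layout of the Microsoft Graph `oauth2PermissionGrants` resource; the app and user identifiers are made up.

```python
"""Audit Office 365 / Azure AD OAuth2 permission grants for risky consents.

Added example, not Microsoft's code. Grant records are constructed in the
shape of the Microsoft Graph `oauth2PermissionGrants` resource (clientId,
consentType, principalId, resourceId, scope); in practice they would be
exported from Graph rather than embedded inline.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Delegated scopes that, once consented, give an attacker the reach described
# above: mailbox, files, SharePoint sites and contacts.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Mail.Send",
    "Files.ReadWrite.All", "Files.Read.All",
    "Sites.ReadWrite.All", "Sites.Read.All",
    "Contacts.Read", "Contacts.ReadWrite",
    "MailboxSettings.ReadWrite",
}
# offline_access is what yields a refresh token, so it turns a one-off consent
# into persistent access until the grant is revoked.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample: a legitimate note-taking app granted to one user, and a
# look-alike app granted tenant-wide with mailbox, file and refresh-token scopes.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "sp-legit-notes", "consentType": "Principal",
     "principalId": "user-0001", "resourceId": "msgraph",
     "scope": "User.Read Notes.Read"},
    {"id": "g2", "clientId": "sp-lookalike-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "msgraph",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All Contacts.Read offline_access"},
    {"id": "g3", "clientId": "sp-lookalike-app", "consentType": "Principal",
     "principalId": "user-0002", "resourceId": "msgraph",
     "scope": "Mail.Read offline_access"},
]


@dataclass
class Finding:
    grant_id: str
    client_id: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def assess_grant(grant: dict) -> Optional[Finding]:
    """Return a Finding for a grant that exceeds least privilege, else None."""
    scopes = set(grant.get("scope", "").split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    persistent = PERSISTENCE_SCOPE in scopes
    tenant_wide = grant.get("consentType") == "AllPrincipals"
    if not risky and not persistent:
        return None  # narrow, session-bound grant: nothing to flag
    reasons = []
    if risky:
        reasons.append("broad data scopes: " + ", ".join(risky))
    if persistent:
        reasons.append("offline_access: refresh token keeps access after the session ends")
    if tenant_wide:
        reasons.append("consentType=AllPrincipals: applies to every user in the tenant")
    # Tenant-wide + persistent + several data scopes is the worst case.
    score = len(risky) + (2 if persistent else 0) + (2 if tenant_wide else 0)
    severity = "high" if score >= 4 else "medium"
    return Finding(grant["id"], grant["clientId"], severity, reasons)


def audit_grants(grants: List[dict]) -> List[Finding]:
    """Assess every grant and return findings, highest severity first."""
    findings = [f for f in (assess_grant(g) for g in grants) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "high", f.client_id))


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"[{f.severity}] grant {f.grant_id} app {f.client_id}: " + "; ".join(f.reasons))
```

Grants flagged high are the ones to revoke first; a medium finding on a known business app may be acceptable, but the review should record why.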

Magellan Health Ransomware Affects Over 364,000 People

The April 2020 ransomware attack on Magellan Health has now been posted on the HHS' Office for Civil Rights breach portal. Six Magellan entities were affected, each of which reported the incident. Several other organizations also filed breach reports confirming that their patients and customers were affected.

It is still too early to say precisely how many people were affected, but as of July 1, 2020, the total exceeds 364,000, making this currently the third largest healthcare data breach of 2020. Some entities may not yet have reported the impact of the breach.

The entities that have confirmed being affected by the breach are listed below.

  • Merit Health Insurance Company – 102,748 people impacted
  • Magellan Healthcare, Maryland – 50,410 people impacted
  • Magellan Rx Pharmacy – 33,040 people impacted
  • Magellan Complete Care of Florida – 76,236 people impacted
  • Magellan Complete Care of Virginia – 3,568 people impacted
  • National Imaging Associate – 22,560 people impacted
  • University of Florida, Health Shands – 13,146 people impacted
  • University of Florida Jacksonville – 54,002 people impacted
  • University of Florida – 9,182 people impacted
  • Total: 364,892 people impacted

Many recently reported healthcare ransomware attacks used brute-force attacks on remote desktop services or exploited VPN vulnerabilities. This attack was different: it began with a spear-phishing email that impersonated a Magellan client. The email was sent on April 6 and the ransomware was installed less than a week later.

Magellan's substitute breach notification letter, submitted to the California Attorney General's Office, states that the attacker deployed malware designed to steal login credentials and passwords, gained access to a single Magellan corporate server, and stole employee data. The stolen information related to current employees and included addresses, employee ID numbers, and 1099 or W-2 information such as Taxpayer ID numbers or Social Security numbers. For some employees, usernames and passwords were also obtained.

The breach notice published on the Magellan Health website confirms that patients of Magellan Health and its affiliates and subsidiaries were also affected. Compromised information included treatment details, health insurance account data, member IDs, other health-related details, telephone numbers, and physical and email addresses. In some cases, Social Security numbers were also affected.

The June 12, 2020 website notice did not state whether protected health information (PHI) was stolen in the attack. In all cases, Magellan Health says it has found no evidence so far of misuse of any patient or employee data.

Ransomware Attacks on North Shore Pain Management and Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has begun notifying 12,472 patients that hackers stole some of their protected health information (PHI). NSPM detected the breach on April 21, 2020, and the investigation confirmed that the hackers first accessed its systems on April 16, 2020.

NSPM's substitute breach notice on its website did not describe the nature of the attack; however, Emsisoft and databreaches.net confirmed it was a ransomware attack involving AKO ransomware. When no ransom was paid, the group dumped 4GB of stolen data on its Tor site.

The dumped data contained a range of sensitive employee and patient information. According to the NSPM notice, the stolen data included patient names, dates of birth, health insurance data, account balances, financial data, and diagnosis and treatment data. For some patients, ultrasound and MRI images were also included. Patients whose Social Security number served as their health insurance member number also had their SSN exposed.

Because the stolen data was exposed on the internet, affected patients were advised to monitor their financial accounts and explanation of benefits statements for signs of misuse. NSPM offered free credit monitoring and identity theft protection to patients whose Social Security numbers were compromised, and has hired a new IT management vendor to strengthen cybersecurity.

Like many gangs that deploy ransomware manually, the AKO attackers steal data before encrypting files to improve their chances of a ransom payment. The AKO group typically demands two ransoms from companies with large revenues: one for the decryptor and another to guarantee deletion of the stolen data. The data-deletion ransom ranges from $100,000 to $2,000,000.

The group has said that some healthcare providers pay only the data-deletion ransom and not the decryptor ransom. It is unknown whether NSPM paid a ransom.

Ransomware Attack on Florida Orthopaedic Institute

Florida Orthopaedic Institute, based in Tampa, FL, reported a ransomware attack on April 9, 2020 in which patient data stored on its servers was encrypted. An internal investigation found that patients' personal data and PHI may have been stolen before the files were encrypted. Florida Orthopaedic Institute has received no reports of patient data misuse resulting from the attack.

The institute engaged a third-party computer forensics firm to assist the investigation and took steps to recover the encrypted data and secure its servers. Affected patients have been notified and offered free credit monitoring, identity theft restoration services, and fraud consultation.

The data encrypted and potentially taken by the attackers included names, dates of birth, Social Security numbers, and medical data such as appointment times, physician locations, diagnosis codes, amounts paid, insurance plan ID numbers, claims addresses, payer ID numbers, and/or FOI claims history.

Florida Orthopaedic Institute has hired third-party specialists to improve security and prevent further attacks.

The HHS' Office for Civil Rights has not yet posted the incident on its breach portal, so the number of affected patients is currently unknown.

Survey Reveals Upsurge in Phishing and Email Impersonation Attacks

The latest Mimecast State of Email Security report shows a surge in email impersonation attacks on companies during the COVID-19 pandemic: in the first 100 days of 2020, email impersonation attacks increased by 30%.

Vanson Bourne conducted the survey on behalf of Mimecast, polling 1,025 IT decision-makers in the UK, U.S., Germany, Australia, the Netherlands, South Africa, Saudi Arabia, and the United Arab Emirates (UAE) from February to March 2020, while firms were dealing with the COVID-19 pandemic. Mimecast also analyzed over 1 billion emails processed by its email security solutions.

60% of respondents reported a rise in email impersonation attacks such as business email compromise (BEC) in the past 12 months. Respondents detected an average of 9 email or web spoofing incidents last year, though others may have gone undetected.

DMARC is vital for defending against email impersonation attacks and preventing brand damage. Although 97% of respondents were aware of DMARC, only 27% said they had implemented it.

Ransomware remains a concern for businesses. 51% of respondents reported ransomware affecting their business last year, with the attacks causing an average of 3 days of downtime.

58% of respondents saw an increase in phishing attacks in the past year. 72% reported that phishing attacks increased or stayed at the same level, compared with 69% in the 2019 survey.

IT decision-makers doubt the situation will improve: 85% believe email and web-based spoofing attacks will continue at the same level or increase in the next 12 months. Confidence in repelling attacks is also low; 60% said an email-related data breach is inevitable or very likely.

This gloomy outlook is influenced by the shift in working practices caused by the pandemic. Moving from a predominantly office-based workforce to one that is almost entirely home-based has created new problems and made it harder for IT security teams to keep attacks out.

Despite the high risk of attack, cyber resilience readiness remains insufficient, and regular employee security awareness training is not widely valued. In spite of the threat of phishing and other email-based attacks, 55% of respondents said security awareness training was not provided to employees regularly, and 17% said it was offered only once a year.

Attacks are costly for businesses. 31% of participants said they suffered data loss and business disruption because of an email attack, and 29% reported downtime due to a lack of preparedness.

The report also indicates that many businesses lack basic email security protections:

  • 40% have no system for monitoring and protecting against email-based attacks or data leakage in internal mail systems
  • 39% have no monitoring or protection against email-based malware
  • 42% have no system that automatically removes malicious or unwanted email messages from employee inboxes

The survey shows that businesses recognize the value of a cyber resilience strategy. In 2019, 75% of respondents said they had or were preparing a strategy; this year the figure is 77%. Yet given how many respondents have suffered data loss, downtime, and reduced productivity from email attacks, those strategies are clearly not being implemented quickly enough.

Surge in Mobile Phishing Attacks During the COVID-19 Health Crisis

Cybercriminals are changing their tactics, techniques, and procedures during the COVID-19 health crisis and targeting remote employees with COVID-19-themed phishing lures. According to the latest report from mobile security company Lookout, phishing attacks aimed at users of smartphones and tablets have sharply increased.

Globally, mobile phishing attacks on corporate users rose 37% from Q4 2019 to the end of Q1 2020; in North America the increase was 66.3%. Attackers are particularly targeting remote employees in sectors such as healthcare and financial services.

Although the sharp rise is attributed to the pandemic-driven shift in working practices, mobile phishing attacks have been steadily increasing over the past few quarters. Phishing attacks on mobile users appear to have a higher success rate because users are more inclined to click links than on a desktop or laptop, as phishing URLs are harder to recognize as malicious on small screens.

Whereas a laptop or desktop usually displays the full link, a mobile device shows only the last part of it, which can make a malicious link look legitimate. Employees working from home are also more likely to use their phones to stay productive, particularly those without large screens or multiple monitors at home.

Mobile devices usually lack the level of security found on laptops and office computers, so phishing messages are less likely to be blocked. There are also more channels for delivering phishing links to mobile devices: on a desktop, phishing links typically arrive by email, but on mobile devices they can arrive via email, messaging apps, SMS, social media, and dating apps. Mobile users also tend to work faster and not pause to consider whether a request is legitimate, even if they are careful on a laptop or desktop.

The rise in phishing attacks on mobile users is a security issue that employers must address through security awareness education and training, particularly for remote workers. Phishing awareness training should cover the threat of mobile phishing, show how links can be previewed on mobile devices, and explain the other steps needed to verify that a request is genuine.

If a message appears to come from someone you know but makes an unusual request or leads to a strange webpage, contact that person directly to confirm it. When working remotely, verifying any unusual communication is even more important.

Education alone may not be enough. Security software should also be used on mobile devices to better protect users from phishing and malware.

AHA and AMA Issue Joint Cybersecurity Guidance for Telecommuting Doctors

The American Hospital Association (AHA) and the American Medical Association (AMA) have issued joint cybersecurity guidance for physicians working from home during the COVID-19 outbreak, to help them keep their mobile devices, computers, and home networks secure and provide safe remote care to patients.

Physicians can use their mobile devices to access patient medical records over the internet just as they would in the clinic, and can use teleconferencing solutions to conduct virtual visits with audio, video, and text messaging to assess and treat patients. However, working from home introduces risks that could endanger patient data privacy and security.

The AMA/AHA guidance is intended to help physicians secure their home computers and networks and protect patient data and their work environment from cyber threats such as malware and ransomware that could negatively affect patient safety and health. It sets out essential steps to help ensure a home office is resilient against viruses, malware, and cybercriminals.

The guidance includes a checklist for computer systems detailing steps to strengthen security and reduce exposure to threats such as phishing, ransomware, and malware. It also provides a set of best practices, including using multi-factor authentication, account lockout features, additional verbal authentication processes, and regular backups of records.

The AMA and AHA advise using virtual private networks (VPNs) whenever accessing EHRs and other databases. Physicians should consult their EHR vendors for advice on using VPNs and web-based technologies to improve security.

The guidance also addresses mobile device and tablet security with a similar checklist for keeping those devices secure. The AMA and AHA advise physicians to use apps on mobile devices and tablets to connect securely to the office for medications and tests. Applications such as TigerTouch can also be used on these devices to provide telemedicine services to patients, and they fully integrate with EHRs.

Beyond securing devices, physicians should strengthen the security of their home networks. A vulnerable home network can be exploited, and any device connected to it may be compromised, giving an attacker access to patient information. The guidance also covers the use of medical equipment and how to identify and reduce cyber threats.

The guidance on working from home during the COVID-19 pandemic is available on this page.

Kwampirs APT Group Continues to Attack Healthcare Firms via the Supply Chain

An Advanced Persistent Threat (APT) group called Kwampirs, also known as Orangeworm, continues to attack healthcare providers and infect their systems with the Kwampirs Remote Access Trojan (RAT) and other malware payloads.

The group has been active since around 2016, but activity has increased recently, with the FBI having issued three warnings about the group so far in 2020. Symantec's report in April 2019 was the first to document attacks on healthcare providers through the supply chain.

The group targets several industries, including healthcare, energy, engineering, and software supply vendors. The attacks on healthcare are believed to have occurred through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been very successful. The group has compromised many hospitals across the United States, Asia, and Europe, including local hospital organizations and large transnational healthcare companies. The campaigns typically infect local and enterprise equipment with malware.

The group first gains access to victim devices and establishes a broad, persistent presence using the Kwampirs RAT in order to conduct computer network exploitation (CNE) activities. The attacks proceed in two stages. The first uses the Kwampirs RAT to gain broad and prolonged access to hospital networks, frequently including delivery of several secondary malware payloads. The second adds extra modules to the Kwampirs RAT to allow further exploitation of the victims' networks; these modules are customized to the organization under attack. The FBI reports state that the threat actors maintain control of victim networks for long periods, from 3 months to 3 years, and carry out detailed reconnaissance.

The group has targeted primary and secondary domain controllers, software development servers, engineering servers, and file servers used as repositories for R&D data. Once deployed, the Kwampirs RAT performs daily command-and-control communications with IP addresses and domains hard-coded in the malware and exfiltrates data.

The group's primary motive appears to be cyber espionage, but the FBI says analysis of the RAT revealed several code similarities with the Shamoon (Disttrack) wiper used in the 2012 attack on Saudi Aramco. The FBI states that it has not yet observed any wiper modules integrated into Kwampirs.
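The daily check-in behaviour described above is something a defender can look for in outbound connection logs. The following is an added example (not FBI or Symantec code) that flags source/destination pairs whose connection intervals are nearly constant; the log lines are constructed in a simplified "timestamp src dst bytes" form with made-up hosts and addresses.

```python
"""Flag hosts that contact the same external destination on a near-fixed schedule.

Added example for the daily command-and-control behaviour described above; it
is not FBI or Symantec code. Log lines are constructed in a simplified
"timestamp src dst bytes" form; adapt parse_line() to your proxy or NetFlow
export. Hosts, destinations and times are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.20.1.15 checks in with 203.0.113.40 around 02:00 every
# day with small jitter, while other traffic is irregular browsing.
SAMPLE_LOG = """\
2020-04-01T02:00:03Z 10.20.1.15 203.0.113.40 512
2020-04-01T09:15:44Z 10.20.1.15 198.51.100.7 20480
2020-04-02T02:00:07Z 10.20.1.15 203.0.113.40 498
2020-04-02T13:41:02Z 10.20.1.22 198.51.100.7 30911
2020-04-03T01:59:58Z 10.20.1.15 203.0.113.40 530
2020-04-03T17:05:19Z 10.20.1.22 203.0.113.40 1200
2020-04-04T02:00:02Z 10.20.1.15 203.0.113.40 501
2020-04-04T10:12:40Z 10.20.1.22 198.51.100.7 4410
2020-04-05T02:00:05Z 10.20.1.15 203.0.113.40 515
2020-04-05T11:20:33Z 10.20.1.22 198.51.100.7 7800
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def detect_beacons(log_text, min_connections=4, max_cv=0.1):
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant.

    A low coefficient of variation (stdev / mean) of the gaps between
    connections is the signature of scheduled check-ins; ordinary browsing
    produces irregular gaps. Jitter up to max_cv is tolerated, and pairs with
    fewer than min_connections observations are ignored to avoid noise.
    """
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, _ = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(times),
                         "period_hours": round(avg / 3600, 1), "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"period {hit['period_hours']} h, cv {hit['cv']}")
```

A hit is a lead, not a verdict: scheduled software updates also beacon, so the destination should be checked against known-good services before the host is treated as compromised.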

The FBI has provided a number of recommendations and best practices to improve security and reduce the risk of infection. They include:

  • Update software and operating systems and apply patches
  • Validate user input to limit local and remote file inclusion vulnerabilities
  • Apply a least-privilege model on the web server to reduce the opportunities for privilege escalation and lateral pivoting to other hosts, and to control file creation and execution in specific directories
  • Set up a demilitarized zone (DMZ) between internet-facing systems and the corporate network
  • Ensure all web servers are securely configured and all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Use a web application firewall
  • Conduct regular virus monitoring and code reviews, application fuzzing, and server network examinations
  • Run regular system and application vulnerability scans to identify areas of risk

Microsoft’s Assistance in Securing Healthcare Against Human-Controlled Ransomware Attacks

The COVID-19 outbreak is driving many employees to work from home, and human-operated ransomware gangs are targeting the systems used to support those employees. Although some ransomware gangs have said they will stop attacking healthcare providers while the COVID-19 public health emergency is in effect, not all have.

Several cybercrime gangs are exploiting the COVID-19 outbreak. Their tactics, techniques, and procedures (TTPs) have changed with the pandemic: cybercriminals now use social engineering that plays on fears about COVID-19 to obtain credentials that allow them to compromise healthcare networks.

A ransomware attack on a hospital always causes substantial disruption, but while hospitals are responding to the pandemic it could seriously hinder the treatment of COVID-19 patients. Microsoft has committed to help secure critical services during the COVID-19 crisis and has issued guidance to healthcare providers on defending against human-operated ransomware attacks.

Microsoft is actively monitoring ransomware gang activity, and information from its extensive network of threat intelligence sources shows that certain human-operated ransomware gangs are exploiting vulnerabilities in gateway devices and virtual private network (VPN) appliances that allow remote employees to sign in to their networks.

REvil (Sodinokibi), one of the most prominent human-operated ransomware gangs, has been exploiting vulnerabilities in gateways and VPN appliances for some time. After exploiting the vulnerabilities to steal credentials and escalate privileges, the attackers compromise many devices before deploying ransomware or other malware payloads.

Microsoft says the attackers are highly skilled, have extensive expertise in systems administration, and know how to exploit common network security misconfigurations. They adapt their strategy to the defensive weaknesses and vulnerable services they find while exploring healthcare networks, and often deploy ransomware only after weeks or months inside a network.

Microsoft's report describes how the REvil gang scans the internet for vulnerable systems and exploits the growing use of VPNs and gateways that support remote employees during the COVID-19 outbreak. Because the exploited vulnerabilities are often regarded as low priority, they remain unpatched for long periods.

Microsoft identified several hospitals with vulnerable gateways and VPN devices on their networks; the vulnerabilities were similar to those exploited by the REvil gang. Microsoft has notified the hospitals and strongly advised them to apply updates immediately to prevent exploitation.

Microsoft stressed that running VPN and virtual private server (VPS) infrastructure requires knowing the current patch state of those systems. Every organization with VPN or VPS infrastructure should perform a comprehensive review, identify available updates, and apply them immediately.

For many months, nation-state and cybercriminal actors have been targeting unpatched VPN systems. Attacks have also targeted remote employees directly, often abusing the updater services used by VPN clients to deliver malware payloads.

Microsoft issued the following recommendations for healthcare organizations:

  • Apply all available security updates for VPN and firewall configurations.
  • Monitor remote access infrastructure and investigate anomalies immediately.
  • Reset passwords as soon as a compromise is identified.
  • Turn on attack surface reduction rules to block credential theft and ransomware activity.
  • Block macros, executable content, process creation, and process injection initiated by Office applications.
  • Enable AMSI for Office VBA if you use Office 365.
  • Harden internet-facing assets and apply the latest security updates.
  • Secure Remote Desktop Gateway with Multi-Factor Authentication (MFA), or enable network level authentication (NLA) where MFA is not available.
  • Apply the principle of least privilege.
  • Maintain good credential hygiene.
  • Monitor for brute-force attempts and investigate excessive failed authentication attempts.
  • Monitor for clearing of event logs, particularly the PowerShell Operational log and the Security event log.
  • Determine where highly privileged accounts are logging on and exposing credentials.
  • Use the Windows Defender Firewall together with your network firewall to prevent RPC and SMB communication between endpoints.
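As a worked illustration of several items on that list, here is an added PowerShell example for a Windows 10 workstation. It is not Microsoft’s script and is not part of the original article. The workstation subnet (10.10.0.0/16) and the Office 16.0 policy path are assumptions; the ASR rule GUIDs are Microsoft’s published identifiers for the rules named in the comments.

```powershell
# Added example (not Microsoft's or the article's own script): applies the endpoint
# recommendations above on a Windows 10 workstation. Run in an elevated session.
# Assumptions are flagged inline: workstation subnet 10.10.0.0/16, Office 16.0 policy key.
#Requires -RunAsAdministrator

# 1. Attack surface reduction rules in Microsoft Defender. GUIDs are Microsoft's published
#    rule identifiers. Use 'AuditMode' first to measure impact, then switch to 'Enabled'.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR rule enabled: $($asrRules[$id])"
}

# 2. AMSI runtime scanning of Office VBA. MacroRuntimeScanScope: 0 = off, 1 = only
#    low-trust documents (default), 2 = every document. Path assumes Office 16.0 (2016/365).
$officeSec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $officeSec -Force | Out-Null
Set-ItemProperty -Path $officeSec -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

# 3. Require Network Level Authentication for RDP so a client must authenticate before it
#    gets a logon screen. MFA at the RD Gateway remains the stronger control.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Block inbound SMB and RPC from other workstations (assumed range 10.10.0.0/16) so a
#    compromised endpoint cannot use admin shares, PsExec or WMI against its neighbours.
#    Servers and jump hosts outside that range are unaffected by these rules.
$peers  = '10.10.0.0/16'
$blocks = @(
    @{ Name = 'Block SMB from workstations';         Port = '445' },
    @{ Name = 'Block NetBIOS from workstations';     Port = '139' },
    @{ Name = 'Block RPC mapper from workstations';  Port = '135' },
    @{ Name = 'Block RPC dynamic from workstations'; Port = '49152-65535' }
)
foreach ($b in $blocks) {
    if (-not (Get-NetFirewallRule -DisplayName $b.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $b.Name -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort $b.Port -RemoteAddress $peers -Profile Any | Out-Null
    }
}

# 5. Show what is now in force.
(Get-MpPreference).AttackSurfaceReductionRules_Ids
Get-ItemProperty -Path $rdp -Name UserAuthentication | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayName 'Block * from workstations' | Select-Object DisplayName, Enabled, Action
```

Start the ASR rules in AuditMode and review the Defender operational log before switching to Enabled, and scope the firewall block rules to the address ranges that hold workstations only, since domain controllers and file servers legitimately receive SMB and RPC.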

Organizations unsure how best to secure their VPN and VPS infrastructure can find further guidance from the National Institute of Standards and Technology (NIST) and the DHS Cybersecurity and Infrastructure Security Agency (CISA), both of which have published guidance on securing VPN/VPS infrastructure.

Cybersecurity Best Practices for Safeguarding Remote Employees Throughout the COVID-19 Crisis

With attacks escalating, it is crucial to follow cybersecurity best practices to protect remote workers from phishing attacks and malware infections.

Companies must make sure they are running the latest versions of their VPN software and apply patches promptly. The DHS Cybersecurity and Infrastructure Security Agency (CISA) issued a further alert on March 13 urging organizations to patch and update the VPNs used by remote employees to address known vulnerabilities. Companies were also advised to require multifactor authentication on all VPN connections. VPNs should also be configured to connect automatically when a device starts rather than relying on workers to connect manually.

The COVID-19 outbreak is likely to last for several months, during which much software and many operating systems will need updating. Scanning devices and confirming that patches have been applied is much harder with a remote workforce. Because it is difficult to maintain a persistent, routable connection to end users’ devices when they are off the corporate network, cloud-managed security tooling should be considered in place of approaches that assume devices are on the corporate network.

Implement multifactor authentication for all applications used by remote employees. The rise in phishing attacks aimed at remote workers makes it likely that some account credentials will be compromised; with multifactor authentication in place, stolen credentials alone cannot be used to access company resources.

People working from home need effective security controls on their devices. IT teams should deploy email security, web security, and anti-virus software on any worker-owned devices that are permitted to connect to the network.

Adopt a zero-trust approach for remote employees and enforce the principle of least privilege: give remote workers access only to the resources they need for their job responsibilities and restrict privileges as far as possible. If credentials are compromised, this limits the damage that can result.

The risk of device theft is greater when employees work from home. To prevent data loss and impermissible disclosures, encrypt all data on portable devices; on Windows 10 devices this is straightforward by enabling BitLocker. Use encrypted protocols for web and file transfers (HTTPS, and SFTP or FTPS rather than plain FTP) so that data is protected in transit. Firewalls must also be enabled on remote workers’ devices.
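The BitLocker and host firewall steps above, as an added PowerShell example for a domain-joined Windows 10 laptop. This is not from the article; it assumes a TPM is present and that recovery passwords are escrowed to Active Directory (Azure AD joined devices would use BackupToAAD-BitLockerKeyProtector instead).

```powershell
# Added example (not from the article): enable BitLocker with TPM unlock and an escrowed
# recovery password, then enforce the host firewall on every profile. Run elevated.
# Assumptions: TPM present, device is AD-joined, system drive is C:.
#Requires -RunAsAdministrator
$drive = 'C:'

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Add the recovery password first so there is always a way back into the volume, then
    # enable with the TPM as the day-to-day protector. -UsedSpaceOnly shortens the initial
    # encryption on a freshly built machine; omit it for a drive that already held data.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null
}

# Escrow every recovery password to Active Directory. Without this a lost or reset laptop
# is unrecoverable by IT, which turns a theft-protection control into a data-loss event.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Host firewall on for Domain, Private and Public, inbound blocked by default: a laptop on a
# home or hotel network should not expose SMB or RDP to whatever else is on that network.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# Report the resulting state.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

ProtectionStatus reports On only once encryption has finished and a protector is active; until then the recovery password is the only thing standing between a thief and the data, which is why it is added and escrowed before encryption starts.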

IT departments are currently seeing large numbers of new devices connecting remotely to their networks, some of which have never connected before. That makes it harder to identify attackers and easier for them to hide their connections among legitimate traffic. Monitoring should therefore be stepped up to identify malicious and suspicious activity and catch cyberattacks in progress.
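To make that monitoring concrete, here is an added PowerShell triage sweep covering the signals Microsoft’s list calls out (excessive failed authentications, event log clearing, and where privileged accounts are logging on). It is not from the article or from Microsoft; the thresholds, the 24-hour window and the privileged account names are assumptions to be tuned locally.

```powershell
# Added example (not from the article or Microsoft): sweep a Windows host's event logs
# for brute force, log clearing and privileged logons over a recent window.
# Run elevated on the host, or point Get-WinEvent at a remote host with -ComputerName.
# Assumptions: 20 failures per account is "excessive"; the account list is a placeholder.
param(
    [int]$Hours = 24,
    [int]$FailureThreshold = 20,
    [string[]]$PrivilegedAccounts = @('Administrator', 'svc_backup')   # assumed tier-0 names
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Brute force: 4625 = failed logon. For 4625, Properties[5] = TargetUserName and
#    Properties[19] = source IpAddress. Group by account and report the noisy ones.
Write-Host "`n== Accounts with >= $FailureThreshold failed logons since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Properties[5].Value
            Source  = $_.Properties[19].Value
        }
    } |
    Group-Object Account |
    Where-Object Count -ge $FailureThreshold |
    ForEach-Object {
        $sources = ($_.Group.Source | Sort-Object -Unique) -join ', '
        '{0,-25} {1,5} failures from {2}' -f $_.Name, $_.Count, $sources
    }

# 2. Log clearing: 1102 is written to Security when the Security log is cleared (its data
#    lives under UserData, so read the XML); 104 from Microsoft-Windows-Eventlog is written
#    to System when any other log, e.g. Microsoft-Windows-PowerShell/Operational, is cleared.
Write-Host "`n== Event log clears =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        '{0}  Security log cleared by {1}' -f $_.TimeCreated, $x.Event.UserData.LogFileCleared.SubjectUserName
    }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  {1}' -f $_.TimeCreated, $_.Message.Split("`n")[0].Trim() }

# 3. Privileged logons: 4624 = successful logon; Properties[5] = TargetUserName,
#    [8] = LogonType, [18] = IpAddress. Types 2 (interactive), 3 (network) and 10 (RDP)
#    leave reusable credential material on the target, so list where tier-0 accounts land.
Write-Host "`n== Privileged account logons (types 2/3/10) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        ($PrivilegedAccounts -contains $_.Properties[5].Value) -and
        ([int]$_.Properties[8].Value -in @(2, 3, 10))
    } |
    ForEach-Object {
        '{0}  {1,-20} type {2,2} from {3}' -f $_.TimeCreated, $_.Properties[5].Value,
            $_.Properties[8].Value, $_.Properties[18].Value
    }
```

A privileged account logging on interactively or over RDP to an ordinary workstation is exactly the credential exposure the list warns about, and a Security log clear with no change ticket behind it should be treated as an incident rather than a curiosity.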

Make sure there are enough licenses for software and SaaS applications to cover the growing number of remote workers, and provide adequate bandwidth for the increase in remote traffic. Determine how much bandwidth is needed, then double it.

Do not underestimate the value of training. A large proportion of cyberattacks succeed because of user error. Refresher training is essential for all remote workers to remind them of the dangers of phishing and spoofing, and because phishing attacks on remote workers are soaring, phishing simulations and training are more important than ever.

Some workers may be using laptops to connect to work networks for the first time. They need training on the new applications and security software they are using; unfamiliarity increases the potential for errors.

Remote employees should also be briefed on the basic IT security procedures to follow when working from home, reminded of the process for reporting risks and suspected compromises, and told what to do if they believe they have fallen for a scam.