All posts by Rob Sobers

12 TED Talks That Will Change the Way You Look at Business Cybersecurity

cybersecurity TED talks

The cybersecurity landscape is constantly evolving. New security threats pop up daily, and threat actors can be an employee in the next cubicle or a blackhat hacker in a coffee shop in Bangkok.

Additionally, cybersecurity has real-world implications that reach far beyond the boardroom — everything from Internet-connected teddy bears to the stability of world governments is impacted by cyber. As such, it’s more important than ever that everyone in your organization is up to date on the latest security trends and information.

To this end, we put together a list of our top 12 TED Talks on cybersecurity. These discussions touch on everything from how to create a strong password to the impact hackers have on world peace. The talks inform, inspire and engage — and they might just change how you look at your organization’s cybersecurity.

Business cybersecurity TED talks

In a landscape of ever-evolving, ever-improving threats, is your business ready to face the next one? Take our risk assessment to find out.

The World’s Most Creative Data Centers: Infographic

creative data centers

Data centers are facilities used to house computer systems and associated components. They are vital to the daily operations of a network and are home to its most pivotal systems and equipment. Sound glamorous? Actually, it is.

As data privacy becomes more and more important, data centers need to be placed in extraordinary locations in order to ensure maximum security. This need for security, coupled with the fact that data centers are required to be as energy efficient and effective as possible, means they’re anything but boring.

From facilities with roofs made up entirely of plants, to centers located in mines 22 stories below ground, networks are becoming more and more creative with the ways they house their data.

So, where do some of the world’s most established companies house their data centers? With more than half a million data centers worldwide, there are plenty to discover. Here are some of the most interesting.

Data never sleeps and the Internet is constantly growing. In fact, there are 2.5 quintillion bytes of data created each day and more than 3.7 billion people use the Internet. These data centers are inventive responses to growing technology and the challenges it presents every day.

With the rapid growth of data comes an increased number of data breaches. Data security is one of the largest concerns impacting the world today, and networks are working hard to give us the data protection we need in order to stay safe. Assess your risk today to make sure you are playing your part and staying cyber safe.

Sources:
Data Center Knowledge: 1, 2, 3, 4, PR Newswire, AIS, InformationWeek, Switch, Cyberbunker, Wikipedia

The Top Skills of Fortune 100 CISOs


The role of CISO is constantly expanding and evolving with the growing awareness of cyber attacks. As cyber attacks increase in frequency and sophistication, organizations are beginning to look at security as a business priority, and the role of CISO has become more critical.

Companies need to look beyond basic technical expertise and the necessary leadership skills and instead look for someone who can also understand their organization’s operations and can express IT security priorities from a business perspective. In addition to skills in IT security, it is ever more important to have a business background as well as leadership and management soft skills like teamwork and communication in order to make your way to the top.

So what does it actually take to become a leading CISO?

In an effort to shine some light on this query, we analyzed the CISOs of Fortune 100 companies. By looking at their common endorsements and educational backgrounds on LinkedIn, we were able to gauge what it takes to become one of the top leaders in cybersecurity today.

Check out our infographic below to learn more about the expertise and educational background of the world’s top cybersecurity leaders.

what it takes to become a fortune 100 CISO

Because of the increase in cyber attacks, the role of CISO is constantly evolving to fit cybersecurity business needs. By diversifying their skill sets, these top CISOs are paving the way for a better future in cybersecurity. In addition, check out the top 10 female CISOs that are leading the way for women in tech.

How to Turn Cybersecurity Jargon into a Language Everyone in Your Office Ca...

translate cybersecurity jargon

Explaining how cybersecurity affects an entire organization can be complex. The field is filled with jargon and buzzwords that can hinder understanding for those outside of IT. What’s more, everyone in an organization views cybersecurity through a different lens, depending on what their role in the company is.

In order to explain important aspects of cybersecurity and how they affect your company, you must be able to communicate without using jargon that business stakeholders may not understand.

To simplify the process, we’ve broken down how to explain 10 common cybersecurity buzzwords and why it matters for your business.

10 Common Cybersecurity Terms

Cybersecurity touches every part of an organization, and misconceptions around cybersecurity can put your company at risk. As such, it’s vital that you’re able to effectively communicate industry buzzwords to every person in your office.

To best communicate the importance of the information you’re trying to relay, first determine the role the person you’re talking to has within the organization as a whole. Then, consider what might be most important to them. Does what you’re talking about solve a pain point for them? Does it offer a solution? Communicate that.

Once you’ve looked at the situation from the lens of the person you’re speaking with, offer concrete examples and solutions, not just conceptual ones. Addressing how your proposal will affect their part of the organization in real-life terms, not just hypotheticals, will better help you convey the importance of your message.

Are These 10 Cybersecurity Myths Putting Your Business at Risk?

business cybersecurity risks

Cybersecurity preparedness is one of the major obstacles facing businesses today. Despite the increased focus on making companies cybersafe, there are several common cybersecurity misconceptions that still pervade the business world.

If you or your employees believe any of the myths below, you could be opening up your business to unknown risk. Check out the full list, or jump to our infographic for tips on how you can bust these myths and keep your business cybersafe.

strong password cybersecurity myth

Strong passwords are one of the foundations of good cybersecurity practices, especially for businesses. However, implementing and enforcing strong password policies is only the start. In fact, one of the major components of cybersecurity preparedness that companies overlook isn’t how people access the information — it’s what information is available in the first place.

Not only do employees need strong passwords, companies need to be more aware of who they allow to access what data. In a recent study, we found that 41 percent of companies had at least 1,000 sensitive files open to all employees. Many companies also don’t have a system in place to monitor admin access. Strong passwords help keep your company safe, but there’s a lot more at risk once employees are in the system.

small businesses aren't hacked myth

The proliferation of high-profile hacks in the news cycle often tricks small- and medium-sized businesses into thinking that they won’t be targets of attack. In reality, the opposite is actually true. In fact, according to the 2018 Verizon Data Breach Investigations Report, 58 percent of data breach victims are small businesses.

This happens for several reasons. Many businesses aren’t targeted specifically, but instead are victims of what’s known as “spray-and-pray” attacks — hackers set up automated systems to randomly infiltrate businesses. As these attacks are random, any business can be damaged, regardless of size.

Small businesses tend to be “softer” targets, as they have less funding for advanced data protection software and often don’t have skilled security teams, which makes them more likely to fall victim to spray-and-pray attacks. Targeted attacks also tend to focus on small businesses, precisely because they’re unprotected.

vulnerable industries hacking myth

Much like some businesses believe they won’t be attacked because of their size, other businesses wrongly assume that they won’t be attacked because of the industry they’re in. This myth also goes hand-in-hand with the belief that some companies don’t have anything “worth” stealing. The reality is that any sensitive data, from credit card numbers to addresses and personal information, can make a business a target.

What’s more, even if the data being targeted doesn’t have resale value on the darkweb, it may be imperative for the business to function. Ransomware, for example, can render data unusable unless you pay for a decryption key. This can make attacks very profitable for cyber criminals, even if the data is deemed “low value.”

anti-virus cybersecurity myth

Anti-virus software is certainly an important part of keeping your organization safe — but it won’t protect you from everything. Software is just the beginning of a comprehensive cybersecurity plan. To truly protect your organization, you need a total solution that encompasses everything from employee training to insider threat detection and disaster protection.

insider and outsider security threats

While outsider threats are certainly a concern and should be monitored extensively, insider threats are just as dangerous and should be watched just as closely. In fact, research suggests that insider threats can account for up to 75 percent of data breaches.

These threats can come from anyone on the inside, from disgruntled employees looking for professional revenge to content employees without proper cybersecurity training, so it’s important to have a system in place to deter and monitor insider threats.

IT's role in cybersecurity

While IT has a big responsibility when it comes to implementing and reviewing policies to keep companies cybersafe, true cybersecurity preparedness falls on the shoulders of every employee, not just those within the information technology department.

For example, according to Verizon, 49 percent of malware is installed over email. If your employees aren’t trained on cybersecurity best practices, like how to spot phishing scams and avoid unsafe links, they could be opening up your company to potential threats.

public wifi misconceptions

If your business has employees who travel often, work remotely or use shared workspaces, they may incorrectly assume that a password keeps a Wi-Fi network safe. In reality, Wi-Fi passwords primarily limit the number of users per network; other users who share the same password can potentially view the sensitive data that’s being transmitted. These employees should invest in VPNs to keep their data more secure.

computer virus myth

A decade or so ago it may have been true that you could tell immediately if your computer was infected with a virus — tell-tale signs included pop-up ads, slow-to-load browsers and, in extreme cases, full-on system crashes.

However, today’s modern malware is much more stealthy and hard to detect. Depending on the strain your computer or network is infected with, it’s quite possible that your compromised machine will continue running smoothly, allowing the virus to do damage for some time before detection.

BYOD at work

Employees often assume that their personal devices are immune to the security protocols the company’s computers are subjected to. As such, Bring Your Own Device (BYOD) policies have opened up companies to cyber risk they may not be aware of. Employees who use their personal devices for work-related activities need to follow the same protocols put in place on all of the network’s computers.

These rules aren’t limited to cellphones and laptops. BYOD policies should cover all devices that access the internet, including wearables and any IoT devices.

achieving cybersecurity preparedness

Cybersecurity is an ongoing battle, not a task to be checked off and forgotten about. New malware and attack methods consistently put your system and data at risk. To truly keep yourself cybersafe, you have to continuously monitor your systems, conduct internal audits, and review, test, and evaluate contingency plans.

Keeping a business cybersafe is a continuous effort, and one that requires every employee’s participation. If anyone at your company has fallen victim to one of the myths above, it may be time to rethink your cybersecurity training and audit your company to assess your risk.


The World in Data Breaches


Data security is one of the largest concerns impacting the world today.

The increasing sophistication of cyber attacks coupled with the overall lack of cybersecurity has led to the greatest data breaches and the loss of data records on a global scale.

However, not all data breaches are the same worldwide — various factors such as laws, population, and the size of data breaches influence the number of stolen records in each country.

Data Breaches Worldwide

The number of lost or stolen data records varies around the world. Data records refer to any piece of information that can put an individual or organization at risk, including email address, date of birth, account credentials, medical files, and banking details. Using data from the Breach Level Index, we visualized where these records are concentrated based on the locations of the organizations that reported them.

The map puts into perspective the discrepancies in data records on a global level.

world in data breaches

Almost 64 percent of the total stolen data records occurred in the United States, whose large population, concentration of major companies, and rate of technological adoption make it the most massive “hotspot” on this map. Countries like China and India are also major centers of data breaches.

However, we also see densely populated countries like Brazil and larger countries like Italy represented as small regions on the map. This means that having a large population is only half of the picture, especially if we take a look at the ratio of the population to data breaches.

According to the Breach Level Index, over 9.7 billion data records have been lost or stolen globally since 2013 as a result of data breaches and cyber crime. Here are a few of the most alarming data breach statistics:

global data breach stats

Data Breaches by Country and Population

The below graphic shows the countries that have the highest ratio of data records stolen relative to their population. With over 6 billion stolen records, the total number of records in the U.S. exceeds the population by 19 times.

However, countries like South Korea and Canada have substantial data theft in relation to their smaller populations, suggesting that other factors influence stolen data records.

Identity Theft Worldwide

While data breaches refer to specific incidents that lead to data loss, identity theft is the moment one’s compromised data is used for malicious purposes. There have been a total of 10 million identities stolen since 2013. Like the total number of data records, identity theft also shows geographic differences that aren’t caused by population alone.

identity theft around the world

The United States leads other countries with almost 85 percent of identities stolen worldwide. While population size explains part of this amount, the United States’ stringent data breach reporting requirements suggest that the identity theft count in other countries may be underreported.

Despite their smaller populations, countries like South Korea and Canada are among the most hacked. According to Symantec, these countries were affected by “mega breaches” — breaches affecting more than 10 million identities. For example, the Dailymotion breach in France exposed 85 million identities, almost equal to the total data records stolen for the whole year. We also see other smaller countries like Sweden and the Netherlands sized much larger proportionately.

These geographic views reveal that dense populations and first-world power are not the sole sources of data breaches. Specific events and laws create gaps between countries, leading to major breaches that steal more data records than the populations that exist in some countries. With global data privacy regulations like GDPR and NDB taking place, it’ll be interesting to see how data breaches continue to impact the world.

Sources:

Breach Level Index | Gemalto | Symantec | Guiding Tech | Worldometers | Risk-Based Security | TechInsurance | CSO Online | Checkmarx | The Register

The Average Reading Level of a Privacy Policy

privacy policies of tech companies after gdpr

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data.

While the regulation pertains to the personal data of EU citizens, the law and fines for misconduct still apply regardless of whether the person is paying for the service or whether the company has operations within the EU. The result has been a swath of privacy policy updates here in the U.S.

Since privacy policies are often overlooked — in 2014 half of internet users didn’t even know what a privacy policy was according to the Pew Research Center — added complexities from GDPR are surely making things worse, right?

We decided to look at the individual privacy policies of the top websites on the web to check word count, reading time and reading grade level before and after GDPR to determine just how easy these companies are making it for users to understand their policy changes.

What Did Privacy Policies Look Like Before GDPR?

privacy policies before gdpr

As you can see, Reddit had the longest reading time, at almost 27 minutes. Facebook and eBay are a close second. Overall, with the third-highest word count and the highest reading level of 18 (which is essentially a senior-level college student), eBay’s was effectively the most difficult privacy policy to read.

Yahoo’s was by far the shortest read of the group at under 8 minutes, and its reading level sits just above the average of 13.6. Perhaps fittingly, Facebook’s reading level of 11 was the easiest of the group, given their push to be more transparent about their privacy.

So, how did things change once GDPR caused these sites to update their policies?

How Did Privacy Policies Change After GDPR?

privacy policies after gdpr

The major change seen here is that eBay not only increased their word count to the highest on the list, but their reading level now sits at 20. Yahoo still has the lowest word count and reading time, but Reddit now has the easiest reading level. Below, we dig deeper into each site to understand the changes after GDPR, starting with the most popular site on the web, Google.

Google privacy policy after GDPR

Google processes over 40,000 search queries every second, which translates into 3.5 billion searches every day. Since search is only one avenue for Google to collect data from users, the amount of raw data collected is mind blowing. By some estimates, Google owns and stores about 15 exabytes of data. To put this in perspective, 1 exabyte equates to 1 million terabytes.

The large number of products and users Google has opens up their exposure to data breaches. It might not surprise you that with the introduction of GDPR law, Google’s privacy policy increased by more than 48 percent.

Facebook privacy policy after GDPR

After intense public scrutiny following the Cambridge Analytica scandal, Mark Zuckerberg testified before Congress and the European Parliament. After his testimony, the chair of the European Parliament Civil Liberties, Justice and Home Affairs committee said, “Mr Zuckerberg and Facebook will have to make serious efforts … to convince individuals that Facebook fully complies with European data protection law.”

How did Facebook’s efforts to increase the readability of their privacy policy measure up as a result of GDPR? Although they shortened the time it takes to read by over 5 minutes, the reading level increased by two full grades.

Reddit privacy policy after GDPR

Reddit is the self-proclaimed “front page of the internet” and, with over 1.5 billion monthly active users and over 1.2 million total subreddits, that tagline has become a self-fulfilling prophecy. There are subreddits dedicated to blackhat hacking techniques and other subreddits that have been targeted for the very nature of their existence.

In December of 2017, the cryptocurrency-focused r/btc subreddit was targeted by a series of hacks that resulted in users’ bitcoin cash wallets being depleted. The very nature of Reddit, which involves sharing links to third-party sites, exposes users to the threat of malicious intent. With this in mind, it’s a little surprising to see the word count decreased by 38.20 percent.

Amazon privacy policy after GDPR

Amazon has grown into more than just the largest eCommerce company in the world. Their cloud computing platform, Amazon Web Services, is now responsible for 10 percent of the company’s revenue. Security is more important than ever since Amazon now houses sensitive data of individuals — the cloud platform reached 1 million users in 2016.

The company also stores the information of companies and governments. An Uber breach in 2016 that compromised the information of 57 million users worldwide was linked to a compromised Amazon Web Services account.

Amazon’s privacy policy changes resulted in increases across the board: the word count, time to read, and reading grade level all went up.

Wikipedia privacy policy after GDPR

Wikipedia was launched in 2001 with the goal to increase the availability of information worldwide, and the English edition has since reached 5.6 million articles. While the often-cited website has since become one of the most popular in the world, its information isn’t always completely reliable. The free encyclopedia was built around a model of openly editable content, which means that anyone with access to the Internet can edit it, even anonymously or using a pseudonym.

While the website has policies in place to remove false content, the reliability of the website is often in question — Turkey banned the site in 2017 after the company refused to take down an article with validity in question. Wikipedia’s privacy policy saw the largest increase in word count at nearly 95 percent; the time to read increased as well.

Yahoo privacy policy after GDPR

A golden child of the dot-com bubble, the domain “yahoo.com” was purchased on January 18, 1995. By 1997, Yahoo was the second most visited website on the internet, after AOL, and Yahoo’s valuation skyrocketed to $125 billion before the bubble popped and the company’s stock fell dramatically. When cooler heads prevailed, the stock price began to normalize and the company maintained its position as one of the most frequently viewed websites in the U.S.

In 2016, Yahoo reported a security breach that the company believed compromised the privacy of 1 billion accounts. In 2017, it was revealed that in actuality every single Yahoo account — over 3 billion accounts in total — had been hacked, making it the largest data breach in history. It might not be surprising to see the word count of their new privacy policy increase by 38.11 percent, but this could also be a result of their acquisition by Verizon in 2017.

Twitter privacy policy after GDPR

Twitter launched in 2006 after the founding team failed in starting Odeo, a podcasting company. The team included current CEO Jack Dorsey who sent the first “tweet” when it was an SMS service. The company had their initial public offering in 2013 with over 200 million monthly active users and over 500 million tweets per day.

In 2016, the company created the “Twitter Trust & Safety Council” to ensure users feel safe using the product. The company has had a string of security breaches, including one as recent as May 2018 when the passwords of 330 million accounts were exposed in plain text. Although the reading level has remained consistent, Twitter’s new privacy policy has grown by more than 29 percent.

Ebay privacy policy after GDPR

eBay, another veteran member of the Silicon Valley dot-com bubble on this list, started as an online auction marketplace. In fact, the company was started to help the founder’s fiancée trade her collection of Pez dispensers. With their “Buy It Now” feature, the company has moved beyond their original auction-style business model and solidified their place in eCommerce.

Certainly not immune to the tech industry’s privacy and security issues, eBay has had their fair share of public scrutiny. In 2014, eBay revealed that usernames, passwords, phone numbers, physical addresses and even banking information had been released for millions of users. It’s interesting to see that the privacy policy has become more difficult to read, increasing by two reading levels, yet the word count has increased only a little more than 8 percent.

instagram privacy policy after GDPR

Social media photo- and video-sharing app Instagram has a wealth of information to protect: As of 2017, the app has 800 million users, 500 million of which are daily users. Additionally, more than 40 billion photos have been uploaded to the app as of October 2015; this number doesn’t reflect the number of videos (or “Stories”) uploaded to the app, as that feature launched in 2016.

Instagram isn’t a stranger to breaches of this information, either. In 2017 the app suffered a data breach that left the personal information of approximately six million users vulnerable. Among the information affected were the phone numbers and email addresses of high-profile users, which was then made available on the dark web. The company is also owned by Facebook, which faced widespread criticism following the 2018 Cambridge Analytica scandal.

Instagram’s policy increased across the board: its word count increased over 40 percent, while the time it takes to read increased a full 6 minutes.

Netflix privacy policy after GDPR

What began as a DVD rental service in 1997 quickly expanded and exploded with the proliferation of technology: Today, Netflix is a subscription-streaming service provider and content producer with over 125 million users worldwide. The company also expanded globally in 2016, simultaneously launching in 130 countries and bringing its total availability to 190 countries.

The company has also been hacked: In 2015, security company McAfee released a report that detailed how you can buy access to streaming accounts, like Netflix’s, on the dark web. A file containing 1.4 billion hacked passwords, which was leaked on the dark web in 2017, also included Netflix login information.

Overall, Netflix’s privacy policy has seen an increase in word count, reading time and reading grade level, although the increases are slight compared to some.

How Have Privacy Policies Changed Overall?

how privacy policies have changed since gdpr

The goal of the updated privacy policies is to simplify the process of managing user privacy concerns and accessing user data. However, you might be surprised to see how the privacy policies have changed. Eight out of 10 companies we analyzed actually increased their privacy policy word count and the subsequent time it takes to read them.

Wikipedia showed the largest update, with a word count increase of almost 95 percent. Only two companies — Facebook and Reddit — decreased both the word count and the reading time of the privacy policies.


Sources
Google – Old | New | Facebook – Old | New | Reddit – Old | New | Amazon – Old | New | Wikipedia – Old | New | Yahoo – Old | New | Twitter – Old | New | eBay – Old | New | Instagram – Old | New | Netflix – Old | New | IBM Watson – Natural Language Understanding | IBM Watson – Tone Analyzer | Readability Formulas | Alexa | Niram | EU – GDPR

What Does it Take to Be an Ethical Hacker?

how to be an ethical hacker

What do you think of when you hear the term “hacker”?

If you immediately envision a mysterious figure out to illegally access and compromise systems with the intent to wreak havoc or exploit information for personal gain, you’re not alone.

While the term “hacker” was originally used within the security community to refer to someone skilled in computer programming and network security, it has since evolved to become synonymous with “cyber criminal,” a change in perception largely due to portrayals in movies and in the media.

As such, the cyber community has developed several terms to differentiate malicious, illegal hackers (known as “black hat hackers”) from other cyber risk and programming professionals without malicious intent.

Read on to learn more about ethical hackers, or jump to our infographic to learn how to become one yourself.

What is a White Hat Hacker?

A white hat hacker — also referred to as a “good hacker” or an “ethical hacker” — is someone who exploits computer systems or networks to identify security flaws and make improvement recommendations. A subset of ethical hackers are penetration testers, or “pentesters,” who focus specifically on finding vulnerabilities and assessing risk within systems.

Unlike black hat hackers, who access systems illegally, with malicious intent and often for personal gain, white hat hackers work with companies to help identify weaknesses in their systems and make corresponding updates.

In many ways, white hat hackers are the antithesis of black hat hackers. Not only do white hat hackers break into systems with the intention of finding and fixing vulnerabilities, they do so to ensure that black hat hackers aren’t able to illegally access the system’s data.

Ten Influential White Hat Hackers

White hat hackers are the “good guys” of the hacking world. They exploit systems to make them better and keep black hat hackers out. Below are some of the most influential white hat hackers.

Tim Berners-Lee
One of the most famous names in computer science, Berners-Lee is the founder of the World Wide Web. Today he serves as the director of the World Wide Web Consortium (W3C), which oversees the development of the web.

Greg Hoglund
Computer forensics expert Hoglund is best known for his work and research contributions in malware detection, rootkits and online game hacking. In the past, he worked for the U.S. government and the intelligence community.

Richard M. Stallman
Founder of the GNU project, a free software project that promotes freedom with regard to the use of computers, Stallman is a prime example of a “good guy” hacker. Stallman founded the free software movement in the mid-1980s, with the idea that computers are meant to support cooperation, not hinder it.

Dan Kaminsky
A well-known figure within the cybersecurity world, Kaminsky is the chief scientist of White Ops, a firm that detects malware activity via JavaScript. He’s best known for discovering a fundamental flaw in the Domain Name System (DNS) protocol that would allow hackers to perform widespread cache poisoning attacks.

Jeff Moss
Ethical hacker Jeff Moss served on the U.S. Homeland Security Advisory Council during the Barack Obama administration and co-chaired the council’s Task Force on CyberSkills. He also founded hacker conferences Black Hat and DEFCON, and is a commissioner at the Global Commission on the Stability of Cyberspace.

Charlie Miller
Miller, who’s largely famous for finding Apple vulnerabilities and winning the well-known Pwn2Own computer hacking contest in 2008, has also worked as an ethical hacker for the National Security Agency.

Linus Torvalds
Software engineer Torvalds created and developed the Linux kernel, which eventually became the core of the Linux family of operating systems.

Kevin Mitnick
Once one of the most notorious black hat hackers around, Mitnick became a white hat hacker after a highly publicized FBI pursuit landed him in jail for computer hacking and wire fraud. Today, he runs Mitnick Security Consulting, which performs security and penetration testing for companies.

Tsutomu Shimomura
White hat hacker Shimomura is best known for assisting the FBI in taking down Mitnick after the black hat personally attacked Shimomura’s computers.

Marc Maiffret
Now the chief technology officer at a leading security management company, Maiffret’s accolades include the invention of one of the first vulnerability management and web application products. He’s also credited with discovering some of the first major vulnerabilities in Microsoft software, including Code Red, the first Microsoft computer worm.

Get a Job as an Ethical Hacker

While the term “hacker” may not have the most positive connotation in today’s vocabulary, it actually encompasses a wide range of professionals with a number of motivations. To learn more about the different types of hackers — including how to become a white hat hacker — check out the full infographic below.

how to be a white hat hacker

Sources:
Malware Fox | Lifewire | Investopedia | MakeUseOf | Gizmodo | Business News Daily | SC Magazine | Payscale | PCMag | Pluralsight

60 Must-Know Cybersecurity Statistics for 2018

cybersecurity facts 2018

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Data Breaches by the Numbers

The increasing number of large-scale, well-publicized breaches suggests that security breaches are not only growing in number — they’re increasing in severity, as well.

  1. In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)
  2. In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
  3. In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)
  4. In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
  5. According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
  6. Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
  7. 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the WannaCry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
  8. Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
  9. In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)
  10. There are around 24,000 malicious mobile apps blocked every day. (Symantec)
  11. In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. In 2018, Under Armour reported that its “My Fitness Pal” app was hacked, affecting 150 million users. (Under Armour)
  13. Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches. (ID Theft Resource Center)

Cybersecurity Costs

Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.

  1. In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016 — on average about $11.7 million. (Accenture)
  2. The average cost of a malware attack on a company is $2.4 million. (Accenture)
  3. The average cost in time of a malware attack is 50 days. (Accenture)
  4. From 2016 to 2017 there was a 22.7 percent increase in cybersecurity costs. (Accenture)
  5. The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
  6. The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
  7. Ransomware damage costs exceeded $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
  8. The Equifax breach cost the company over $4 billion in total. (Time Magazine)
  9. The average cost per lost or stolen record is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
  10. In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  11. Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill, the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

Cybersecurity Facts and Figures

It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.

  1. Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)
  2. Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
  3. Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
  4. Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
  5. Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)
  6. The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
  7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)
  8. About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
  9. Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)
  10. The app categories with most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
  11. The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)
  12. In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
  13. Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)
  14. In 2017, overall malware variants were up by 88 percent. (Symantec)
  15. Among the top 10 malware detections were Heur.AdvML.C (23,335,068 detections, 27.5 percent of the total), Heur.AdvML.B (10,408,782 detections, 12.3 percent) and JS.Downloader (2,645,965 detections, 3.1 percent). (Symantec)
  16. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)

Cybersecurity Risks

With new threats emerging every day, the risks of not securing files are greater than ever, especially for companies.

  1. 21 percent of all files are not protected in any way. (Varonis)
  2. 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
  3. 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  4. 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
  6. 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  7. 65 percent of companies have over 500 users who are never prompted to change their passwords. (Varonis)
  8. Ransomware attacks are growing more than 350 percent annually. (Cisco)
  9. IoT attacks were up 600 percent in 2017. (Symantec)
  10. The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
  11. 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
  12. Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
  13. Variants of mobile malware increased by 54 percent in 2017. (Symantec)
  14. Today, 1 in 13 web requests leads to malware (up 3 percent from 2016). (Symantec)
  15. 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)
  16. In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
  17. 2017 brought a 29 percent increase in industrial control system–related vulnerabilities. (Symantec)
  18. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
  19. The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)

There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.

Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.

Must-know cybersecurity statistics

The Anatomy of a Phishing Email

Recognize a phishing scam

Have you been hooked by a phishing email?

Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. In fact, according to Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.

How to Spot a Phishing Scam

We’ve broken out the most common components of a phishing email. Check out our full infographic to test your knowledge.

how to spot a phishing scam

How many did you get? Read on to learn more about the identifying characteristics of a typical phishing email.

scare tactics phishing

Subject line
Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to induce the recipient into responding quickly, without recognizing the signs of a scam.

“From” field
To work, phishing campaigns must trick the email recipient into believing that the message is from a reputable company. As such, the email will appear to come from a legitimate entity within a recognized company, such as customer support. Upon closer look, however, you can see that both the name of the sender and the sender’s email address are a spoof of a known brand, not a real vendor.

phishing email body copy

“To” field
Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.” This is a red flag; while businesses may send out mass email blasts announcing a sale or service, legitimate companies will address you by name when asking for an update to financial information, or when dealing with a similarly sensitive matter.

Body copy
As with the subject line, the body copy of a phishing email typically employs urgent language designed to encourage the reader to act without thinking. Phishing emails are also often riddled with both grammar and punctuation mistakes.

phishing scam malicious link

Malicious link
A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or, as above, are formatted to look like a legitimate link that corresponds with the company and message of the fake email. However, rolling over the link shows a malicious address that doesn’t take you to the stated web address.

Scare tactics
In addition to urgent language, phishing emails often employ scare tactics in hopes that readers will click malicious links out of alarm or confusion. Such messaging is often framed around updates that are immediately required or payments that must be made within a certain amount of time.

phishing scam footer

Email sign-off
As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.

Footer
A phishing email’s footer often includes tell-tale signs of a fake, including an incorrect copyright date or a location that doesn’t correspond with that of the company.

malicious attachment

Attachment(s)
In addition to malicious links, phishing scams often include malicious downloadable files, often compressed .zip files, which can infect your computer.

malicious landing page

Malicious landing page
If you do click on a phishing link, you’ll often be taken to a malicious landing page, much like the one above. There are several ways to spot a malicious landing page:

  • Website address: The web address of a malicious landing page attempts to mimic the web address of a legitimate company, but errors such as misspellings and unsecure connections denote an unsafe website.
  • Missing navigation and footer: The goal of a malicious landing site is to take your information. As such, these pages are often bare-bones. Here, you can see that the landing page is missing both the header and footer of Apple’s ID sign-in page.
  • Misspelling: Like in the phishing email, the malicious landing page will attempt to mimic a real company, but small oversights can tip you off: like above, where “Apple Pay” is misspelled as one word.
  • Information collection: The goal of phishing scams is to get you to enter personal or financial information, so malicious landing pages will almost always include some type of information collection form that deviates slightly from the company’s legitimate landing page. In the malicious page above, users are required to enter their Apple ID password; this is not required on the actual Apple ID login page.
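The red flags listed above can be checked mechanically. The following is an added example (not code from the original post or from Varonis) that parses a raw email and reports which indicators it trips: a “From” display name claiming a brand while the address uses a look-alike domain, urgent wording, a generic greeting, link text that shows the brand’s URL while the real destination is a shortener or another host, and a .zip attachment. The brand name, the trusted domain and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording the post calls out: urgency, account compromise, hard deadlines
URGENT = re.compile(r"\b(immediately|suspended|compromised|verify now|within \d+ hours)\b", re.I)
GENERIC = re.compile(r"\bdear (valued )?(user|customer|member)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def phishing_indicators(raw: str, brand: str, trusted_domain: str) -> list[str]:
    """Return the red flags found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # "From" field: display name claims the brand but the address is a look-alike domain
    if brand in name.lower() and sender_domain != trusted_domain:
        flags.append(f"sender domain {sender_domain!r} does not match display name")
    if URGENT.search(msg.get("Subject", "")):
        flags.append("urgent language in subject")
    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(".zip"):
            flags.append(f"compressed attachment {fname!r}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body)  # strip tags before wording checks
    if GENERIC.search(text):
        flags.append("generic greeting")
    if URGENT.search(text):
        flags.append("urgent language in body")
    for href, shown in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        same_site = host == trusted_domain or host.endswith("." + trusted_domain)
        if host in SHORTENERS:
            flags.append(f"shortened link via {host}")
        elif shown.startswith(("http", "www.")) and not same_site:
            # Displayed URL is the brand's; hovering would reveal a different host
            flags.append(f"link text {shown!r} actually points to {host}")
    return flags


# Constructed sample message mirroring the post's red flags (not a real email)
SAMPLE = """\
From: "Example Bank Support" <support@examp1e-bank.com>
Subject: Your account has been suspended - verify now
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<p>Dear Customer,</p>
<p>Confirm your details at <a href="http://bit.ly/xyz">https://www.example-bank.com/login</a>
or <a href="http://examp1e-bank.com/verify">www.example-bank.com/verify</a> immediately.</p>
--B1
Content-Type: application/zip
Content-Disposition: attachment; filename="statement.zip"

UEsDBA==
--B1--
"""
```

Running `phishing_indicators(SAMPLE, "example bank", "example-bank.com")` returns seven flags, one for each indicator planted in the sample; a plain statement notice from the real domain returns none.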

So, were you able to spot all the errors? As phishing attacks become more common — and phishing tactics more sophisticated — it’s important to inspect all unsolicited emails with a careful eye.

Email recipients don’t shoulder all the burden, however. To truly combat phishing tactics, companies must become more vigilant, through both employee training and the use of security software, to better spot and prevent potentially debilitating attacks.

Is Your Company Prepared for a Cyber Attack?

In December of 2016, a researcher approached credit card reporting agency Equifax with a simple message: Your website is vulnerable to a cyber attack. The company did nothing to patch the flaw. They were breached six months later, in May of 2017, with hackers stealing the sensitive data of 145.5 million Americans.

It’s an extreme example of an all-too-common business failing: that of cybersecurity preparedness.

As hacks continue to fill the news cycle, targeting both large corporations and small businesses, companies that previously didn’t see a need to invest in cybersecurity training and prevention are increasingly focusing on one question: Are we prepared in the event of an attack? And, resoundingly, the answer is “no.”

Cybersecurity readiness involves developing a complex, proactive strategy that goes far beyond a basic response plan — although research suggests that many businesses don’t have one of those in place, either.

We’ve compiled the major steps you need to take to prepare your business for a cyber attack. Take a look at them below, and decide for yourself how your company would fare.

would your company survive a cyber attack

Creating an effective cybersecurity preparedness plan is a mix of implementing company-wide, procedural policies; utilizing data protection and taking technical precautions to protect your data; and putting a reactive plan in place in case the worst case does happen.

So, is your company prepared?

Sources
Verizon Data Breach Investigations Report | PWC Global State of Information Security Survey