Tag Archives: security

Cyber Hacks – Prevention Versus Cure

Getting sick is a really nasty experience. Being forced to stay in bed because you cannot move an arm or a leg, your nose dripping constantly and a headache bouncing around your skull all day is the opposite of a pleasant experience. When you then realise you could have prevented this simply by getting a flu shot at the beginning of autumn, you still wonder why you didn't. No time? Did not want to fork out $30.00 when the cost of living is hard enough?
Not being able to work and missing opportunities for your business is far more costly, and regaining customer confidence when it comes to business continuity can be a real challenge.

Extrapolate this to a cyber hack where your customer data is at risk of being exposed to the outside world and criminals are able to reach into the deepest pockets of your customers through extortion, identity theft and the like.


Microsoft Identifies 38% Increase in BEC

The sheer number of emails that currently travel the globe is astounding. Billions of emails are underway every single day and, I must add, the majority are perfectly legitimate. Herein lies the problem from a security perspective: psychological conditioning, meaning that the brain acts on experience from previous engagements. Whenever you see an email arriving in your inbox, there is some sort of automatic response, and the "look and feel" of an email triggers a certain behaviour.


Australian law makes you a target

As a privacy and security focussed person, I want to keep a minimal financial fingerprint in the digital world. I do not pay via credit or debit card directly, but always use a trusted payment gateway which has sufficient security frameworks in place. This way I can ensure that these numbers are not splurged all over the web, and any breach of a particular website should not have an effect on my account. The main issue is that the right to be forgotten does not exist in Australian financial legislation. If you have any dealings with any financial institution, your data is locked in for at least 7 years. This makes you vulnerable and leaves you exposed to the perils of the institution you've dealt with.


Ever Expanding Defence Perimeter

Even though companies would like to have employees return to the office after the pandemic, the norm of working-from-home or even working-from-anywhere is here to stay. This means that uncontrolled connectivity options are creating an ever-increasing attack surface, where home routers, public Wi-Fi spots, shared personal hotspots and more are causing headaches for many businesses trying to secure their endpoints.

Many very good endpoint security solutions, such as those from CrowdStrike, Microsoft and SentinelOne, provide an active method of securing endpoints with state-of-the-art software that gives an excellent overview of the overall security state of those endpoints.


Business Email Compromised? Or not?

When it comes to phishing attempts, email is the number one method used to lure unsuspecting victims into traps that can result in various precarious scenarios with, most often, devastating consequences. It is therefore of the utmost importance to identify these attempts and prevent them from even reaching the recipient's inbox.

When your company assets are being used as part of a spam/phishing attack, where victims receive emails carrying the letterheads and logos of your company, the implications are far-reaching: from brand damage via customer impact to financial burdens. So how do you prevent that?


Latitude Financial Services has been “hacked”

Huh? Why the quotes?

A hack is not really a hack when a spear phishing attempt is able to obtain employee credentials, which are then used to basically bypass all security measures that are in place. Is it really a "burglary" when you leave the front door open, or more an invitation for criminals to go "shopping"?

The Latitude security page shows a somewhat troublesome image that seems to be in line with the policies and procedures that are followed in the company. Too much “easy going” will eventually catch up with you.

Irrespective of terminology, the fallout of the breach is significant, with detailed information on a large customer base being stolen. Latitude Financial Services observed a breach that had all the hallmarks of a relatively simple spear phishing campaign, and it most likely took only one employee with enough authorisation in one or more systems to do this significant damage.

This comes just days after I wrote about the poor state of security in the financial services industry and the lack of preventative measures that should have been in place to stop this from happening. Latitude is not the only one, and it is just a matter of time before other institutions meet the same fate.

Actions to take now

I know I'm sitting on the sideline here making a high-level analysis, but when relatively simple things like credential theft through phishing happen, you can imagine that awareness training and Verifier Impersonation Resistant MFA technologies have not been used at Latitude.

I've said it before: customer and employee phishing awareness, as well as foolproof MFA solutions, will prevent this to the extent that attempts to breach environments are only possible under physical duress of the owner of the token.

As an authorised partner of KnowBe4 and Yubico, we can help in bringing you solutions that tackle both of the main problems at the root of the breach at Latitude. Ask us for a demo of KnowBe4 and how it can help your organisation elevate awareness of the various phishing methodologies and how to thwart them, or click here to register directly.

Contact us for Yubico solutions to help you and your customers obtain maximum, phishing-resistant MFA protection.

Kind regards,

Erwin

State of Security at Australian Financial Institutions

When it comes to safeguarding your money, you would think that banks, lenders and mortgage brokers have their act together. With about 95% of all financial services being done over the internet, there is a significant number of interactions that may be susceptible to modification by malicious parties, which could result in the loss of large sums of money. The gateway to your money at financial institutions should be improved.


Let’s go Phishing.

phishing

noun

  1. The act of sending email that falsely claims to be from a legitimate organisation. This is usually combined with a threat or request for information: for example, that an account will close, a balance is due, or information is missing from an account. The email will ask the recipient to supply confidential information, such as bank account details, PINs or passwords; these details are then used by the owners of the website to commit fraud.
  2. The act of circumventing security with an alias.

If you read my previous post (Cybersecurity prevention is like Whack-a-mole), you would have seen that a large part of defending your organisation against malicious people and organisations comes down to people, and to having the knowledge and awareness to be able to assess suspicious activities.
